我有这个域名,我为其设置了 SPF、DKIM 和 DMARC 等。假设该域名example.com的 DNS 区域中有以下条目:
example.com. 600 IN MX 1 mail.morpheu5.net.
example.com. 600 IN TXT "v=spf1 a mx -all"
_dmarc.example.com. 600 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; ri=86400"
mail._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"
mail.morpheu5.net是我的 postfix 的本地主机/域/事物,我将其example.com作为虚拟域进行管理。我运行 OpenDKIM 和 OpenDMARC 作为邮件过滤程序 — SpamAssassin 也是如此,但运行正常。
OpenDKIM 运行良好,所有邮件都正确签名,Gmail 甚至显示“签名者:example.com”和标准加密 (TLS) 确认。事实上,如果我在 Gmail 中检查原始邮件,我会得到以下内容:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=mail header.b=pixIC2KM;
spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <[email protected]>
Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28])
by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43
for <[email protected]>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 31 Oct 2018 08:01:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=mail header.b=pixIC2KM;
spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
如果我没看错的话,它告诉我
- 我的 SPF 策略没有问题(example.com 将 mail.morpheu5.net 指定为允许的发件人),
- 我的 DKIM 签名有效(表明 OpenDKIM 工作正常),并且
- 我的 DMARC 记录有效,并且之前两次检查都通过了。
进一步,如果我检查我自己的 MTA 生成的标头,我会看到以下内容
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND
rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U
1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
^^^^^^^^^^- WHAT?!
这本身就很令人困惑,因为看起来 OpenDMARC 甚至在发送邮件时也在运行(记住,我是从[电子邮件保护]到[电子邮件保护])。不过,这可能是因为我运行 milter 的方式。这是 postfix 中的相关位main.cf:
smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
^- SpamAssassin ^- OpenDMARC ^- OpenDKIM
我愿意接受有关此事的建议。
但真正让我抓狂的是,OpenDMARC 几乎让所有进入的邮件都失败。这是我从另一个域名发送的消息(我将其设置为与 example.com 类似)
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.morpheu5.net ([172.18.0.14])
by 6c01c2ccb641 with LMTP
id t10hEf7J2Vu3BQAAl2tFQA
(envelope-from <[email protected]>)
for <[email protected]>; Wed, 31 Oct 2018 15:27:58 +0000
Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB
for <[email protected]>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=mail; t=1540999678;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
h=From:Subject:Date:To:From;
b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG
yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv
GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
From: "example.com" <[email protected]>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject:
Message-Id: <[email protected]>
Date: Wed, 31 Oct 2018 15:27:57 +0000
To: [email protected]
它们都由同一个 postfix 安装提供服务,因此请自行得出结论。我在日志中看到的唯一内容是一条非常简洁的
Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail
所以我想我在发送邮件时一定出了什么问题。然后我从我的 gmail.com 地址发送了一封邮件,结果
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.morpheu5.net ([172.18.0.14])
by 6c01c2ccb641 with LMTP
id 3P0+CTjL2Vu7BQAAl2tFQA
(envelope-from <[email protected]>)
for <[email protected]>; Wed, 31 Oct 2018 15:33:12 +0000
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB
for <[email protected]>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net;
dkim=pass (2048-bit key) header.d=gmail.com [email protected] header.b="Yrnjbum2"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com
Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5
for <[email protected]>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy
YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq
grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm
4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh
s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM
8O7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A
6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8
vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP
n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV
nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r
NXUA==
X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma
iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ==
X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM=
X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833;
Wed, 31 Oct 2018 08:33:09 -0700 (PDT)
MIME-Version: 1.0
From: Andrea Franceschini <[email protected]>
Date: Wed, 31 Oct 2018 15:32:32 +0000
Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com>
Subject:
To: [email protected]
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b
这就是日志中显示的内容
Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail
还请注意,SpamAssassin 为此消息计算了一堆 DKIM 分数,而这种情况以前从未发生过,因此... 是时候提供更多的配置文件了!
首先是 OpenDKIM
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
SoftwareHeader yes
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
OversignHeaders From
QueryCache yes
AutoRestart Yes
我觉得 KeyTable 不错
mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem
我也有通配符签名
*@unijobs.it mail._domainkey.unijobs.it
*@example.com mail._domainkey.example.com
并将其作为受信任的主机
127.0.0.1
::1
172.17.0.0/16
172.18.0.0/16
OpenDMARC 配置如下
AuthservID mail.morpheu5.net
HistoryFile /var/spool/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
RejectFailures false
Socket inet:8893@localhost
SoftwareHeader true
Syslog true
UMask 007
UserID opendmarc:mail
使用以下内容ignore.hosts
localhost
172.17.0.0/16
172.18.0.0/16
那么...为什么 OpenDMARC 几乎使所有通过的请求都失败呢?
编辑我运行了opendmarc -t其中一条消息,最糟糕的情况是
opendmarc: mlfi_connect() returned SMFIS_ACCEPT
如果我使用我的自定义配置文件运行它,并且
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com'
opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE
如果我没有指定我的自定义配置文件(由于某些原因,它位于一个奇怪的位置)。
编辑Gmail 现在通过了 SPF、DKIM,最终 opendmarc 也让它通过了。不知道发生了什么。
答案1
我最近也遇到了这个问题。就我而言,我通过添加以下内容解决了该问题/etc/opendmarc.conf:
IgnoreAuthenticatedClients true
man opendmarc.conf对此有这样的看法:
IgnoreAuthenticatedClients (Boolean)
If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be
ignored by the filter. The default is "false".
这正是我想要的。我只允许通过安全连接与 SMTP 进行外部连接。现在 opendmarc 不会管我的外发邮件。
答案2
尝试更改 main.cf
smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893
首先检查 OpenDKIM!接下来是检查 OpenDMARC...
答案3
因此,您的 DMARC(spf、dkim)的外部验证没有问题。(您可以使用https://dmarcian.com/dmarc-inspector/?domain=example.com)
每次传递消息时内部检查都会失败。
可能是配置中的行
AuthservID mail.morpheu5.net
无法正确解析。请尝试改为设置字符串“HOSTNAME”。然后它将使用函数 获取主机名() (这只是猜测)
那么 ignorehosts 文件呢,也许您还应该添加 127.0.0.1(如果没有指定,则为默认值),而不仅仅是 localhost。
更新: 尝试从中删除 DMARC 过滤器
main.cf: non_smtpd_milters xxxxx
答案4
我知道已经晚了,但是由于您在这一行中看到的内容,它失败了:
已收到:来自 mail.morpheu5.net ([172.18.0.14]),由 6c01c2ccb641 使用 LMTP
具体来说,由 6c01c2ccb641 使用 LMTP
如果您可以匹配它,以便 6c01c2ccb641 也显示为 mail.morpheu5.net,那么它就可以正常工作。