SPF 和 OpenDMARC 在 Postfix 中不起作用

SPF 和 OpenDMARC 在 Postfix 中不起作用

我正在努力将 SPF 和 OpenDMARC/DKIM 实现到我的邮件服务器中。目前,我在不同的子网中拥有两台邮件服务器,每台都有单独的 DNS 服务器和域名。它们可以成功交换电子邮件。

我使用 pypolicyd-spf 设置了 SPF,使用 OpenDMARC 设置了 DMARC,使用 OpenDKIM 设置了 DKIM。DKIM 运行正常,但是 DMARC 和 SPF 存在一些问题,可能与我的地形有关(下面有一张图)。

我在每个邮件服务器上都创建了用户,并通过 Squirrelmail 在他们之间交换邮件。

如何使 SPF 和 DMARC 正常工作?在我的电子邮件标头中,我收到:

Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132
Authentication-Results: OpenDKIM; dmarc=none (p=none dis=none) header.from=another.com

我认为日志中的本地主机 IP 有问题,但我不知道是什么原因造成的:

policyd-spf[2183]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=[192.168.22.128]; [email protected]; receiver=<UNKNOWN>
postfix/smtpd[2177]: D5DA9C0F5F38: client=localhost[127.0.0.1]

我的postconf -n输出:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = example.com
mynetworks = 127.0.0.0/8, 192.168.22.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf, permit_mynetworks, 
reject_unauth_destination
unknown_local_recipient_reject_code = 550

网络图:

网络图

如果需要的话我可以提供任何其他信息。

当然,DNS中的所有条目都已完成。

example.com.     IN      TXT     "v=spf1 mx ~all"
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=XXXkeyXXX" )  ; ----- DKIM key default for example.com
_dmarc.example.com.       IN      TXT      "v=DMARC1; p=none; pct=100"

policyd-spf 日志:

policyd-spf[2681]: Read line: "request=smtpd_access_policy"
policyd-spf[2681]: Read line: "protocol_state=RCPT"
policyd-spf[2681]: Read line: "protocol_name=ESMTP"
policyd-spf[2681]: Read line: "client_address=192.168.22.132"
policyd-spf[2681]: Read line: "client_name=gateway"
policyd-spf[2681]: Read line: "reverse_client_name=gateway"
policyd-spf[2681]: Read line: "helo_name=example.com"
policyd-spf[2681]: Read line: "[email protected]"
policyd-spf[2681]: Read line: "[email protected]"
policyd-spf[2681]: Read line: "recipient_count=0"
policyd-spf[2681]: Read line: "queue_id="
policyd-spf[2681]: Read line: "instance=a73.5fe8c4e7.510b9.0"
policyd-spf[2681]: Read line: "size=935"
policyd-spf[2681]: Read line: "etrn_domain="
policyd-spf[2681]: Read line: "stress="
policyd-spf[2681]: Read line: "sasl_method="
policyd-spf[2681]: Read line: "sasl_username="
policyd-spf[2681]: Read line: "sasl_sender="
policyd-spf[2681]: Read line: "ccert_subject="
policyd-spf[2681]: Read line: "ccert_issuer="
policyd-spf[2681]: Read line: "ccert_fingerprint="
policyd-spf[2681]: Read line: "ccert_pubkey_fingerprint="
policyd-spf[2681]: Read line: "encryption_protocol="
policyd-spf[2681]: Read line: "encryption_cipher="
policyd-spf[2681]: Read line: "encryption_keysize=0"
policyd-spf[2681]: Read line: ""
policyd-spf[2681]: Found the end of entry
policyd-spf[2681]: Config: {'Whitelist_Lookup_Time': 10, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'Reason_Message': 'Message {rejectdefer} due to: {spf}. Please see {url}', 'PermError_reject': 'False', 'Header_Type': 'SPF', 'TestOnly': 0, 'SPF_Enhanced_Status_Codes': 'Yes', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'debugLevel': 4, 'Authserv_Id': 'centos2.another.agh.edu.pl', 'Mail_From_reject': 'Fail', 'Hide_Receiver': 'Yes', 'HELO_reject': 'Fail', 'Void_Limit': 2, 'Mock': False}
Dec 27 12:31:19 centos2 policyd-spf[2681]: Cached data for this instance: []
Dec 27 12:31:19 centos2 policyd-spf[2681]: skip_addresses enabled.
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'helo']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=no SPF record; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=mailfrom; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: not peruser
Dec 27 12:31:29 centos2 policyd-spf[2681]: Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN>  Reject action: 550 5.7.23

答案1

经过几天与 pypolicyd-spf 的 SPF 斗争之后,我终于知道问题出在哪里了。

我的拓扑包括 2 个 DNS 服务器,并且邮件服务器上的 /etc/resolv.conf 文件同时包含这两个 DNS 服务器。

OpenDMARC SPF 运行良好,并对两个 DNS 上的 spf 记录的变化做出了响应,但 pyspf 却没有。

答案是:pypolicyd-spf 不支持 resolv.conf 中的两个 dns。一个简单的解决方法是在一个 DNS 服务器中创建两个区域。然后 pyspf 就会突然开始工作。

相关内容