我有两个 postfix,一个用于接收邮件,另一个用于发送邮件,我无法在发送邮件上签名 dkim。我按照这个教程。
日志也没有帮助我指出主要问题。OpenDKIM 运行良好:
● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-06-18 17:39:40 UTC; 4s ago
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testadsp(8)
man:opendkim-testkey
http://www.opendkim.org/docs.html
Process: 246310 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited, status=0/SUCCESS)
Main PID: 246321 (opendkim)
Tasks: 7 (limit: 4681)
Memory: 2.8M
CGroup: /system.slice/opendkim.service
├─246321 /usr/sbin/opendkim -x /etc/opendkim.conf
└─246322 /usr/sbin/opendkim -x /etc/opendkim.conf
Jun 18 17:39:40 testmailcdo systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Jun 18 17:39:40 testmailcdo systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Jun 18 17:39:40 testmailcdo opendkim[246322]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf)
我的 postfix main.cf:
milter_default_action = accept
milter_protocol = 6
#smtpd_milters = inet:localhost:8891
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
master.cf:
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=no
# -o smtpd_tls_auth_only=yes
-o smtpd_enforce_tls=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=$smtpauth_recipient_restrictions
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_sasl_tls_security_options=noanonymous
opendkim.conf:
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain testmailcdo.apolloglobal.net
#KeyFile /etc/dkimkeys/dkim.key
#Selector mail1
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization relaxed/relaxed
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
#Socket inet:8891@localhost
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /var/run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
发送邮件时记录trusted.hosts
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: connect from unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: 6D0D413C124: client=unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/cleanup[247221]: 6D0D413C124: message-id=<[email protected]>
Jun 18 18:14:08 testmailcdo postfix/qmgr[246787]: 6D0D413C124: from=<[email protected]>, size=601, nrcpt=1 (queue active)
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: disconnect from unknown[202.60.9.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 18 18:14:10 testmailcdo postfix/smtp[247222]: 6D0D413C124: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.250.157.26]:25, delay=1.8, delays=0.06/0/0.82/0.97, dsn=2.0.0, status=sent (250 2.0.0 OK 1624040055 p7si10315751pjl.99 - gsmtp)
Jun 18 18:14:10 testmailcdo postfix/qmgr[246787]: 6D0D413C124: removed
ls -l /var/spool/postfix/opendkim/opendkim.sock
输出:
srwxrwx--- 1 opendkim opendkim 0 Jun 18 17:39 /var/spool/postfix/opendkim/opendkim.sock
我真的迷茫了。任何建议和帮助都将不胜感激!
答案1
您在 上的模式是错误的opendkim.sock
。这些模式0770
包括rwx
按所有者、rwx
按组,没有其他模式,其中所有者是opendkim
,组是opendkim
,但 Postfix 通常以postfix:mail
或类似的身份运行,因此它属于“其他”类别,不允许访问。您应该在 Postfix 日志中找到对此的提及(在 Debian 中,我们会查看/var/log/mail.err
)。
还要注意,chown
你所做的是目录,包含套接字,而不是插座本身,所以这还不够。
尝试将0777
其设置opendkim.sock
为一次性测试解决方案:
chmod 0777 /var/spool/postfix/opendkim/opendkim.sock
如果有帮助,那我们就走在正确的轨道上。OpenDKIM 每次重启时都会使用以前的模式重新创建套接字,因此模式将重置,这就是此解决方案一次性的原因。为了使其持久,将用户(或正在运行的postfix
任何帐户)添加到组中,因此第二个“7”将适用于它(允许的组访问):smtpd
opendkim
gpasswd -a postfix opendkim
或者(例如,如果smtpd
在下运行),您可以稍微更改 OpenDKIM 的启动脚本,以便它在创建套接字后nobody
设置模式。0777