Postfix 发送的邮件中没有 DKIM 标头

tag-icon tag-icon ubuntu postfix sendmail dkim ubuntu-20.04
Postfix 发送的邮件中没有 DKIM 标头

我有两个 postfix,一个用于接收邮件,另一个用于发送邮件,我无法在发送邮件上签名 dkim。我按照这个教程

日志也没有帮助我指出主要问题。OpenDKIM 运行良好:

● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
     Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-06-18 17:39:40 UTC; 4s ago
       Docs: man:opendkim(8)
             man:opendkim.conf(5)
             man:opendkim-genkey(8)
             man:opendkim-genzone(8)
             man:opendkim-testadsp(8)
             man:opendkim-testkey
             http://www.opendkim.org/docs.html
    Process: 246310 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited, status=0/SUCCESS)
   Main PID: 246321 (opendkim)
      Tasks: 7 (limit: 4681)
     Memory: 2.8M
     CGroup: /system.slice/opendkim.service
             ├─246321 /usr/sbin/opendkim -x /etc/opendkim.conf
             └─246322 /usr/sbin/opendkim -x /etc/opendkim.conf

Jun 18 17:39:40 testmailcdo systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Jun 18 17:39:40 testmailcdo systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Jun 18 17:39:40 testmailcdo opendkim[246322]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf)

我的 postfix main.cf:

milter_default_action = accept
milter_protocol = 6
#smtpd_milters = inet:localhost:8891
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters =  $smtpd_milters

master.cf:

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_wrappermode=no
#  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=$smtpauth_recipient_restrictions
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_sasl_tls_security_options=noanonymous

opendkim.conf:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 testmailcdo.apolloglobal.net
#KeyFile                /etc/dkimkeys/dkim.key
#Selector               mail1

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization        relaxed/relaxed
Mode                    sv
SubDomains              no

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8891@localhost
#Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
Socket local:/var/spool/postfix/opendkim/opendkim.sock
##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /var/run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts

发送邮件时记录trusted.hosts

Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: connect from unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: 6D0D413C124: client=unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/cleanup[247221]: 6D0D413C124: message-id=<[email protected]>
Jun 18 18:14:08 testmailcdo postfix/qmgr[246787]: 6D0D413C124: from=<[email protected]>, size=601, nrcpt=1 (queue active)
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: disconnect from unknown[202.60.9.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 18 18:14:10 testmailcdo postfix/smtp[247222]: 6D0D413C124: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.250.157.26]:25, delay=1.8, delays=0.06/0/0.82/0.97, dsn=2.0.0, status=sent (250 2.0.0 OK  1624040055 p7si10315751pjl.99 - gsmtp)
Jun 18 18:14:10 testmailcdo postfix/qmgr[246787]: 6D0D413C124: removed

ls -l /var/spool/postfix/opendkim/opendkim.sock输出:

srwxrwx--- 1 opendkim opendkim 0 Jun 18 17:39 /var/spool/postfix/opendkim/opendkim.sock

我真的迷茫了。任何建议和帮助都将不胜感激!

答案1

您在 上的模式是错误的opendkim.sock。这些模式0770包括rwx按所有者、rwx按组,没有其他模式,其中所有者是opendkim,组是opendkim,但 Postfix 通常以postfix:mail或类似的身份运行,因此它属于“其他”类别,不允许访问。您应该在 Postfix 日志中找到对此的提及(在 Debian 中,我们会查看/var/log/mail.err)。

还要注意,chown你所做的是目录,包含套接字,而不是插座本身,所以这还不够。

尝试将0777其设置opendkim.sock为一次性测试解决方案:

chmod 0777 /var/spool/postfix/opendkim/opendkim.sock

如果有帮助,那我们就走在正确的轨道上。OpenDKIM 每次重启时都会使用以前的模式重新创建套接字,因此模式将重置,这就是此解决方案一次性的原因。为了使其持久,将用户(或正在运行的postfix任何帐户)添加到组中,因此第二个“7”将适用于它(允许的组访问):smtpdopendkim

gpasswd -a postfix opendkim

或者(例如,如果smtpd在下运行),您可以稍微更改 OpenDKIM 的启动脚本,以便它在创建套接字后nobody设置模式。0777

相关内容