我有一个基于 Fedora 的小型邮件服务器,其中带有 postfix、OpenDKIM、spamassassin 和 mailman。
- OpenDKIM 签名可用于发送邮件
- OpenDKIM 验证传入电子邮件
当 DKIM 消息发送到邮件列表时,我会在标题中看到以下内容:
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li DB09BDFEE4
Authentication-Results: corti.li;
dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=id.ethz.ch [email protected] header.a=rsa-sha256 header.s=key1-q3-2021 header.b=FOCb7EwF
[...]
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li A2C29DFED2
Received: from mailg210.ethz.ch (mailg210.ethz.ch [129.132.198.194])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by corti.li (Postfix) with ESMTPS id 98D21DF4AC
for <[email protected]>; Thu, 2 Dec 2021 14:19:55 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li 98D21DF4AC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=id.ethz.ch;
s=key1-q3-2021; t=1638451169; h=From:Subject:Date:Message-ID:To
:MIME-Version:Content-Type; bh=qzmynR6bBoUQ7r53VOIB9APaTNZN6JNW86G7ge/XIj
U=; b=FOCb7EwFI/pVyk/KvT2kEAFLcKguQN9b+UzfLobMxPe1YwAm1wHrRSs3ZXo8l1DUJTM
J5/lO3rJAMu8+ZidXMHLSFWl7JwZ2ciqB93RiQMYNONBLZ+HOYpkUxzof3L9MAzdCmGeaJisF
bk8FF/E8G+rGrBP7xXMpv+MgvofWU9RVCTQZqLOnWqPYyBsEsptByHDgsrUsmPGZSxQ1OUasd
j6cEkRfXk3EVqVNVZXWfGLWDD4CWd0VKSNMGk/SMPgx9L63SUe1qSv4PUIJn9Lepn6gnvZaE9
D7+v3uk69Kfglr4gK7OpFB1X/YQrEhQYzcstB6+sUUVTFhA3ROKyuHXA==;
在此示例中
- corti.li 是我的服务器
- @id.ethz.ch 是发件域名
OpenDKIM 配置如下/etc/postfix/main.cf:
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Mailman 通过以下方式配置
./postfix/main.cf:alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
以及类似的条目
testlist: "|/usr/lib/mailman/mail/mailman post testlist"
在/etc/mailman/aliases
Spamassassin/etc/postfix/master.cf配置如下:
[root@corti etc]# grep spamass /etc/postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
submission inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
smtps inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
spamassassin unix - n n - - pipe user=spamassassin argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
关于的日志条目A2C29DFED2
Dec 02 14:19:57 corti.li postfix/pickup[190218]: A2C29DFED2: uid=513 from=<[email protected]>
Dec 02 14:19:57 corti.li postfix/cleanup[194198]: A2C29DFED2: message-id=<[email protected]>
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: no signing table match for '*****@id.ethz.ch'
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: DKIM verification successful
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: from=<[email protected]>, size=12955, nrcpt=1 (queue active)
Dec 02 14:19:57 corti.li postfix/local[194206]: A2C29DFED2: to=<[email protected]>, relay=local, delay=0.1, delays=0.01/0/0/0.09, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post rpg)
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: removed
和
Dec 02 14:20:03 corti.li postfix/pickup[190218]: DB09BDFEE4: uid=513 from=<[email protected]>
Dec 02 14:20:03 corti.li postfix/cleanup[194198]: DB09BDFEE4: message-id=<[email protected]>
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: no signing table match for '*****@id.ethz.ch'
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: bad signature data
Dec 02 14:20:03 corti.li postfix/qmgr[1080]: DB09BDFEE4: from=<[email protected]>, size=14580, nrcpt=1 (queue active)
Dec 02 14:20:03 corti.li postfix/local[194206]: DB09BDFEE4: passing <[email protected]> to transport=procmail
Dec 02 14:20:04 corti.li postfix/pipe[194207]: DB09BDFEE4: to=<[email protected]>, relay=procmail, delay=0.15, delays=0.07/0/0/0.08, dsn=2.0.0, status=sent (delivered via procmail service)
Dec 02 14:20:04 corti.li postfix/qmgr[1080]: DB09BDFEE4: removed
为什么要检查发送邮件的 DKIM 签名?mailman 修改了邮件,原始签名不再相关。
答案1
我可以通过告诉邮递员来解决问题总是删除 DKIM 签名:
# Some list posts and mail to the -owner address may contain DomainKey or
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.
# Various list transformations to the message such as adding a list header or
# footer or scrubbing attachments or even reply-to munging can break these
# signatures. It is generally felt that these signatures have value, even if
# broken and even if the outgoing message is resigned. However, some sites
# may wish to remove these headers. Possible values and meanings are:
# No, 0, False -> do not remove headers.
# Yes, 1, True -> remove headers only if we are munging the from header due
# to from_is_list or dmarc_moderation_action.
# 2 -> always remove headers.
# 3 -> always remove, rename and preserve original DKIM headers.
REMOVE_DKIM_HEADERS = 2