OpenDKIM 和 Mailman

OpenDKIM 和 Mailman

我有一个基于 Fedora 的小型邮件服务器,其中带有 postfix、OpenDKIM、spamassassin 和 mailman。

  • OpenDKIM 签名可用于发送邮件
  • OpenDKIM 验证传入电子邮件

当 DKIM 消息发送到邮件列表时,我会在标题中看到以下内容:

DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li DB09BDFEE4
Authentication-Results: corti.li;
    dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=id.ethz.ch [email protected] header.a=rsa-sha256 header.s=key1-q3-2021 header.b=FOCb7EwF
[...]
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li A2C29DFED2
Received: from mailg210.ethz.ch (mailg210.ethz.ch [129.132.198.194])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by corti.li (Postfix) with ESMTPS id 98D21DF4AC
 for <[email protected]>; Thu,  2 Dec 2021 14:19:55 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li 98D21DF4AC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=id.ethz.ch;
 s=key1-q3-2021; t=1638451169; h=From:Subject:Date:Message-ID:To
 :MIME-Version:Content-Type; bh=qzmynR6bBoUQ7r53VOIB9APaTNZN6JNW86G7ge/XIj
 U=; b=FOCb7EwFI/pVyk/KvT2kEAFLcKguQN9b+UzfLobMxPe1YwAm1wHrRSs3ZXo8l1DUJTM
 J5/lO3rJAMu8+ZidXMHLSFWl7JwZ2ciqB93RiQMYNONBLZ+HOYpkUxzof3L9MAzdCmGeaJisF
 bk8FF/E8G+rGrBP7xXMpv+MgvofWU9RVCTQZqLOnWqPYyBsEsptByHDgsrUsmPGZSxQ1OUasd
 j6cEkRfXk3EVqVNVZXWfGLWDD4CWd0VKSNMGk/SMPgx9L63SUe1qSv4PUIJn9Lepn6gnvZaE9
 D7+v3uk69Kfglr4gK7OpFB1X/YQrEhQYzcstB6+sUUVTFhA3ROKyuHXA==;

在此示例中

  • corti.li 是我的服务器
  • @id.ethz.ch 是发件域名

OpenDKIM 配置如下/etc/postfix/main.cf

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

Mailman 通过以下方式配置

./postfix/main.cf:alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases

以及类似的条目

testlist:              "|/usr/lib/mailman/mail/mailman post testlist"

/etc/mailman/aliases

Spamassassin/etc/postfix/master.cf配置如下:

[root@corti etc]# grep spamass /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
submission inet n      -       n       -       -       smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
smtps    inet  n       -       n       -       -       smtpd  -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
spamassassin unix  -       n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

关于的日志条目A2C29DFED2

Dec 02 14:19:57 corti.li postfix/pickup[190218]: A2C29DFED2: uid=513 from=<[email protected]>
Dec 02 14:19:57 corti.li postfix/cleanup[194198]: A2C29DFED2: message-id=<[email protected]>
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: no signing table match for '*****@id.ethz.ch'
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: DKIM verification successful
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: from=<[email protected]>, size=12955, nrcpt=1 (queue active)
Dec 02 14:19:57 corti.li postfix/local[194206]: A2C29DFED2: to=<[email protected]>, relay=local, delay=0.1, delays=0.01/0/0/0.09, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post rpg)
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: removed

Dec 02 14:20:03 corti.li postfix/pickup[190218]: DB09BDFEE4: uid=513 from=<[email protected]>
Dec 02 14:20:03 corti.li postfix/cleanup[194198]: DB09BDFEE4: message-id=<[email protected]>
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: no signing table match for '*****@id.ethz.ch'
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: bad signature data
Dec 02 14:20:03 corti.li postfix/qmgr[1080]: DB09BDFEE4: from=<[email protected]>, size=14580, nrcpt=1 (queue active)
Dec 02 14:20:03 corti.li postfix/local[194206]: DB09BDFEE4: passing <[email protected]> to transport=procmail
Dec 02 14:20:04 corti.li postfix/pipe[194207]: DB09BDFEE4: to=<[email protected]>, relay=procmail, delay=0.15, delays=0.07/0/0/0.08, dsn=2.0.0, status=sent (delivered via procmail service)
Dec 02 14:20:04 corti.li postfix/qmgr[1080]: DB09BDFEE4: removed

为什么要检查发送邮件的 DKIM 签名?mailman 修改了邮件,原始签名不再相关。

答案1

我可以通过告诉邮递员来解决问题总是删除 DKIM 签名:

# Some list posts and mail to the -owner address may contain DomainKey or                                                                        
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.                                                                    
# Various list transformations to the message such as adding a list header or                                                                    
# footer or scrubbing attachments or even reply-to munging can break these                                                                       
# signatures.  It is generally felt that these signatures have value, even if                                                                    
# broken and even if the outgoing message is resigned.  However, some sites                                                                      
# may wish to remove these headers.  Possible values and meanings are:                                                                           
# No, 0, False -> do not remove headers.                                                                                                         
# Yes, 1, True -> remove headers only if we are munging the from header due                                                                      
#                 to from_is_list or dmarc_moderation_action.                                                                                    
# 2 -> always remove headers.                                                                                                                    
# 3 -> always remove, rename and preserve original DKIM headers.                                                                                 
REMOVE_DKIM_HEADERS = 2

相关内容