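I have successfully installed Postfix and OpenDKIM on my server, and it correctly signs mail from several different domains. We'll call the host webhost.example.com. It runs Ubuntu 18.04.2 LTS, Postfix 3.3.0 and OpenDKIM v2.11.0.
Today I wanted to get the output of some CRON jobs sent to my Gmail account, so I set up the required entries in the KeyTable and SigningTable, generated the keys, and tested it with an email to myself.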
echo "Test message" | mail -s "Test message" [email protected]
This generates an email from [email protected]. It does, and it is correctly signed by OpenDKIM, sent to my Gmail account, and successfully validated.
Here is what I received at GMail:
Delivered-To: [email protected]
Received: by 2002:a5d:48c4:0:0:0:0:0 with SMTP id p4csp257074wrs;
Tue, 19 Mar 2019 21:00:38 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzzFOWDKe9HXwsYXMKgDAYZjyoHVQj0EcFTzj7zrlnhiY0QBCN2DaEXqiXjh8T71ZiLDzqc
X-Received: by 2002:a62:5789:: with SMTP id i9mr27645136pfj.75.1553054437831;
Tue, 19 Mar 2019 21:00:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553054437; cv=none;
d=google.com; s=arc-20160816;
b=bBqJW5ba0CKQdhBlKSOmx8A+D++aHf/NwbCWSD5V0Mq/+E2NSAwtSU9Yi/sOpp0dAl
VZ2fbB1PNjhB1KGTT2vwoOambDbYUwWB2nIMG5w3aFlUVoOFgYLmLFZwHx6EeTm+nKbQ
tu6XzdsjT0Vl9HtH44hXed4WU5eRe4KGcblkKSswF3xQ3k57PPOSOea0qdqSN+K3Usj1
yv9B81pxTRKdBa3Ihkxmy6q0BPfiwwVRD1rb22/swhC/QS7O7M/9AKGxlxBhl1zgks9a
55Sm1ghGyN3HFoDlZ8bWNo0qImV4bQPsDaTVDykueHOxC2tXBdxA8559io4QKwBU2yc1
TFFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:date:message-id:to:subject:dkim-signature;
bh=vMryiu7Ey0Nro6WC0HJ1+2DMJ4hQ10+LmaSady45MSs=;
b=RN6/AsO7ejyBlwkSuPyLIgktIttKp2ar60+D0vyf4Le/RP543qL/OQUSC5su1tbc7l
fbEaCSnDuuBpB0OlJiBjQHeu0y3+FvK4cjmElRgPMyMFbk3q6PxbEXLrgeKs9tiKFHSG
TFAu+Czb32yhOVgmJQNwQ4cpyOKEZmfz7eXFwXBvw69D4qGUrW6q7j54xoQGl8kTVDM5
kUz/N4JoiS9rAFNxft/fg0druQaoMCFhuPR8d5a7NYJBp3vV+bWyonLD2kGbqxFujU97
RjAMko+eMvuWS7zWOnqYF3Di3MyGDLBlue4+rXz65o0VxrTS/MZhsKZFG/LzlBdi4vPF
0thA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=webhost header.b=eMU0P6hB;
spf=pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
Return-Path: <[email protected]>
Received: from webhost.example.com (ec2-13-238-180-128.ap-southeast-2.compute.amazonaws.com. [13.238.180.128])
by mx.google.com with ESMTP id j134si770928pgc.42.2019.03.19.21.00.37
for <[email protected]>;
Tue, 19 Mar 2019 21:00:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) client-ip=13.238.180.128;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=webhost header.b=eMU0P6hB;
spf=pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
Received: by webhost.example.com (Postfix, from userid 1000)
id 3E9A8FA106; Wed, 20 Mar 2019 04:00:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=webhost.example.com; s=webhost; t=1553054436;
bh=vMryiu7Ey0Nro6WC0HJ1+2DMJ4hQ10+LmaSady45MSs=;
h=Subject:To:Date:From:From;
b=eMU0P6hBtTMDVSU5aw1dTR7CSlrBSHjK4And4uaFeo+HnSnD5+bBAKObTk3WxeLgr
Tf/1/httpjXNUdphU5STlFSqeunuZJafxDqLVzuoYHJOCuQ8vfGoZqyI2hGaJ9ql8E
dSp1j1mOVRBYC8KpSYbnA+Uc2+ut68mQDDRc2pZQWdQLzmxWwCiz+tAAXdHQFVsx+D
sobOHN/cq9CgJNkEs0qnjsE9zdnTdMrO+1AbnJBCHKeQBZAoDdg4OjjlMmg4kTmLli
fyVtcYBHaY8OjM15qiKL0YvjzfnCP50L7VjT9EBAhtJn2d9lYGyhQ/sLbwx91nL/yG
OTxMRE82pD6wQ==
Subject: This is a test message
To: <[email protected]>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <[email protected]>
Date: Wed, 20 Mar 2019 04:00:36 +0000 (UTC)
From: Ubuntu <[email protected]>
This is a test message. You know the drill!
So far, so good.
I set up my cron task and added the line
[email protected]
The output was generated, signed and mailed, but GMail failed the DKIM validation for the following reason:
dkim=neutral (body hash did not verify) [email protected] header.s=webhost header.b=tXJM8ih0;
Here is the full email. In case it's useful, this is the output of a curl request.
Delivered-To: [email protected]
Received: by 2002:a5d:48c4:0:0:0:0:0 with SMTP id p4csp776152wrs;
Wed, 20 Mar 2019 07:14:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyZdMJuwpApjkjfxfh/rsHg67hLBtQSS5j0BUCq8NaaxUqV+sIDf7CPy+sYjS2b817v9pAu
X-Received: by 2002:a63:5541:: with SMTP id f1mr7627593pgm.38.1553091244323;
Wed, 20 Mar 2019 07:14:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553091244; cv=none;
d=google.com; s=arc-20160816;
b=h3SPkfLIm9BjWS+SlJc4Wd/8XFE2YT3QNSOkzzLY858wldyOXMn3OR8rFcU6UVmbEL
stCPHuXM7ouP0s7ICTC4TAyv+DiqWNokBsRkwXjdP6+mEEmXlP6VUk8H/+nL89BrMp4E
FhzVM4sE5/3VphjuXPom0Ux+e+WrLDWBZbKMbMOLSMkbmCL6B3/llK3FMwPfAGPzS2O8
o+cfm6r15W0aND02eIvNg6px2kNmD+wHAI993/BZJ3vIPvNzsEHFUWwbD10iYkIUwmvA
DMUVB3jx+pXtFhv17+Fpx0zsSx5806vieOVoLxXAnlJgdykNH/DuZY3NM1DVyR1Renxw
eTPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:content-transfer-encoding:mime-version:subject:to
:from:dkim-signature;
bh=lkMik4Dz2hOPxvMLwTHlE8QE1l4G/X7DcjAYikPMEMc=;
b=N85+olM3406vk7LhpV03QNxCZQLELh+ZLjUIUg1xt5u7z/aJZS0CRa1q4JJcBn8Fm0
nRBvMLFJXIrm0Y11s5kET6Xvzkk9G/szfJNqthy7e80mHs2Q7xgfYeVpYmQmL3DxjVjm
mzlnJVzVyx0XLMcAKaneb0CkOIsuOo6nkCGMakPsS9e+vMpfdnBggZZQv1zqkGHzTnML
+QMIVMEH7kgQphYo6GiCVb1LWThuwYyI+nSclPDw9fNLRPGTNqbiBqWQuEdgM3/K46Zy
gY4SgTXwL+MOCVgIbN33ZG3FuVHwyr5bQZGrpR48HXS68zYA5jbcgF9eFDBtuBOQPDo+
HkKw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) [email protected] header.s=webhost header.b=tXJM8ih0;
spf=pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
Return-Path: <[email protected]>
Received: from webhost.example.com (ec2-13-238-180-128.ap-southeast-2.compute.amazonaws.com. [13.238.180.128])
by mx.google.com with ESMTP id b7si1705816pgl.20.2019.03.20.07.14.03
for <[email protected]>;
Wed, 20 Mar 2019 07:14:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) client-ip=13.238.180.128;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) [email protected] header.s=webhost header.b=tXJM8ih0;
spf=pass (google.com: domain of [email protected] designates 13.238.180.128 as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
Received: by webhost.example.com (Postfix, from userid 1000)
id 0FACCFA104; Wed, 20 Mar 2019 14:14:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=webhost.example.com; s=webhost; t=1553091242;
bh=20rEKrmO1yPqlIJwX4HLsjr/kx4SaM/AaK17/OmPhLA=;
h=From:To:Subject:Date:From;
b=tXJM8ih006AjxwXJNAD30k7Fjo/HYTsi5bEfOCaxr0D8BiEAA/mIiDvaexjHPWNQ6
B5DrCGlhvLVZIRs1Zp2v4pbYYYvpmrzOTB99vXk0lEEGTRIwdhvAYKT31Jt2N5VMq3
hifps7hj3TD/Eevks82VvcIu2xJWXFPNEZMGvjcRa3hFSE2IIcfOhMJhwX5Rcnx+F4
wjtxqROgxXpHxgJkXzkVe3HbpKVK5eOrsBoeRnUhR4SWa2f7UKhT4k28KOuTQo8bG3
E63PoPwcOQU4cPiiqnPEdWO7ERvSHetgh/1yjpigcbch9SWwQHwA4FPSmcfOfLeIov
+wxrbVKHXtzMA==
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <ubuntu@webhost> curl https://invoicing2018.example.com/tasks/run
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <[email protected]>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/ubuntu>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=ubuntu>
Message-Id: <[email protected]>
Date: Wed, 20 Mar 2019 14:14:02 +0000 (UTC)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
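The email from cron also fails the Port25 verifier in the same way.
So, the questions are:
Why does my DKIM configuration correctly sign everything except CRON output?
How do I fix this?
I could try using a script to run the curl request and send the email, but I have many other cron jobs to add and I'd rather solve the underlying problem before trying workarounds.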
Answer 1
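Since there were few replies here, I posted this question on Server Fault. This is the answer I got from 科拉. Setting the FixCRLF flag solved the problem. I haven't yet investigated the temporary files to see whether there is more information there.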
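The authentication results produced by mx.google.com show that the message you sent from the command line and the one sent by the cron job differ in their respective bodies: "body hash did not verify".
A common problem with OpenDKIM is irregular line endings. RFC 5322 states that "CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body." So perhaps the message you sent manually has correct line endings, but the one sent by the cron job does not. You could try setting "FixCRLF yes" in OpenDKIM's configuration.
Whether or not this is the cause, you can enable "KeepTemporaryFiles" in OpenDKIM: "Instructs the filter to create temporary files containing the header and body canonicalizations of messages that are signed or verified. The location of these files can be set using the TemporaryDirectory parameter. Intended only for debugging verification problems." That way you can compare the original body with the body sent to GMail and possibly find the difference that causes the verification error.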
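Added example (not part of the original answer and not OpenDKIM's code): the signature in the question uses c=relaxed/simple, so the body is hashed under RFC 6376 "simple" canonicalization, which leaves bare CR and bare LF untouched. The Python sketch below computes the bh= value for a body before and after its line endings are rewritten as CRLF; the sample body is constructed (modelled on the curl progress output above, with the exact bytes assumed), and the function names are illustrative.

```python
import base64
import hashlib
import re

LINE_END = re.compile(rb"\r\n|\r|\n")

def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: ignore trailing empty lines
    and end with exactly one CRLF. Bare CR/LF inside the body are kept."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()

def bare_line_endings(body: bytes):
    """Return (offset, 'CR' or 'LF') for every line ending that is not CRLF."""
    return [(m.start(), "CR" if m.group() == b"\r" else "LF")
            for m in LINE_END.finditer(body) if m.group() != b"\r\n"]

def normalize_crlf(body: bytes) -> bytes:
    """Rewrite every bare CR or bare LF as CRLF (the goal of a CRLF fix-up)."""
    return LINE_END.sub(b"\r\n", body)

# Constructed sample: a progress meter that redraws its line with bare CR,
# piped into mail with bare LF line endings (assumed bytes, not captured).
CRON_BODY = (b"  % Total    % Received % Xferd\n"
             b"\r  0     0    0     0    0     0"
             b"\r  0     0    0     0    0     0\n")

if __name__ == "__main__":
    print("bare line endings:", bare_line_endings(CRON_BODY))
    print("bh over raw body :", body_hash(CRON_BODY))
    print("bh after CRLF fix:", body_hash(normalize_crlf(CRON_BODY)))
```

If the signer hashes the raw bytes and a later hop rewrites the line endings, the verifier computes the second value and reports a body hash mismatch even though the key and headers are fine.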