

Adding SPF and DKIM to a Postfix mail server

Google has announced that 91.4% of the mail delivered to Gmail already carries DKIM or SPF anti-spoofing authentication.

SPF
Add TXT records in the domain's DNS management panel.
The example mail server is mta.c1gstudio.com with IP 208.133.199.7.
1. The apex record lists no addresses itself; it delegates to the mail host's own SPF record with include:
@ IN TXT "v=spf1 include:mta.c1gstudio.com -all"

2. Under the mta host record, add the SPF record that lists the server's public (outbound) IP address:
mta IN TXT "v=spf1 ip4:208.133.199.7 -all"
If a whole range sends mail:
mta IN TXT "v=spf1 ip4:208.133.199.0/24 -all"
There must be no space between ip4: and the address: "ip4: 208.133.199.7" is a syntax error, and a receiver treats the whole record as a permanent error rather than a match. -all asks receivers to fail everything not listed, so every host that sends mail for the domain must appear here.

Verify with nslookup (on Windows: cmd -> nslookup). Set the query type to TXT, since SPF records are published as TXT records:
set type=txt
Then enter the domain whose SPF record you want to see; here it is 163.com. For an address xx@yy.com the domain to query is yy.com.
In the answer, the include keyword shows that the 163.com SPF policy is carried in the TXT record of spf.163.com,
so query spf.163.com as a TXT record in turn.
That gives the final result.
Go through the IPs in the output and confirm that every address that sends mail for the domain is covered.

A sender whose domain publishes no usable SPF record (here apache@localhost.localdomain) gets a neutral result from Gmail:
Received-SPF: neutral (google.com: 60.195.249.163 is neither permitted nor denied by domain of apache@localhost.localdomain)
After publishing the record, send a message to a Gmail address and inspect the headers; Received-SPF: pass means the check succeeded:
Received-SPF: pass (google.com: domain of #####@yeah.net designates 60.12.227.137 as permitted sender

That completes SPF.
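The manual nslookup walk above can be automated. The script below is an added example written for this article (not code from the original post or from any SPF library): it follows include: chains, matches ip4:/ip6: mechanisms and returns the result a receiver would compute for a given sender IP, then lists which of your outbound addresses would not get pass. DNS is replaced by an in-memory table that reuses the article's records plus constructed entries (mail.example, spf.mail.example, broken.example, noall.example); broken.example reproduces the "ip4: 208.133.199.7" form with a space after the colon to show that it yields permerror, not a match. The a, mx, ptr and exists mechanisms and the redirect modifier are deliberately left unimplemented and raise.

```python
"""Minimal SPF evaluator (RFC 7208 subset) for checking a record before it is
published. Example code written for this article, not from the original post
or from any SPF library. DNS is replaced by the ZONE table so it runs offline;
point lookup_txt() at a real resolver to check a live zone.
"""
import ipaddress

# Constructed stand-in for DNS TXT data. The c1gstudio.com entries mirror the
# article's records; the *.example names are made up for this example.
ZONE = {
    "c1gstudio.com":     ["v=spf1 include:mta.c1gstudio.com -all"],
    "mta.c1gstudio.com": ["v=spf1 ip4:208.133.199.7 -all"],
    # The same record with a space after "ip4:": a syntax error, not a match.
    "broken.example":    ["v=spf1 ip4: 208.133.199.7 -all"],
    # Two-level include chain, like 163.com -> spf.163.com in the text.
    "mail.example":      ["v=spf1 include:spf.mail.example -all"],
    "spf.mail.example":  ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "noall.example":     ["v=spf1 ip4:203.0.113.9"],   # no "all" term: default is neutral
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup_txt(domain):
    """TXT strings for a name; reads ZONE here, would query DNS in real use."""
    return ZONE.get(domain.lower(), [])


def spf_record(domain):
    """The single v=spf1 TXT string of a domain, or None if it publishes none."""
    records = [r for r in lookup_txt(domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise ValueError("permerror: %s publishes %d SPF records" % (domain, len(records)))
    return records[0] if records else None


def check_host(ip, domain, _counter=None):
    """RFC 7208 check_host(): the result for ip sending with MAIL FROM @domain."""
    counter = _counter if _counter is not None else [0]
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # "" raises ValueError
            except ValueError:
                return "permerror"      # e.g. "ip4:" with the address after a space
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            counter[0] += 1
            if counter[0] > MAX_DNS_MECHANISMS:
                return "permerror"
            sub = check_host(ip, arg, counter)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"      # including a domain with no usable record is fatal
            # fail/softfail/neutral inside an include: no match, keep evaluating
        elif name in ("a", "mx", "ptr", "exists") or name.startswith(("redirect=", "exp=")):
            raise NotImplementedError("term %r is not handled by this example" % term)
        else:
            return "permerror"          # unknown mechanism, e.g. a bare IP left by a typo
    return "neutral"                    # ran off the end without hitting an "all"


def uncovered_senders(domain, sender_ips):
    """The article's last SPF step: which of our outbound IPs would not get pass."""
    return [ip for ip in sender_ips if check_host(ip, domain) != "pass"]


if __name__ == "__main__":
    for ip, dom in [("208.133.199.7", "c1gstudio.com"), ("60.195.249.163", "c1gstudio.com"),
                    ("208.133.199.7", "broken.example"), ("2001:db8::1", "mail.example")]:
        print("%-16s %-20s %s" % (ip, dom, check_host(ip, dom)))
    print("not covered:", uncovered_senders("c1gstudio.com", ["208.133.199.7", "60.12.227.137"]))
```

Running it shows the typo's effect directly: the correct mta.c1gstudio.com record gives pass for 208.133.199.7, while broken.example gives permerror for the same address, which most receivers treat as "no policy" at best. A softfail or fail inside an included record is not a match, so evaluation continues to the outer -all, which is why mail.example fails for 192.0.2.1 even though spf.mail.example ends in ~all.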
DKIM
The quickest way to install OpenDKIM is from the EPEL repository.
For RHEL 5 / CentOS 5:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
For RHEL 6 / CentOS 6:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Installing opendkim creates an opendkim user and group. If /etc/passwd has been locked against modification, unlock it first so the package's post-install script can add the user.

yum clean all
yum install opendkim

Installing:
opendkim x86_64 2.8.4-1.el5 epel 262 k
Installing for dependencies:
ldns x86_64 1.6.16-1.el5 epel 507 k
libopendkim x86_64 2.8.4-1.el5 epel 75 k
unbound-libs x86_64 1.4.20-2.el5 epel 258 k

After installation, the commands below generate a key pair in the current directory: default.private (the private signing key) and default.txt (the public key, formatted as a DNS TXT record). -d is the signing domain and -r restricts the key to e-mail use (s=email in the record); the selector defaults to default (-s picks another). The key shown below is 1024 bits; pass -b 2048 to generate the size current guidance recommends.

1.
cd /etc/opendkim/keys
opendkim-genkey -r -d mta.c1gstudio.com
default.txt contains something like this:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB" ) ; ----- DKIM key default for mta.c1gstudio.com

2. Fix ownership so the opendkim daemon can read the private key (it should stay unreadable to every other user):
chown opendkim default.private

3. Edit the configuration file
vi /etc/opendkim.conf

# s = sign outgoing mail, v = verify incoming mail
Mode sv
UserID opendkim:opendkim
# Postfix connects to this socket
Socket inet:8891@localhost
# header/body canonicalization recorded as c= in the signatures
Canonicalization relaxed/simple
# Domain and KeyFile are superseded by the SigningTable/KeyTable below
Domain mta.c1gstudio.com
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
# clients listed here get their mail signed; everyone else is only verified
InternalHosts refile:/etc/opendkim/TrustedHosts
SyslogSuccess No
LogWhy No

4. Trusted sending addresses. Mail arriving from these hosts is treated as internal and signed; mail from any other source is only verified. List every client or relay that hands outbound mail to this server and nothing more, since anything listed here can get its mail signed with your key.
vi /etc/opendkim/TrustedHosts

127.0.0.1
#hostname1.example1.com
192.168.1.0/24

5. Key table: maps a key name to domain:selector:private-key-file
vi /etc/opendkim/KeyTable

default._domainkey.mta.c1gstudio.com mta.c1gstudio.com:default:/etc/opendkim/keys/default.private

6. Signing table: maps sender addresses to the key (by its KeyTable name) used to sign them, so several domains can share one key
vi /etc/opendkim/SigningTable

*@mta.c1gstudio.com default._domainkey.mta.c1gstudio.com
*@c1gstudio.com default._domainkey.mta.c1gstudio.com

7. Start opendkim
/etc/init.d/opendkim start
Starting OpenDKIM Milter: [ OK ]

Start it at boot:
chkconfig opendkim on

8. Edit the Postfix configuration and append at the end
vi /etc/postfix/main.cf

#################dkim###################
# mail arriving over SMTP goes through opendkim ...
smtpd_milters = inet:localhost:8891
# ... and so does mail submitted locally via sendmail/pickup, e.g. from web applications
non_smtpd_milters = inet:localhost:8891
# if opendkim is down, keep delivering (mail then goes out unsigned and unverified)
milter_default_action = accept
milter_protocol = 2

milter_protocol = 2 is only required for Postfix versions older than 2.6; from 2.6 on the default protocol (6) works with OpenDKIM and the line can be omitted.

9. Reload Postfix
/usr/local/postfix/sbin/postfix reload

10. Set up DNS
Publish the public key as a TXT record named default._domainkey under mta.c1gstudio.com, i.e. default._domainkey.mta.c1gstudio.com, which is the name verifiers build from the selector s=default and domain d=mta.c1gstudio.com in the signature:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB" )

A gripe here: the domain panel at 商务中国 (Bizcn) would not accept a host name containing an underscore, so I moved the zone to DNSPod.

11. Verify the DNS record
http://dkimcore.org/tools/
Check a published DKIM Core Key:
Selector: default
Domain name: mta.c1gstudio.com

12. Mail test
tail -f /var/log/maillog
Dec 12 17:36:48 c1g opendkim[30546]: 9F36E1A181C8: DKIM-Signature field added (s=default, d=mta.c1gstudio.com)

Then send mail to Gmail and Hotmail accounts and check whether it arrives with a DKIM signature.
In the headers of a message received by Gmail, look for spf=pass and dkim=pass:

Received-SPF: pass (google.com: domain of service@mta.c1gstudio.com designates 208.133.199.7 as permitted sender) client-ip=208.133.199.7;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of service@mta.c1gstudio.com designates 208.133.199.7 as permitted sender) smtp.mail=service@mta.c1gstudio.com;
dkim=pass header.i=@mta.c1gstudio.com
Received: from c1g (c1g [208.133.199.7])
by mta.c1gstudio.com (Postfix) with ESMTP id C3BB21A1825C
for ; Fri, 13 Dec 2013 10:47:02 +0800 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta.c1gstudio.com;
s=default; t=1386902822;
bh=spJ3t+Wlf7qUYsyf9zBZsdaztFW9Vj9zn2URNGhfZ3o=;
h=Date:From:To:Subject;
b=R7gyGPsyKqNq3ceDTQYq958qRkdJE04xKCCKOseCb/Gi5v9rLr6jyZyUWsP5PstqX
WhfTjErGippcxJEe84B4yTOE0gYDRJB//I8pEF+jux/qF7JhmIc3+Cs/yqI
powsNbGdwkJaB3WlCPwroBk88/wP8W64tWda4oyGTVYZzNU=
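The checks behind steps 10 to 12 can be run offline. The script below is an added example written for this article (not code from the original post or from OpenDKIM): it parses a DKIM-Signature header such as the one above, applies the simple and relaxed body canonicalizations named by the Canonicalization relaxed/simple setting, recomputes bh= and compares it with the header, derives the DNS name a verifier queries from s= and d=, and reads the modulus size out of the published p= key (the article's key is 1024 bits; RFC 8301 recommends 2048). The header and TXT data are the article's own; the message bodies are constructed. Verifying the b= signature itself needs the public key and an RSA library and is left out.

```python
"""Offline DKIM checks for this setup. Example code written for this article, not
from the original post or from OpenDKIM. Parses a DKIM-Signature header, applies
the simple/relaxed body canonicalizations (RFC 6376 section 3.4), recomputes bh=,
derives the DNS name a verifier queries, and reads the RSA key size from p=.
Checking the b= signature itself needs an RSA library and is not done here.
"""
import base64
import hashlib
import re

# The article's DKIM-Signature header, folded as Gmail displayed it.
PAGE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=mta.c1gstudio.com;\r\n"
    "\ts=default; t=1386902822;\r\n"
    "\tbh=spJ3t+Wlf7qUYsyf9zBZsdaztFW9Vj9zn2URNGhfZ3o=;\r\n"
    "\th=Date:From:To:Subject;\r\n"
    "\tb=R7gyGPsyKqNq3ceDTQYq958qRkdJE04xKCCKOseCb/Gi5v9rLr6jyZyUWsP5PstqX\r\n"
    "\t WhfTjErGippcxJEe84B4yTOE0gYDRJB//I8pEF+jux/qF7JhmIc3+Cs/yqI\r\n"
    "\t powsNbGdwkJaB3WlCPwroBk88/wP8W64tWda4oyGTVYZzNU=")
# The article's published key (default.txt) as the single TXT string a resolver returns.
PAGE_TXT = ("v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowEr"
            "ith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJI"
            "n33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB")


def parse_tags(text):
    """Parse DKIM tag=value; ... text (header or TXT record), unfolding it first."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", text).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            key = key.strip()
            # whitespace inside the base64 tags is insignificant (RFC 6376 3.5): drop it
            tags[key] = re.sub(r"\s+", "", value) if key in ("b", "bh", "p") else value.strip()
    return tags


def canonicalize_body(body, method):
    """Body canonicalization: RFC 6376 3.4.3 'simple' or 3.4.4 'relaxed'."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")   # every line ends in CRLF
    if method == "relaxed":                                   # squeeze WSP, strip trailing WSP
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n"))
    while body.endswith("\r\n"):                              # drop trailing empty lines
        body = body[:-2]
    if body == "" and method == "relaxed":                    # relaxed: empty stays empty,
        return ""
    return body + "\r\n"                                      # simple: empty body is one CRLF


def body_hash(body, method, algorithm="rsa-sha256"):
    """The base64 bh= value for body under the given canonicalization and a= algorithm."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method).encode()).digest()).decode()


def check_body_hash(header_value, body):
    """True when the body as received still hashes to the bh= the signer recorded."""
    tags = parse_tags(header_value)
    _, _, body_c = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_c or "simple", tags.get("a", "rsa-sha256")) == tags["bh"]


def dns_record_name(header_value):
    """The TXT name a verifier queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(header_value)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def _der_read(buf, pos):
    """Read one DER element at pos: (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(txt_record):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM record's p= tag."""
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    if not tags.get("p"):
        raise ValueError("empty p= means the selector's key has been revoked")
    _, seq, _ = _der_read(base64.b64decode(tags["p"]), 0)   # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, pos = _der_read(seq, 0)                            # skip AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed SubjectPublicKeyInfo")
    _, rsakey, _ = _der_read(bits, 1)                        # RSAPublicKey SEQUENCE { n, e }
    _, modulus, _ = _der_read(rsakey, 0)                     # INTEGER n; leading 0x00 keeps it positive
    return len(modulus.lstrip(b"\x00")) * 8


if __name__ == "__main__":
    body = "Hello from mta.c1gstudio.com\r\n\r\n"            # constructed sample body
    hdr = PAGE_HEADER.replace(parse_tags(PAGE_HEADER)["bh"], body_hash(body, "simple"))
    print("bh ok:", check_body_hash(hdr, body), "tampered:", check_body_hash(hdr, body + "!"))
    print("verifier queries", dns_record_name(hdr), "key size", rsa_key_bits(PAGE_TXT), "bits")
```

Two things worth seeing here: with c=relaxed/simple the body side is simple, so extra trailing blank lines or LF-only line endings added by a relay do not break bh=, but any change to the text does; and the name a verifier looks up is built purely from s= and d=, so the TXT record must sit at exactly default._domainkey.mta.c1gstudio.com, which is why a panel that rejects underscores blocks DKIM entirely.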

Troubleshooting:
1.
tail -f /var/log/maillog
opendkim no signature data
Nothing is being signed because the configured Mode does not include signing. Set it in opendkim.conf to sign and verify:
Mode sv

2.
Dec 13 16:15:03 localhost opendkim[3248]: can't load key from /etc/opendkim/keys/default.private: Permission denied
The daemon runs as the opendkim user and cannot read the key file; give it ownership:
cd /etc/opendkim/keys/
chown opendkim default.private


Posted in Mail/Postfix.
