

Adding SPF and DKIM to a Postfix mail server

Google announced that 91.4% of the mail delivered to Gmail already uses the DKIM or SPF anti-forgery standards.

SPF

SPF is published as TXT records in the domain's DNS. The example uses the mail server mta.c1gstudio.com with IP 208.133.199.7.

1. An SPF record on the apex that points at the MTA host record:

@ IN TXT "v=spf1 include:mta.c1gstudio.com -all"

2. Under the mta record, add an SPF record listing the IP address (the mail server's public IP):

mta IN TXT "v=spf1 ip4:208.133.199.7 -all"

If you need a whole range:

mta IN TXT "v=spf1 ip4:208.133.199.0/24 -all"

There must be no space after ip4: because SPF terms are separated by whitespace; with a space the address becomes a separate, unknown term and the record is invalid.

Verify with nslookup. On Windows, open cmd, run nslookup, and set the query type to txt (SPF records are TXT records):

set type=txt

Then enter the domain whose SPF record you want to check; here it is 163.com. If the mail address is [email protected], the domain to query is yy.com. The "include" keyword in the result shows that 163.com's SPF record is pulled in from the TXT record of spf.163.com, so query the TXT record of spf.163.com as well. In the final output, check the IPs and confirm that every sending IP is covered.

Send a message to Gmail and look at the message headers. A neutral result looks like this:

Received-SPF: neutral (google.com: 60.195.249.163 is neither permitted nor denied by domain of [email protected])

SPF: pass means the check passed:

Received-SPF: pass (google.com: domain of #####@yeah.net designates 60.12.227.137 as permitted sender

That completes SPF.
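To see what a receiver does with the two records above, here is a small SPF evaluator written for this post (not the author's code and not a real resolver): it models the ip4, ip6, include and all mechanisms the post uses with a constructed, in-memory stand-in for DNS TXT answers, and shows why a stray space after ip4: turns the record into a permerror. Swap FAKE_TXT for real TXT lookups to run it against live DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT answers (assumption: these are the records
# the post says to publish; nothing is looked up on the network).
FAKE_TXT = {
    "c1gstudio.com": ["v=spf1 include:mta.c1gstudio.com -all"],
    "mta.c1gstudio.com": ["v=spf1 ip4:208.133.199.7 -all"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's single v=spf1 TXT record, or None if there is not
    exactly one (RFC 7208 section 4.5: zero or several records means no usable SPF)."""
    records = [r for r in txt.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate a connecting IP against a domain's SPF record. Only the
    ip4, ip6, include and all mechanisms are modeled; others give permerror."""
    if depth > 10:                      # RFC 7208 cap on include recursion
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # no prefix means "pass" on a match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                # "ip4: 1.2.3.4" with a space: the mechanism has no argument and
                # the address has become a separate, unknown term
                return "permerror"
            if addr in net:             # a v4 address never matches an ip6 network
                return RESULT_BY_QUALIFIER[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, txt, depth + 1)
            if sub == "pass":
                return RESULT_BY_QUALIFIER[qualifier]
            if sub in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
        else:
            return "permerror"          # a, mx, ptr, exists, redirect not modeled
    return "neutral"                    # record ended without an "all" term


if __name__ == "__main__":
    for ip in ("208.133.199.7", "60.195.249.163"):
        print(ip, "->", check_host(ip, "c1gstudio.com"))
```

With the post's two records, the MTA's own address yields pass for both c1gstudio.com (via include) and mta.c1gstudio.com, while any other address hits -all and fails, which is exactly what the Received-SPF headers in the post report.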

DKIM

Installing opendkim from the EPEL repository is the quickest route. For RHEL 5 / CentOS 5:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

For RHEL 6 / CentOS 6:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Installing opendkim adds an opendkim user and group; if the password file /etc/passwd is locked, remember to unlock it first.

yum clean all
yum install opendkim

Installing:
opendkim x86_64 2.8.4-1.el5 epel 262 k
Installing for dependencies:
ldns x86_64 1.6.16-1.el5 epel 507 k
libopendkim x86_64 2.8.4-1.el5 epel 75 k
unbound-libs x86_64 1.4.20-2.el5 epel 258 k

After installation, the following command generates a key pair in the current directory as two files: default.private (the private key) and default.txt (the public key as a DNS record).

1. Generate the key:

cd /etc/opendkim/keys
opendkim-genkey -r -d mta.c1gstudio.com

default.txt then contains something like:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB" ) ; ----- DKIM key default for mta.c1gstudio.com

2. Fix the ownership of the private key:

chown opendkim default.private

3. Edit the configuration file:

vi /etc/opendkim.conf

Mode sv
UserID opendkim:opendkim
Socket inet:8891@localhost
Canonicalization relaxed/simple
Domain mta.c1gstudio.com
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
SyslogSuccess No
LogWhy No

Mode sv means sign and verify. When KeyTable is set it overrides the single-domain KeyFile setting, so the tables below decide which key signs which domain.

4. Trusted sending IP addresses:

vi /etc/opendkim/TrustedHosts

127.0.0.1
#hostname1.example1.com
192.168.1.0/24

5. Private key table:

vi /etc/opendkim/KeyTable

default._domainkey.mta.c1gstudio.com mta.c1gstudio.com:default:/etc/opendkim/keys/default.private

6. With several domains, the SigningTable selects which key each domain signs with:

vi /etc/opendkim/SigningTable

*@mta.c1gstudio.com [email protected]
*@c1gstudio.com [email protected]

7. Start opendkim:

/etc/init.d/opendkim start
Starting OpenDKIM Milter: [ OK ]

Enable it at boot:

chkconfig opendkim on

8. Edit the Postfix configuration and append at the end:

vi /etc/postfix/main.cf

#################dkim###################
smtpd_milters = inet:localhost:8891
milter_default_action = accept
milter_protocol = 2
non_smtpd_milters = inet:localhost:8891

If the Postfix version is older than 2.6, milter_protocol = 2 must be added.

9. Reload Postfix:

/usr/local/postfix/sbin/postfix reload

10. Configure DNS: add the public key as a TXT record under mta.c1gstudio.com:

default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB" )

A gripe here: the 商务中国 domain panel cannot add host names containing an underscore "_", so I moved the zone to dnspod.

11. Verify the published key at http://dkimcore.org/tools/ ("Check a published DKIM Core Key"): Selector: default, Domain name: mail.c1gstudio.com

12. Send a test message and watch the log:

tail -f /var/log/maillog
Dec 12 17:36:48 c1g opendkim[30546]: 9F36E1A181C8: DKIM-Signature field added (s=default, d=mta.c1gstudio.com)

Then send mail to Gmail and Hotmail and check whether it carries a DKIM signature. For a message sent to Gmail, the headers show spf=pass and dkim=pass:

Received-SPF: pass (google.com: domain of [email protected] designates 208.133.199.7 as permitted sender) client-ip=208.133.199.7;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 208.133.199.7 as permitted sender) [email protected]; dkim=pass [email protected]
Received: from c1g (c1g [208.133.199.7]) by mta.c1gstudio.com (Postfix) with ESMTP id C3BB21A1825C for ; Fri, 13 Dec 2013 10:47:02 +0800 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta.c1gstudio.com; s=default; t=1386902822; bh=spJ3t+Wlf7qUYsyf9zBZsdaztFW9Vj9zn2URNGhfZ3o=; h=Date:From:To:Subject; b=R7gyGPsyKqNq3ceDTQYq958qRkdJE04xKCCKOseCb/Gi5v9rLr6jyZyUWsP5PstqX WhfTjErGippcxJEe84B4yTOE0gYDRJB//I8pEF+jux/qF7JhmIc3+Cs/yqI powsNbGdwkJaB3WlCPwroBk88/wP8W64tWda4oyGTVYZzNU=
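Two checks a practitioner wants at the end of the DKIM steps are "is the record I published actually usable?" and "does the bh= in the signature match the body?". The following Python is an added example written for this post (not the author's code and not opendkim): it joins the split TXT strings from the default.txt line above the way a resolver does, validates the tags and the base64 key, parses the DKIM-Signature value Gmail received, and recomputes the body hash under the simple and relaxed body canonicalizations of RFC 6376 (c=relaxed/simple means relaxed headers, simple body). The sample body is constructed; the zone line and signature value are the ones shown in this post. Signature (b=) verification itself needs an RSA library and is not modeled here.

```python
import base64
import hashlib
import hmac
import re

# Values taken from this post: the default.txt line from opendkim-genkey and the
# DKIM-Signature value received by Gmail (header name stripped).
SAMPLE_ZONE_LINE = (
    'default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " '
    '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWL'
    'VhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq'
    '6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB"'
    ' ) ; ----- DKIM key default for mta.c1gstudio.com'
)
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=mta.c1gstudio.com; s=default; "
    "t=1386902822; bh=spJ3t+Wlf7qUYsyf9zBZsdaztFW9Vj9zn2URNGhfZ3o=; "
    "h=Date:From:To:Subject; b=R7gyGPsyKqNq3ceDTQYq958qRkdJE04xKCCKOseCb/"
    "Gi5v9rLr6jyZyUWsP5PstqX WhfTjErGippcxJEe84B4yTOE0gYDRJB//I8pEF+jux/"
    "qF7JhmIc3+Cs/yqI powsNbGdwkJaB3WlCPwroBk88/wP8W64tWda4oyGTVYZzNU="
)


def parse_tags(value):
    """Split a DKIM tag=value list into a dict; folding whitespace inside a
    value (as in the wrapped b= tag above) is dropped (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def join_txt_record(zone_line):
    """Concatenate the quoted strings of a zone-file TXT RR, as a verifier does."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))


def check_dkim_record(record):
    """Return a list of problems with a published key record; empty means OK."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an a=rsa-sha256 signer")
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            problems.append("p= is not valid base64 (check quoting/splitting in the DNS panel)")
        else:
            if not der or der[0] != 0x30:   # DER SEQUENCE of SubjectPublicKeyInfo
                problems.append("p= does not decode to a DER public key")
    return problems


def canon_body_simple(body):
    """RFC 6376 section 3.4.3: drop empty lines at the end; empty body -> CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body or b"\r\n"


def canon_body_relaxed(body):
    """RFC 6376 section 3.4.4: strip trailing WSP per line, collapse WSP runs to one
    space, drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t"))
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body, canon="simple"):
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode()


def verify_body_hash(signature_value, body):
    """Recompute bh= with the body algorithm named by c= and compare it to the
    header's bh=; a mismatch means the body changed in transit or the
    canonicalization configured on the signer differs."""
    tags = parse_tags(signature_value)
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise ValueError("only rsa-sha256 is modeled here")
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return hmac.compare_digest(body_hash(body, body_canon), tags.get("bh", ""))


if __name__ == "__main__":
    print("published key problems:", check_dkim_record(join_txt_record(SAMPLE_ZONE_LINE)) or "none")
    print("signed by d=%(d)s s=%(s)s" % parse_tags(SAMPLE_SIGNATURE))
    body = b"Hello from mta.c1gstudio.com\r\n\r\n"     # constructed sample body
    sig = "v=1; a=rsa-sha256; c=relaxed/simple; bh=%s; b=" % body_hash(body)
    print("body hash matches:", verify_body_hash(sig, body))
```

The record check catches the failure mode behind the author's DNS-panel complaint: a panel that mangles the quoted strings or the underscore host name yields a p= value that no longer decodes, and receivers then report dkim=fail or a missing key rather than dkim=pass.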

Troubleshooting:

1. tail -f /var/log/maillog shows "opendkim no signature data": nothing is being signed. Change the mode in opendkim.conf to sv:

Mode sv

2. The log shows:

Dec 13 16:15:03 localhost opendkim[3248]: can't load key from /etc/opendkim/keys/default.private: Permission denied

Fix the ownership of the private key:

cd /etc/opendkim/keys/
chown opendkim default.private

References:

http://mail.163.com/hd/all/chengxin/3.htm
http://stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
http://www.banping.com/2011/07/19/postfix-dkim/
http://www.info110.com/mailserver/in27377-1.htm

Posted in Mail/Postfix.
