Google宣布发送给Gmail的91.4%邮件都采用DKIM或SPF反伪造标准
spf
在域名的dns管理中增加txt记录
以邮件服务器mta.c1gstudio.com ip:208.133.199.7 为例
1.SPF 记录指向A主机记录
@ IN TXT “v=spf1 include:mta.c1gstudio.com -all”
2.这个mta记录下增加spf IP地址(ip地址为邮件服务器对外ip)
mta IN TXT “v=spf1 ip4: 208.133.199.7 -all”
如果需要ip段
mta IN TXT “v=spf1 ip4: 208.133.199.0/24 -all”
使用nslookup命令进行查询验证 windows下cmd->nslookup
查询的类型(type)为txt (SPF记录都是txt类型文件)set type=txt
输入要查询SPF记录的域名。这里要查询的域名是”163.com”。如果邮件地址是 [email protected] ,那么需要查询的域名就是 yy.com
查询的结果,从结果里的”include”这个关键字可以知道,163.com的SPF记录包含在”spf.163.com”的”txt”类型中
所以,再一次查询”spf.163.com”的”txt”类型
最终结果出来了
检查输出的IP,确认是否已经包含了所有发信IP
Received-SPF: neutral (google.com: 60.195.249.163 is neither permitted nor denied by domain of [email protected])
发送邮件到gmail后,查看邮件头,包含SPF: pass为通过
Received-SPF: pass (google.com: domain of #####@yeah.net designates 60.12.227.137 as permitted sender
以上spf算是完成了.
dkim
安装opendkim可以使用epel库方便快捷
rhel5/centos5用这个
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rhel6/centos6用这个
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
安装opendkim会增加opendkim用户和组
如果密码文件/etc/passwd已加锁,记得解锁
yum clean all
yum install opendkim
Installing:
opendkim x86_64 2.8.4-1.el5 epel 262 k
Installing for dependencies:
ldns x86_64 1.6.16-1.el5 epel 507 k
libopendkim x86_64 2.8.4-1.el5 epel 75 k
unbound-libs x86_64 1.4.20-2.el5 epel 258 k
安装完成后,输入如下命令,会在当前目录下生成公钥和私钥两个文件:default.private 和 default.txt
1.
cd /etc/opendkim/keys
opendkim-genkey -r -d mta.c1gstudio.com
default.txt 里面的内容类似如下:
default._domainkey IN TXT ( “v=DKIM1; k=rsa; s=email; ”
“p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB” ) ; —– DKIM key default for mta.c1gstudio.com
2.修改文件属性
chown opendkim default.private
3.编缉配置文件
vi /etc/opendkim.conf
Mode sv
UserID opendkim:opendkim
Socket inet:8891@localhost
Canonicalization relaxed/simple
Domain mta.c1gstudio.com
KeyFile /etc/opendkim/keys/default.private
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
SyslogSuccess No
LogWhy No
4.信任的发信ip地址
vi /etc/opendkim/TrustedHosts
127.0.0.1
#hostname1.example1.com
192.168.1.0/24
5.private key
vi /etc/opendkim/KeyTable
default._domainkey.mta.c1gstudio.com mta.c1gstudio.com:default:/etc/opendkim/keys/default.private
6.多个域名可以指定使用哪个public key
vi /etc/opendkim/SigningTable
*@mta.c1gstudio.com [email protected]
*@c1gstudio.com [email protected]
7.启动opendkim
/etc/init.d/opendkim start
Starting OpenDKIM Milter: [ OK ]
开机启动
chkconfig opendkim on
8.编辑postfix,在末尾加入
vi /etc/postfix/main.cf
#################dkim###################
smtpd_milters= inet:localhost:8891
milter_default_action = accept
milter_protocol = 2
non_smtpd_milters = inet:localhost:8891
如果Postfix 版本小于2.6需加上
milter_protocol = 2
9.重启postfix
/usr/local/postfix/sbin/postfix reload
10.设置域名dns
将public key加入到mta.c1gstudio.com的txt记录中
default._domainkey IN TXT ( “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTEMk2ow/WZuQheCMxZrowErith/LVsaWLVhkkrONT2S4LZcuuVbgCkr2EGaoJUNjc/Ztu0Z47RPbLDkGGjtCwy6VnUeKWh7ijwu2+AHyq6mJIn33z7TGz90Io0o30PjQLSeO1E/ozRpBSljvJMikYUDYfZpWZSxcIhtOetOp8mwIDAQAB” )
这里吐槽下商务中国的域名面板无法加含”_”下划线的主机名,转战dnspod.
11.验证域名
http://dkimcore.org/tools/
Check a published DKIM Core Key:
Selector:default
Domain name:mail.c1gstudio.com
12.邮件测试
tail -f /var/log/maillog
Dec 12 17:36:48 c1g opendkim[30546]: 9F36E1A181C8: DKIM-Signature field added (s=default, d=mta.c1gstudio.com)
接着再发邮件到gmail和hotmail中查看dkim是否有签名。
给gmail发邮件,然后查看邮件头,看到spf=pass和dkim=pass
Received-SPF: pass (google.com: domain of [email protected] designates 208.133.199.7 as permitted sender) client-ip=208.133.199.7;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 208.133.199.7 as permitted sender) [email protected];
dkim=pass [email protected]
Received: from c1g (c1g [208.133.199.7])
by mta.c1gstudio.com (Postfix) with ESMTP id C3BB21A1825C
for
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta.c1gstudio.com;
s=default; t=1386902822;
bh=spJ3t+Wlf7qUYsyf9zBZsdaztFW9Vj9zn2URNGhfZ3o=;
h=Date:From:To:Subject;
b=R7gyGPsyKqNq3ceDTQYq958qRkdJE04xKCCKOseCb/Gi5v9rLr6jyZyUWsP5PstqX
WhfTjErGippcxJEe84B4yTOE0gYDRJB//I8pEF+jux/qF7JhmIc3+Cs/yqI
powsNbGdwkJaB3WlCPwroBk88/wP8W64tWda4oyGTVYZzNU=
trouble shooting:
1.
tail -f /var/log/maillog
opendkim no signature data
没有签名,需改成将opendkim.conf中的模式改成sv
Mode sv
2.
Dec 13 16:15:03 localhost opendkim[3248]: can’t load key from /etc/opendkim/keys/default.private: Permission denied
cd /etc/opendkim/keys/
chown opendkim default.private
参考:
http://mail.163.com/hd/all/chengxin/3.htm
http://stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
http://www.banping.com/2011/07/19/postfix-dkim/
http://www.info110.com/mailserver/in27377-1.htm
近期评论