Centos
SPF and OpenDMARC not working in Postfix
I am implementing SPF and OpenDMARC/DKIM for my mail servers. Currently I have two mail servers in different subnets, each with its own DNS server and domain name. They can exchange e-mail successfully.
I set up SPF with pypolicyd-spf, DMARC with OpenDMARC and DKIM with OpenDKIM. DKIM works perfectly, but I have some problems with DMARC and SPF, which may be related to my topology (a diagram of it is below).
I have users on each mail server, and I exchange mail between them through SquirrelMail.
How do I get SPF and DMARC to work? In my e-mail headers I get:
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132
Authentication-Results: OpenDKIM; dmarc=none (p=none dis=none) header.from=another.com
I think there is something wrong with the localhost IP in the log, but I don't know what causes it:
policyd-spf[2183]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=[192.168.22.128]; envelope-from=centos1@example.com; receiver=<UNKNOWN>
postfix/smtpd[2177]: D5DA9C0F5F38: client=localhost[127.0.0.1]
My postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = example.com
mynetworks = 127.0.0.0/8, 192.168.22.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf, permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550
Network diagram:
I can provide any other information if needed.
Of course, all the entries in DNS have been created.
example.com. IN TXT "v=spf1 mx ~all"
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=XXXkeyXXX" ) ; ----- DKIM key default for example.com
_dmarc.example.com. IN TXT "v=DMARC1; p=none; pct=100"
policyd-spf log:
policyd-spf[2681]: Read line: "request=smtpd_access_policy"
policyd-spf[2681]: Read line: "protocol_state=RCPT"
policyd-spf[2681]: Read line: "protocol_name=ESMTP"
policyd-spf[2681]: Read line: "client_address=192.168.22.132"
policyd-spf[2681]: Read line: "client_name=gateway"
policyd-spf[2681]: Read line: "reverse_client_name=gateway"
policyd-spf[2681]: Read line: "helo_name=example.com"
policyd-spf[2681]: Read line: "sender=daniel@example.com"
policyd-spf[2681]: Read line: "recipient=marek@another.com"
policyd-spf[2681]: Read line: "recipient_count=0"
policyd-spf[2681]: Read line: "queue_id="
policyd-spf[2681]: Read line: "instance=a73.5fe8c4e7.510b9.0"
policyd-spf[2681]: Read line: "size=935"
policyd-spf[2681]: Read line: "etrn_domain="
policyd-spf[2681]: Read line: "stress="
policyd-spf[2681]: Read line: "sasl_method="
policyd-spf[2681]: Read line: "sasl_username="
policyd-spf[2681]: Read line: "sasl_sender="
policyd-spf[2681]: Read line: "ccert_subject="
policyd-spf[2681]: Read line: "ccert_issuer="
policyd-spf[2681]: Read line: "ccert_fingerprint="
policyd-spf[2681]: Read line: "ccert_pubkey_fingerprint="
policyd-spf[2681]: Read line: "encryption_protocol="
policyd-spf[2681]: Read line: "encryption_cipher="
policyd-spf[2681]: Read line: "encryption_keysize=0"
policyd-spf[2681]: Read line: ""
policyd-spf[2681]: Found the end of entry
policyd-spf[2681]: Config: {'Whitelist_Lookup_Time': 10, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'Reason_Message': 'Message {rejectdefer} due to: {spf}. 
Please see {url}', 'PermError_reject': 'False', 'Header_Type': 'SPF', 'TestOnly': 0, 'SPF_Enhanced_Status_Codes': 'Yes', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'debugLevel': 4, 'Authserv_Id': 'centos2.another.agh.edu.pl', 'Mail_From_reject': 'Fail', 'Hide_Receiver': 'Yes', 'HELO_reject': 'Fail', 'Void_Limit': 2, 'Mock': False}
Dec 27 12:31:19 centos2 policyd-spf[2681]: Cached data for this instance: []
Dec 27 12:31:19 centos2 policyd-spf[2681]: skip_addresses enabled.
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'helo']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=no SPF record; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.com; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=mailfrom; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.agh.edu.pl; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: not peruser
Dec 27 12:31:29 centos2 policyd-spf[2681]: Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23
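The policyd-spf log above is a trace of the Postfix policy-delegation protocol: smtpd hands the policy server a block of attribute=value lines terminated by an empty line, and the logged Config shows skip_addresses covering 127.0.0.0/8, which is why a connection from localhost gets the "SPF check N/A for local connections" X-Comment rather than a lookup. The following is an added example (not code from the question and not pypolicyd-spf's own implementation) that parses such a request and applies that skip rule. The sample request is constructed from the attributes visible in the log, and the DUNNO reply for non-local clients stands in for the real SPF lookup that the daemon would perform at that point.

```python
"""Parse one Postfix policy-delegation request and apply a pypolicyd-spf-style
skip_addresses rule. Added example, not pypolicyd-spf's code."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample request, assembled from the attributes in the log above.
# The trailing empty line terminates the request.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.168.22.132\n"
    "client_name=gateway\n"
    "reverse_client_name=gateway\n"
    "helo_name=example.com\n"
    "sender=daniel@example.com\n"
    "recipient=marek@another.com\n"
    "recipient_count=0\n"
    "\n"
)

# Same skip list the logged Config dict shows.
DEFAULT_SKIP = "127.0.0.0/8,::ffff:127.0.0.0/104,::1"


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Turn the attribute=value lines of one request into a dict.
    The request ends at the first empty line; anything after it is ignored."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        attrs[key] = value
    if attrs.get("request") != "smtpd_access_policy":
        raise ValueError("not an smtpd_access_policy request")
    return attrs


def parse_skip_addresses(spec: str) -> List[Network]:
    """Comma-separated networks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(p.strip()) for p in spec.split(",") if p.strip()]


def is_skipped(client_address: str, skip: List[Network]) -> bool:
    """True when the client falls inside any skip network (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(client_address)
    return any(addr in net for net in skip)


def policy_response(raw: str, skip_spec: str = DEFAULT_SKIP) -> str:
    """Build the policy-protocol reply for one request.
    Local clients get the PREPEND of an X-Comment header seen in the log above;
    other clients would be handed to the SPF lookup, which this example replaces
    with DUNNO (let Postfix continue with the next restriction)."""
    attrs = parse_policy_request(raw)
    client = attrs["client_address"]
    if is_skipped(client, parse_skip_addresses(skip_spec)):
        header = ("X-Comment: SPF check N/A for local connections"
                  f" - client-ip={client}; helo={attrs.get('helo_name', '')};"
                  f" envelope-from={attrs.get('sender', '')}")
        return f"action=PREPEND {header}\n\n"
    return "action=DUNNO\n\n"


if __name__ == "__main__":
    print(policy_response(SAMPLE_REQUEST), end="")
    local = SAMPLE_REQUEST.replace("client_address=192.168.22.132", "client_address=127.0.0.1")
    print(policy_response(local), end="")
```

Running it prints DUNNO for the 192.168.22.132 client and the PREPEND line for a localhost client; the local case shows that the localhost line in the question's log is the configured skip rule firing, not a failed check.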
After fighting with SPF in pypolicyd-spf for a few days, I finally know what was wrong.
My topology includes two DNS servers, and the /etc/resolv.conf file on the mail server had both DNS servers.
OpenDMARC SPF worked like a charm, responding to changes in the spf records on both DNSes, but pyspf did not.
The answer is: pypolicyd-spf does not support two DNS servers in resolv.conf. A simple workaround is to create both zones on one DNS server. Then pyspf suddenly started working.
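To check the situation this answer describes, whether every resolver listed in /etc/resolv.conf hands back the same SPF record for a domain, here is an added example (my code, not the answerer's and not part of pypolicyd-spf or pyspf). It reads the nameserver lines, can query each resolver directly with dig (assumed installed; that function is not exercised by the constructed data), and applies RFC 7208's record selection rule, so a resolver that returns no v=spf1 record reports "none", the result shown in the question's log. The resolver addresses and TXT answers in the sample are constructed.

```python
"""Compare the SPF record each configured resolver returns for a domain.
Added example; live lookups shell out to dig, the sample data runs offline."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed resolv.conf with two resolvers, as in the answer above.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.com
nameserver 192.168.22.130
nameserver 192.168.23.130
options timeout:2
"""

# Constructed per-resolver TXT answers in dig +short form: only the first
# resolver carries the SPF record (split into two quoted strings on purpose).
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "192.168.22.130": ['"v=spf1 mx " "~all"', '"some unrelated txt"'],
    "192.168.23.130": [],
}

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses in the order the stub resolver tries them."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def join_txt_strings(rdata: str) -> str:
    """A TXT RR may be split into several quoted strings (the DKIM record in the
    zone snippet above is); the strings are concatenated without separators."""
    return "".join(_QUOTED.findall(rdata))


def spf_result(txt_answers: List[str]) -> Tuple[str, Optional[str]]:
    """RFC 7208 record selection: exactly one v=spf1 record is usable, none
    yields result 'none', more than one is a permerror."""
    records = [r for r in (join_txt_strings(a) for a in txt_answers)
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none", None
    if len(records) > 1:
        return "permerror", None
    return "found", records[0]


def dig_txt(nameserver: str, name: str) -> List[str]:
    """Ask one resolver directly; returns the non-empty dig +short lines."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{nameserver}", name, "TXT"],
        capture_output=True, text=True, check=True).stdout
    return [l for l in out.splitlines() if l]


def compare_resolvers(answers: Dict[str, List[str]]) -> Dict[str, object]:
    """Per-resolver SPF result plus a flag telling whether they all agree."""
    per = {ns: spf_result(txt) for ns, txt in answers.items()}
    return {"per_resolver": per, "consistent": len(set(per.values())) == 1}


def check_domain(name: str, resolv_conf_text: str) -> Dict[str, object]:
    """Live variant: query every resolver from resolv.conf and compare."""
    return compare_resolvers(
        {ns: dig_txt(ns, name) for ns in parse_resolv_conf(resolv_conf_text)})


if __name__ == "__main__":
    report = compare_resolvers(SAMPLE_ANSWERS)
    for ns, (status, rec) in report["per_resolver"].items():
        print(f"{ns}: {status} {rec or ''}")
    print("consistent:", report["consistent"])
```

For a real check, call check_domain("example.com", open("/etc/resolv.conf").read()) on the mail server; a resolver reported as "none" while another reports "found" is exactly the disagreement that produces Received-SPF: None on some lookups and a proper result on others.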