Postfix

Forwarding mail to Gmail (Postfix+SRS) gets a DMARC fail even though SPF and DKIM pass

  • November 12, 2020

I run my own domain, but forward a number of email addresses to my gmail account. Recently I started seeing a lot of mail being flagged as spam by gmail. I have SPF set up for my outgoing email, and use SRS to rewrite the sender address to my own. I also have DKIM set up, although as I understand it this should not apply to forwarded email, only to email generated from my server (and indeed, I see that forwarded email does not get DKIM added, but locally sent messages do). However, I see gmail reporting DMARC failures, and I'm not sure what else I need to do (it mostly happens with two domains: email from chas.com and email from gmail.com itself).

Here is a sample set of mail headers:

Delivered-To: MYADDRESS@gmail.com
Received: by 2002:a25:4c89:0:0:0:0:0 with SMTP id z131csp247333yba;
       Wed, 11 Nov 2020 21:37:05 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwFbRvhPcki/xyFiq4i6zpnks1uM/l10A2Q0Qo3g0AKeqKWLHd+p2gIj+yngrgvIwswgLV1
X-Received: by 2002:a0c:e443:: with SMTP id d3mr18173382qvm.18.1605159425248;
       Wed, 11 Nov 2020 21:37:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605159425; cv=none;
       d=google.com; s=arc-20160816;
       b=JX6leDybyKeQegfcvVUv1g5UjEG5W+C3mE2k+UlyR1/OB9QvRqrtQfEAUqT/311ilI
        qJPsXtXu8evavgz2mho2Mjh84FHntAXHgG+USzMM1xeGLu/VxtNgiZ1TW9cgzWXxXe6K
        84eYdyQeHs4X79tF0BpS6ifuogVtAr3MKFXWvWcSo28c28clL8oByG3xManz7B7aRls5
        Aua8MS/FcBU616aSiFCRTVMbAdnhpDBG8VCkFd6UJfdmUN2jD3L5OPvN3ANTDpu72jAu
        cx6CffRzzlFLo8yHLHZN+BxNbf1HGaQUQZlc6TKDSsaIBal8ZyfZb3AKpTxh83G9zdMM
        gmow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
       h=dkim-signature:list-post:delivered-to:mailing-list:list-id:sender
        :list-unsubscribe:precedence:to:subject:message-id:date:from
        :mime-version:delivered-to;
       bh=JSHgjvIPGqD5iT5NfXIkWoWBKPw2mHWXehrTFtzq6B8=;
       b=0dx9mxfBcmy+az6LMznOVBqHvj4hGiTtOz9oI287B4b7snUmCsa8IGfraZ445n4VBU
        sVDTtXzO+kOxdz+nLs4zwFjrIGplowy6N9cvUmm1VsXTd3ZuEmfhIxl7Fo79DZ7Xrs7L
        6WYg0CR+b3DrCMDKQ/kHEN5h8eH31CeruJgM/NRY+lqX1SVYX6gQfyFG2HNFLJO/ksfD
        eediGpY5T/K9WzvX0+J5PM5QonUGbpbhd5PAZsFwVneqPcDQj3uOwUWuUAw3dLdNLL9y
        Y6w/lJIx89Sya53Kja2j15eT5d+FjPE9OeogRuK9qAJxGNn54xA9kb6sT0vFrWftNvA3
        QynQ==
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass header.i=@groups.io header.s=20140610 header.b=OmM+mk8Y;
      spf=pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) smtp.mailfrom="SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net";
      dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net>
Received: from aws1.mikeage.net (aws1.mikeage.net. [34.224.146.155])
       by mx.google.com with ESMTPS id v10si2417871qtw.367.2020.11.11.21.37.05
       for < MYADDRESS@gmail.com>
       (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
       Wed, 11 Nov 2020 21:37:05 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) client-ip=34.224.146.155;
Authentication-Results: mx.google.com;
      dkim=pass header.i=@groups.io header.s=20140610 header.b=OmM+mk8Y;
      spf=pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) smtp.mailfrom="SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net";
      dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: by aws1.mikeage.net (Postfix) id 1BFFA3EF14; Thu, 12 Nov 2020 05:37:05 +0000 (UTC)
Delivered-To: MYADDRESSORIGINAL@mikeage.net
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=66.175.222.108; helo=mail02.groups.io; envelope-from=bounce+69030+554308+4680414+8404272@groups.io; receiver=<UNKNOWN>
Authentication-Results: aws1.mikeage.net; dkim=pass (1024-bit key; unprotected) header.d=groups.io header.i=@groups.io header.a=rsa-sha256 header.s=20140610 header.b=OmM+mk8Y; dkim-atps=neutral
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by aws1.mikeage.net (Postfix) with ESMTPS id EB7DB3EC4B for < MYADDRESSORIGINAL@mikeage.net>; Thu, 12 Nov 2020 05:37:04 +0000 (UTC)
X-Received: by 127.0.0.2 with SMTP id oLsLYY4681749xG4qmmeW9rb; Wed, 11 Nov 2020 21:37:04 -0800
X-Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com [209.85.217.52]) by mx.groups.io with SMTP id smtpd.web10.9563.1605113448380395017 for <list@shemesh.groups.io>; Wed, 11 Nov 2020 08:50:48 -0800
X-Received: by mail-vs1-f52.google.com with SMTP id z123so1546706vsb.0
       for <list@shemesh.groups.io>; Wed, 11 Nov 2020 08:50:48 -0800 (PST)
X-Gm-Message-State: uBHNPLbE3sy8KcE8rImAnZFdx4680414AA=
X-Received: by 2002:a67:f708:: with SMTP id m8mr15122860vso.58.1605113447617; Wed, 11 Nov 2020 08:50:47 -0800 (PST)
MIME-Version: 1.0
From: Safta Chavi <SENDER@gmail.com>
Date: Wed, 11 Nov 2020 18:50:36 +0200
Message-ID: <CAB5sq-wzZZ13bfOpxWo2n+AV_AQNBLim4x_9PNZfWz+n7Evi1g@mail.gmail.com>
Subject: [BS/RBS List] Oven recommendations? #question
To: undisclosed-recipients:;
Precedence: Bulk
List-Unsubscribe: <https://shemesh.groups.io/g/list/unsub>
Sender: list@shemesh.groups.io
List-Id: <list.shemesh.groups.io>
Mailing-List: list list@shemesh.groups.io; contact list+owner@shemesh.groups.io
Delivered-To: mailing list <list@shemesh.groups.io>
List-Post: <mailto:list@shemesh.groups.io>
Content-Type: multipart/alternative; boundary="000000000000de985705b3d798e3"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1605159424; bh=Xn5E1cyGj2ayBjpZKnm7oR5ODzG3Kta9nWJlOKpgTcs=; h=Content-Type:Date:From:Subject:To; b=OmM+mk8YnCxE98j+3aPaH3UafJpARH0ImGXbaRpc39IaqG764aNGPZ5q5EGvPAX3F2h f+WhRaKb+ZbIThuuuMgtm13iaaCy7TNRQ4ge2qs/sEzLeF3y/dKo02nt5Q1eQxcWmPB69 VE51OhCC1/B2T8YQKoC2Czq7kO85AW2ZtkE=

(To reduce spam, I replaced the address the email was sent to with MYADDRESSORIGINAL, the actual receiving address (my gmail) with MYADDRESS, and the sender with SENDER, but otherwise nothing has been changed.)

Gmail reports: SPF: PASS with IP 34.224.146.155 DKIM: 'PASS' with domain groups.io DMARC: 'FAIL' Learn more

What can I do to get DMARC to pass? I think I may need to use ARC somehow... but how exactly do I do that?

Postfix configuration (same redaction):

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
luser_relay = MYADDRESS@gmail.com
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, mikeage.net, localhost
myhostname = aws1.mikeage.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = local:opendkim/opendkim.sock
policyd-spf_time_limit = 3600
readme_directory = no
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
recipient_delimiter = +
relayhost =
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = local:opendkim/opendkim.sock
smtpd_recipient_restrictions = permit_sasl_authenticated reject_invalid_helo_hostname reject_unauth_destination reject_unknown_recipient_domain reject_unverified_recipient check_policy_service unix:private/policyd-spf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/aws1.mikeage.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/aws1.mikeage.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

(The maps on 10001 and 10002 are postsrsd.)

I just answered a similar question yesterday. The root cause is the same, but the situation is quite different.

The results:

Authentication-Results: mx.google.com;
      dkim=pass header.i=@groups.io header.s=20140610 header.b=OmM+mk8Y;
      spf=pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) smtp.mailfrom="SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net";
      dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

From: Safta Chavi <SENDER@gmail.com>

DMARC doesn't test whether SPF or DKIM passed; one of them must both pass and be aligned with the domain used in the From: header. Here, SPF passes with mikeage.net and DKIM with groups.io. They are not aligned, i.e. they do not match the From: domain gmail.com, so DMARC fails.

In this case, there are two nested forwardings causing the problem.

  1. The message was originally sent from Gmail to a Groups.io mailing list, so the From: header is @gmail.com.
  2. Gmail probably DKIM-signed the original message, but as the mailing list probably modifies the body to add its unsubscribe information, it is DKIM-signed again with groups.io.
  3. Your server forwards the message once more. It has to change the envelope sender to pass the SPF test, but now the envelope sender is mikeage.net, which is no longer aligned.
  4. Because of 2 and 3, DMARC alignment fails for both DKIM and SPF.

While Google could trust ARC (ARC-Message-Signature, ARC-Authentication-Results) directly from Groups.io, they are unlikely to trust ARC from your own mail server.

There isn't much you can do, other than not forwarding to Gmail. That way you have full control to add exceptions for such cases.

The mailing list could also solve this by changing the From header when it rewrites the body.

Quoted from: https://serverfault.com/questions/1042255
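As an added illustration (not part of the question or answer above), the following script reproduces Gmail's DMARC verdict from the Authentication-Results and From: headers quoted in the question: it extracts the domain each of SPF and DKIM authenticated, checks relaxed/strict alignment against the From: domain, and decodes the SRS0 address to show that postsrsd still encodes the original groups.io sender even though SPF is evaluated against mikeage.net. The organizational-domain helper uses a last-two-labels approximation instead of the Public Suffix List, and the header strings are constructed from the page's sample.

```python
import re

# Constructed sample: the Authentication-Results and From: headers quoted in the question.
AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@groups.io header.s=20140610 header.b=OmM+mk8Y; "
    "spf=pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net "
    "designates 34.224.146.155 as permitted sender) "
    'smtp.mailfrom="SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net"; '
    "dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com"
)
FROM_HEADER = "Safta Chavi <SENDER@gmail.com>"


def org_domain(domain):
    """Approximate organizational domain: last two labels (a real check would use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from an Authentication-Results header."""
    spf = re.search(r'spf=(\w+)[^;]*smtp\.mailfrom="?[^"@;]+@([^";\s]+)"?', header)
    dkim = re.search(r"dkim=(\w+)[^;]*header\.i=@([^\s;]+)", header)
    return {
        "spf": (spf.group(1), spf.group(2)) if spf else ("none", ""),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", ""),
    }


def dmarc_evaluate(auth_results, from_header, mode="relaxed"):
    """DMARC passes only if SPF or DKIM both passed AND is aligned with the From: domain."""
    from_domain = re.search(r"@([^>\s]+)", from_header).group(1)
    res = parse_auth_results(auth_results)
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], from_domain, mode)
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], from_domain, mode)
    return {"from": from_domain, "spf_domain": res["spf"][1], "dkim_domain": res["dkim"][1],
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def srs_decode(address):
    """Recover the pre-rewrite sender from SRS0=hash=timestamp=orig_domain=orig_local@forwarder."""
    local, forwarder = address.split("@", 1)
    tag, _hash, _timestamp, orig_domain, orig_local = local.split("=", 4)
    if tag.upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    return f"{orig_local}@{orig_domain}", forwarder
```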