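Postfix headers show the wrong IP
I am using Postfix 2.11.3 on Debian 8.0.
I configured Postfix to run multiple instances (3), one for each public IP attached to our server, in order to balance outgoing traffic by service.
I configured DKIM and SPF for all subdomains (1 subdomain per IP), but sometimes I get SPF and DKIM failures from GMail and other providers, and looking at the headers it seems that the receiving mail server is not able to resolve my IP.
For example, please check the following headers: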
Delivered-To: XX@XXXX.com
Received: by 10.28.221.87 with SMTP id u84csp184407wmg;
        Fri, 5 Jun 2015 19:26:17 -0700 (PDT)
X-Received: by 10.52.116.162 with SMTP id jx2mr11374004vdb.80.1433557576885;
        Fri, 05 Jun 2015 19:26:16 -0700 (PDT)
Return-Path: <chris@hello3.much.cheap>
Received: from hello3.much.cheap ([2607:5300:60:6516::])
        by mx.google.com with ESMTP id f2si9741219vdb.2.2015.06.05.19.26.14
        for <XX@XXXX.com>;
        Fri, 05 Jun 2015 19:26:15 -0700 (PDT)
Received-SPF: permerror (google.com: domain of chris@hello3.much.cheap uses a mechanism not recognized by this client. unknown mechanisms: )) client-ip=2607:5300:60:6516::;
Authentication-Results: mx.google.com;
        spf=permerror (google.com: domain of chris@hello3.much.cheap uses a mechanism not recognized by this client. unknown mechanisms: )) smtp.mail=chris@hello3.much.cheap;
        dkim=pass header.i=@much.cheap;
        dmarc=pass (p=NONE dis=NONE) header.from=hello3.much.cheap
Message-Id: <55725a47.220a340a.cc4f.ffffada7SMTPIN_ADDED_MISSING@mx.google.com>
Received: from hello3.much.cheap (hello3.much.cheap [167.114.180.233])
        by hello3.much.cheap (Postfix) with ESMTP id 27F7940083
        for <XX@XXXX.com>; Fri, 5 Jun 2015 22:26:10 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=much.cheap; s=hello;
        t=1433557570; bh=z/R8LvudDLyZmOBbw+42+SG7pLmnI+4/+E4YxHqibK4=;
        h=Date:To:From:Subject:From;
        b=tJdvbP1c+me6BwXx4Qayzwvw7GR+OFd/xG+OwCqXz/YNPVhTIS56HxGxRkEvnztTr
         ClouAavusckmwXfQ5GmwjWvzVlcIZc7eT9rkBrAL8Th+2YPXNiw4k36ZDRik9lfICp
         qpvcGIhruOCE4BBQFE31j2qEDTl6qVh2D0jSAbD8=
Received: from [167.114.180.233] by hello3.much.cheap with HTTP;
        Fri, 05 Jun 2015 22:26:09 -0400
Date: Fri, 5 Jun 2015 22:26:10 -0400
To: XX@XXXX.com
From: Chris <chris@hello3.much.cheap>
Subject: Wonderful trip with family!
Bounces-To: chris@hello3.much.cheap
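As you can see, both SPF and DKIM failed due to the wrongly resolved IP: 2607:5300:60:6516::. The strangest thing is that, following the SPF and DKIM records, Google is actually able to see my real IP (Received: from [167.114.180.233] by hello3.much.cheap). The error is not constant; sometimes it gets the right IP (167.114.180.233) even in the first header and all the checks pass.
Please note that I am not behind a firewall/proxy, and the relevant Postfix instance is bound to the correct IP address.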
master.cf
67.114.180.233:2533 inet n - n - - smtpd
main.cf
myorigin = hello3.much.cheap
myhostname = hello3.much.cheap
mydomain = hello3.much.cheap
queue_directory = /var/spool/postfix-3
data_directory = /var/lib/postfix-3
multi_instance_group = outgoing
multi_instance_name = postfix-3
inet_interfaces = all
smtp_bind_address = 167.114.180.233
mynetworks = 127.0.0.0/8 167.114.64.22 167.114.180.232/29
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
multi_instance_enable = yes
smtp_generic_maps = hash:/etc/postfix-3/generic
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix-3/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix-3/header_check
mime_header_checks = regexp:/etc/postfix-3/header_check
header_checks = regexp:/etc/postfix-3/header_check
strict_mailbox_ownership = no
Any ideas?
This header
Received: from hello3.much.cheap ([2607:5300:60:6516::]) by mx.google.com with ESMTP id f2si9741219vdb.2.2015.06.05.19.26.14 for <XX@XXXX.com>; Fri, 05 Jun 2015 19:26:15 -0700 (PDT)
means that Postfix sent the email to mx.google.com via IPv6. In other cases, Postfix sends the email via IPv4.
The SPF checker at mx.google.com will compare your IPv6 address against your SPF record
v=spf1 mx a ptr include:much.cheap ~all
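As you can see, no IPv6 record is listed in the SPF record, so Google warns you about the SPF check failure. The server mx.google.com is not making a mistake when resolving your IP address. It is your server that sent it using IPv6.
The fix should be to add the IPv6 record to your SPF.
I still don't know why Postfix sends the email via IPv6, given that you have the parameter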
smtp_bind_address = 167.114.180.233
However, following the mail log at a verbose level may reveal the problem.
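
The address comparison described in the answer above, as an added example that is not part of the original question or answer: it extracts the client address from a Received header and reports which SPF term first matches it. The DNS table, the IPv4 header variant and the `WITH_IP6` record are constructed assumptions; only `a`, `ip4`, `ip6` and `all` are evaluated, so it shows address matching and does not reproduce Google's `permerror`.

```python
import ipaddress
import re

# Constructed DNS data (assumption): the page does not show the zone. This
# models a sending host that publishes an A record but no AAAA record.
DNS = {("hello3.much.cheap", "A"): ["167.114.180.233"],
       ("hello3.much.cheap", "AAAA"): []}

# Header from the page, shortened to the part that is parsed.
VIA_IPV6 = "Received: from hello3.much.cheap ([2607:5300:60:6516::]) by mx.google.com"
# Constructed: the same hop when the connection is made over IPv4.
VIA_IPV4 = "Received: from hello3.much.cheap ([167.114.180.233]) by mx.google.com"
PAGE_RECORD = "v=spf1 mx a ptr include:much.cheap ~all"
# Hypothetical corrected record with the IPv6 source address listed.
WITH_IP6 = "v=spf1 mx a ptr ip6:2607:5300:60:6516:: include:much.cheap ~all"

def client_ip(received):
    """Return the bracketed peer address the receiving server recorded."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]", received)
    if m is None:
        raise ValueError("no bracketed client address found")
    return ipaddress.ip_address(m.group(1))

def first_match(record, domain, ip):
    """Return the first SPF term that matches ip, or None if none does."""
    # mx, ptr and include are skipped: they need lookups the page does not show.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return term
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return term
        elif name == "a":
            rtype = "A" if ip.version == 4 else "AAAA"
            hosts = DNS.get((arg or domain, rtype), [])
            if any(ipaddress.ip_address(h) == ip for h in hosts):
                return term
    return None

if __name__ == "__main__":
    for hdr in (VIA_IPV4, VIA_IPV6):
        ip = client_ip(hdr)
        print(ip, "->", first_match(PAGE_RECORD, "hello3.much.cheap", ip))
```

A result of `~all` means no mechanism authorized the connecting address and the record's default applied.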