Postfix: managing subdomain DMARC, DKIM and SPF when bounce emails come from the empty sender "<>"
I have several Postfix servers that send mail on behalf of my domain (example.com). When a sender address is provided, DKIM and SPF pass correctly. However, I have noticed in my DMARC reports that my Postfix servers are sending many emails that fail.
Each Postfix server is mapped to a subdomain in our DNS (smtp1.example.com, smtp2.example.com). Reverse lookups for the sending IPs are configured on AWS.
When mail bounces, Postfix sends a non-delivery notification email to the sender, but it comes from the empty sender. These messages seem to fail DKIM and sometimes SPF, because they are sent from MAILER-DAEMON@smtp1.example.com rather than MAILER-DAEMON@example.com.
What is the best way to manage this? Should I create DKIM and SPF records for each subdomain? Is there a way to customize the mailer-daemon sender in Postfix so that it sends from the domain rather than the subdomain?
Update:
I found that in "/etc/postfix/main.cf" I needed to change the $mydomain variable to example.com and set $myorigin to use $mydomain, but DKIM is still not attached. I use OpenDKIM to apply DKIM to every outgoing email, but because Postfix uses from=<> rather than mailer-daemon@example.com it seems to skip it, although I am not sure this is the cause.
Update:
By adding "internal_mail_filter_classes = bounce" to "/etc/postfix/main.cf" I was able to get DKIM applied to bounced emails:
http://www.postfix.org/MILTER_README.html
I would still like to know whether this is the best way to achieve my goal.
Update:
Bounced emails are now sent from MAILER-DAEMON@example.com, but the recipient sees the email as sent by smtp1.example.com and signed by example.com. This requires me to configure another SPF record for smtp1.example.com, which I would prefer not to need. Bounced mail should appear to be sent by the root domain.
How can I achieve this?
Update:
Adding the email headers and the output of postconf -n. I have only obfuscated IP addresses and domain names. The email was received by a Gmail-hosted domain. Email headers:
Delivered-To: customerservice@example.com
Received: by 2002:a2e:45d5:0:0:0:0:0 with SMTP id s204-v6csp753516lja; Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62LaRKlAeJoVcCqIQRgHXwen7bLAev7n/gyBtIF7yWMLpmgBaL1q8D3Qm0zEMcDjPEmCjCz
X-Received: by 2002:a0c:a9d2:: with SMTP id c18-v6mr54933qvb.191.1537984791474; Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537984791; cv=none; d=google.com; s=arc-20160816; b=0LNTMB+qiHPz1eHGcLyPLE1FcSmW30xptS1xcbd9Vmy1Wdx3/tg96AUrAeuoDSznHE b96zAG+sJHLASokmbete92FHI1G8rD8PgjH/IUCJ48Tl6fBZwkdKU7AGYAJ/2TTCBAuV V5qcBCIuomDpUVXLeDNYSpTPEpAtaUrm+l5S3wIkZXlyzTsEL9utiVdoKTmYNcyXzM53 afDdaokbJdrmm6h904P49QEgm1/76LVyjh3QvpzVmVkmz7bsRleBypROkS4GERE0UD87 ZVEKMlCkVw8y2lUJwx8OvYTIALGHLsrjHk3cICv8uCsCQleDeMK+Y7mxJ4og8isdmEJm aNTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:mime-version:auto-submitted:to:subject:from:date :dkim-signature; bh=/kHg6GHVOA4im8+tNe6f5EdTttqwbtTK3EvxVBpLPe0=; b=VNuEQyKlo1YCgSBznYzBqNzJzJHaTqIxYzzEOhVfWH7KP4IdBvSQ5nwbigujfhq+a1 ch04W6nNbOaeTvC6hRdztL+Qw+lria0hOIx6eo3Hc8swQseAv6+iKh8hwbL4DM1tr84l wDmcPy808/tamGIBHacA1vhe7LU1ZWhaFmBcynllMaLXJDxDsJuZc2pAfQe3cu+1da0h twdEY+fYo8tVlVC/A0fb6iedP57tYygfg1LMSZhOxqwWiFDuNsOOn2Px0geyYcHWiyTj uZEtS4L1nfYr2J2tbeZsHMzrjPkM4etZMK52duSiNpMZnV0CN4dioHQcSskrik8Jgnmh Ki/g==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@example.com header.s=example header.b="Kh/wMFFv"; spf=pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <>
Received: from smtp1.example.com (smtp1.example.com. [<IP-Address>]) by mx.google.com with ESMTPS id 144-v6si4528390qkh.294.2018.09.26.10.59.51 for <customerservice@example.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) client-ip=<IP-Address>;
Authentication-Results: mx.google.com; dkim=pass header.i=@example.com header.s=example header.b="Kh/wMFFv"; spf=pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Received: by smtp1.example.com (Postfix) id 1CEE260DBC; Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=example; t=1537984791; bh=DalucSR/izsrTI/4cwdDwKrGi8R0OywUerOF7byykLI=; h=Date:From:Subject:To; b=Kh/wMFFvEE/uPx/7qKnYVZZACU6zzLl9S+Jwr1hXSBhIg0mfkqpVXgxvhUxqNkJXw xIPvmuJU9ERlA5RqT+xUC3y4kkxIbig6gBogUEFtOkbp1bNj+yWEKxcFpHJXEnDneP Na3dzhGZScaUK83sKEPMFkjubyiPR/6uoc5zcEVc=
Date: Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
From: Mail Delivery System <MAILER-DAEMON@example.com>
Subject: Undelivered Mail Returned to Sender
To: customerservice@example.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DF7BD600B7.1537984791/smtp1.example.com"
Message-Id: <20180926175951.1CEE260DBC@smtp1.example.com>
Output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_notice_recipient = mailer-daemon@example.com
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
internal_mail_filter_classes = bounce
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = smtp1.example.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891
As Michael mentioned, an empty Return-Path <> is recommended for NDR messages. As you can see, many MTAs apply DKIM signing based on this header. This resulted in the loss of the DKIM signature, which you have already been able to resolve.
If the return path is missing, SPF falls back to the HELO/EHLO domain, as described in the specification:
http://www.openspf.org/svn/project/specs/rfc4408.txt
e.g. if the reverse-path is null, then the EHLO/HELO domain is used, with its associated problems (see section 2.1)
If your main concern is getting DMARC alignment on these messages, it is sufficient to make sure DKIM is applied to NDR messages. In that case you do not need separate SPF records for the smtp subdomains. It is nevertheless recommended to do so, to prevent losing NDR messages at receivers that do not support DMARC.
If you have a long list of SMTP servers, you could also publish a wildcard SPF record that specifically allows your IP addresses.
Does this help you?
Regards,
Michael
DMARC Analyzer
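As an added example (not code from the question or from the answer above), the following Python models how a DMARC evaluator treats this bounce: the empty Return-Path makes SPF fall back to the HELO domain smtp1.example.com, while the DKIM d= tag stays on the root domain, so a signed bounce aligns even under strict mode. The header fragment, the documentation IP address and the two-label organizational-domain rule are constructed assumptions (no Public Suffix List lookup).

```python
import re

# Constructed header fragment modelled on the bounce in the question
# (not the original headers; 203.0.113.10 is a documentation address).
BOUNCE_HEADERS = """\
Return-Path: <>
Received: from smtp1.example.com (smtp1.example.com. [203.0.113.10])
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=example; h=Date:From:Subject:To;
From: Mail Delivery System <MAILER-DAEMON@example.com>
"""

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)

def identifiers(headers: str) -> dict:
    """Pull out the domains DMARC compares against the RFC5322.From domain."""
    from_dom = re.search(r"^From:.*@([\w.-]+)>?\s*$", headers, re.M).group(1)
    mail_from = re.search(r"^Return-Path:\s*<([^>]*)>", headers, re.M).group(1)
    # The name after "Received: from" is what the client sent in HELO/EHLO.
    helo = re.search(r"^Received: from (\S+)", headers, re.M).group(1)
    dkim_d = re.search(r"^DKIM-Signature:.*?\bd=([\w.-]+);", headers, re.M).group(1)
    # An empty MAIL FROM (<>) means SPF was checked against the HELO identity,
    # so the SPF-authenticated domain is the server's subdomain, not example.com.
    spf_dom = mail_from.split("@")[-1] if mail_from else helo
    return {"from": from_dom, "spf": spf_dom, "dkim": dkim_d}

def dmarc_result(headers: str, spf_pass: bool, dkim_pass: bool,
                 aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when at least one passing mechanism is aligned with From."""
    ids = identifiers(headers)
    spf_ok = spf_pass and aligned(ids["spf"], ids["from"], aspf)
    dkim_ok = dkim_pass and aligned(ids["dkim"], ids["from"], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    # Signed bounce: DKIM d=example.com aligns even under strict mode (adkim=s).
    print(dmarc_result(BOUNCE_HEADERS, True, True, aspf="s", adkim="s"))
    # Unsigned bounce with strict SPF alignment: the HELO subdomain does not align.
    print(dmarc_result(BOUNCE_HEADERS, True, False, aspf="s"))
```

Relaxed alignment (the default) lets the HELO subdomain align with example.com on its own, which is why the Gmail headers in the question show dmarc=pass with both mechanisms; the strict case shows why DKIM on the bounce is the robust fix.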