Smtp

Gmail SPF check fails when importing mail from our mailbox via IMAP, when the original email was sent with an ESMTP header

  • February 20, 2015

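We have a strange situation:

  • We receive an email that contains an ESMTP header
  • Our server accepts it, which is fine
  • We import that mail into Gmail, just like any other email from our mailbox
  • Gmail performs an SPF check and it fails
  • Gmail uses our server's IP address and the mail sender's domain for the check (sic!)

We have a similar problem with mail between local mailboxes (but there Gmail uses our server's domain and the client's IP): when mail is sent via SMTP from one local mailbox to another, SPF fails for the email imported into Gmail, because the client's IP is used instead of the server's.

Example: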

Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
  spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl

More headers:

Delivered-To: example@gmail.com
Received: by 10.194.168.164 with SMTP id zx4csp522020wjb;
   Thu, 19 Feb 2015 06:26:04 -0800 (PST)
X-Received: by 10.180.219.66 with SMTP id pm2mr10333511wic.91.1424355964017;
   Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com  (server.webvizarts.com . [188.40.153.39])
   by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
   for <example@gmail.com>
   (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
   Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
  spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl
Received: from mx.msit.gov.pl ([77.252.152.34])
   by server.webvizarts.com  with esmtp (Exim 4.83)
   (envelope-from <example@msit.gov.pl>)
   id 1YOS3G-0003eP-T2
   for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100
Received: from msit.gov.pl (unknown [192.168.10.30])
   by mx.msit.gov.pl (Postfix) with ESMTPS id 5BE2F3B64
   for <example@webvizarts.com>; Thu, 19 Feb 2015 15:24:48 +0100 (CET)
Received: from EX3.sport.local (192.168.10.30) by EX3.sport.local
(192.168.10.30) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 19 Feb
2015 15:22:45 +0100
Received: from EX3.sport.local ([fe80::b8ed:df29:c87:77d2]) by EX3.sport.local
([fe80::b8ed:df29:c87:77d2%15]) with mapi id 15.00.1044.021; Thu, 19 Feb 2015
15:22:45 +0100
From: John Smith <example@msit.gov.pl>
To: Christopher Smith <example@webvizarts.com>
Subject: Re: Some sensitive subject
Thread-Topic: Some sensitive subject
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.0.102]

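Titles, mailbox names and people's names have been hidden.

We have dovecot+exim on a Debian-based VPS.

We are looking for a solution to avoid this. Is this a flaw in Gmail's implementation, or is there something we can do about it?

Edit: per the comments, forwarding was mistakenly treated as importing.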

[…]

We import that mail into Gmail, just like any other email from our mailbox

[…]

That is wrong, because the mail headers show otherwise:

Received: from server.webvizarts.com  (server.webvizarts.com . [188.40.153.39])
   by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
   for <example@gmail.com>
   (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
   Thu, 19 Feb 2015 06:26:04 -0800 (PST)

The email was forwarded by server.webvizarts.com to mx.google.com for example@gmail.com. Apparently the envelope from was not set:

Authentication-Results: mx.google.com;
  spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl

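Apparently the envelope sender is still example@msit.gov.pl

I can think of three options you have here:

  1. Rewrite the envelope using the Sender Rewriting Scheme, e.g. with postfix-srsd
  2. Authenticate at Gmail before sending/relaying
  3. Push the mails from your server to the Gmail mailbox via IMAP/POP3, or have Gmail fetch them from your server (I don't know which is easier)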

Source: https://serverfault.com/questions/670113
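A header check for the situation the answer describes, as an added example that is not part of the original post: it reads the topmost Authentication-Results and the Received chain and flags a message that a relay forwarded without rewriting the envelope sender. The function names and the abridged sample headers are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: headers abridged from the message shown on this page.
SAMPLE = """\
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com (server.webvizarts.com. [188.40.153.39])
   by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
   for <example@gmail.com>; Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Authentication-Results: mx.google.com;
  spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl
Received: from mx.msit.gov.pl ([77.252.152.34])
   by server.webvizarts.com with esmtp (Exim 4.83)
   (envelope-from <example@msit.gov.pl>)
   id 1YOS3G-0003eP-T2
   for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100
Subject: Re: Some sensitive subject

(body omitted)
"""

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).rstrip(".;").lower() if m else None

def parse_hop(value):
    """Extract sending host, its IP, receiving host and envelope-from from one Received header."""
    v = " ".join(value.split())  # unfold continuation lines
    return {"from": _grab(r"^from\s+(\S+)", v), "ip": _grab(r"\[([0-9A-Fa-f:.]+)\]", v),
            "by": _grab(r"(?:^|\s)by\s+(\S+)", v), "env": _grab(r"envelope-from\s+<([^>]*)>", v)}

def diagnose(raw):
    msg = message_from_string(raw)
    ar = " ".join(msg.get("Authentication-Results", "").split())  # topmost = final receiver
    spf = _grab(r"\bspf=(\w+)", ar)
    sender = _grab(r"smtp\.mail(?:from)?=(\S+)", ar)  # page shows smtp.mail; smtp.mailfrom also accepted
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h["from"]]
    relay = hops[0] if hops else {"from": None, "ip": None}
    # Forwarding signature: the host that handed the message over had itself received it
    # from elsewhere under the same envelope sender, i.e. the envelope was not rewritten.
    inbound = next((h for h in hops[1:] if h["by"] == relay["from"] and h["env"] == sender), None)
    return {"spf": spf, "envelope_sender": sender, "relay": relay["from"],
            "checked_ip": relay["ip"], "origin": inbound["from"] if inbound else None,
            "forwarded_unrewritten": spf in ("fail", "softfail") and inbound is not None}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

The check depends on the relay recording `envelope-from` in its own Received header, as the Exim hop on this page does; relays that omit it will not be matched.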