Ubuntu

SPF passes or fails depending on the recipient address

  • July 17, 2014

I have set up Postfix with Dovecot on Ubuntu 13.10. I send emails through a Node application (using email templates).

If I send an email from noreply@mydomain.com to myaccount@gmail.com (email 1), the SPF record passes. If I send an email from noreply@mydomain.com to support@mydomain.com (email 2), the SPF record fails.

My SPF record:

v=spf1 a mx ~all

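I tried a variant that specifies the IP, but I get the same pass/softfail for emails 1 and 2.

I have linked my @mydomain.com email to Gmail, so I can read the messages from there and check the headers in Gmail.

Here are the headers of email 1, which passes: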

Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9729vcs;
       Thu, 3 Apr 2014 02:07:44 -0700 (PDT)
X-Received: by 10.204.243.137 with SMTP id lm9mr3945288bkb.33.1396516062351;
       Thu, 03 Apr 2014 02:07:42 -0700 (PDT)
Return-Path: <noreply@mydomain.com>
Received: from mydomain.com (mydomain.com. [81.4.107.88])
       by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41
       for <myaccount@gmail.com>
       (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
       Thu, 03 Apr 2014 02:07:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;
Authentication-Results: mx.google.com;
      spf=pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) smtp.mail=noreply@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
   (Authenticated sender: username)
   by mydomain.com (Postfix) with ESMTPA id 2FE0730A095F
   for <myaccount@gmail.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <688fb886bd83cff1bb5e299cb01e69@mydomain.com>
From: noreply@mydomain.com
To: myaccount@gmail.com
Subject: Welcome to mydomain

Here are the headers of email 2, which fails:

Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9756vcs;
       Thu, 3 Apr 2014 02:08:20 -0700 (PDT)
X-Received: by 10.220.103.141 with SMTP id k13mr2007429vco.25.1396516099631;
       Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
Authentication-Results: mx.google.com;
      spf=softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender) smtp.mail=noreply@mydomain.com
Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)
Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;
       Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support
Return-Path: <noreply@mydomain.com>
X-Original-To: support@mydomain.com
Delivered-To: support@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
   (Authenticated sender: username)
   by mydomain.com (Postfix) with ESMTPA id 2DF0730A095E
   for <support@mydomain.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <732468ffa47870963332c0e2dcebf3@mydomain.com>
From: noreply@mydomain.com
To: support@mydomain.com
Subject: New user signed-up
Content-Type: multipart/alternative;
boundary="----Nodemailer-0.6.1-?=_1-1396516061189"
MIME-Version: 1.0

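I don't think the problem is in the node.js code that sends the emails, since both use the same transport and login. Here is a simplified, but still long, version of the code: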

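var path = require("path");
var nodemailer = require("nodemailer");           // 0.6.x API, as shown in the X-Mailer header
var emailTemplates = require("email-templates");
// Assumed location of the 'new_user' and 'register' templates
var templatesDir = path.join(__dirname, "templates");

// One SMTP transport, shared by both functions below
var transport = nodemailer.createTransport("SMTP", {
    service: "mydomain.com",
    auth: {
        user: "username",
        pass: "password"
    }
});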

//THIS EMAIL FAILS SPF CHECK
exports.send_new_registration = function(username, email){
       emailTemplates(templatesDir, function(err, template) {
               console.log("Attempting to send email.");
         if (err) {
           console.log(err);
         } else {

           var locals = {
               email : email,
               username :username 
           };

           // Send a single email
           template('new_user', locals, function(err, html, text) {
             if (err) {
               console.log(err);
             } else {
               transport.sendMail({
                 from: 'noreply@mydomain.com',
                 to: 'support@mydomain.com',
                 subject: "New user signed-up",
                 html: html,
                 // generateTextFromHTML: true,
                 text: text
               }, function(err, responseStatus) {
                 if (err) {
                   console.log(err);
                 } else {
                   console.log(responseStatus.message);
                 }
               });
             }
           });
         }
       });
}

//THIS EMAIL PASSES SPF CHECK
exports.send_confirmation_email = function(email, token){
       var link = "https://mydomain.com/email-confirmation/" + token;  
       emailTemplates(templatesDir, function(err, template) {
               console.log("Attempting to send email.");
         if (err) {
           console.log(err);
         } else {

               var locals = {
               link : link
               };

           // Send a single email
           template('register', locals, function(err, html, text) {
             if (err) {
               console.log(err);
             } else {
               transport.sendMail({
                 from: 'noreply@mydomain.com',
                 to: email,
                 subject: "Welcome to mydomain",
                 html: html,
                 // generateTextFromHTML: true,
                 text: text
               }, function(err, responseStatus) {
                 if (err) {
                   console.log(err);
                 } else {
                   console.log(responseStatus.message);
                 }
               });
             }
           });
         }
       });     
}

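I don't think it matters, but I haven't got TLS working on Postfix yet. I also tried to get postfix-policyd-spf-perl working, without success. It adds an extra header when sending email from my own account to my own account. I guess it is related, but I'm not sure.

As an FYI, if I add check_policy_service unix:private/policy-spf to my /etc/postfix/main.cf, the additional header I see in the noreply@mydomain.com to support@mydomain.com email is: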

   Received-SPF: softfail (mydomain.com: Sender is not authorized by default to use 
'support@mydomain.com' in 'mfrom' identity, however domain is not currently prepared for false
failures (mechanism '~all' matched)) receiver=mydomain.com; identity=mailfrom; envelope-
from="support@mydomain.com"; helo="[an_ip]"; client-ip=a_diff_ip

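I'm only adding this because I'm not sure whether it is related to the Google softfail check…

Edit: To make the question clear, I don't understand why the SPF check passes if I send an email to a Gmail account but fails if I send an email to my own domain.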

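SPF is not failing. You are misinterpreting the results.

When the mail is sent to the GMail account, Google is (correctly) performing the check. Google is also adding a check when it retrieves the mail via POP3. It doesn't know where it came from, so it marks it as a softfail.

I'm not sure why Google checks email retrieved over POP3, but it shouldn't.

You need to send it to an address that does its own SPF checking and fetch it directly, rather than letting Google use the headers.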
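The distinction the answer draws, as an added Node.js example that is not part of the original post: `classifySpf` (a hypothetical helper) reports whether a Received-SPF verdict was recorded against a connecting IP at SMTP time or added later during a POP3 fetch. The two sample header blocks are abridged from the headers quoted in the question.

```javascript
// Added example: tell a real SMTP-time SPF verdict from one stamped on fetched mail.
function unfold(raw) {
  // RFC 5322 folding: a line that starts with whitespace continues the previous header.
  return raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/).filter(Boolean);
}

function classifySpf(raw) {
  const headers = unfold(raw);
  const spf = headers.find((h) => /^Received-SPF:/i.test(h));
  if (!spf) {
    return { result: "none", clientIp: null, evaluatedAtSmtp: false, reason: "no Received-SPF header" };
  }
  const result = spf.replace(/^Received-SPF:\s*/i, "").split(/\s+/)[0].toLowerCase();
  const ipMatch = spf.match(/client-ip=([0-9a-fA-F.:]+)/);
  const clientIp = ipMatch ? ipMatch[1] : null;

  // Signs that the verdict was not computed against a connecting SMTP client.
  const fetched = headers.some((h) => /^X-Gmail-Fetch-Info:/i.test(h)) ||
                  headers.some((h) => /^Received:.*\bwith POP3\b/i.test(h));
  const guessed = /best guess record/i.test(spf) || /<unknown>/.test(spf);

  if (fetched || guessed || !clientIp) {
    return { result, clientIp, evaluatedAtSmtp: false,
             reason: "verdict added without a sending IP (POP3 fetch); says nothing about the SPF record" };
  }
  return { result, clientIp, evaluatedAtSmtp: true, reason: "checked against the connecting IP at SMTP time" };
}

// Sample input, abridged from email 1 in the question (delivered to Gmail over SMTP).
const SMTP_DELIVERED = [
  "Return-Path: <noreply@mydomain.com>",
  "Received: from mydomain.com (mydomain.com. [81.4.107.88])",
  "       by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41",
  "Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;",
].join("\n");

// Sample input, abridged from email 2 in the question (pulled into Gmail over POP3).
const POP3_FETCHED = [
  "Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)",
  "Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;",
  "X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support",
  "Return-Path: <noreply@mydomain.com>",
].join("\n");

console.log(classifySpf(SMTP_DELIVERED));
console.log(classifySpf(POP3_FETCHED));
```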

Source: https://serverfault.com/questions/586370