kn007's Personal Blog

Adding DKIM to Postfix and Completing the SPF Record in DNS

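Recently some fellow bloggers told me they were not receiving mail from my blog. After checking, I found that a few mail providers were returning bounces like the following: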

mail server rejected a message that claimed an envelope sender address of kn007.net
it was rejected by the server for the recipient domain mta-189.21cn.com

For this reason I added the following SPF record to the DNS zone for my VPS:

v=spf1 a mx mx:kn007.net ip4:50.2.54.2 ~all
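
How a receiving server evaluates the record above, as an added Python example that is not from the original post: mechanisms are tried left to right and the first match decides the result. The DNS table is constructed for the example and assumes the A record and MX host of kn007.net resolve to 50.2.54.2; include, exists, ptr and CIDR suffixes on a/mx are not handled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: the A record
# and the MX host of kn007.net both point at the address in the ip4 term).
DNS = {("kn007.net", "A"): ["50.2.54.2"], ("kn007.net", "MX"): ["kn007.net"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 a mx mx:kn007.net ip4:50.2.54.2 ~all"  # record from the post

def hosts(domain, rtype):
    """Addresses behind an `a` or `mx` mechanism, read from the table above."""
    if rtype == "A":
        return DNS.get((domain, "A"), [])
    exchangers = DNS.get((domain, "MX"), [])
    return [ip for mx in exchangers for ip in DNS.get((mx, "A"), [])]

def check_spf(record, sender_ip, domain):
    """Return (result, matching term); terms are tried left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = str(ip) in hosts(arg or domain, name.upper())
        else:
            continue  # include, exists, ptr, modifiers: outside this sketch
        if matched:
            return QUALIFIER[qual], term
    return "neutral", None

print(check_spf(RECORD, "50.2.54.2", "kn007.net"))    # the VPS itself
print(check_spf(RECORD, "203.0.113.9", "kn007.net"))  # any other host
```

Because `mx` without an argument already means the MX hosts of the current domain, the `mx:kn007.net` term repeats it for mail from kn007.net. With `~all`, every other sending address gets softfail rather than fail.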

MX record:

kn007.net.

The default._domainkey TXT record for DKIM:

v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPY9DY0gk18N7osVZA6JzLoUzUuP7Q6s5DJyfGVKJUGxxwhg2WXY3jBN/McJdNg+jyUOr7+XVm9+VguJSZDfzCsCHJOei0fTUpW7Xi4xRJaGMoIMiV1wovBHDSTk55xX4ihuMHZcLKVGALuQtK+skeHEEvDE4nxaktNvTS2MaXnQIDAQAB
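
A lint of the key record above, as an added Python example that is not from the original post: it splits the tag list, walks the DER structure in p= to measure the RSA modulus, and reports what a reviewer would flag. The function names are made up for this example; the record is the one published in the post.

```python
import base64

# TXT record exactly as published in the post (line breaks added for width).
RECORD = """v=DKIM1; g=*; k=rsa; p=
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPY9DY0gk18N7osVZA6JzL
oUzUuP7Q6s5DJyfGVKJUGxxwhg2WXY3jBN/McJdNg+jyUOr7+XVm9+VguJSZ
DfzCsCHJOei0fTUpW7Xi4xRJaGMoIMiV1wovBHDSTk55xX4ihuMHZcLKVGAL
uQtK+skeHEEvDE4nxaktNvTS2MaXnQIDAQAB"""

def parse_tags(record):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def der_read(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_value):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_value)
    _, pos, _ = der_read(der, 0)        # outer SEQUENCE
    _, _, pos = der_read(der, pos)      # AlgorithmIdentifier, skipped
    _, pos, _ = der_read(der, pos)      # BIT STRING holding the key
    _, pos, _ = der_read(der, pos + 1)  # past unused-bits byte: RSAPublicKey
    _, start, end = der_read(der, pos)  # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def lint_key_record(record):
    """Return a list of findings for one DKIM key record."""
    tags, notes = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        notes.append("v= must be DKIM1")
    if "g" in tags:
        notes.append("g= was dropped in RFC 6376; current verifiers ignore it")
    if tags.get("k", "rsa") != "rsa":
        notes.append("key type is not rsa")
    elif not tags.get("p"):
        notes.append("empty p= marks the key as revoked")
    elif (bits := rsa_bits(tags["p"])) < 2048:
        notes.append(f"{bits}-bit RSA; RFC 8301 says signers SHOULD use 2048+")
    return notes

print(lint_key_record(RECORD))
```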

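Finally, I added DKIM to Postfix. Installing DKIM is somewhat troublesome; in any case, I did not manage to build and install it from the source fetched with wget, probably because I did not set up site.config.m4 or got a define wrong.

Here is another installation method, my own work (I kept the earlier failed attempts, commented out with #):

#This tutorial can be saved as an sh file and run to perform the installation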

rpm -ivh http://download4.fedora.redhat.com/pub/epel/5/`uname -i`/dkim-milter-2.8.3-8.el5.`uname -i`.rpm --nodeps
wget -O dkim-milter.tar.gz http://sourceforge.net/projects/dkim-milter/files/latest/download?source=files
#wget -O dk-milter.tar.gz http://sourceforge.net/projects/dk-milter/files/latest/download
tar zxvf dkim-milter.tar.gz
#tar zxvf dk-milter.tar.gz
cd  dkim-milter-*
#ln -s ../dk-milter-*/libdk
#cp site.config.m4.dist site.config.m4
#echo "define(`confMANROOT', `/usr/share/man/man')"  >> site.config.m4
#cp ./site.config.m4 devtools/Site/site.config.m4
#./Build
#./Build install
mkdir -p /etc/dkim-milter/keys/
cp ./dkim-filter/dkim-genkey.sh /etc/dkim-milter/keys/
cd /etc/dkim-milter/keys/
chmod +x ./dkim-genkey.sh
chown dkim-milter /etc/dkim-milter
chmod 700 /etc/dkim-milter
chgrp postfix /var/run/dkim-milter
chmod 770 /var/run/dkim-milter
./dkim-genkey.sh -r -d `hostname -f`
chown dkim-milter /etc/dkim-milter/keys/default.private
mv /etc/dkim-milter/keys/default.private /etc/dkim-milter/keys/default.key.pem

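#This generates default.txt and default.private
#Add the DNS TXT record using the contents of default.txt
#default.private is now in place, renamed to default.key.pem, and ready to use
#Adjust the commands below to fit your own setup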

echo "*@kn007.net:kn007.net:/etc/dkim-milter/keys/default.key.pem" >> /etc/mail/dkim-milter/keys/keylist

echo 'USER="dkim-milter"' >> /etc/sysconfig/dkim-milter
echo 'PORT=local:/var/run/dkim-milter/dkim.sock' >> /etc/sysconfig/dkim-milter
echo 'SELECTOR_NAME="default"' >> /etc/sysconfig/dkim-milter
echo 'SIGNING_DOMAIN="kn007.net"' >> /etc/sysconfig/dkim-milter
echo 'KEYFILE="/etc/dkim-milter/keys/default.key.pem"' >> /etc/sysconfig/dkim-milter
echo 'SIGNER=yes' >> /etc/sysconfig/dkim-milter
echo 'VERIFIER=yes' >> /etc/sysconfig/dkim-milter
echo 'CANON=simple' >> /etc/sysconfig/dkim-milter
echo 'SIGALG=rsa-sha256' >> /etc/sysconfig/dkim-milter
echo 'REJECTION="bad=r,dns=t,int=t,no=a,miss=r"' >> /etc/sysconfig/dkim-milter
echo 'EXTRA_ARGS="-h -l -D"' >> /etc/sysconfig/dkim-milter

echo 'Canonicalization simple' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'AutoRestart yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'AutoRestartRate 10/1h' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Domain kn007.net' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'SubDomains yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Selector default' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'MTA MSA' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'KeyFile /etc/dkim-milter/keys/default.key.pem' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Background yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Socket local:/var/run/dkim-milter/dkim.sock' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'X-Header yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'LogWhy yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Userid dkim-milter' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'SignatureAlgorithm rsa-sha256' >> /etc/mail/dkim-milter/dkim-filter.conf

echo 'smtpd_milters = local:/var/run/dkim-milter/dkim.sock' >> /etc/postfix/main.cf
echo 'non_smtpd_milters = local:/var/run/dkim-milter/dkim.sock' >> /etc/postfix/main.cf
echo 'milter_protocol = 2' >> /etc/postfix/main.cf
echo 'milter_default_action = accept' >> /etc/postfix/main.cf

chkconfig --level 345 dkim-milter on
service dkim-milter start
service postfix reload

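#If you find bugs or mistakes, feel free to get in touch!

The installation method above applies to CentOS.

DNS records currently in place:
[Screenshot of the DNS records]
There are several test sites; after testing, the results all show no problems: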
http://www.openspf.org/Why?show-form=1

The domain kn007.net has authorized 50.2.54.2 to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

http://dkimcore.org/c/keycheck

This is a valid DKIM key record

http://www.brandonchecketts.com/emailtest.php

As long as your score is below 5, you shouldn't run into any serious delivery issues.

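Whether DKIM actually does anything once this is done, I don't know, because the mail I send still carries no DKIM signature. Perhaps an expert needs to answer this one.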
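
A way to confirm that symptom from a raw outgoing message, as an added Python example that is not part of the original post: it looks for a DKIM-Signature header whose d= and s= match the Domain and Selector written to dkim-filter.conf above. The sample messages, addresses and function name are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages: one unsigned, as the post describes, and one as
# a working signer would emit it. The bh= and b= values are placeholders.
UNSIGNED = "From: blog@kn007.net\nTo: reader@example.org\nSubject: hi\n\nhello\n"
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kn007.net;\n"
    "\ts=default; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n" + UNSIGNED
)

def signature_report(raw, domain="kn007.net", selector="default"):
    """Return (status, problems) for the DKIM-Signature headers of a message."""
    msg = message_from_string(raw)
    sigs = msg.get_all("DKIM-Signature", [])
    if not sigs:
        return "unsigned", ["no DKIM-Signature header: the milter did not sign"]
    for value in sigs:
        items = (i.split("=", 1) for i in value.split(";") if "=" in i)
        tags = {k.strip(): "".join(v.split()) for k, v in items}
        if tags.get("d") != domain or tags.get("s") != selector:
            continue  # signature added for another domain or selector
        problems = []
        if tags.get("a") != "rsa-sha256":
            problems.append("a= differs from SignatureAlgorithm rsa-sha256")
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        if "from" not in signed:
            problems.append("h= does not cover From, which RFC 6376 requires")
        return "signed", problems
    return "foreign-signature", [f"no signature for {selector}._domainkey.{domain}"]

print(signature_report(UNSIGNED))
print(signature_report(SIGNED))
```

Run it on the full source of a message received at an external mailbox, since the header is only added when Postfix hands the message to the milter.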

When reposting, please credit: "Adding DKIM to Postfix and Completing the SPF Record in DNS" on kn007's Personal Blog


Comments

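  1. So complicated...

    1. MOD Reply

      @Arch!Tech: It's not really that complicated. In the end I found that SPF is working, but DKIM has come to a halt because the hosting provider doesn't support it...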

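  2. I've never understood what this is for, and I don't know how to set it up either. With comment reply notifications, I just see errors for people using 163-domain mailboxes

    1. MOD Reply

      @空空裤兜: Errors? This is a verification method; this kind of verification can effectively reduce the chance of being classified as spam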

  3. Reply

    I used to do it this way too, but it was just too much trouble, so I gave up and switched to gmail

    1. MOD Reply

      @kslr: I'm not used to SMTP :o

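  4. From your DNS records one can see that your DKIM is incomplete. DKIM is simple in a sense, but doing it well is still a bit of trouble
    SPF check: pass
    DomainKeys check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham
    Mine counts as done quite completely!

    1. MOD Reply

      @今夜无眠: :lol: Where did you test? Perhaps you could give me some pointers?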

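    2. @kn007:
      Add me on QQ: 83922808
      The process is a bit complicated, and I also don't know what kind of mail you mainly send
      There are two ways to test
      check-auth-97500391=qq.com@verifier.port25.com
      check-auth-sogouwz=163.com@verifier.port25.com
      You can follow that, right?
      Just change the reply address: change 97500391 and sogouwz to your own and you will receive the reply. It has to be sent from your server
      The second method
      http://www.mail-tester.com/
      Here you can check your IP reputation. Hope this helps, hehe
      Your DKIM is, by rights, just simple verification; to get the result I have, you still need to learn more on top of the basics
      It's not that simple!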

    3. MOD Reply

      @今夜无眠: OK, I'll give it a try when I have some time, thanks.
      Also, I've added you on QQ.

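  5. Reply

    Expert, has your DKIM been completely solved?

    1. MOD Reply

      @trier: It was solved long ago. Aren't there follow-up posts?

    2. Reply

      @kn007: I'm really sorry, I hadn't read all the posts.
      This series of documents you've put together is really great! Very useful!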
