kn007's Personal Blog

Adding DKIM to Postfix and Completing the SPF Record in DNS

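Recently some fellow bloggers told me that they were not receiving mail from my blog. After checking, I found that a few mail providers were returning bounces like the following:
mail server rejected a message that claimed an envelope sender address of kn007.net
it was rejected by the server for the recipient domain mta-189.21cn.com
To address this, I added the following SPF record to the DNS zone for my VPS:
v=spf1 a mx mx:kn007.net ip4:50.2.54.2 ~all
MX record:
kn007.net.
DKIM TXT record at default._domainkey:
v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPY9DY0gk18N7osVZA6JzLoUzUuP7Q6s5DJyfGVKJUGxxwhg2WXY3jBN/McJdNg+jyUOr7+XVm9+VguJSZDfzCsCHJOei0fTUpW7Xi4xRJaGMoIMiV1wovBHDSTk55xX4ihuMHZcLKVGALuQtK+skeHEEvDE4nxaktNvTS2MaXnQIDAQAB
Finally, I added DKIM to Postfix. Installing DKIM is somewhat tedious; in my case, fetching the source with wget and building it did not succeed, probably because I did not set up site.config.m4 or got the define wrong.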
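An offline sanity check of the DKIM TXT record shown above, added here as an example (not code from the original post): it parses the tag list and reads the RSA modulus size out of the p= value. The function names are hypothetical; the record is the one published on this page.

```python
import base64

# default._domainkey TXT value as published on this page.
DKIM_TXT = (
    "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPY9DY0gk18N"
    "7osVZA6JzLoUzUuP7Q6s5DJyfGVKJUGxxwhg2WXY3jBN/McJdNg+jyUOr7+XVm9+VguJSZ"
    "DfzCsCHJOei0fTUpW7Xi4xRJaGMoIMiV1wovBHDSTk55xX4ihuMHZcLKVGALuQtK+skeHE"
    "EvDE4nxaktNvTS2MaXnQIDAQAB"
)

def parse_tags(record):
    """Split a DKIM tag=value list into a dict; whitespace in values is dropped."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos and return (content, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of an RSA key encoded as SubjectPublicKeyInfo."""
    spki, _ = _tlv(base64.b64decode(p_b64), 0)  # outer SEQUENCE
    _, pos = _tlv(spki, 0)                      # AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos)                 # BIT STRING
    rsa_key, _ = _tlv(bitstr[1:], 0)            # skip the unused-bits byte
    modulus, _ = _tlv(rsa_key, 0)               # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit(record):
    """Return a list of findings for one DKIM key record."""
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1")
    if "g" in tags:
        findings.append("g= is obsolete (dropped in RFC 6376)")
    if not tags.get("p"):
        findings.append("p= is missing or empty (an empty p= revokes the key)")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_bits(tags["p"])
        if bits < 2048:
            findings.append(f"RSA key is {bits} bits; RFC 8301 recommends 2048")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DKIM_TXT)))
```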

Here is another installation method, my own work (the earlier failed attempts are kept, commented out with #):

# This tutorial can be saved as a .sh file and executed to perform the installation

rpm -ivh http://download4.fedora.redhat.com/pub/epel/5/`uname -i`/dkim-milter-2.8.3-8.el5.`uname -i`.rpm --nodeps
wget -O dkim-milter.tar.gz "http://sourceforge.net/projects/dkim-milter/files/latest/download?source=files"
#wget -O dk-milter.tar.gz http://sourceforge.net/projects/dk-milter/files/latest/download
tar zxvf dkim-milter.tar.gz
#tar zxvf dk-milter.tar.gz
cd dkim-milter-*
#ln -s ../dk-milter-*/libdk
#cp site.config.m4.dist site.config.m4
#echo "define(`confMANROOT', `/usr/share/man/man')"  >> site.config.m4
#cp ./site.config.m4 devtools/Site/site.config.m4
#./Build
#./Build install
mkdir -p /etc/dkim-milter/keys/
cp ./dkim-filter/dkim-genkey.sh /etc/dkim-milter/keys/
cd /etc/dkim-milter/keys/
chmod +x ./dkim-genkey.sh
chown dkim-milter /etc/dkim-milter
chmod 700 /etc/dkim-milter
chgrp postfix /var/run/dkim-milter
chmod 770 /var/run/dkim-milter
./dkim-genkey.sh -r -d `hostname -f`
chown dkim-milter /etc/dkim-milter/keys/default.private
mv /etc/dkim-milter/keys/default.private /etc/dkim-milter/keys/default.key.pem

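# This generates default.txt and default.private
# Add the DNS TXT record based on the contents of default.txt
# default.private is now in place, renamed to default.key.pem, and ready to use
# Adjust the commands below to fit your own setup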

echo "*@kn007.net:kn007.net:/etc/dkim-milter/keys/default.key.pem" >> /etc/mail/dkim-milter/keys/keylist

echo 'USER="dkim-milter"' >> /etc/sysconfig/dkim-milter
echo 'PORT=local:/var/run/dkim-milter/dkim.sock' >> /etc/sysconfig/dkim-milter
echo 'SELECTOR_NAME="default"' >> /etc/sysconfig/dkim-milter
echo 'SIGNING_DOMAIN="kn007.net"' >> /etc/sysconfig/dkim-milter
echo 'KEYFILE="/etc/dkim-milter/keys/default.key.pem"' >> /etc/sysconfig/dkim-milter
echo 'SIGNER=yes' >> /etc/sysconfig/dkim-milter
echo 'VERIFIER=yes' >> /etc/sysconfig/dkim-milter
echo 'CANON=simple' >> /etc/sysconfig/dkim-milter
echo 'SIGALG=rsa-sha256' >> /etc/sysconfig/dkim-milter
echo 'REJECTION="bad=r,dns=t,int=t,no=a,miss=r"' >> /etc/sysconfig/dkim-milter
echo 'EXTRA_ARGS="-h -l -D"' >> /etc/sysconfig/dkim-milter

echo 'Canonicalization simple' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'AutoRestart yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'AutoRestartRate 10/1h' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Domain kn007.net' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'SubDomains yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Selector default' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'MTA MSA' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'KeyFile /etc/dkim-milter/keys/default.key.pem' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Background yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Socket local:/var/run/dkim-milter/dkim.sock' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'X-Header yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'LogWhy yes' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'Userid dkim-milter' >> /etc/mail/dkim-milter/dkim-filter.conf
echo 'SignatureAlgorithm rsa-sha256' >> /etc/mail/dkim-milter/dkim-filter.conf

echo 'smtpd_milters = local:/var/run/dkim-milter/dkim.sock' >> /etc/postfix/main.cf
echo 'non_smtpd_milters = local:/var/run/dkim-milter/dkim.sock' >> /etc/postfix/main.cf
echo 'milter_protocol = 2' >> /etc/postfix/main.cf
echo 'milter_default_action = accept' >> /etc/postfix/main.cf

chkconfig --level 345 dkim-milter on
service dkim-milter start
service postfix reload

# If you find bugs or mistakes, feel free to get in touch!

The installation method above applies to CentOS.

The DNS records currently in place:
[Screenshot of the DNS records]
I ran the setup through several test sites, and all of them reported no problems:
http://www.openspf.org/Why?show-form=1
The domain kn007.net has authorized 50.2.54.2 to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.
http://dkimcore.org/c/keycheck
This is a valid DKIM key record
http://www.brandonchecketts.com/emailtest.php
As long as your score is below 5, you shouldn't run into any serious delivery issues.
With all of this done, I honestly do not know whether DKIM is actually working, because the mail I send still carries no DKIM signature. Perhaps an expert can answer this one.
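A local check for the symptom described above, as an added example that is not part of the original post: it inspects a delivered message's headers for a DKIM-Signature whose d=, s= and a= match the domain, selector and algorithm configured in the script. The sample messages are constructed, the function name is hypothetical, and the signature itself is not verified cryptographically.

```python
from email import message_from_string

# Constructed sample messages for illustration (not captured mail).
UNSIGNED = (
    "From: blog@kn007.net\n"
    "To: reader@example.org\n"
    "Subject: comment reply\n"
    "\n"
    "Someone replied to your comment.\n"
)
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kn007.net;\n"
    "\ts=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    + UNSIGNED
)

def check_message(raw, domain="kn007.net", selector="default",
                  algorithm="rsa-sha256"):
    """Return (status, detail) for the DKIM-Signature headers in raw.

    status is "unsigned", "mismatch" or "signed"; for a signed message detail
    is the DNS name a verifier queries for the public key.
    """
    msg = message_from_string(raw)
    mismatches = []
    for header in msg.get_all("DKIM-Signature", []):
        # Folded header lines are joined by dropping whitespace inside values.
        pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
        tags = {k.strip(): "".join(v.split()) for k, v in pairs}
        got = (tags.get("d", "").lower(), tags.get("s"), tags.get("a"))
        if got == (domain, selector, algorithm):
            return "signed", f"{selector}._domainkey.{domain}"
        mismatches.append("d=%s s=%s a=%s" % got)
    if mismatches:
        return "mismatch", "; ".join(mismatches)
    return "unsigned", "no DKIM-Signature header; the milter did not sign it"

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, check_message(raw))
```

Save a received copy of a test message with full headers and pass its text to `check_message`; an "unsigned" result means the message never passed through the signing milter.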

When reposting, please credit the source: "Adding DKIM to Postfix and Completing the SPF Record in DNS" from kn007's Personal Blog


Comments

40 Comments
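  1. So complicated...

    1. MOD

      @Arch!Tech: It's not really that complicated. In the end I found that SPF is working, but DKIM has been shelved for now because the hosting provider doesn't support it.

  2. I've never understood what this is for, and I don't know how to set it up. With comment-reply notifications, I only see errors for mailboxes on the 163 domain.

    1. MOD

      @空空裤兜: Errors? This is a verification method; this kind of verification effectively reduces the chance of being classified as spam.

  3. I used to do it this way too, but it was just too much trouble, so I gave up and switched to Gmail.

    1. MOD

      @kslr: I'm not used to SMTP :o

  4. From your DNS records I can see that your DKIM is incomplete. DKIM is simple enough in principle, but doing it well is still a bit of a hassle.
    SPF check: pass
    DomainKeys check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham
    Mine is pretty much complete!

    1. MOD

      @今夜无眠: :lol: Where did you test it? Perhaps you could give me some pointers?

    2. @kn007:
      Add me on QQ: 83922808
      The process is a bit complicated, and I don't know what kind of mail you mainly send.
      There are two ways to test:
      check-auth-97500391=qq.com@verifier.port25.com
      check-auth-sogouwz=163.com@verifier.port25.com
      You can follow that, right?
      Just change the reply address: replace 97500391 and sogouwz with your own and you will receive the reply. Be sure to send from your own server.
      The second method:
      http://www.mail-tester.com/
      Here you can check your IP reputation. Hope this helps, haha.
      Your DKIM should in principle be a simple verification; to get the results I have, you still need to build on the basics.
      It's not that simple!

    3. MOD

      @今夜无眠: OK, I'll try it when I have some time. Thanks.
      I've also added you on QQ.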
