Назад | Перейти на главную страницу

Почему OpenDKIM не подписывает и не проверяет мои электронные письма? (CentOS 6.5, Postfix и OpenDKIM)

Я бегу:

CentOS 6.5
Postfix 2.6.6
opendkim: OpenDKIM Filter v2.9.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        USE_DB
        USE_UNBOUND
    libopendkim 2.9.0:

Я установил Zarafa, и все работает отлично. Затем я попытался установить OpenDKIM, и у меня возникли проблемы. Я установил это на другой сервер, на котором работает Zimbra, и никаких проблем не возникло. Однако этот сервер не работает. Мой файл / var / log / maillog даже не показывает НИКАКИХ указаний на openDKIM. По opendkim вообще ничего не логируется.

Мои записи DNS добавлены правильно. (проверено через DIG) Я пробовал два разных файла конфигурации, но это текущий:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Вот / etc / opendkim / SigningTable:

# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
*@mydomain.com dk_default._domainkey.mydomain.com


Here is /etc/opendkim/KeyTable:

# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.comefault:/etc/opendkim/keys/default.private
dk_default._domainkey.mydomain.com mydomain.comk_default:/etc/opendkim/keys/mydomain.com/dk_default


Here is /etc/opendkim/TrustedHosts:
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
#host.example.com
#192.168.1.0/24
172.20.6.178
mydomain.com
zarafa.mydomain.com

РЕДАКТИРОВАТЬ:

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/opt/yaffas/etc/ssl/certs/postfix.crt
smtpd_tls_key_file=/opt/yaffas/etc/ssl/certs/postfix.key
smtpd_use_tls=yes
smtp_tls_security_level = may
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mydestination =
myorigin = $mydomain
mynetworks = [::1]/128, [::ffff:127.0.0.0]/104, 127.0.0.0/8
virtual_mailbox_domains = localhost, zarafa.mydomain.com, mydomain.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = regexp:/etc/postfix/virtual_users_global, hash:/opt/yaffas/config/postfix/local-aliases.cf, hash:/opt/yaffas/config/postfix/public-folder-aliases.cf, hash:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:127.0.0.1:2003

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

content_filter = amavis:[127.0.0.1]:10024
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,
                             permit_sasl_authenticated,
                             reject_unauth_destination,
                             reject_unknown_recipient_domain,
                             check_client_access hash:/opt/yaffas/config/postfix/whitelist-postfix,
                             check_policy_service inet:127.0.0.1:12525,

sender_canonical_maps = hash:/etc/postfix/sender_canonical

transport_maps = hash:/opt/yaffas/config/postfix/transport-deliver-to-public
zarafa-publicfolder_destination_recipient_limit = 1
myhostname = zarafa.mydomain.com
message_size_limit = 20971520
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

/etc/postfix/master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -   -   n   -   1   scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

zarafa-publicfolder unix -      n      n    -    10      pipe
     flags=DORu user=vmail argv=/opt/yaffas/libexec/mailalias/zarafa-deliver-to-public ${nexthop}

РЕДАКТИРОВАТЬ: Кроме того, почему OpenDKIM не проверяет электронные письма? Когда я отправляю электронное письмо, я всегда получаю такие сообщения в моем журнале:

25 октября 21:13:32 zarafa postfix / smtp [7201]: ошибка проверки сертификата для megawatt.resistor.net [208.69.177.116]: 25: ненадежный эмитент / C = US / ST = New York / L = Brooklyn / O = Eland Systems / OU = Eland CA/CN=Eland/emailAddress=sm@elandsys.com

И не имеет значения, куда я отправляю сообщение. Я отправил его себе на сервер, который, как я ЗНАЮ, проходит проверку DKIM, и я все еще получаю его.

Для проверки электронной почты необходимо установить параметр режима в opendkim.conf так как sv (s означает подписание, v означает подтверждение). По умолчанию он проверяет все электронные письма, приходящие извне InternalHosts.

В вашей текущей конфигурации вы просто подписываете сообщение, пришедшее от InternalHosts.

Чтобы другие могли проверить вашу подпись электронной почты, вам необходимо опубликовать открытый ключ dkim в txt-записи файла зоны DNS.