gmail-smtp-in.l.google.com[2a00:1450:400c:c09::1a] said: 550-5.7.1
Unauthenticated email from example.com is not accepted due to 550-5.7.1
domain's DMARC policy. Please contact the administrator of 550-5.7.1
example.com domain if this was a legitimate mail. Please visit 550-5.7.1
https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1
DMARC initiative. 45si7665571wrz.435 - gsmtp (in reply to end of DATA
command)
Unfortunately, because of this error I cannot send e-mail to Gmail addresses. Every message bounces and I get "Undelivered Mail Returned to Sender". I set up openDMARC and created the DNS records. Apparently that was not enough. I checked with Mail-Tester.com and DMARC seems to be working.
Feedback from noreply-dmarc-support@google.com:
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>3720877337221476870</report_id>
<date_range>
<begin>1520035200</begin>
<end>1520121599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>example.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>1.2.3.4</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
DNS records
mail IN A 1.2.3.4
@ IN MX 10 mail
@ IN TXT "v=spf1 mx -all"
default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2jjp/PoG+sdeuzlZ6uXIxoKSKphQvVwVB2MU8rye0wdxBvQhGrRquYBIc+Hz/vZX+ZNL5aQPWKP6HLA0OsFhCHlURxolQiv0aOYq7n4l+p00ToXxW6C+hinrK+N13+ast24znQ9zdIdkjf/z9ATdoxWmbTKAyNYQXC1vnGGoZclEq8AJID143MWtyXCRE5cvkUcDHUhukfupqm" "6Ho65JPyc4OKYP2v56zrrUvpuItLwdxRd50//tQy6Klorst+MltgsY7Ph9CMtXVEc9gMFbeYXVe6MMmp/WaLEU1Sx1N7ZkRxJrBXuWtBY5D1ZfyLP0e7LsMRqkl5W29+fi8+7O3wIDAQAB"
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_reports@example.com"
Postfix main.cf
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
inet_interfaces = all
inet_protocols = all
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
# SSL/TLS parameters
# Incoming
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file=/etc/ssl/dh_2048.pem
smtpd_tls_dh512_param_file=/etc/ssl/dh_512.pem
# Outgoing
smtp_tls_loglevel = 1
smtp_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtp_use_tls=yes
smtp_tls_security_level=may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_ciphers=high
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
# Mailbox
home_mailbox = Maildir/
mailbox_command =
# DOVECOT
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client bl.spamcop.net,
check_policy_service unix:private/policy-spf,
check_sender_access hash:/etc/postfix/sender_access,
check_recipient_access hash:/etc/postfix/recipient_access,
permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
# DKIM
milter_default_action = accept
milter_protocol = 6
# DKIM and OpenDMARC
smtpd_milters = inet:localhost:12345, inet:localhost:6789
non_smtpd_milters = inet:localhost:12345, inet:localhost:6789
# SPF
policy-spf_time_limit = 3600s
# Amavis
content_filter = smtp-amavis:127.0.0.1:10024
receive_override_options = no_address_mappings
disable_vrfy_command = yes
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
I have no idea how to deal with this. Any help is appreciated.
One more thing: "hostname --fqdn" gives "example.com". Do I need to set it to mail.example.com?
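The report above is the thing to read first when Gmail bounces with a DMARC error: for every source IP it lists the raw SPF/DKIM results and the disposition the receiver applied. The script below is an added example (not the poster's code, and not from Google or OpenDMARC) that recomputes the DMARC verdict from the raw results and the published alignment modes, then flags any row where the computed disposition disagrees with the reported one. It embeds the record from the post plus a second, constructed record (203.0.113.5, nothing authenticated) to show the reject path; relaxed alignment is approximated by a parent/child label check rather than a Public Suffix List lookup.

```python
"""Triage a DMARC aggregate (RUA) report: recompute the verdict for each
source IP from the raw SPF/DKIM results and the published alignment modes,
then compare it with the disposition the receiver reported.
Added example for this post; not Google's, OpenDMARC's or the poster's code.
Standard library only, so it runs offline."""
import xml.etree.ElementTree as ET

# First <record> is the one from the post; the second (203.0.113.5, nothing
# authenticated) is constructed here to show the reject path.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>google.com</org_name>
<report_id>3720877337221476870</report_id></report_metadata>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
<p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
<record>
<row><source_ip>1.2.3.4</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
</policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
</record>
<record>
<row><source_ip>203.0.113.5</source_ip><count>3</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
</policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results>
<dkim><domain>example.com</domain><selector>default</selector><result>fail</result></dkim>
<spf><domain>example.com</domain><result>fail</result></spf>
</auth_results>
</record>
</feedback>"""


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment. 's' = exact match; 'r' = organizational
    domain match, approximated by a parent/child label check (no PSL)."""
    a = (auth_domain or "").lower().rstrip(".")
    h = (header_from or "").lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def parse_report(xml_text):
    """Return (policy_published as dict, list of per-source records)."""
    root = ET.fromstring(xml_text)
    policy = {c.tag: (c.text or "").strip() for c in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "reported_disposition": rec.findtext("row/policy_evaluated/disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf": [(e.findtext("domain"), e.findtext("result"))
                    for e in rec.findall("auth_results/spf")],
            "dkim": [(e.findtext("domain"), e.findtext("selector"), e.findtext("result"))
                     for e in rec.findall("auth_results/dkim")],
        })
    return policy, records


def dmarc_verdict(policy, record):
    """DMARC passes when at least one ALIGNED identifier (SPF or DKIM) passed."""
    hf = (record["header_from"] or "").lower()
    spf_ok = any(res == "pass" and aligned(dom, hf, policy.get("aspf", "r"))
                 for dom, res in record["spf"])
    dkim_ok = any(res == "pass" and aligned(dom, hf, policy.get("adkim", "r"))
                  for dom, _sel, res in record["dkim"])
    passed = spf_ok or dkim_ok
    # p= applies to the domain itself, sp= to its subdomains.
    applicable = policy.get("p", "none")
    if hf != policy.get("domain", "").lower() and policy.get("sp"):
        applicable = policy["sp"]
    expected = "none" if passed else applicable
    # With pct= below 100 the receiver samples, so a weaker reported
    # disposition than expected is not necessarily an error.
    return {
        "source_ip": record["source_ip"],
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc_pass": passed,
        "expected_disposition": expected,
        "reported_disposition": record["reported_disposition"],
        "mismatch": expected != record["reported_disposition"],
    }


def triage(xml_text):
    policy, records = parse_report(xml_text)
    return [dmarc_verdict(policy, r) for r in records]


if __name__ == "__main__":
    for v in triage(SAMPLE_REPORT):
        state = "pass" if v["dmarc_pass"] else "FAIL"
        print(f'{v["source_ip"]:>13}  dmarc={state}  expected={v["expected_disposition"]}'
              f'  reported={v["reported_disposition"]}{"  <-- mismatch" if v["mismatch"] else ""}')
        if not v["dkim_aligned_pass"]:
            print("               DKIM not aligned/passing: check the signing selector and key")
        if not v["spf_aligned_pass"]:
            print("               SPF not aligned/passing: check the envelope sender and SPF record")
```

Run against the report in the post, the 1.2.3.4 row comes out as a DMARC pass through SPF alone with DKIM failing, which is consistent with the reported disposition of none; the constructed row shows what a reject looks like. A row where the computed and reported dispositions disagree, with pct=100, is the one to investigate.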
I think I fixed it; the faulty part was opendkim, not openDMARC.
I trimmed its configuration and added the correct selector. Now all mail reaches Gmail.
Before:
AutoRestartRate 10/1M
AutoRestart yes
Background yes
Canonicalization relaxed/simple
DNSTimeout 5
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy yes
Mode sv
OversignHeaders From
PidFile /var/run/opendkim/opendkim.pid
#ResolverConfiguration /etc/unbound/unbound.conf
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket local:/var/run/opendkim/opendkim.sock
Syslog yes
TemporaryDirectory /var/tmp
TrustAnchorFile /usr/share/dns/root.key
UMask 0002
UserID opendkim:opendkim
Nameservers 8.8.8.8,8.8.4.4
After:
Domain example.com
Selector default
KeyFile /etc/opendkim/keys/example.com/default.private
Canonicalization relaxed/simple
AutoRestart yes
AutoRestartRate 10/1M
Background yes
PidFile /var/run/opendkim/opendkim.pid
Socket local:/var/run/opendkim/opendkim.sock
LogResults yes
LogWhy yes
SyslogSuccess yes
Statistics /var/log/dkim-filter/dkim-stats
TemporaryDirectory /var/tmp
UMask 0002
UserID opendkim:opendkim
TrustAnchorFile /var/lib/unbound/root.key
Unbound as a local resolver and TrustAnchorFile:
apt install unbound resolvconf
su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
systemctl reload unbound
echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
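The fix above came down to OpenDKIM signing with a selector and key that match what is published at selector._domainkey.domain. The following is an added example (not OpenDKIM's code and not the poster's) that checks the other half of that pairing, the published TXT record, offline: it joins the split quoted strings the way a resolver returns them, parses the DKIM tag list, base64-decodes p= and walks the DER SubjectPublicKeyInfo just far enough to confirm it is an RSA key of acceptable size. The record embedded is the default._domainkey record from the question; the dkim_dns_name helper is mine and simply spells out the name the Selector/Domain pair in opendkim.conf resolves to.

```python
"""Sanity-check a DKIM selector TXT record as written in a zone file.
Added example for this answer; not OpenDKIM's code and not from the poster.
Standard library only: joins the split quoted strings, parses tag=value,
base64-decodes p= and walks the DER SubjectPublicKeyInfo far enough to
recover the RSA modulus size and exponent."""
import base64
import re

# The default._domainkey record from the question, as written in the zone
# file: three quoted strings, because one TXT string is capped at 255 bytes.
ZONE_RDATA = (
    '"v=DKIM1; h=sha256; k=rsa; s=email; " '
    '"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2jjp/PoG+sdeuzlZ6uXIxoKSKphQvVwVB2MU8rye0wdxBvQhGrRquYBIc+Hz/vZX+ZNL5aQPWKP6HLA0OsFhCHlURxolQiv0aOYq7n4l+p00ToXxW6C+hinrK+N13+ast24znQ9zdIdkjf/z9ATdoxWmbTKAyNYQXC1vnGGoZclEq8AJID143MWtyXCRE5cvkUcDHUhukfupqm" '
    '"6Ho65JPyc4OKYP2v56zrrUvpuItLwdxRd50//tQy6Klorst+MltgsY7Ph9CMtXVEc9gMFbeYXVe6MMmp/WaLEU1Sx1N7ZkRxJrBXuWtBY5D1ZfyLP0e7LsMRqkl5W29+fi8+7O3wIDAQAB"'
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def dkim_dns_name(selector, domain):
    """Name that OpenDKIM's Selector/Domain pair resolves to (hypothetical helper)."""
    return f"{selector}._domainkey.{domain}"


def join_txt_strings(rdata):
    """Concatenate the quoted strings of a TXT RDATA field, as a resolver does."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_dkim_tags(txt):
    """tag=value list per RFC 6376; whitespace inside values is insignificant."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def _der(buf, pos):
    """Read one DER TLV at pos: returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(spki_der):
    """Return (modulus_bits, exponent) from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _der(spki_der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, algid, pos = _der(spki, 0)          # AlgorithmIdentifier
    oid_tag, oid, _ = _der(algid, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der(spki, pos)         # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsa_pub, _ = _der(bits, 1)          # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = _der(rsa_pub, 0)
    _, e, _ = _der(rsa_pub, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_dkim_record(rdata):
    tags = parse_dkim_tags(join_txt_strings(rdata))
    problems = []
    if "v" in tags and (tags["v"] != "DKIM1" or list(tags)[0] != "v"):
        problems.append("v= must be DKIM1 and must be the first tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is handled here")
    result = {"tags": tags, "modulus_bits": 0, "exponent": 0, "problems": problems}
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
        return result
    try:
        bits, exp = rsa_public_key_info(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
        problems.append(f"p= is not a base64 RSA SubjectPublicKeyInfo: {exc}")
        return result
    result.update(modulus_bits=bits, exponent=exp)
    if bits < 1024:
        problems.append(f"{bits}-bit key: verifiers must reject keys under 1024 bits (RFC 8301)")
    elif bits < 2048:
        problems.append(f"{bits}-bit key: 2048 bits is the recommended minimum (RFC 8301)")
    return result


if __name__ == "__main__":
    print(dkim_dns_name("default", "example.com"))
    print(check_dkim_record(ZONE_RDATA))
```

The record from the question checks out: a 2048-bit rsaEncryption key with exponent 65537, v= first, k=rsa. The cases this catches in practice are a p= that was pasted without one of the split strings (the base64 then fails to decode or the DER walk runs off the end), a stray line break left inside a quoted string, and a 1024-bit or smaller key.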