Назад | Перейти на главную страницу

Текст электронного письма изменен после подписания DKIM

У меня есть почтовый сервер postfix, который использует amavisd-new для сканирования вирусов, спама, проверки DKIM и подписи DKIM. В частности, у меня проблемы с подписью DKIM.

Amavisd-new подписывает электронное письмо, но где-то после подписания электронного письма тело письма изменяется. Я выяснил это с помощью теста доставляемости на mxtoolbox, но не знаю, где это происходит.

Могу ли я помочь определить, где изменяется тело после подписания?

Это мои файлы конфигурации:

master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/smtpd_sender_login_maps.cf
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/sql/smtpd_sender_login_maps.cf
  -o smtpd_client_restrictions=permit_mynetworks,permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

pickup    unix  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks

##### snip #####

# For Amavis
smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks,no_milters

127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o strict_rfc821_envelopes=yes
  -o mynetworks=127.0.0.1/32
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks,no_milters

main.cf

##### snip #####

header_checks = regexp:/etc/postfix/header_checks
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

##### snip #####

milter_default_action = accept
milter_protocol = 6

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_cert_file = /etc/letsencrypt/live/domain.tld/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/domain.tld/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_host_lookup = native
smtp_connect_timeout = 60s
smtp_helo_timeout = 600s
#non_smtpd_milters = $smtpd_milters
non_smtpd_milters = inet:[127.0.0.1]:8893

##### snip #####

content_filter = smtp-amavis:[127.0.0.1]:10024
anvil_rate_time_unit = 60s

amadvisd.conf

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g

$mydomain = 'domain.tld';   # a convenient default for other settings

$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "$MYHOME/quarantine";      # -Q
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "/var/run/amavisd/amavisd.lock";  # -L
$pid_file  = "/var/run/amavisd/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

$log_level = 1;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$do_syslog = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

dkim_key('domain.tld', 'default', '/etc/amavisd/dkim/domain.tld.pem');
dkim_key('autoreply.domain.tld', 'default', '/etc/amavisd/dkim/autoreply.domain.tld.pem');

@dkim_signature_options_bysender_maps = ({
  "domain.tld" => { d => "domain.tld", a => 'rsa-sha256', ttl => 10*24*3600 },
  "autoreply.domain.tld" => { d => "autoreply.domain.tld", a => 'rsa-sha256', ttl => 10*24*3600 },
});

@local_domains_maps = ( [".$mydomain"] );  # list of all local domains

@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$unix_socketname = "/var/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname

# $inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';
$interface_policy{'10024'} = 'TERMINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps  => ["postmaster\@$mydomain"],
  spam_admin_maps   => ["postmaster\@$mydomain"],
  banned_admin_maps => ["postmaster\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  #forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$policy_bank{'TERMINATING'} = {
  bad_header_lovers_maps => [[qw(.businessconnect.nl)]],
  bypass_header_checks_maps => [[qw(.businessconnect.nl)]],
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

##### snip #####