web-dev-qa-db-ja.com

OpenDKIMが私の電子メールに署名および検証しないのはなぜですか? (CentOS 6.5、PostfixおよびOpenDKIM)

私が実行している:

CentOS 6.5
Postfix 2.6.6
opendkim: OpenDKIM Filter v2.9.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        USE_DB
        USE_UNBOUND
    libopendkim 2.9.0:

Zarafaをインストールしましたが、everythignは完全に実行されています。次に、OpenDKIMをインストールしようとしましたが、問題が発生しました。 Zimbraを実行している別のサーバーにこれをインストールしましたが、まったく問題はありませんでした。ただし、このサーバーは連携していません。私の/ var/log/maillogファイルには、openDKIMの兆候すら表示されていません。 opendkimに関しては何もログに記録されていません。

DNSレコードが正しく追加されます。 (Digでテスト)2つの異なる設定ファイルを試しましたが、これは現在のものです:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

/ etc/opendkim/SigningTableは次のとおりです。

# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@Host is checked first, then simply Host,
# then [email protected] (with all superdomains checked in sequence, so "foo.example.com"
# would first check "[email protected]", then "[email protected]", then "[email protected]"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
*@mydomain.com dk_default._domainkey.mydomain.com


Here is /etc/opendkim/KeyTable:

# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.comefault:/etc/opendkim/keys/default.private
dk_default._domainkey.mydomain.com mydomain.comk_default:/etc/opendkim/keys/mydomain.com/dk_default


Here is /etc/opendkim/TrustedHosts:
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
#Host.example.com
#192.168.1.0/24
172.20.6.178
mydomain.com
zarafa.mydomain.com

編集:

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/opt/yaffas/etc/ssl/certs/postfix.crt
smtpd_tls_key_file=/opt/yaffas/etc/ssl/certs/postfix.key
smtpd_use_tls=yes
smtp_tls_security_level = may
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mydestination =
myorigin = $mydomain
mynetworks = [::1]/128, [::ffff:127.0.0.0]/104, 127.0.0.0/8
virtual_mailbox_domains = localhost, zarafa.mydomain.com, mydomain.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = regexp:/etc/postfix/virtual_users_global, hash:/opt/yaffas/config/postfix/local-aliases.cf, hash:/opt/yaffas/config/postfix/public-folder-aliases.cf, hash:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:127.0.0.1:2003

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

content_filter = amavis:[127.0.0.1]:10024
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,
                             permit_sasl_authenticated,
                             reject_unauth_destination,
                             reject_unknown_recipient_domain,
                             check_client_access hash:/opt/yaffas/config/postfix/whitelist-postfix,
                             check_policy_service inet:127.0.0.1:12525,

sender_canonical_maps = hash:/etc/postfix/sender_canonical

transport_maps = hash:/opt/yaffas/config/postfix/transport-deliver-to-public
zarafa-publicfolder_destination_recipient_limit = 1
myhostname = zarafa.mydomain.com
message_size_limit = 20971520
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

/etc/postfix/master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -   -   n   -   1   scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

zarafa-publicfolder unix -      n      n    -    10      pipe
     flags=DORu user=vmail argv=/opt/yaffas/libexec/mailalias/zarafa-deliver-to-public ${nexthop}

編集:また、OpenDKIMが電子メールを検証しないのはなぜですか?メールを送信すると、常に次のようなメッセージがログに返されます。

10月25日21:13:32zarafa postfix/smtp [7201]:megawatt.resistor.net [208.69.177.116]の証明書検証に失敗しました:25:信頼できない発行者/ C = US/ST = New York/L = Brooklyn/O = Eland Systems/OU = Eland CA/CN = Eland/emailAddress = [email protected]

そして、私がどこにメッセージを送るかは問題ではありません。 DKIM検証に合格していることがわかっているサーバーで自分に送信しましたが、まだ取得しています。

1
Jim Thornton

電子メールを検証するには、opendkim.confの-​​ モードパラメータsvとして設定する必要があります(sは署名を意味し、vは検証を意味します)。デフォルトでは、InternalHostsの外部から送信されたすべての電子メールを検証します。

現在の構成では、InternalHostsからのメッセージに署名するだけです。

2
tpml7

他の人があなたの電子メールの署名を確認できるようにするには、DNSゾーンファイルのtxtレコードでdkim公開鍵を公開する必要があります。

0
Sergey