Zhihu Column | Multidimensional Architecture | WeChat ID netkiller-ebook | QQ group: 128659835, please state "reader" |
DKIM (DomainKeys Identified Mail) is an email authentication technique that uses cryptography to provide signing and verification of messages. DKIM raises the trustworthiness of the mail you send.
Install OpenDKIM (the environment is CentOS 7)
yum install -y opendkim
View the configuration file
[root@mail.netkiller.cn ~]# egrep -v "^#|^$" /etc/opendkim.conf
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
SendReports yes
SoftwareHeader yes
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/default.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
InternalHosts refile:/etc/opendkim/TrustedHosts
OversignHeaders From
Generate the public and private keys. Replace example.com with your own domain.
mkdir /etc/opendkim/keys/example.com
opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim: /etc/opendkim/keys/example.com
ln -s /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/default.private
Add your domain example.com to /etc/opendkim/KeyTable in the following format:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
Next, edit /etc/opendkim/SigningTable and add the following record:
*@example.com default._domainkey.example.com
Add the trusted hosts to /etc/opendkim/TrustedHosts, normally example.com / mail.example.com:
example.com
mail.example.com
Note: TrustedHosts holds the IP addresses of the machines that submit mail, not the mail server's own IP. For example, if your web server connects to the mail server to send email, then the web server's IP address is what goes into TrustedHosts. Mail arriving from these hosts is signed rather than verified, so list only hosts you control.
At this point opendkim is fully configured.
Now the DNS TXT record for the domain needs to be published. Open the file /etc/opendkim/keys/example.com/default.txt and create the record according to its contents:
cat /etc/opendkim/keys/example.com/default.txt
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5anjIUkTgJT8DSBL2tiydi6DZLIMnPnveFBcyKshwIuGeRzIN2PwQW5F/bvQWdatPLGuw0w5mKXtATJtarbWXy89BgjcJgAGrPSr8GdzsNH0RXRqTy1A21BQyGER3Mx2Fbr6J62reTG2i7jY0w3/cxzuFIGlSn/RP/KrlMze4zQIDAQAB" )  ; ----- DKIM key default for example.com
Next, configure Postfix. To integrate OpenDKIM into Postfix, edit /etc/postfix/main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Start opendkim and restart postfix
systemctl enable opendkim.service
systemctl start opendkim.service
systemctl restart postfix.service
Check the opendkim status and listening port
# systemctl status opendkim.service
● opendkim.service - DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-08-25 02:07:42 EDT; 6s ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 12577 ExecStart=/usr/sbin/opendkim $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 12578 (opendkim)
   CGroup: /system.slice/opendkim.service
           └─12578 /usr/sbin/opendkim -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid

Aug 25 02:07:42 localhost.localdomain systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
Aug 25 02:07:42 localhost.localdomain systemd[1]: Started DomainKeys Identified Mail (DKIM) Milter.
Aug 25 02:07:42 localhost.localdomain opendkim[12578]: OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)

# ss -lnt | grep 8891
LISTEN     0      128    127.0.0.1:8891             *:*
Create the key (this run is for the domain mydomain.com)
mkdir /etc/opendkim/keys/mydomain.com
opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -r -d mydomain.com
chown -R opendkim: /etc/opendkim/keys/mydomain.com
Configure the KeyTable
default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private
Configure the SigningTable
*@mydomain.com default._domainkey.mydomain.com
/var/log/maillog
Aug 26 03:02:03 localhost postfix/smtpd[5837]: connect from unknown[155.133.82.144]
Aug 26 03:02:03 localhost opendkim[5762]: configuration reloaded from /etc/opendkim.conf
Aug 26 03:02:04 localhost postfix/smtpd[5837]: lost connection after AUTH from unknown[155.133.82.144]
Aug 26 03:02:04 localhost postfix/smtpd[5837]: disconnect from unknown[155.133.82.144]
Aug 26 03:02:09 localhost postfix/smtpd[5837]: connect from unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/smtpd[5837]: 27EEC802C1C5: client=unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/cleanup[5843]: 27EEC802C1C5: message-id=<1770496307.0.1472194929612@Server>
Aug 26 03:02:10 localhost opendkim[5762]: 27EEC802C1C5: DKIM-Signature field added (s=default, d=mydomain.com)
Aug 26 03:02:10 localhost postfix/qmgr[4605]: 27EEC802C1C5: from=<neo@netkiller.cn>, size=531, nrcpt=1 (queue active)
Aug 26 03:02:10 localhost postfix/smtpd[5837]: disconnect from unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/smtp[5844]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25: Network is unreachable
Aug 26 03:02:11 localhost postfix/smtp[5844]: 27EEC802C1C5: to=<netkiller@msn.com>, relay=gmail-smtp-in.l.google.com[74.125.25.26]:25, delay=1.6, delays=0.58/0.01/0.48/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK 1472194931 om6si19759602pac.41 - gsmtp)
Aug 26 03:02:11 localhost postfix/qmgr[4605]: 27EEC802C1C5: removed
View the message source. If everything is working, both the DKIM-Filter and DKIM-Signature headers are present:
Delivered-To: netkiller@msn.com
Received: by 10.28.169.3 with SMTP id s3csp180808wme;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
X-Received: by 10.66.10.234 with SMTP id l10mr3141577pab.69.1472194931522;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
Return-Path: <neo@netkiller.cn>
Received: from mail.mydomain.com ([104.243.134.186])
        by mx.google.com with ESMTP id om6si19759602pac.41.2016.08.26.00.02.11
        for <netkiller@msn.com>;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of neo@netkiller.cn designates 104.243.134.186 as permitted sender) client-ip=104.243.134.186;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@mydomain.com;
       spf=pass (google.com: domain of neo@netkiller.cn designates 104.243.134.186 as permitted sender) smtp.mailfrom=neo@netkiller.cn
Received: from Server (unknown [202.130.101.34])
        by mail.mydomain.com (Postfix) with ESMTP id 27EEC802C1C5
        for <netkiller@msn.com>; Fri, 26 Aug 2016 03:02:09 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.mydomain.com 27EEC802C1C5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
        s=default; t=1472194930;
        bh=aTYsMuMwFaanDPkTLEncpu/hxKsNsCaozbJRmQJ6aho=;
        h=Date:From:To:Subject:From;
        b=qPYy2TPDv+zxHQ2gqGOwVsgRm42E3p6WvSxdXgUaLtkY6LH6657cdEa96HYJLVqHC
         EygkTz+3n7WePhGH9jAJrb/PBrGIK1XVCREz4ayfUxc3QUwFSQ9o+5ULkExxdhyRUu
         4TiCbkcUMbYI3YXJqGiU0OBCyTq655trOaWBby+k=
Date: Fri, 26 Aug 2016 15:02:09 +0800 (CST)
From: neo@netkiller.cn
To: netkiller@msn.com
Message-ID: <1770496307.0.1472194929612@Server>
Subject: =?UTF-8?B?5Li76aKY77ya566A5Y2V6YKu5Lu2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

5rWL6K+V6YKu5Lu25YaF5a65
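An added check, not part of the original post, that ties the DNS TXT step and the message headers above together: it pulls d= and s= out of a DKIM-Signature header like the one shown, derives the DNS name a receiver queries, rebuilds the single TXT value from the default.txt zone snippet shown earlier, and reports the same outcomes a verifier does, including the dkim=temperror (no key for signature) that Gmail returned above, which is what you see when the selector record has not been published or has not propagated yet. The header and zone snippet embedded in the code are constructed samples with the key material shortened.

```python
import re

# Constructed sample: the DKIM-Signature header from the message above (b= shortened).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; "
             "t=1472194930; bh=aTYsMuMwFaanDPkTLEncpu/hxKsNsCaozbJRmQJ6aho=; "
             "h=Date:From:To:Subject:From; b=qPYy2TPDv+zxHQ2gqGOwVsgRm42E3p6W")

# Constructed sample: the zone snippet opendkim-genkey writes to default.txt (p= truncated).
GENKEY_TXT = ('default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; " '
              '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5anjIUkTgJT8DSBL2" )'
              ' ; ----- DKIM key default for mydomain.com')

def parse_tags(value):
    """Split an RFC 6376 tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dns_name(sig):
    """A receiver looks up <selector>._domainkey.<domain> built from the s= and d= tags."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def txt_value_from_genkey(zone_text):
    """Join the quoted segments of the genkey output into the one TXT value to publish."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))

def check_key(sig, published):
    """Classify the published record the way a verifier does; None means no TXT record."""
    if published is None:
        return "temperror: no key for signature"        # what Gmail reported above
    key = parse_tags(published)
    if key.get("v", "DKIM1") != "DKIM1":                # v= is optional, defaults to DKIM1
        return "permerror: unsupported key version"
    if key.get("k", "rsa") != sig["a"].split("-")[0]:   # k= must match the a= algorithm
        return "permerror: key type does not match a= tag"
    if not key.get("p"):                                # empty p= means the key is revoked
        return "permerror: key revoked (empty p=)"
    return "pass: key usable"

if __name__ == "__main__":
    sig = parse_tags(SIGNATURE)
    print(dns_name(sig), "->", check_key(sig, None))
    print(dns_name(sig), "->", check_key(sig, txt_value_from_genkey(GENKEY_TXT)))
```

On the live server, opendkim-testkey -d mydomain.com -s default -vvv performs the same lookup against real DNS (add -k with the private key path to also confirm it matches the published record).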