Home | 簡體中文 | 繁體中文 | 雜文 | 知乎專欄 | Github | OSChina 博客 | 雲社區 | 雲棲社區 | Facebook | Linkedin | 視頻教程 | 打賞(Donations) | About
知乎專欄多維度架構 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者”

62.4. dkim

DKIM(DomainKeys Identified Mail) 是一種電子郵件的驗證技術,使用密碼學的基礎提供了簽名與驗證的功能。DKIM 能增加你郵件的信任度。

安裝 OpenDKIM 環境是CentOS 7

			yum install -y opendkim
		

查看配置檔案

			[root@mail.netkiller.cn ~]# egrep -v "^#|^$" /etc/opendkim.conf
			PidFile /var/run/opendkim/opendkim.pid
			Mode sv
			Syslog yes
			SyslogSuccess yes
			LogWhy yes
			UserID opendkim:opendkim
			Socket inet:8891@localhost
			Umask 002
			SendReports yes
			SoftwareHeader yes
			Canonicalization relaxed/relaxed
			Selector default
			MinimumKeyBits 1024
			KeyFile /etc/opendkim/keys/default.private
			KeyTable /etc/opendkim/KeyTable
			SigningTable refile:/etc/opendkim/SigningTable
			InternalHosts refile:/etc/opendkim/TrustedHosts
			OversignHeaders From
		

生成公鑰和私鑰example.com 替換成你的域名

			mkdir /etc/opendkim/keys/example.com
			opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
			chown -R opendkim: /etc/opendkim/keys/example.com
			ln -s /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/default.private
		

將你域名example.com添加到/etc/opendkim/KeyTable格式如下:

			default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private
		

接下來修改 /etc/opendkim/SigningTable 並添加如下記錄

			*@example.com default._domainkey.example.com
		

添加信任主機到/etc/opendkim/TrustedHosts,通常是 example.com / mail.example.com

			example.com
			mail.example.com
		

注意:TrustedHosts 是發送郵件機器的IP,不是郵件伺服器的IP,例如你的WEB伺服器連接到郵件伺服器發送電子郵件,那麼TrustedHosts 就是你的WEB伺服器IP地址。

至此 opendkim 已經配置完畢。

現在需要配置域名TXT記錄解析,開打檔案 /etc/opendkim/keys/example.com/default.txt 參照下面配置

			cat /etc/opendkim/keys/example.com/default.txt
			default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
			"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5anjIUkTgJT8DSBL2tiydi6DZLIMnPnveFBcyKshwIuGeRzIN2PwQW5F/bvQWdatPLGuw0w5mKXtATJtarbWXy89BgjcJgAGrPSr8GdzsNH0RXRqTy1A21BQyGER3Mx2Fbr6J62reTG2i7jY0w3/cxzuFIGlSn/RP/KrlMze4zQIDAQAB" ) ; ----- DKIM key default for example.com
		

接下來配置postfix把OpenDKIM整合到Postfix修改/etc/postfix/main.cf

			smtpd_milters = inet:127.0.0.1:8891
			non_smtpd_milters = $smtpd_milters
			milter_default_action = accept
			milter_protocol = 2
		

啟動 opendkim,重啟 postfix

			systemctl enable opendkim.service
			systemctl start opendkim.service
			systemctl restart postfix.service
		

檢查opendkim狀態與連接埠

			# systemctl status opendkim.service
			● opendkim.service - DomainKeys Identified Mail (DKIM) Milter
			Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; vendor preset: disabled)
			Active: active (running) since Thu 2016-08-25 02:07:42 EDT; 6s ago
			Docs: man:opendkim(8)
			man:opendkim.conf(5)
			man:opendkim-genkey(8)
			man:opendkim-genzone(8)
			man:opendkim-testadsp(8)
			man:opendkim-testkey
			http://www.opendkim.org/docs.html
			Process: 12577 ExecStart=/usr/sbin/opendkim $OPTIONS (code=exited, status=0/SUCCESS)
			Main PID: 12578 (opendkim)
			CGroup: /system.slice/opendkim.service
			└─12578 /usr/sbin/opendkim -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid

			Aug 25 02:07:42 localhost.localdomain systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
			Aug 25 02:07:42 localhost.localdomain systemd[1]: Started DomainKeys Identified Mail (DKIM) Milter.
			Aug 25 02:07:42 localhost.localdomain opendkim[12578]: OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)


			# ss -lnt |
			grep 8891
			LISTEN 0 128 127.0.0.1:8891 *:*
		

62.4.1. 增加域名

創建證書

				mkdir /etc/opendkim/keys/mydomain.com
				opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -r -d mydomain.com
				chown -R opendkim: /etc/opendkim/keys/mydomain.com
			

配置 KeyTable

				default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private
			

配置 SigningTable

				*@mydomain.com default._domainkey.mydomain.com
			

62.4.2. 測試

/var/log/maillog

			
Aug 26 03:02:03 localhost postfix/smtpd[5837]: connect from unknown[155.133.82.144]
Aug 26 03:02:03 localhost opendkim[5762]: configuration reloaded from /etc/opendkim.conf
Aug 26 03:02:04 localhost postfix/smtpd[5837]: lost connection after AUTH from unknown[155.133.82.144]
Aug 26 03:02:04 localhost postfix/smtpd[5837]: disconnect from unknown[155.133.82.144]
Aug 26 03:02:09 localhost postfix/smtpd[5837]: connect from unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/smtpd[5837]: 27EEC802C1C5: client=unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/cleanup[5843]: 27EEC802C1C5: message-id=<1770496307.0.1472194929612@Server>
Aug 26 03:02:10 localhost opendkim[5762]: 27EEC802C1C5: DKIM-Signature field added (s=default, d=mydomain.com)
Aug 26 03:02:10 localhost postfix/qmgr[4605]: 27EEC802C1C5: from=<neo@netkiller.cn>, size=531, nrcpt=1 (queue active)
Aug 26 03:02:10 localhost postfix/smtpd[5837]: disconnect from unknown[202.130.101.34]
Aug 26 03:02:10 localhost postfix/smtp[5844]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25: Network is unreachable
Aug 26 03:02:11 localhost postfix/smtp[5844]: 27EEC802C1C5: to=<netkiller@msn.com>, relay=gmail-smtp-in.l.google.com[74.125.25.26]:25, delay=1.6, delays=0.58/0.01/0.48/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK 1472194931 om6si19759602pac.41 - gsmtp)
Aug 26 03:02:11 localhost postfix/qmgr[4605]: 27EEC802C1C5: removed			
			
			

查看原件原文,如果正常會顯示DKIM-Filter和DKIM-Signature兩項

			
Delivered-To: netkiller@msn.com
Received: by 10.28.169.3 with SMTP id s3csp180808wme;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
X-Received: by 10.66.10.234 with SMTP id l10mr3141577pab.69.1472194931522;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
Return-Path: <neo@netkiller.cn>
Received: from mail.mydomain.com ([104.243.134.186])
        by mx.google.com with ESMTP id om6si19759602pac.41.2016.08.26.00.02.11
        for <netkiller@msn.com>;
        Fri, 26 Aug 2016 00:02:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of neo@netkiller.cn designates 104.243.134.186 as permitted sender) client-ip=104.243.134.186;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@mydomain.com;
       spf=pass (google.com: domain of neo@netkiller.cn designates 104.243.134.186 as permitted sender) smtp.mailfrom=neo@netkiller.cn
Received: from Server (unknown [202.130.101.34])
	by mail.mydomain.com (Postfix) with ESMTP id 27EEC802C1C5
	for <netkiller@msn.com>; Fri, 26 Aug 2016 03:02:09 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.mydomain.com 27EEC802C1C5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
	s=default; t=1472194930;
	bh=aTYsMuMwFaanDPkTLEncpu/hxKsNsCaozbJRmQJ6aho=;
	h=Date:From:To:Subject:From;
	b=qPYy2TPDv+zxHQ2gqGOwVsgRm42E3p6WvSxdXgUaLtkY6LH6657cdEa96HYJLVqHC
	 EygkTz+3n7WePhGH9jAJrb/PBrGIK1XVCREz4ayfUxc3QUwFSQ9o+5ULkExxdhyRUu
	 4TiCbkcUMbYI3YXJqGiU0OBCyTq655trOaWBby+k=
Date: Fri, 26 Aug 2016 15:02:09 +0800 (CST)
From: neo@netkiller.cn
To: netkiller@msn.com
Message-ID: <1770496307.0.1472194929612@Server>
Subject: =?UTF-8?B?5Li76aKY77ya566A5Y2V6YKu5Lu2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

5rWL6K+V6YKu5Lu25YaF5a65