Before installing, make sure the following packages are installed:
yum install openssl openssl-devel sendmail sendmail-devel
Setting up SPF only requires adding two lines to DNS that define the mail server:
everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail.everplast.net. IN TXT "v=spf1 a -all"
;
; Mail Server
;
@ A 192.168.0.250
@ IN MX 10 mail
everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail IN A 192.168.0.251
mail IN MX 10 mail
mail.everplast.net. IN TXT "v=spf1 a -all"
;
service named restart
[root@ag320-mail data]# nslookup
> set type=TXT
> everplast.net
Server: 192.168.0.251
Address: 192.168.0.251#53
everplast.net text = "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
> mail.everplast.net
Server: 192.168.0.251
Address: 192.168.0.251#53
mail.everplast.net text = "v=spf1 a -all"
:
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: neutral
Sender-ID check: pass
SpamAssassin check: ham
:
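How a receiver reads the two SPF records published above, as an added example that is not part of the original page: it splits each record into terms, reports what the final `all` term tells the receiver to do with hosts that matched nothing (`~all` softfail versus `-all` fail), and counts the terms that cost a DNS query. The function name `parse_spf` is hypothetical.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost the receiver a DNS query; RFC 7208 allows at most 10 per check.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
TERM = re.compile(r"([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)

# The two records from the zone file above.
RECORD_DOMAIN = "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
RECORD_HOST = "v=spf1 a -all"


def parse_spf(record):
    """Return (terms, dns_lookups, default_result) for one SPF TXT string."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms, lookups, default = [], 0, "neutral"  # no "all" term: neutral
    for raw in parts[1:]:
        explicit = raw[0] in QUALIFIERS
        qualifier = raw[0] if explicit else "+"  # "+" is implied when omitted
        match = TERM.match(raw[1:] if explicit else raw)
        if not match:
            raise ValueError("bad SPF term: %r" % raw)
        name, value = match.group(1).lower(), match.group(2) or ""
        terms.append((QUALIFIERS[qualifier], name, value))
        if name in DNS_TERMS:
            # Counts this record only; terms inside an included record
            # also count toward the same limit of 10.
            lookups += 1
        if name == "all":
            default = QUALIFIERS[qualifier]
            break  # terms after "all" are never evaluated
    return terms, lookups, default


if __name__ == "__main__":
    for record in (RECORD_DOMAIN, RECORD_HOST):
        terms, lookups, default = parse_spf(record)
        print(record)
        print("  DNS-querying terms: %d, unlisted senders: %s" % (lookups, default))
```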
yum install opendkim
================================================================================
 Package            Arch          Version                 Repository       Size
================================================================================
Installing:
 opendkim           x86_64        2.5.2-1.el5.rf          rpmforge        259 k
Installing for dependencies:
 libopendkim        x86_64        2.5.2-1.el5.rf          rpmforge        164 k
Domain : e-plast.com.tw
Selector : key2
mkdir -p /etc/opendkim/keys/e-plast.com.tw
vi /etc/opendkim/keys/e-plast.com.tw/key2
chmod 600 /etc/opendkim/keys/e-plast.com.tw/key2
chown -R opendkim:opendkim /etc/opendkim/keys
;
; Mail Server
;
@ A 220.130.139.7
@ IN MX 10 mail
e-plast.com.tw. IN TXT "v=spf1 a mx include:e-plast.com.tw ~all"
mail IN A 220.130.139.7
mail IN MX 10 mail
mail.e-plast.com.tw. IN TXT "v=spf1 a -all"
_domainkey.e-plast.com.tw. IN TXT "t=y;o=~;"
key2._domainkey.e-plast.com.tw. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1xjUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB"
;
vi /etc/opendkim/TrustedHosts
127.0.0.1
localhost
mail.e-plast.com.tw
e-plast.com.tw
vi /etc/opendkim.conf
:
Mode sv
:
Socket inet:8891@localhost
:
Canonicalization relaxed/simple
:
#Domain e-plast.com.tw
:
#Selector key2
:
#KeyFile /etc/opendkim/keys/e-plast.com.tw/key2
:
KeyTable /etc/opendkim/KeyTable
:
SigningTable /etc/opendkim/SigningTable
:
InternalHosts refile:/etc/opendkim/TrustedHosts
:
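If you find that other people's mail is frequently rejected because signature verification fails, and you want to turn off rejection on verification failure, change the following parameters: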
:
On-Default reject
On-BadSignature accept
On-DNSError tempfail
:
vi /etc/opendkim/KeyTable
:
key2._domainkey.e-plast.com.tw e-plast.com.tw:key2:/etc/opendkim/keys/e-plast.com.tw/key2
vi /etc/opendkim/SigningTable
:
*@e-plast.com.tw key2._domainkey.e-plast.com.tw
*@mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
:
e-plast.com.tw key2._domainkey.e-plast.com.tw
mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
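A consistency check for the KeyTable and SigningTable above, as an added example that is not part of the original page or of OpenDKIM: it confirms every SigningTable entry points at a KeyTable entry, derives the DNS name where the matching public key must be published, and flags a private key file that is readable by group or others. The function names are hypothetical; the table contents are copied from the files shown above.

```python
import os
import stat

# Values copied from the KeyTable and SigningTable shown above.
KEYTABLE = "key2._domainkey.e-plast.com.tw e-plast.com.tw:key2:/etc/opendkim/keys/e-plast.com.tw/key2\n"
SIGNINGTABLE = (
    "*@e-plast.com.tw key2._domainkey.e-plast.com.tw\n"
    "*@mail.e-plast.com.tw key2._domainkey.e-plast.com.tw\n"
)


def load_table(text):
    """Parse a flat-file table into (key, value) pairs, skipping comments."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            rows.append((fields[0], fields[1].strip()))
    return rows


def check_signing_config(keytable_text, signingtable_text):
    """Return ({pattern: DNS name of the public key}, [problems])."""
    keys, dns_names, problems = {}, {}, []
    for name, value in load_table(keytable_text):
        fields = value.split(":", 2)
        if len(fields) != 3 or not all(fields):
            problems.append("KeyTable %s: expected domain:selector:keyfile" % name)
            continue
        keys[name] = fields
        keyfile = fields[2]
        # The private key must not be readable by group or others (chmod 600).
        if os.path.exists(keyfile) and stat.S_IMODE(os.stat(keyfile).st_mode) & 0o077:
            problems.append("%s: readable by group or others" % keyfile)
    for pattern, name in load_table(signingtable_text):
        if name not in keys:
            problems.append("SigningTable %s: no KeyTable entry %s" % (pattern, name))
            continue
        domain, selector, _ = keys[name]
        # Verifiers fetch the public key from <selector>._domainkey.<domain>.
        dns_names[pattern] = "%s._domainkey.%s" % (selector, domain)
    return dns_names, problems


if __name__ == "__main__":
    names, problems = check_signing_config(KEYTABLE, SIGNINGTABLE)
    for pattern, dns_name in sorted(names.items()):
        print("%-24s -> TXT %s" % (pattern, dns_name))
    for problem in problems:
        print("PROBLEM:", problem)
```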
service opendkim start
chkconfig opendkim on
[root@e-plast-mail keys]# service opendkim restart
Stopping OpenDKIM Milter: [ 確定 ]
Generating default DKIM keys: [警告]
Cannot determine host's domain name, so skipping default key generation.
Starting OpenDKIM Milter: [ 確定 ]
If this message bothers you, you can create a default.private file in the keys directory. It can be a link to the existing key2; run the following commands to resolve it:
cd /etc/opendkim/keys
ln -s e-plast.com.tw/key2 default.private
vi /etc/mail/sendmail.mc
:
:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
cd /etc/mail
mv sendmail.cf sendmail.cf.back1
m4 sendmail.mc > sendmail.cf
service MailScanner restart
Domain : everplast.net
Selector : key1
mkdir -p /etc/mail/dkim/keys/everplast.net
vi /etc/mail/dkim/keys/everplast.net/key1
chmod 600 /etc/mail/dkim/keys/everplast.net/key1
chown -R dkim-milt:dkim-milt /etc/mail/dkim/keys
;
; Mail Server
;
@ A 192.168.0.250
@ IN MX 10 mail
everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail IN A 192.168.0.251
mail IN MX 10 mail
mail.everplast.net. IN TXT "v=spf1 a -all"
_domainkey.everplast.net. IN TXT "t=y;o=~;"
key1._domainkey.everplast.net. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNPwPm7Q/OONldTMPV8pkXbmSXqxyMCGbQu9bBqK8HtsNZzqxE1kyFCiQ/7BJ6W9CK82pOtP97Z8XyoEp2JDSxNkSTr/36kIaAkzmZhWpsNYhZLNhD707XunD27BpNWtDIMc2wdGMHUq3ErghUUuDkiC7pTNjz9L9E2Q+EzxXZpwIDAQAB"
;
vi /etc/mail/dkim/trusted-hosts
mail.everplast.net
everplast.net
mail.e-plast.com.tw
e-plast.com.tw
mail.everplast.com.tw
everplast.com.tw
localhost
127.0.0.1
vi /etc/dkim-filter.conf
:
Canonicalization simple/simple
:
Domain everplast.net
:
KeyFile /etc/mail/dkim/keys/everplast.net/key1
:
Selector key1
:
Socket inet:8891@localhost
:
Mode sv
:
InternalHosts /etc/mail/dkim/trusted-hosts
:
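If you find that other people's mail is frequently rejected because signature verification fails, and you want to turn off rejection on verification failure, change the following parameters: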
:
On-Default reject
On-BadSignature accept
On-DNSError tempfail
:
vi /etc/mail/dkim/keylist
:
*@everplast.net:everplast.net:/etc/mail/dkim/keys/everplast.net/key1
service dkim-milter start
chkconfig dkim-milter on
vi /etc/mail/sendmail.mc
:
:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
cd /etc/mail
mv sendmail.cf sendmail.cf.back1
m4 sendmail.mc > sendmail.cf
service MailScanner restart
Otherwise, when the receiving side checks the message's DKIM signature, verification will fail and the result will be dkim=fail.