Installing SPF/DKIM mail authentication on CentOS5

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)

Before installing, confirm that the following packages are already installed

yum install openssl openssl-devel sendmail sendmail-devel

Setting up SPF only involves adding two lines about the mail server to DNS

  1. Go to http://www.openspf.org/Project_Overview and use "Deploying SPF" to quickly generate the SPF data your DNS needs.
  2. Information generated for BIND:
    everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
    mail.everplast.net. IN TXT "v=spf1 a -all"
  3. Add these two lines to the everplast.net DNS zone file 1)
    ;
    ; Mail Server
    ;
    @                       A       192.168.0.250
    @               IN      MX      10 mail
    everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
    mail            IN      A       192.168.0.251
    mail            IN      MX      10 mail
    mail.everplast.net. IN TXT "v=spf1 a -all"
    ;
  4. Once the definitions are in place, restart named
    service named restart
  5. Use nslookup to confirm the setup is correct
    [root@ag320-mail data]# nslookup
    > set type=TXT
    > everplast.net
    Server:         192.168.0.251
    Address:        192.168.0.251#53
     
    everplast.net   text = "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
    > mail.everplast.net
    Server:         192.168.0.251
    Address:        192.168.0.251#53
     
    mail.everplast.net      text = "v=spf1 a -all"
  6. Send a message from mail.everplast.net to check-auth@verifier.port25.com to get a reply with the results of the setup. The contents look like:
    :
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         neutral
    Sender-ID check:    pass
    SpamAssassin check: ham
    :
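The two records above can be checked for syntax and against the RFC 7208 limit of ten DNS-querying terms before they go into the zone. This is an added example, not part of the original page: the sample records are copied from step 3, and the parse_spf and check_spf helpers are constructed for this illustration.

```python
# Sample records copied from the everplast.net zone in step 3.
SAMPLE_RECORDS = {
    "everplast.net": "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all",
    "mail.everplast.net": "v=spf1 a -all",
}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost a DNS query; RFC 7208 section 4.6.4 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return the record's terms as (qualifier, name, argument) triples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for field in fields[1:]:
        if "=" in field:                        # modifier such as redirect= or exp=
            name, arg = field.split("=", 1)
            terms.append(("+", name.lower(), arg))
            continue
        qualifier = "+"
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        name, _, arg = field.partition(":")
        name = name.split("/")[0].lower()       # drop a CIDR suffix such as a/24
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism {name!r}")
        terms.append((qualifier, name, arg))
    return terms

def check_spf(record):
    """Return (dns_lookups, result for senders no term matches, warnings)."""
    terms, warnings = parse_spf(record), []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    names = [name for _, name, _ in terms]
    result = "neutral"                          # no 'all' term: unmatched senders get neutral
    if "all" in names:
        idx = names.index("all")
        result = QUALIFIERS[terms[idx][0]]
        if idx != len(terms) - 1:
            warnings.append("terms after 'all' are never evaluated")
        if result == "pass":
            warnings.append("+all lets any host send as this domain")
    return lookups, result, warnings
```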

Setting up DKIM with opendkim:

  1. Install opendkim directly from rpmforge
    yum install opendkim
    ================================================================================
     Package            Arch          Version                 Repository       Size
    ================================================================================
    Installing:
     opendkim           x86_64        2.5.2-1.el5.rf          rpmforge        259 k
    Installing for dependencies:
     libopendkim        x86_64        2.5.2-1.el5.rf          rpmforge        164 k
  2. Use http://www.socketlabs.com/services/dkwiz to generate the Domain Key / DKIM key. Example:
    Domain : e-plast.com.tw
    Selector : key2
  3. Paste the generated private key into /etc/opendkim/keys/e-plast.com.tw/key2 on the mail server and set its permissions
    mkdir -p /etc/opendkim/keys/e-plast.com.tw
    vi /etc/opendkim/keys/e-plast.com.tw/key2
    chmod 600 /etc/opendkim/keys/e-plast.com.tw/key2
    chown -R opendkim:opendkim /etc/opendkim/keys
  4. Add the generated domainkey records to the e-plast.com.tw DNS zone file
    ;
    ; Mail Server
    ;
    @                       A       220.130.139.7
    @               IN      MX      10 mail
    e-plast.com.tw. IN TXT "v=spf1 a mx include:e-plast.com.tw ~all"
    mail            IN      A       220.130.139.7
    mail            IN      MX      10 mail
    mail.e-plast.com.tw. IN TXT "v=spf1 a -all"
    _domainkey.e-plast.com.tw.      IN TXT  "t=y;o=~;"
    key2._domainkey.e-plast.com.tw. IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1xjUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB"
    ;
  5. Edit the list of trusted mail domain names
    vi /etc/opendkim/TrustedHosts
    127.0.0.1
    localhost
    mail.e-plast.com.tw
    e-plast.com.tw
  6. Edit /etc/opendkim.conf
    vi /etc/opendkim.conf
    :
    Mode    sv
    :
    Socket  inet:8891@localhost
    :
    Canonicalization        relaxed/simple
    :
    #Domain  e-plast.com.tw
    :
    #Selector                key2
    :
    #KeyFile /etc/opendkim/keys/e-plast.com.tw/key2
    :
    KeyTable        /etc/opendkim/KeyTable
    :
    SigningTable    /etc/opendkim/SigningTable
    :
    InternalHosts   refile:/etc/opendkim/TrustedHosts
    :

    If you find that mail from others is often bounced because signature verification fails, and you want to turn off bouncing on verification failure, adjust the following parameters:

    :
    On-Default              reject
    On-BadSignature         accept
    On-DNSError             tempfail
    :
  7. Edit /etc/opendkim/KeyTable
    vi /etc/opendkim/KeyTable
    :
    key2._domainkey.e-plast.com.tw e-plast.com.tw:key2:/etc/opendkim/keys/e-plast.com.tw/key2
  8. Edit /etc/opendkim/SigningTable
    vi /etc/opendkim/SigningTable
    :
    *@e-plast.com.tw key2._domainkey.e-plast.com.tw
    *@mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
    :
    e-plast.com.tw key2._domainkey.e-plast.com.tw
    mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
  9. Start the opendkim service
    service opendkim start
    chkconfig opendkim on
    [root@e-plast-mail keys]# service opendkim restart
    Stopping OpenDKIM Milter:                                  [  確定  ]
    Generating default DKIM keys:                              [警告]
    Cannot determine host's domain name, so skipping default key generation.
    Starting OpenDKIM Milter:                                  [  確定  ]

    If this message bothers you, create a default.private file in the keys directory; a symlink to the existing key2 is enough, so run the following:

    cd /etc/opendkim/keys
    ln -s e-plast.com.tw/key2 default.private
  10. Change sendmail to use the dkim service
    vi /etc/mail/sendmail.mc
    :
    :
    INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
    cd /etc/mail
    mv sendmail.cf sendmail.cf.back1
    m4 sendmail.mc > sendmail.cf
  11. Restart the mail server
    service MailScanner restart
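Before the key2 record from step 4 (or the key1 record in the dkim-milter procedure below) is published, its TXT value can be checked offline: tag syntax, that p= decodes to an RSA SubjectPublicKeyInfo, the modulus size, and whether the t=y testing flag is set. This is an added example, not code from the page or from OpenDKIM; the sample record is copied from step 4, and the parse_tags, rsa_modulus_bits and check_key_record helpers (including the small DER reader) are constructed for this illustration.

```python
import base64

# Sample record copied from the key2._domainkey.e-plast.com.tw TXT line in step 4.
KEY_RECORD = ("k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8"
              "CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1x"
              "jUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB")

def parse_tags(txt):
    """Split a tag=value; list; whitespace inside a value is ignored (RFC 6376 3.2)."""
    tags = {}
    for field in txt.split(";"):
        if field.strip():
            name, _, value = field.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of the SubjectPublicKeyInfo carried in p= (RSA keys only)."""
    _, spki, _ = _tlv(spki_der, 0)
    _, _, pos = _tlv(spki, 0)                  # skip AlgorithmIdentifier
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, rsapub, _ = _tlv(bits[1:], 0)           # bits[0] is the unused-bits count
    _, modulus, _ = _tlv(rsapub, 0)            # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt):
    """Return (modulus_bits, warnings) for a selector._domainkey TXT value."""
    tags, warnings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        warnings.append("unknown v= value")
    if tags.get("k", "rsa") != "rsa":
        warnings.append("unsupported key type")
    if not tags.get("p"):
        return 0, warnings + ["p= missing or empty (key revoked)"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < 2048:
        warnings.append(f"{bits}-bit key; 2048 bits is the current recommendation")
    if "y" in tags.get("t", ""):
        warnings.append("t=y: testing mode, failures are treated as unsigned mail")
    return bits, warnings
```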

Setting up DKIM with dkim-milter (the alternative to opendkim):

  1. Download and install dkim-milter
    1. Installation procedure from source
    2. Installation procedure using rpm
  2. Use http://www.socketlabs.com/services/dkwiz to generate the Domain Key / DKIM key. Example:
    Domain : everplast.net
    Selector : key1
  3. Paste the generated private key into /etc/mail/dkim/keys/everplast.net/key1 on the mail server and set its permissions
    mkdir -p /etc/mail/dkim/keys/everplast.net
    vi /etc/mail/dkim/keys/everplast.net/key1
    chmod 600 /etc/mail/dkim/keys/everplast.net/key1
    chown -R dkim-milt:dkim-milt /etc/mail/dkim/keys
  4. Add the generated domainkey records to the everplast.net DNS zone file
    ;
    ; Mail Server
    ;
    @                       A       192.168.0.250
    @               IN      MX      10 mail
    everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
    mail            IN      A       192.168.0.251
    mail            IN      MX      10 mail
    mail.everplast.net. IN TXT "v=spf1 a -all"
    _domainkey.everplast.net.       IN TXT  "t=y;o=~;"
    key1._domainkey.everplast.net.  IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNPwPm7Q/OONldTMPV8pkXbmSXqxyMCGbQu9bBqK8HtsNZzqxE1kyFCiQ/7BJ6W9CK82pOtP97Z8XyoEp2JDSxNkSTr/36kIaAkzmZhWpsNYhZLNhD707XunD27BpNWtDIMc2wdGMHUq3ErghUUuDkiC7pTNjz9L9E2Q+EzxXZpwIDAQAB"
    ;
  5. Edit the list of trusted mail domain names
    vi /etc/mail/dkim/trusted-hosts
    mail.everplast.net
    everplast.net
    mail.e-plast.com.tw
    e-plast.com.tw
    mail.everplast.com.tw
    everplast.com.tw
    localhost
    127.0.0.1
  6. Edit /etc/dkim-filter.conf
    vi /etc/dkim-filter.conf
    :
    Canonicalization        simple/simple
    :
    Domain                  everplast.net
    :
    KeyFile /etc/mail/dkim/keys/everplast.net/key1
    :
    Selector                key1
    :
    Socket                  inet:8891@localhost
    :
    Mode                    sv
    :
    InternalHosts           /etc/mail/dkim/trusted-hosts
    :

    If you find that mail from others is often bounced because signature verification fails, and you want to turn off bouncing on verification failure, adjust the following parameters:

    :
    On-Default              reject
    On-BadSignature         accept
    On-DNSError             tempfail
    :
  7. Edit /etc/mail/dkim/keylist
    vi /etc/mail/dkim/keylist
    :
    *@everplast.net:everplast.net:/etc/mail/dkim/keys/everplast.net/key1
  8. Start the dkim-milter service
    service dkim-milter start
    chkconfig dkim-milter on
  9. Change sendmail to use the dkim service
    vi /etc/mail/sendmail.mc
    :
    :
    INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
    cd /etc/mail
    mv sendmail.cf sendmail.cf.back1
    m4 sendmail.mc > sendmail.cf
  10. Restart the mail server
    service MailScanner restart
If MailScanner is in use, Sign Clean Messages must be set to no in /etc/MailScanner/MailScanner.conf
  • Sign Clean Messages = no

Otherwise, when the receiving side verifies the message's DKIM signature, verification fails and the result shows dkim=fail.


1)
/var/named/data/internal.everplast.net , /var/named/data/named.everplast.net
  • Last modified: 2018/05/20 15:04
  • Jonathan Tsai