====== Installing SPF/DKIM mail authentication on CentOS 5 ======

  * SPF (Sender Policy Framework)
  * DKIM (DomainKeys Identified Mail)

Before starting, confirm that the following packages are installed:
<code>
yum install openssl openssl-devel sendmail sendmail-devel
</code>

===== Setting up SPF =====

Setting up SPF only means adding two TXT records describing the mail server to DNS.

  - Go to http://www.openspf.org/Project_Overview and use **Deploying SPF** to quickly generate the data your DNS zone needs for SPF.
  - Example: everplast.net -> http://old.openspf.org/wizard.html?mydomain=everplast.net&submit=Go!
  - The records generated for BIND:
<code>
everplast.net.       IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail.everplast.net.  IN TXT "v=spf1 a -all"
</code>
  - Add these two lines to the everplast.net zone files ((/var/named/data/internal.everplast.net , /var/named/data/named.everplast.net)):
<code>
;
; Mail Server
;
@                     A       192.168.0.250
@                     IN MX   10 mail
everplast.net.        IN TXT  "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail                  IN A    192.168.0.251
mail                  IN MX   10 mail
mail.everplast.net.   IN TXT  "v=spf1 a -all"
;
</code>
  - After editing the zone, restart named:
<code>
service named restart
</code>
  - Use nslookup to confirm that the records resolve correctly:
<code>
[root@ag320-mail data]# nslookup
> set type=TXT
> everplast.net
Server:         192.168.0.251
Address:        192.168.0.251#53

everplast.net   text = "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
> mail.everplast.net
Server:         192.168.0.251
Address:        192.168.0.251#53

mail.everplast.net      text = "v=spf1 a -all"
</code>
  - Send a test message through mail.everplast.net to the test address; the automatic reply reports the result of each check. The reply looks like this:
<code>
:
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham
:
</code>

===== Installing and configuring DKIM =====

  * dkim-milter has been superseded by the OpenDKIM project
  * References:
    - http://sourceforge.net/projects/dkim-milter/
    - http://opendkim.org/

==== OpenDKIM ====

  - Install directly from rpmforge:
<code>
yum install opendkim
================================================================================
 Package              Arch       Version              Repository          Size
================================================================================
Installing:
 opendkim             x86_64     2.5.2-1.el5.rf       rpmforge           259 k
Installing for dependencies:
 libopendkim          x86_64     2.5.2-1.el5.rf       rpmforge           164 k
</code>
  - Go to http://www.socketlabs.com/services/dkwiz to generate a Domain Key / DKIM key. Example: Domain: e-plast.com.tw, Selector: key2
  - Paste the generated private key into /etc/opendkim/keys/e-plast.com.tw/key2 on the mail server and restrict its permissions:
<code>
mkdir -p /etc/opendkim/keys/e-plast.com.tw
vi /etc/opendkim/keys/e-plast.com.tw/key2
chmod 600 /etc/opendkim/keys/e-plast.com.tw/key2
chown -R opendkim:opendkim /etc/opendkim/keys
</code>
  - Put the generated domainkey records into the e-plast.com.tw zone file:
<code>
;
; Mail Server
;
@                                A       220.130.139.7
@                                IN MX   10 mail
e-plast.com.tw.                  IN TXT  "v=spf1 a mx include:e-plast.com.tw ~all"
mail                             IN A    220.130.139.7
mail                             IN MX   10 mail
mail.e-plast.com.tw.             IN TXT  "v=spf1 a -all"
_domainkey.e-plast.com.tw.       IN TXT  "t=y;o=~;"
key2._domainkey.e-plast.com.tw.  IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1xjUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB"
;
</code>
  - Edit the list of trusted mail host names:
<code>
vi /etc/opendkim/TrustedHosts
127.0.0.1
localhost
mail.e-plast.com.tw
e-plast.com.tw
</code>
  - Edit /etc/opendkim.conf:
<code>
vi /etc/opendkim.conf
:
Mode                    sv
:
Socket                  inet:8891@localhost
:
Canonicalization        relaxed/simple
:
#Domain                 e-plast.com.tw
:
#Selector               key2
:
#KeyFile                /etc/opendkim/keys/e-plast.com.tw/key2
:
KeyTable                /etc/opendkim/KeyTable
:
SigningTable            /etc/opendkim/SigningTable
:
InternalHosts           refile:/etc/opendkim/TrustedHosts
:
</code>
**If you find that other people's mail is frequently bounced because signature verification fails, and you want to stop rejecting mail on a failed signature, change these parameters:**
<code>
:
On-Default              reject
On-BadSignature         accept
On-DNSError             tempfail
:
</code>
Rejecting on a bad signature is stricter than the DKIM specification, which treats a failed signature like an unsigned message; with accept, the verification result is still recorded in the Authentication-Results header for downstream filtering.
  - Edit /etc/opendkim/KeyTable:
<code>
vi /etc/opendkim/KeyTable
:
key2._domainkey.e-plast.com.tw e-plast.com.tw:key2:/etc/opendkim/keys/e-plast.com.tw/key2
</code>
  - Edit /etc/opendkim/SigningTable:
<code>
vi /etc/opendkim/SigningTable
:
*@e-plast.com.tw      key2._domainkey.e-plast.com.tw
*@mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
:
e-plast.com.tw        key2._domainkey.e-plast.com.tw
mail.e-plast.com.tw   key2._domainkey.e-plast.com.tw
</code>
The wildcard form (*@e-plast.com.tw) only matches when SigningTable is declared with the refile: prefix in opendkim.conf; with a plain file, as configured above, use the bare domain names shown in the second pair of lines.
  - Start the opendkim service:
<code>
service opendkim start
chkconfig opendkim on
</code>
<code>
[root@e-plast-mail keys]# service opendkim restart
Stopping OpenDKIM Milter:                                  [ 確定 ]
Generating default DKIM keys:                              [警告]
Cannot determine host's domain name, so skipping default key generation.
Starting OpenDKIM Milter:                                  [ 確定 ]
</code>
If that warning bothers you, create a default.private file in the keys directory as a link to the existing key2 by running:
<code>
cd /etc/opendkim/keys
ln -s e-plast.com.tw/key2 default.private
</code>
  - Change sendmail to use the dkim service:
<code>
vi /etc/mail/sendmail.mc
:
:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
</code>
<code>
cd /etc/mail
mv sendmail.cf sendmail.cf.back1
m4 sendmail.mc > sendmail.cf
</code>
  - Restart the mail server:
<code>
service MailScanner restart
</code>

==== DKIM-Milter ====

  - Download and install dkim-milter
    - ++Install from source|
<code>
wget http://downloads.sourceforge.net/project/dkim-milter/DKIM%20Milter/2.8.3/dkim-milter-2.8.3.tar.gz
tar -zxvf dkim-milter-2.8.3.tar.gz
cd dkim-milter-2.8.3
cp site.config.m4.dist site.config.m4
vi site.config.m4
:
define(`bld_LIBDKIM_SHARED', `true')
:
dnl OpenSSL -- cryptography library
APPENDDEF(`confINCDIRS', `-I/usr/include/openssl ')
APPENDDEF(`confLIBDIRS', `-L/usr/lib ')
:
dnl libmilter -- Sendmail's milter library
APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include/libmilter')
APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib')
:
cp site.config.m4 devtools/Site/
sh Build
sh Build install
</code>
(http://brneurosci.org/linuxsetup97.html) --- //[[tryweb@ichiayi.com|蔡宗融]] 2009-08-06 06:43// ++
    - ++Install from rpm|
<code>
wget https://www.ichiayi.com/wiki_file/dkim-milter-2.8.3-1.x86_64.rpm
rpm -ivh dkim-milter-2.8.3-1.x86_64.rpm
</code>
++
  - Go to http://www.socketlabs.com/services/dkwiz to generate a Domain Key / DKIM key. Example: Domain: everplast.net, Selector: key1
  - Paste the generated private key into /etc/mail/dkim/keys/everplast.net/key1 on the mail server and restrict its permissions:
<code>
mkdir -p /etc/mail/dkim/keys/everplast.net
vi /etc/mail/dkim/keys/everplast.net/key1
chmod 600 /etc/mail/dkim/keys/everplast.net/key1
chown -R dkim-milt:dkim-milt /etc/mail/dkim/keys
</code>
  - Put the generated domainkey records into the everplast.net zone file:
<code>
;
; Mail Server
;
@                               A       192.168.0.250
@                               IN MX   10 mail
everplast.net.                  IN TXT  "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
mail                            IN A    192.168.0.251
mail                            IN MX   10 mail
mail.everplast.net.             IN TXT  "v=spf1 a -all"
_domainkey.everplast.net.       IN TXT  "t=y;o=~;"
key1._domainkey.everplast.net.  IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNPwPm7Q/OONldTMPV8pkXbmSXqxyMCGbQu9bBqK8HtsNZzqxE1kyFCiQ/7BJ6W9CK82pOtP97Z8XyoEp2JDSxNkSTr/36kIaAkzmZhWpsNYhZLNhD707XunD27BpNWtDIMc2wdGMHUq3ErghUUuDkiC7pTNjz9L9E2Q+EzxXZpwIDAQAB"
;
</code>
  - Edit the list of trusted mail host names:
<code>
vi /etc/mail/dkim/trusted-hosts
mail.everplast.net
everplast.net
mail.e-plast.com.tw
e-plast.com.tw
mail.everplast.com.tw
everplast.com.tw
localhost
127.0.0.1
</code>
  - Edit /etc/dkim-filter.conf:
<code>
vi /etc/dkim-filter.conf
:
Canonicalization        simple/simple
:
Domain                  everplast.net
:
KeyFile                 /etc/mail/dkim/keys/everplast.net/key1
:
Selector                key1
:
Socket                  inet:8891@localhost
:
Mode                    sv
:
InternalHosts           /etc/mail/dkim/trusted-hosts
:
</code>
**If you find that other people's mail is frequently bounced because signature verification fails, and you want to stop rejecting mail on a failed signature, change these parameters:**
<code>
:
On-Default              reject
On-BadSignature         accept
On-DNSError             tempfail
:
</code>
  - Edit /etc/mail/dkim/keylist:
<code>
vi /etc/mail/dkim/keylist
:
*@everplast.net:everplast.net:/etc/mail/dkim/keys/everplast.net/key1
</code>
  - Start the dkim-milter service:
<code>
service dkim-milter start
chkconfig dkim-milter on
</code>
  - Change sendmail to use the dkim service:
<code>
vi /etc/mail/sendmail.mc
:
:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
</code>
<code>
cd /etc/mail
mv sendmail.cf sendmail.cf.back1
m4 sendmail.mc > sendmail.cf
</code>
  - Restart the mail server:
<code>
service MailScanner restart
</code>

If you use [[http://www.mailscanner.info/|MailScanner]], set Sign Clean Messages to no in /etc/MailScanner/MailScanner.conf:
  * Sign Clean Messages = no
Otherwise the receiving side fails to verify the DKIM signature and reports dkim=fail, because the signature text MailScanner appends changes the message body after the milter has signed it.
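Added here as an example that is not part of the original page: a small Python checker for a published DKIM key record like the key2 record above. It decodes the p= value, parses the DER SubjectPublicKeyInfo with the standard library only, and flags a key shorter than 2048 bits, an empty p=, a non-RSA key type, and the t=y testing flag. The record text is copied from this page; the function names and the 2048-bit threshold are my choices.

```python
import base64

# Constructed input: the key2._domainkey record published on this page for e-plast.com.tw
DKIM_RECORD = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1xjUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB"


def parse_tags(record):
    """Split a DKIM tag=value list such as 'k=rsa; p=...' into a dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}


def der_item(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, e.g. 0x81 0x9f
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(p_value):
    """Parse the base64 SubjectPublicKeyInfo in p=; return (modulus bits, exponent)."""
    der = base64.b64decode(p_value)
    _, spki, _ = der_item(der, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_item(spki, 0)           # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = der_item(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, rsa, _ = der_item(bitstr, 1)         # byte 0 is the unused-bits count
    _, n_bytes, pos = der_item(rsa, 0)      # modulus INTEGER
    _, e_bytes, _ = der_item(rsa, pos)      # public exponent INTEGER
    modulus = int.from_bytes(n_bytes, "big")
    return modulus.bit_length(), int.from_bytes(e_bytes, "big")


def check_dkim_record(record, min_bits=2048):
    """Return a list of problems found in a published DKIM key record ([] if clean)."""
    tags = parse_tags(record)
    if tags.get("k", "rsa") != "rsa":
        return ["unsupported key type: " + tags["k"]]
    if not tags.get("p"):
        return ["empty p= tag: key is revoked or record is incomplete"]
    problems = []
    bits, _exponent = rsa_key_info(tags["p"])
    if bits < min_bits:                     # the keys on this page are 1024-bit
        problems.append(f"{bits}-bit RSA key is below the {min_bits}-bit minimum")
    if "y" in tags.get("t", "").split(":"):  # testing mode: verifiers do not enforce
        problems.append("t=y testing flag set; verifiers treat signatures as unverified")
    return problems
```

To check a live record, fetch it with dig +short TXT key2._domainkey.e-plast.com.tw and join the quoted fragments into one string before passing it to check_dkim_record.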
===== References =====

  * http://www.itworld.com/software/67334/how-deploy-dkim-email-authentication-4-steps
  * http://www.pinpointe.com/blog/install-an-spf-record-to-improve-email-delivery
  * http://www.openspf.org/Project_Overview
  * http://www.port25.com/support/support_dkwz.php
  * http://www.socketlabs.com/services/dkwiz
  * http://brneurosci.org/linuxsetup97.html
  * http://sourceforge.net/projects/dkim-milter/
  * http://eric.lubow.org/2009/mail/setting-up-dkim-and-postfix/
  * http://www.mail-archive.com/dkim-milter-discuss@lists.sourceforge.net/msg01497.html
  * http://sourceforge.net/projects/dk-milter/
  * http://www.howtoforge.com/how-to-implement-domainkeys-in-postfix-using-dk-milter-centos5.1
  * http://www.mw.net.tw/user/samson/blog/2007/07/23/1561/62235/

{{tag>mail 安裝 郵件 install_mail}}