差異處

這裏顯示兩個版本的差異處。

--- tech:install_spf_dkim [2012/06/13 15:38] – jonathan
+++ tech:install_spf_dkim [2018/05/20 15:04] (目前版本) – 網址更改為 https Jonathan Tsai
@@ 行 1: / 行 1: @@
+====== CentOS5 安裝 SPF/DKIM 郵件認證 ======
+  * SPF (Sender Policy Framework)
+  * DKIM (DomainKeys Identified Mail)
+安裝前先確認已經安裝以下套件 <code sh>
+yum install openssl openssl-devel sendmail sendmail-devel
+</code>
+===== - 設定 SPF 方式 =====
+設定 SPF 只是在 DNS 內增加兩行有關 mail server 的定義
+  - 連上 http://www.openspf.org/Project_Overview 使用 **Deploying SPF** 來快速產生你的 SPF 在 DNS 需要的資料.
+  - Exp: everplast.net -> http://old.openspf.org/wizard.html?mydomain=everplast.net&submit=Go!
+  - 產生給 BIND 的資訊:<code>
+everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
+mail.everplast.net. IN TXT "v=spf1 a -all"
+</code>
+  - 在 everplast.net 的 DNS 定義檔 ((/var/named/data/internal.everplast.net , /var/named/data/named.everplast.net)) 增加這兩行<code>
+;
+; Mail Server
+;
+@                       A       192.168.0.250
+@               IN      MX      10 mail
+everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
+mail            IN      A       192.168.0.251
+mail            IN      MX      10 mail
+mail.everplast.net. IN TXT "v=spf1 a -all"
+;
+</code>
+  - 定義完成後, 重新啟動 named <code sh>
+service named restart
+</code>
+  - 使用 nslookup 確認設定是否正確<code sh>
+[root@ag320-mail data]# nslookup
+> set type=TXT
+> everplast.net
+Server:         192.168.0.251
+Address:        192.168.0.251#53
+everplast.net   text = "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
+> mail.everplast.net
+Server:         192.168.0.251
+Address:        192.168.0.251#53
+mail.everplast.net      text = "v=spf1 a -all"
+</code>
+  - 透過 mail.everplast.net 寄信到 <[email protected]> 可得到設定結果的回信. 內容如:<file>
+:
+Summary of Results
+==========================================================
+SPF check:          pass
+DomainKeys check:   neutral
+DKIM check:         neutral
+Sender-ID check:    pass
+SpamAssassin check: ham
+:
+</file>
+===== - 安裝與設定 DKIM 方式 =====
+<note>
+  * dkim-milter 已經改由 OpenDKIM 專案取代
+  * 參考網址
+    - http://sourceforge.net/projects/dkim-milter/
+    - http://opendkim.org/
+</note>
+==== OpenDKIM =====
+  - 透過 rpmforge 直接安裝 <code sh>
+yum install opendkim
+</code><file>
+================================================================================
+ Package            Arch          Version                 Repository       Size
+================================================================================
+Installing:
+ opendkim           x86_64        2.5.2-1.el5.rf          rpmforge        259 k
+Installing for dependencies:
+ libopendkim        x86_64        2.5.2-1.el5.rf          rpmforge        164 k
+</file>
+  - 到 http://www.socketlabs.com/services/dkwiz 產生 Domain Key / DKIM Key Exp:<code>
+Domain : e-plast.com.tw
+Selector : key2
+</code>
+  - 將產生結果的 Private Key 貼到 mail server 內的 /etc/opendkim/keys/e-plast.com.tw/key2 並設定權限<code sh>
+mkdir -p /etc/opendkim/keys/e-plast.com.tw
+vi /etc/opendkim/keys/e-plast.com.tw/key2
+chmod 600 /etc/opendkim/keys/e-plast.com.tw/key2
+chown -R opendkim:opendkim /etc/opendkim/keys
+</code>
+  - 將產生結果的 domainkey 放入 e-plast.com.tw DNS 定義檔內<file>
+;
+; Mail Server
+;
+@                       A       220.130.139.7
+@               IN      MX      10 mail
+e-plast.com.tw. IN TXT "v=spf1 a mx include:e-plast.com.tw ~all"
+mail            IN      A       220.130.139.7
+mail            IN      MX      10 mail
+mail.e-plast.com.tw. IN TXT "v=spf1 a -all"
+_domainkey.e-plast.com.tw.      IN TXT  "t=y;o=~;"
+key2._domainkey.e-plast.com.tw. IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlbTzfHiT8i11cZGW4WbFtgjEdB/S9HqK8CwmlDA011/vngx9/27DGWXdqGaq4bMosnt6TJuUHaVRLMgXFI9Tap3m0Ob1ioggocECEnJ1xjUdKMamhBCjLoqSQVV2DyOYyfxB3y+xdkfBo7NYwob8C7bDD51oYPrA5drwPyuRErQIDAQAB"
+;
+</file>
+  - 編輯相關 mail domain name 清單 <code sh>
+vi /etc/opendkim/TrustedHosts
+</code><file>
+.0.0.1
+localhost
+mail.e-plast.com.tw
+e-plast.com.tw
+</file>
+  - 修改 /etc/opendkim.conf <code sh>
+vi /etc/opendkim.conf
+</code><file>
+:
+Mode    sv
+:
+Socket  inet:8891@localhost
+:
+Canonicalization        relaxed/simple
+:
+#Domain  e-plast.com.tw
+:
+#Selector                key2
+:
+#KeyFile /etc/opendkim/keys/e-plast.com.tw/key2
+:
+KeyTable        /etc/opendkim/KeyTable
+:
+SigningTable    /etc/opendkim/SigningTable
+:
+InternalHosts   refile:/etc/opendkim/TrustedHosts
+:
+</file>**當發現時常因為驗簽章失敗退別人的信, 想關閉驗簽失敗退信的功能可修改一下參數:**<code>
+:
+On-Default              reject
+On-BadSignature         accept
+On-DNSError             tempfail
+:
+</code>
+  - 修改 /etc/opendkim/KeyTable<code sh>
+vi /etc/opendkim/KeyTable
+</code><file>
+:
+key2._domainkey.e-plast.com.tw e-plast.com.tw:key2:/etc/opendkim/keys/e-plast.com.tw/key2
+</file>
+  - 修改 /etc/opendkim/SigningTable<code sh>
+vi /etc/opendkim/SigningTable
+</code><file>
+:
+*@e-plast.com.tw key2._domainkey.e-plast.com.tw
+*@mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
+:
+e-plast.com.tw key2._domainkey.e-plast.com.tw
+mail.e-plast.com.tw key2._domainkey.e-plast.com.tw
+</file>
+  - 啟動 opendkim 服務<code sh>
+service opendkim start
+chkconfig opendkim on
+</code><file>
+[root@e-plast-mail keys]# service opendkim restart
+Stopping OpenDKIM Milter:                                  [  確定  ]
+Generating default DKIM keys:                              [警告]
+Cannot determine host's domain name, so skipping default key generation.
+Starting OpenDKIM Milter:                                  [  確定  ]
+</file> 如果覺得這樣的訊息很礙眼, 可以在 keys 目錄內產生 default.private 檔, 可用之前的 key2 建立連結方式, 執行以下語法來解決<code sh>
+cd /etc/opendkim/keys
+ln -s e-plast.com.tw/key2 default.private
+</code>
+  - 更改 sendmail 使用 dkim 服務<code sh>
+vi /etc/mail/sendmail.mc
+</code><file>
+:
+:
+INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')
+</file><code sh>
+cd /etc/mail
+mv sendmail.cf sendmail.cf.back1
+m4 sendmail.mc > sendmail.cf
+</code>
+  - 重新啟動 MailServer <code sh>
+service MailScanner restart
+</code>
+==== DKIM-Milter =====
+  - 下載安裝 dkim-milter
+    - ++使用原始碼安裝程序|<code sh>
+wget http://downloads.sourceforge.net/project/dkim-milter/DKIM%20Milter/2.8.3/dkim-milter-2.8.3.tar.gz
+tar -zxvf dkim-milter-2.8.3.tar.gz
+cd dkim-milter-2.8.3
+cp site.config.m4.dist site.config.m4
+vi site.config.m4
+</code><file>
+:
+define(`bld_LIBDKIM_SHARED', `true')
+:
+dnl OpenSSL -- cryptography library
+APPENDDEF(`confINCDIRS', `-I/usr/include/openssl ')
+APPENDDEF(`confLIBDIRS', `-L/usr/lib ')
+:
+dnl libmilter -- Sendmail's milter library
+APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include/libmilter')
+APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib')
+:
+</file><code sh>
+cp site.config.m4 devtools/Site/
+sh Build
+sh Build install
+(http://brneurosci.org/linuxsetup97.html)  --- //[[[email protected]|蔡宗融]] 2009-08-06 06:43//
+</code>++
+    - ++使用 rpm 安裝程序|<code sh>
+wget https://www.ichiayi.com/wiki_file/dkim-milter-2.8.3-1.x86_64.rpm
+rpm -ivh dkim-milter-2.8.3-1.x86_64.rpm
+</code>++
+  - 到 http://www.socketlabs.com/services/dkwiz 產生 Domain Key / DKIM Key Exp:<code>
+Domain : everplast.net
+Selector : key1
+</code>
+  - 將產生結果的 Private Key 貼到 mail server 內的 /etc/mail/dkim/keys/everplast.net/key1 並設定權限<code sh>
+mkdir -p /etc/mail/dkim/keys/everplast.net
+vi /etc/mail/dkim/keys/everplast.net/key1
+chmod 600 /etc/mail/dkim/keys/everplast.net/key1
+chown -R dkim-milt:dkim-milt /etc/mail/dkim/keys
+</code>
+  - 將產生結果的 domainkey 放入 everplast.net DNS 定義檔內<file>
+;
+; Mail Server
+;
+@                       A       192.168.0.250
+@               IN      MX      10 mail
+everplast.net. IN TXT "v=spf1 a mx include:everplast.com.tw include:e-plast.com.tw ~all"
+mail            IN      A       192.168.0.251
+mail            IN      MX      10 mail
+mail.everplast.net. IN TXT "v=spf1 a -all"
+_domainkey.everplast.net.       IN TXT  "t=y;o=~;"
+key1._domainkey.everplast.net.  IN TXT  "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNPwPm7Q/OONldTMPV8pkXbmSXqxyMCGbQu9bBqK8HtsNZzqxE1kyFCiQ/7BJ6W9CK82pOtP97Z8XyoEp2JDSxNkSTr/36kIaAkzmZhWpsNYhZLNhD707XunD27BpNWtDIMc2wdGMHUq3ErghUUuDkiC7pTNjz9L9E2Q+EzxXZpwIDAQAB"
+;
+</file>
+  - 編輯相關 mail domain name 清單 <code sh>
+vi /etc/mail/dkim/trusted-hosts
+</code><file>
+mail.everplast.net
+everplast.net
+mail.e-plast.com.tw
+e-plast.com.tw
+mail.everplast.com.tw
+everplast.com.tw
+localhost
+.0.0.1
+</file>
+  - 修改 /etc/dkim-filter.conf <code sh>
+vi /etc/dkim-filter.conf
+</code><file>
+:
+Canonicalization        simple/simple
+:
+Domain                  everplast.net
+:
+KeyFile /etc/mail/dkim/keys/everplast.net/key1
+:
+Selector                key1
+:
+Socket                  inet:8891@localhost
+:
+Mode                    sv
+:
+InternalHosts           /etc/mail/dkim/trusted-hosts
+:
+</file>**當發現時常因為驗簽章失敗退別人的信, 想關閉驗簽失敗退信的功能可修改一下參數:**<code>
+:
+On-Default              reject
+On-BadSignature         accept
+On-DNSError             tempfail
+:
+</code>
+  - 修改 /etc/mail/dkim/keylist<code sh>
+vi /etc/mail/dkim/keylist
+</code><file>
+:
+*@everplast.net:everplast.net:/etc/mail/dkim/keys/everplast.net/key1
+</file>
+  - 啟動 dkim-milter 服務<code sh>
+service dkim-milter start
+chkconfig dkim-milter on
+</code>
+  - 更改 sendmail 使用 dkim 服務<code sh>
+vi /etc/mail/sendmail.mc
+</code><file>
+:
+:
+INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')
+</file><code sh>
+cd /etc/mail
+mv sendmail.cf sendmail.cf.back1
+m4 sendmail.mc > sendmail.cf
+</code>
+  - 重新啟動 MailServer <code sh>
+service MailScanner restart
+</code>
+<note>
+如果有使用 [[http://www.mailscanner.info/|MailScanner]], 在 /etc/MailScanner/MailScanner.conf 內的 Sign Clean Messages 要設定 no
+  * Sign Clean Messages = no
+否則收信端檢核信件 dkim 簽章時會驗簽失敗, 出現 dkim=fail 的狀況.
+</note>
+===== 參考網址 =====
+  * http://www.itworld.com/software/67334/how-deploy-dkim-email-authentication-4-steps
+  * http://www.pinpointe.com/blog/install-an-spf-record-to-improve-email-delivery
+  * http://www.openspf.org/Project_Overview
+  * http://www.port25.com/support/support_dkwz.php
+  * http://www.socketlabs.com/services/dkwiz
+  * http://brneurosci.org/linuxsetup97.html
+  * http://sourceforge.net/projects/dkim-milter/
+  * http://eric.lubow.org/2009/mail/setting-up-dkim-and-postfix/
+  * http://www.mail-archive.com/[email protected]/msg01497.html
+  * http://sourceforge.net/projects/dk-milter/
+  * http://www.howtoforge.com/how-to-implement-domainkeys-in-postfix-using-dk-milter-centos5.1
+  * http://www.mw.net.tw/user/samson/blog/2007/07/23/1561/62235/
+{{tag>mail 安裝 郵件 install_mail}}