
gmail-smtp-in.l.google.com[2a00:1450:400c:c09::1a] said: 550-5.7.1
Unauthenticated email from example.com is not accepted due to 550-5.7.1
domain's DMARC policy. Please contact the administrator of 550-5.7.1
example.com domain if this was a legitimate mail. Please visit 550-5.7.1
https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1
DMARC initiative. 45si7665571wrz.435 - gsmtp (in reply to end of DATA
command)
Unfortunately, because of this error I cannot send any e-mail to Gmail addresses. Every message is rejected and I receive an e-mail saying "Undelivered Mail Returned to Sender". I have configured openDMARC and set the DNS records. Apparently this was not enough. I have checked Mail-Tester.com and DMARC seems to work.
Feedback from [email protected]:
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>[email protected]</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>3720877337221476870</report_id>
<date_range>
<begin>1520035200</begin>
<end>1520121599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>example.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>1.2.3.4</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>example.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
DNS records
mail IN A 1.2.3.4
@ IN MX 10 mail
@ IN TXT "v=spf1 mx -all"
default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2jjp/PoG+sdeuzlZ6uXIxoKSKphQvVwVB2MU8rye0wdxBvQhGrRquYBIc+Hz/vZX+ZNL5aQPWKP6HLA0OsFhCHlURxolQiv0aOYq7n4l+p00ToXxW6C+hinrK+N13+ast24znQ9zdIdkjf/z9ATdoxWmbTKAyNYQXC1vnGGoZclEq8AJID143MWtyXCRE5cvkUcDHUhukfupqm" "6Ho65JPyc4OKYP2v56zrrUvpuItLwdxRd50//tQy6Klorst+MltgsY7Ph9CMtXVEc9gMFbeYXVe6MMmp/WaLEU1Sx1N7ZkRxJrBXuWtBY5D1ZfyLP0e7LsMRqkl5W29+fi8+7O3wIDAQAB"
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Postfix main.cf
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relayhost =
inet_interfaces = all
inet_protocols = all
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
# SSL/TLS parameters
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# Incoming
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_eecdh_grade=ultra
smtpd_tls_dh1024_param_file=/etc/ssl/dh_2048.pem
smtpd_tls_dh512_param_file=/etc/ssl/dh_512.pem
# Outgoing
smtp_tls_loglevel = 1
smtp_tls_cert_file=/etc/letsencrypt/live/$mydomain/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/$mydomain/privkey.pem
smtp_use_tls=yes
smtp_tls_security_level=may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_ciphers=high
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
# Mailbox
home_mailbox = Maildir/
mailbox_command =
# DOVECOT
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policy-spf,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/recipient_access,
    permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
# DKIM
milter_default_action = accept
milter_protocol = 6
# DKIM and OpenDMARC
smtpd_milters = inet:localhost:12345, inet:localhost:6789
non_smtpd_milters = inet:localhost:12345, inet:localhost:6789
# SPF
policy-spf_time_limit = 3600s
# Amavis
content_filter = smtp-amavis:127.0.0.1:10024
receive_override_options = no_address_mappings
disable_vrfy_command = yes
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
I have no idea how to deal with this. I am grateful for any help.
Another point is that "hostname --fqdn" returns "example.com". Do I need to set it to "mail.example.com"?
Answer 1
I think I have fixed it. The faulty part was opendkim, not openDMARC.
I slimmed down the configuration and added the correct selector. Now all e-mails arrive in Gmail.
Before:
AutoRestartRate 10/1M
AutoRestart yes
Background yes
Canonicalization relaxed/simple
DNSTimeout 5
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy yes
Mode sv
OversignHeaders From
PidFile /var/run/opendkim/opendkim.pid
#ResolverConfiguration /etc/unbound/unbound.conf
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket local:/var/run/opendkim/opendkim.sock
Syslog yes
TemporaryDirectory /var/tmp
TrustAnchorFile /usr/share/dns/root.key
UMask 0002
UserID opendkim:opendkim
Nameservers 8.8.8.8,8.8.4.4
After:
Domain example.com
Selector default
KeyFile /etc/opendkim/keys/example.com/default.private
Canonicalization relaxed/simple
AutoRestart yes
AutoRestartRate 10/1M
Background yes
PidFile /var/run/opendkim/opendkim.pid
Socket local:/var/run/opendkim/opendkim.sock
LogResults yes
LogWhy yes
SyslogSuccess yes
Statistics /var/log/dkim-filter/dkim-stats
TemporaryDirectory /var/tmp
UMask 0002
UserID opendkim:opendkim
TrustAnchorFile /var/lib/unbound/root.key
Unbound as local resolver and TrustAnchorFile:
apt install unbound resolvconf
su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
systemctl reload unbound
echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
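An added example, not part of the original posts: a Python triage of a DMARC aggregate report in the layout shown in the question, which flags records whose auth_results carry no dkim element at all, the pattern in the question's report. The function name triage, the sample report and its second record are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the report above; the second record is invented.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>1</count><policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>2001:db8::25</source_ip><count>3</count><policy_evaluated>
      <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def triage(report_xml):
    """Return one finding per <record>: DMARC verdict and whether a DKIM result exists."""
    # For reports received from untrusted senders, parse with defusedxml instead.
    root = ET.fromstring(report_xml)
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim = ev.findtext("dkim", "fail")
        spf = ev.findtext("spf", "fail")
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": ev.findtext("disposition"),
            # DMARC passes when either aligned mechanism (DKIM or SPF) passes.
            "dmarc_pass": "pass" in (dkim, spf),
            # auth_results/dkim is optional; when absent, the receiver evaluated
            # no DKIM signature, which points at the signing side (milter, selector).
            "dkim_signed": rec.find("auth_results/dkim") is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

A record with dkim_signed False and dmarc_pass True is being delivered on SPF alone, so any path where SPF does not pass or align will hit the p=reject policy.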