Estoy trabajando en implementar SPF y OpenDMARC/DKIM en mis servidores de correo. Actualmente tengo dos servidores de correo en subredes diferentes, cada uno con un servidor DNS y un nombre de dominio separados. Pueden intercambiar correos electrónicos con éxito.
Configuré SPF con pypolicyd-spf, DMARC con OpenDMARC y DKIM con OpenDKIM. DKIM funciona perfectamente, pero tengo algunos problemas con DMARC y SPF, probablemente estén relacionados con mi topografía (a continuación se muestra un gráfico).
Tengo usuarios creados en cada servidor de correo e intercambio correos entre ellos a través de Squirrelmail.
¿Cómo hacer que SPF y DMARC funcionen? En los encabezados de mis correos electrónicos obtengo:
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132
Authentication-Results: OpenDKIM; dmarc=none (p=none dis=none) header.from=another.com
Creo que hay algún problema con la IP del host local en los registros, pero no tengo idea de qué lo causa:
policyd-spf[2183]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=[192.168.22.128]; [email protected]; receiver=<UNKNOWN>
postfix/smtpd[2177]: D5DA9C0F5F38: client=localhost[127.0.0.1]
mi postconf -nsalida:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = example.com
mynetworks = 127.0.0.0/8, 192.168.22.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf, permit_mynetworks,
reject_unauth_destination
unknown_local_recipient_reject_code = 550
Gráfico de red:
Puedo proporcionar cualquier información adicional si es necesario.
Por supuesto, se realizan todas las entradas en DNS.
example.com. IN TXT "v=spf1 mx ~all"
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=XXXkeyXXX" ) ; ----- DKIM key default for example.com
_dmarc.example.com. IN TXT "v=DMARC1; p=none; pct=100"
registros de Policyd-SPF:
policyd-spf[2681]: Read line: "request=smtpd_access_policy"
policyd-spf[2681]: Read line: "protocol_state=RCPT"
policyd-spf[2681]: Read line: "protocol_name=ESMTP"
policyd-spf[2681]: Read line: "client_address=192.168.22.132"
policyd-spf[2681]: Read line: "client_name=gateway"
policyd-spf[2681]: Read line: "reverse_client_name=gateway"
policyd-spf[2681]: Read line: "helo_name=example.com"
policyd-spf[2681]: Read line: "[email protected]"
policyd-spf[2681]: Read line: "[email protected]"
policyd-spf[2681]: Read line: "recipient_count=0"
policyd-spf[2681]: Read line: "queue_id="
policyd-spf[2681]: Read line: "instance=a73.5fe8c4e7.510b9.0"
policyd-spf[2681]: Read line: "size=935"
policyd-spf[2681]: Read line: "etrn_domain="
policyd-spf[2681]: Read line: "stress="
policyd-spf[2681]: Read line: "sasl_method="
policyd-spf[2681]: Read line: "sasl_username="
policyd-spf[2681]: Read line: "sasl_sender="
policyd-spf[2681]: Read line: "ccert_subject="
policyd-spf[2681]: Read line: "ccert_issuer="
policyd-spf[2681]: Read line: "ccert_fingerprint="
policyd-spf[2681]: Read line: "ccert_pubkey_fingerprint="
policyd-spf[2681]: Read line: "encryption_protocol="
policyd-spf[2681]: Read line: "encryption_cipher="
policyd-spf[2681]: Read line: "encryption_keysize=0"
policyd-spf[2681]: Read line: ""
policyd-spf[2681]: Found the end of entry
policyd-spf[2681]: Config: {'Whitelist_Lookup_Time': 10, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'Reason_Message': 'Message {rejectdefer} due to: {spf}. Please see {url}', 'PermError_reject': 'False', 'Header_Type': 'SPF', 'TestOnly': 0, 'SPF_Enhanced_Status_Codes': 'Yes', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'debugLevel': 4, 'Authserv_Id': 'centos2.another.agh.edu.pl', 'Mail_From_reject': 'Fail', 'Hide_Receiver': 'Yes', 'HELO_reject': 'Fail', 'Void_Limit': 2, 'Mock': False}
Dec 27 12:31:19 centos2 policyd-spf[2681]: Cached data for this instance: []
Dec 27 12:31:19 centos2 policyd-spf[2681]: skip_addresses enabled.
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'helo']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=no SPF record; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=mailfrom; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN>
Dec 27 12:31:29 centos2 policyd-spf[2681]: not peruser
Dec 27 12:31:29 centos2 policyd-spf[2681]: Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132; helo=example.com; [email protected]; receiver=<UNKNOWN> Reject action: 550 5.7.23
Respuesta1
Después de unos días de luchar con SPF por pypolicyd-spf, finalmente pude saber qué está mal.
Mi topología incluía 2 servidores DNS y mis archivos /etc/resolv.conf en los servidores de correo tenían ambos servidores DNS.
OpenDMARC SPF funcionó a las mil maravillas y respondió a los cambios de registros spf en ambos DNS, pero pyspf no.
La respuesta es: pypolicyd-spf no admite dos dns en resolv.conf. Una solución sencilla es crear dos zonas en un servidor DNS. Entonces, de repente, pyspf comienza a funcionar.