Postfix mail server: how to resolve the OpenDKIM conflict you may hit when setting up MailScanner

This past week I managed to thoroughly confuse myself...
I had finally got MailScanner set up together with ClamAV virus scanning and SpamAssassin anti-spam, to strengthen the Postfix mail server.
Then I hit a wall: MailScanner's filtering rewrites the header format, which breaks the OpenDKIM signature, so the external mailbox services all rejected the mail.
I spent a lot of effort searching Google and asking ChatGPT, but with limited knowledge and broken English I could not get it working properly.

In the end I worked out how to get Postfix + OpenDKIM + MailScanner working together.
While it is still fresh in my memory, I am writing down the details, so that at least I have notes for myself the next time I reinstall or set this up.

*** Postfix part:
My installation does not use the milter setup recommended on the official site, but the method most guides describe:
add the line /^Received:/ HOLD to /etc/postfix/header_checks to enable the hand-off to MailScanner.
At this point, pay attention to the order in which things are invoked in /etc/postfix/main.cf.
The DKIM signature must be applied by Postfix first, and only afterwards is the message placed on hold for MailScanner to scan. Postfix itself does not care where a parameter sits in main.cf; the order that matters is the processing order: smtpd_milters run while the message is being received, while the header_checks HOLD is applied by cleanup afterwards, so the DKIM-Signature: header is already in place when MailScanner takes the message from the hold queue.
...(earlier part omitted)
### OpenDKIM: this has to run first
milter_default_action = accept
milter_protocol = 6
### openDKIM + OpenDMARC
smtpd_milters = inet:localhost:8891, local:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
...(middle part omitted)
### MailScanner function active: placed at the very end of this file
header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks
###

*** OpenDKIM part:
MailScanner rewrites the header block (so that downstream software and the reader can see the message has been scanned and passed).
To keep that rewrite from also invalidating the important DKIM-Signature: identification line,
uncomment and change the following parameters in /etc/opendkim.conf so the signature is not rejected by mistake. Relaxed header canonicalization tolerates changes in whitespace and line folding of the signed header fields, which simple canonicalization does not.
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
### for Mailscanner adjustment
Canonicalization relaxed
Mode sv
SubDomains yes

*** MailScanner part:
Most guides say to change these three places. As for the signature appended to the end of messages that pass scanning (Sign Clean Messages): with the settings below, leaving it enabled did not break the DKIM signature line.
# What to do when you get several MailScanner headers in one message,
# from multiple MailScanner servers. Values are
# "append" : Append the new data to the existing header
# "add" : Add a new header
# "replace" : Replace the old data with the new data
# Default is "append"
# This can also be the filename of a ruleset.
#Multiple Headers = append
### avoid DKIM breaking.
Multiple Headers = add

# Some people prefer that message headers are added in strict order with
# the newest headers at the top and the oldest headers at the bottom.
# This is also required if you receive a message which is authenticated by
# DKIM, and you are forwarding that message onto somewhere else, and want
# not to break the DKIM signature.
# **Note**: To avoid breaking DKIM signatures, you *must* also set
# Multiple Headers = add
# So if some of your users forward mail from PayPal, Ebay or Yahoo! to
# accounts stored on Gmail or Googlemail, then you need to set this to "yes"
# and "Multiple Headers = add" to avoid breaking the DKIM signature.
# It may be worth using a ruleset to just apply this to messages sent by
# the companies mentioned above.
# This can also be the filename of a ruleset.
#Place New Headers At Top Of Message = no
### avoid broken DKIM
Place New Headers At Top Of Message = yes

# Add the "Inline HTML Signature" or "Inline Text Signature" to the end
# of uninfected messages?
# If you add your own signature in your email application, and include the
# magic token "_SIGNATURE_" in your email message, the signature will be
# inserted just there, rather than at the end of the message.
# This can also be the filename of a ruleset.
Sign Clean Messages = yes
### DKIM is not influenced here
#Sign Clean Messages = no
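To see why these settings matter, here is an added example (not from the original post, and not MailScanner or OpenDKIM code): a small Python model of RFC 6376 header canonicalization and signed-header selection, applied to a constructed message and to a constructed imitation of the header rewrite a scanner performs. It covers the OpenDKIM "Canonicalization relaxed" setting above as well as "Multiple Headers = add" and "Place New Headers At Top Of Message = yes". The message headers, the domain example.com, the X-Site-MailScanner-* header names and the assumption that the upstream signer listed its own scanner header in h= are all made up for the illustration; only the header half of the DKIM hash input is modelled, not the body hash.

```python
import hashlib
import re


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """(name, value) pairs in original order. Continuation lines stay folded
    (joined with CRLF) so 'simple' canonicalization sees the field as written."""
    fields: list[tuple[str, str]] = []
    for line in raw.split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields


def canon_simple(name: str, value: str) -> str:
    """RFC 6376 3.4.1: the field is hashed exactly as it appears."""
    return f"{name}:{value}\r\n"


def canon_relaxed(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace runs to one
    space, strip whitespace around the colon and at the end."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", ""))
    return f"{name.strip().lower()}:{value.strip()}\r\n"


def parse_dkim_tags(sig_value: str) -> dict[str, str]:
    """tag=value list of a DKIM-Signature field, folding whitespace removed."""
    tags: dict[str, str] = {}
    for item in sig_value.replace("\r\n", "").split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_input(fields, h_list, canon) -> str:
    """RFC 6376 5.4.2: for each name in h=, in order, take the bottom-most
    instance not used yet; a name with no instance left contributes nothing."""
    used: set[int] = set()
    parts = []
    for wanted in h_list:
        for idx in range(len(fields) - 1, -1, -1):
            if idx not in used and fields[idx][0].strip().lower() == wanted.lower():
                used.add(idx)
                parts.append(canon(*fields[idx]))
                break
    return "".join(parts)


def header_hash(raw: str) -> str:
    """SHA-256 over the signed header fields selected by the message's own c=
    and h= tags. The DKIM-Signature field itself and the body hash are left out."""
    fields = parse_headers(raw)
    tags = parse_dkim_tags(next(v for n, v in fields if n.lower() == "dkim-signature"))
    canon = canon_relaxed if tags["c"].split("/")[0] == "relaxed" else canon_simple
    data = signed_header_input(fields, tags["h"].split(":"), canon)
    return hashlib.sha256(data.encode()).hexdigest()


def rewrite_like_mailscanner(raw: str, new_headers: list[tuple[str, str]],
                             *, at_top: bool, multiple: str) -> str:
    """Constructed model (not MailScanner's code) of a scanner re-emitting a
    message: every field is written unfolded on one line, and each new header
    follows 'Multiple Headers' (add / append) and 'Place New Headers At Top'."""
    fields = [(n, re.sub(r"[ \t]*\r\n[ \t]*", " ", v)) for n, v in parse_headers(raw)]
    for name, value in new_headers:
        same = [i for i, (n, _) in enumerate(fields) if n.lower() == name.lower()]
        if multiple == "append" and same:
            n, v = fields[same[-1]]
            fields[same[-1]] = (n, f"{v}, {value.strip()}")
        elif at_top:
            fields.insert(0, (name, value))
        else:
            fields.append((name, value))
    return "\n".join(f"{n}:{v}" for n, v in fields)


# Constructed sample, not a real message; bh= and b= are placeholders (only c=
# and h= are read). That the upstream signer listed its own scanner header in
# h= is an assumption, made to show the case the MailScanner comments describe.
SIGNED_MESSAGE = "\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=2024;",
    "\th=From:To:Subject:Date:X-Site-MailScanner-Information; bh=PLACEHOLDER; b=PLACEHOLDER",
    "From: jir <jir@example.com>",
    "To: user@example.net",
    "Subject: weekly report for the",
    "\tmail server",
    "Date: Thu, 05 Dec 2024 19:56:38 +0800",
    "X-Site-MailScanner-Information: Please contact the ISP for more information",
])
# Headers a second MailScanner server using the same prefix would add (constructed).
SCANNER_HEADERS = [
    ("X-Site-MailScanner-Information", " Please contact postmaster@example.net for more information"),
    ("X-Site-MailScanner", " Found to be clean"),
]


def survives(raw: str, *, at_top: bool, multiple: str, c: str = "relaxed") -> bool:
    """True if the signed-header hash is unchanged after the rewrite; `c` is the
    header canonicalization the signer used (relaxed or simple)."""
    raw = raw.replace("c=relaxed/simple", f"c={c}/simple")
    after = rewrite_like_mailscanner(raw, SCANNER_HEADERS, at_top=at_top, multiple=multiple)
    return header_hash(raw) == header_hash(after)


def scenarios() -> dict[str, bool]:
    return {
        "simple canon, headers at bottom, append": survives(SIGNED_MESSAGE, at_top=False, multiple="append", c="simple"),
        "simple canon, headers at top, add": survives(SIGNED_MESSAGE, at_top=True, multiple="add", c="simple"),
        "relaxed canon, headers at bottom, add": survives(SIGNED_MESSAGE, at_top=False, multiple="add"),
        "relaxed canon, headers at top, append": survives(SIGNED_MESSAGE, at_top=True, multiple="append"),
        "relaxed canon, headers at top, add": survives(SIGNED_MESSAGE, at_top=True, multiple="add"),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'intact' if ok else 'BROKEN':6}  {label}")
```

Running it prints one line per scenario, and only the combination relaxed + add + top leaves the signed-header hash intact: relaxed canonicalization absorbs the refolded Subject line, "add" leaves the upstream server's signed header untouched instead of appending to it, and placing new headers at the top keeps the bottom-most instance, which is the one DKIM selects, the original. Putting the same headers at the bottom, or appending to an existing one, changes the selected field and the hash with it.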

After changing the configuration files of all three services, remember to restart OpenDKIM, MailScanner and Postfix.
sudo systemctl restart opendkim mailscanner postfix

Besides sending mail to yourself and checking whether the header content looks right, the following two sites can help confirm that the mail server and the DNS server have SPF and DKIM set up correctly.
Test and validation sites: 1. https://dkimvalidator.com/
2. https://mxtoolbox.com/

In short, once the keywords in these two places appear (the MailScanner "Found to be clean" header and the DKIM-Signature: header, as in the captured headers below, with the domain and IDs blanked out), it has worked, and the Gmail, Yahoo or Hotmail mail servers should no longer bounce the mail.
X-Spam-Status: No
X-yoursite-MailScanner-From:
X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-ID:
X-yoursite-MailScanner-Information: Please contact the ISP for more information
Received: from (localhost [127.0.0.1])
by (Postfix) with ESMTPSA id ;
Thu, 5 Dec 2024 19:56:38 +0800 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=; s=2024;
t=1733399798; i=@;
bh=AdvQ………………………lw=
MIME-Version: 1.0
Date: Thu, 05 Dec 2024 19:56:38 +0800
From: jir
