
Postfix. OpenDMARC rejects all mail. 5.7.1 rejected by DMARC policy

Stack Overflow user
Asked on 2020-10-16 21:57:13
Answers: 1, Views: 1.5K, Followers: 0, Votes: 0

I activated opendmarc on my server, but it rejects all emails. I tried sending mail from Google and Yahoo addresses, but it doesn't work.

Any idea what is wrong?

5.7.1 rejected by DMARC policy for remoteserver.domain.ltd
5.7.1 rejected by DMARC policy for yahoo.com
...

/etc/postfix/main.cf

allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
dmarc_milter = , inet:localhost:8893
#dmarc_milter =
smtpd_milters = inet:localhost:8891 $dmarc_milter
non_smtpd_milters = $smtpd_milters

/etc/opendmarc.conf

AuthservID OpenDMARC
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc.pid
RejectFailures true
RequiredHeaders true
Socket inet:8893@localhost
SoftwareHeader true
Syslog true
SyslogFacility mail
UMask 0002
UserID opendmarc:opendmarc
#SPFSelfValidate true
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat

/etc/opendmarc/ignore.hosts

127.0.0.0/8
::1/128
localhost
192.168.0.0/24

/var/log/mail.log

Oct 16 22:40:14 myserver postfix/smtpd[25265]: connect from remoteserver.domain.ltd[22.22.22.22]
Oct 16 22:40:14 myserver postfix/smtpd[25265]: Anonymous TLS connection established from remoteserver.domain.ltd[22.22.22.22]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 16 22:40:14 myserver postfix/smtpd[25265]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Oct 16 22:40:14 myserver postfix/smtpd[25265]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
Oct 16 22:40:14 myserver policyd-spf[25268]: None; identity=helo; client-ip=22.22.22.22; helo=remoteserver.domain.ltd; envelope-from=mail@remoteserver.domain.ltd; receiver=myserver@myserver.ltd
Oct 16 22:40:14 myserver policyd-spf[25268]: Pass; identity=mailfrom; client-ip=22.22.22.22; helo=remoteserver.domain.ltd; envelope-from=mail@remoteserver.domain.ltd; receiver=myserver@myserver.ltd
Oct 16 22:40:14 myserver postgrey[2548]: action=pass, reason=client AWL, client_name=remoteserver.domain.ltd, client_address=22.22.22.22, sender=mail@remoteserver.domain.ltd, recipient=myserver@myserver.ltd
Oct 16 22:40:14 myserver postfix/smtpd[25265]: C878281433: client=remoteserver.domain.ltd[22.22.22.22]
Oct 16 22:40:14 myserver postfix/cleanup[25147]: C878281433: replace: header Message-ID: <f4d01e44d05cf2df477efc36b8969112@remoteserver.domain.ltd> from remoteserver.domain.ltd[22.22.22.22]; from=<mail@remoteserver.domain.ltd> to=<myserver@myserver.ltd> proto=ESMTP helo=<remoteserver.domain.ltd>: Message-ID: <f4d01e44d05cf2df477efc36b8969112@remoteserver.domain.ltd>
Oct 16 22:40:14 myserver postfix/cleanup[25147]: C878281433: message-id=<f4d01e44d05cf2df477efc36b8969112@remoteserver.domain.ltd>
Oct 16 22:40:14 myserver opendkim[4159]: C878281433: s=mail d=remoteserver.domain.ltd SSL
Oct 16 22:40:14 myserver opendmarc[18621]: C878281433 ignoring Authentication-Results at 0 from myserver.myserver.ltd
Oct 16 22:40:14 myserver opendmarc[18621]: C878281433: remoteserver.domain.ltd fail
Oct 16 22:40:14 myserver postfix/cleanup[25147]: C878281433: milter-reject: END-OF-MESSAGE from remoteserver.domain.ltd[22.22.22.22]: 5.7.1 rejected by DMARC policy for remoteserver.domain.ltd; from=<mail@remoteserver.domain.ltd> to=<myserver@myserver.ltd> proto=ESMTP helo=<remoteserver.domain.ltd>
Oct 16 22:40:14 myserver postfix/smtpd[25265]: disconnect from remoteserver.domain.ltd[22.22.22.22]

/var/run/opendmarc/opendmarc.dat

job 0EC0180962
reporter ptr_remoteserver.ltd
received 1602938133
ipaddr 22.22.22.22
from remoteserver.domain.ltd
mfrom remoteserver.domain.ltd
spf -1
pdomain remoteserver.domain.ltd
policy 16
rua -
pct 100
adkim 114
aspf 114
p 114
sp 0
align_dkim 5
align_spf 5
action 0

netstat -ltnp | grep :8893

tcp        0      0 127.0.0.1:8893          0.0.0.0:*               LISTEN      14990/opendmarc

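1 Answer

Stack Overflow user

Answered on 2020-10-18 15:01:42

It looks like you are using CentOS.

Make sure your SPF and DKIM are set up correctly. You can follow this guide: https://www.linuxbabe.com/redhat/set-up-spf-dkim-postfix-centos

Then follow this guide to set up OpenDMARC: https://www.linuxbabe.com/redhat/opendmarc-postfix-centos-rhel

It is recommended to set SPFSelfValidate to true in the /etc/opendmarc.conf file, so that OpenDMARC performs the SPF check itself when it cannot find an SPF result in the headers.

It is also recommended to set TrustedAuthservIDs in the /etc/opendmarc.conf file.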

TrustedAuthservIDs mail.yourdomain.com

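Replace the hostname with your real Postfix hostname. This tells OpenDMARC to trust authentication results that carry mail.yourdomain.com in the ID. This is required when you run OpenDKIM to perform DKIM verification. If the Postfix hostname is not included in TrustedAuthservIDs, then OpenDMARC may ignore the Authentication-Results header generated by OpenDKIM.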

Votes: 1
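
One way to check for the mismatch the answer describes, as an added example (not code from the original post or from the OpenDMARC project): the script collects every authserv-id that OpenDMARC logged as ignored and reports those missing from TrustedAuthservIDs. The function names are assumptions made for illustration, and the embedded sample input is constructed from the config and log lines in the question.

```python
import re

# Constructed sample input, adapted from the config and log in the question.
SAMPLE_CONF = """\
AuthservID OpenDMARC
RejectFailures true
#SPFSelfValidate true
"""
SAMPLE_LOG = """\
Oct 16 22:40:14 myserver opendkim[4159]: C878281433: s=mail d=remoteserver.domain.ltd SSL
Oct 16 22:40:14 myserver opendmarc[18621]: C878281433 ignoring Authentication-Results at 0 from myserver.myserver.ltd
Oct 16 22:40:14 myserver opendmarc[18621]: C878281433: remoteserver.domain.ltd fail
"""

# Matches the opendmarc syslog line shown in the question's mail.log.
IGNORED = re.compile(
    r"opendmarc\[\d+\]: (\w+):? ignoring Authentication-Results at \d+ from (\S+)"
)

def parse_conf(text):
    """Return {lowercased key: value} for the uncommented opendmarc.conf lines."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def untrusted_authserv_hosts(log_text, conf_text):
    """Map each ignored authserv-id missing from TrustedAuthservIDs to its queue IDs."""
    raw = parse_conf(conf_text).get("trustedauthservids", "")
    trusted = {item.strip().lower() for item in raw.split(",") if item.strip()}
    hits = {}
    for match in IGNORED.finditer(log_text):
        queue_id, host = match.group(1), match.group(2).lower()
        if host not in trusted:
            hits.setdefault(host, []).append(queue_id)
    return hits

def suggested_line(hits, conf_text):
    """Build a TrustedAuthservIDs line that keeps existing IDs and adds the ignored ones."""
    raw = parse_conf(conf_text).get("trustedauthservids", "")
    ids = [item.strip() for item in raw.split(",") if item.strip()]
    ids += [host for host in sorted(hits) if host not in ids]
    return "TrustedAuthservIDs " + ",".join(ids)

if __name__ == "__main__":
    found = untrusted_authserv_hosts(SAMPLE_LOG, SAMPLE_CONF)
    for host, jobs in found.items():
        print(f"{host}: Authentication-Results ignored for {len(jobs)} message(s)")
    print(suggested_line(found, SAMPLE_CONF))
```

On a real server, pass the contents of /var/log/mail.log and /etc/opendmarc.conf to the same functions in place of the sample strings.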
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/64396880
