
SPF and OpenDMARC not working in Postfix

Server Fault user
Asked on 2020-12-26 18:16:59
Answers: 1, Views: 1.2K, Followers: 0, Votes: 0

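I am implementing SPF and OpenDMARC/DKIM for my mail servers. Currently I have two mail servers in different subnets, each with its own DNS server and domain name. They can exchange email successfully.

I set up SPF with pypolicyd-spf, DMARC with OpenDMARC, and DKIM with OpenDKIM. DKIM works perfectly, but I have some problems with DMARC and SPF, which may be related to my topology (its diagram is below).

I have users on each mail server, and I exchange mail between them via Squirrelmail.

How do I make SPF and DMARC work? In my email headers I get: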

Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132
Authentication-Results: OpenDKIM; dmarc=none (p=none dis=none) header.from=another.com

I think there is a problem with the localhost IP in the logs, but I don't know what is causing it:

policyd-spf[2183]: prepend X-Comment: SPF check N/A for local connections - client-ip=127.0.0.1; helo=[192.168.22.128]; envelope-from=centos1@example.com; receiver=
postfix/smtpd[2177]: D5DA9C0F5F38: client=localhost[127.0.0.1]

My postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = $myhostname
myhostname = example.com
mynetworks = 127.0.0.0/8, 192.168.22.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf, permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550

Network diagram:

I can provide any additional information if needed.

Of course, all the entries in DNS have been generated.

example.com.     IN      TXT     "v=spf1 mx ~all"
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=XXXkeyXXX" )  ; ----- DKIM key default for example.com
_dmarc.example.com.       IN      TXT      "v=DMARC1; p=none; pct=100"

policyd-spf log:

policyd-spf[2681]: Read line: "request=smtpd_access_policy"
policyd-spf[2681]: Read line: "protocol_state=RCPT"
policyd-spf[2681]: Read line: "protocol_name=ESMTP"
policyd-spf[2681]: Read line: "client_address=192.168.22.132"
policyd-spf[2681]: Read line: "client_name=gateway"
policyd-spf[2681]: Read line: "reverse_client_name=gateway"
policyd-spf[2681]: Read line: "helo_name=example.com"
policyd-spf[2681]: Read line: "sender=daniel@example.com"
policyd-spf[2681]: Read line: "recipient=marek@another.com"
policyd-spf[2681]: Read line: "recipient_count=0"
policyd-spf[2681]: Read line: "queue_id="
policyd-spf[2681]: Read line: "instance=a73.5fe8c4e7.510b9.0"
policyd-spf[2681]: Read line: "size=935"
policyd-spf[2681]: Read line: "etrn_domain="
policyd-spf[2681]: Read line: "stress="
policyd-spf[2681]: Read line: "sasl_method="
policyd-spf[2681]: Read line: "sasl_username="
policyd-spf[2681]: Read line: "sasl_sender="
policyd-spf[2681]: Read line: "ccert_subject="
policyd-spf[2681]: Read line: "ccert_issuer="
policyd-spf[2681]: Read line: "ccert_fingerprint="
policyd-spf[2681]: Read line: "ccert_pubkey_fingerprint="
policyd-spf[2681]: Read line: "encryption_protocol="
policyd-spf[2681]: Read line: "encryption_cipher="
policyd-spf[2681]: Read line: "encryption_keysize=0"
policyd-spf[2681]: Read line: ""
policyd-spf[2681]: Found the end of entry
policyd-spf[2681]: Config: {'Whitelist_Lookup_Time': 10, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'Reason_Message': 'Message {rejectdefer} due to: {spf}. Please see {url}', 'PermError_reject': 'False', 'Header_Type': 'SPF', 'TestOnly': 0, 'SPF_Enhanced_Status_Codes': 'Yes', 'TempError_Defer': 'False', 'Lookup_Time': 20, 'debugLevel': 4, 'Authserv_Id': 'centos2.another.agh.edu.pl', 'Mail_From_reject': 'Fail', 'Hide_Receiver': 'Yes', 'HELO_reject': 'Fail', 'Void_Limit': 2, 'Mock': False}
Dec 27 12:31:19 centos2 policyd-spf[2681]: Cached data for this instance: []
Dec 27 12:31:19 centos2 policyd-spf[2681]: skip_addresses enabled.
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'helo']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=no SPF record; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.com; receiver=
Dec 27 12:31:29 centos2 policyd-spf[2681]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Dec 27 12:31:29 centos2 policyd-spf[2681]: None; identity=mailfrom; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.agh.edu.pl; receiver=
Dec 27 12:31:29 centos2 policyd-spf[2681]: not peruser
Dec 27 12:31:29 centos2 policyd-spf[2681]: Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=192.168.22.132; helo=example.com; envelope-from=daniel@example.com; receiver=  Reject action: 550 5.7.23
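
1 Answer

Server Fault user

Accepted answer

Posted on 2020-12-29 12:34:32

After a few days of fighting with SPF, I finally found out what was wrong.

My topology includes two DNS servers, and the /etc/resolv.conf file on the mail servers lists both DNS servers.

OpenDMARC's SPF check worked like a charm and reacted to changes of the SPF records on both DNS servers, but pyspf did not.

The answer is: pypolicyd-spf does not support two DNS servers in resolv.conf. A simple workaround is to create both zones on one DNS server. Suddenly, pyspf started working.

Votes: 1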
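
A diagnostic for the situation the answer describes, as an added example that is not part of the original post: it asks each nameserver listed in resolv.conf separately for the domain's SPF record, so a server that does not host the zone shows up at once. The nameserver addresses and the `SAMPLE_ZONES` table are constructed for illustration, and `dig_txt` assumes the `dig` utility is installed.

```python
import subprocess

def nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf content, in file order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def dig_txt(server, domain):
    """Ask one specific server for TXT records with dig; returns decoded strings."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "@" + server, domain, "TXT"],
        capture_output=True, text=True, check=False).stdout
    # dig prints a record as one or more quoted chunks; join the chunks.
    return ["".join(line.split('"')[1::2])
            for line in out.splitlines() if line.startswith('"')]

def spf_view(resolv_conf_text, domain, lookup=dig_txt):
    """Map every configured nameserver to the SPF record it returns, or None."""
    view = {}
    for server in nameservers(resolv_conf_text):
        spf = [t for t in lookup(server, domain)
               if t.lower().split()[:1] == ["v=spf1"]]
        view[server] = spf[0] if spf else None
    return view

def blind_servers(view):
    """Nameservers through which an SPF check on the domain would yield None."""
    return [server for server, record in view.items() if record is None]

# Constructed sample: two DNS servers, each hosting only one of the two zones.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 192.168.22.10
nameserver 192.168.23.10
"""
SAMPLE_ZONES = {
    "192.168.22.10": {"example.com": ["v=spf1 mx ~all"]},
    "192.168.23.10": {"another.com": ["v=spf1 mx ~all"]},
}

def sample_lookup(server, domain):
    """Stand-in for dig_txt that answers from SAMPLE_ZONES (no network needed)."""
    return SAMPLE_ZONES.get(server, {}).get(domain, [])

if __name__ == "__main__":
    view = spf_view(SAMPLE_RESOLV_CONF, "example.com", lookup=sample_lookup)
    for server, record in view.items():
        print(server, "->", record or "no SPF record visible")
```

On a real mail server, call `spf_view(open("/etc/resolv.conf").read(), "example.com")` to use `dig` instead of the sample table.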
Original page content provided by Server Fault. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: https://serverfault.com/questions/1047621