Fixing DKIM signature verification failures when signing with amavisd-new

The mail server uses amavisd-new to apply DKIM signatures, and I found that mail sent to Gmail failed DKIM verification:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of mark@myhost.com designates 61.128.xxx.xxx as permitted sender) smtp.mail=mark@myhost.com; dkim=neutral (bad format) header.i=@myhost.com

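When the mail server was first installed, verification had passed during testing.

Investigation showed that the dkim_key setting in amavisd.conf determines the name (the DKIM selector) that the receiving server uses to look up the sending server's DKIM public key:

# !! The 2nd parameter is the name used in the DNS TXT record, e.g. dkim._domainkey

# If you use another word, e.g. issence, then the DNS TXT hostname must be issence._domainkey !!!

dkim_key('myhost.com', 'dkim', '/var/amavis/myhost-dkim.key');

As shown above, the second parameter, dkim, determines that the host name of the TXT record holding the DKIM key for your own server's domain must be: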

dkim._domainkey.myhost.com

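The record I had stored in DNS was dkim._domainkey.myhost.com, but the identifier in amavisd was not dkim; at some point, I don't know when, it had been changed to mail. As a result the receiving server's DNS lookup failed, and verification with amavisd's own command failed as well:

# amavisd testkeys

TESTING#1: mail._domainkey.myhost.com => invalid (public key: not available)

After changing the relevant entry in amavisd.conf to dkim, verification succeeded:

# amavisd testkeys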

TESTING#1: dkim._domainkey.myhost.com => pass

Below are the headers of the message as received by Gmail:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of mark@myhost.com designates 61.128.xxx.xxx as permitted sender) smtp.mail=mark@myhost.com; dkim=pass header.i=@myhost.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=myhost.com; h= content-transfer-encoding:content-type:content-type:subject :subject:mime-version:user-agent:from:from:date:date:message-id :received:received; s=dkim; t=1322140024; x=1323954425; bh=uZ....Hy9hw=; b=Vq/2zo.....ztTOwVc=

Note: in this article, myhost replaces the TLD part of the real domain name.
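
The selector mismatch described above can be caught before mail goes out by comparing the selector in each dkim_key line with the TXT names that are actually published. The following Python is an added example, not part of the original post or of amavisd-new; the function names and the sample TXT value are constructed, and the dict of TXT records stands in for a real DNS lookup.

```python
import re

# One quoted argument of dkim_key(), single or double quotes.
_ARG = r"""['"]([^'"]+)['"]"""
# An uncommented dkim_key('domain', 'selector', '/path/to/key') line.
DKIM_KEY_RE = re.compile(r"^\s*dkim_key\(\s*" + r"\s*,\s*".join([_ARG] * 3), re.M)

def parse_dkim_keys(conf_text):
    """Return (domain, selector, keyfile) for each active dkim_key() line."""
    return DKIM_KEY_RE.findall(conf_text)

def query_name(domain, selector):
    """DNS name a verifier queries for the public key."""
    return f"{selector}._domainkey.{domain}"

def signature_query_name(header_value):
    """Derive the same name from the s= and d= tags of a DKIM-Signature."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return query_name(tags["d"], tags["s"])

def check_selectors(conf_text, txt_records):
    """Map each configured query name to "ok", "missing" or "no public key".

    txt_records is a dict of DNS name -> TXT value, standing in for DNS.
    """
    results = {}
    for domain, selector, _keyfile in parse_dkim_keys(conf_text):
        name = query_name(domain, selector)
        txt = txt_records.get(name)
        if txt is None:
            results[name] = "missing"  # the failure the page hit with 'mail'
        elif not re.search(r"(?:^|;)\s*p=\s*[^;\s]", txt):
            results[name] = "no public key"  # empty p= marks a revoked key
        else:
            results[name] = "ok"
    return results

# Constructed sample data using the page's placeholder domain.
PUBLISHED = {"dkim._domainkey.myhost.com": "v=DKIM1; p=MIGfCONSTRUCTEDSAMPLE"}
BROKEN_CONF = "dkim_key('myhost.com', 'mail', '/var/amavis/myhost-dkim.key');\n"
FIXED_CONF = "dkim_key('myhost.com', 'dkim', '/var/amavis/myhost-dkim.key');\n"
SAMPLE_SIG = "v=1; a=rsa-sha256; d=myhost.com; s=dkim; t=1322140024"

if __name__ == "__main__":
    print(check_selectors(BROKEN_CONF, PUBLISHED))  # mail selector: missing
    print(check_selectors(FIXED_CONF, PUBLISHED))   # dkim selector: ok
    print(signature_query_name(SAMPLE_SIG))
```

In a live deployment the dict would be replaced by TXT lookups against the authoritative name servers, so that a stale resolver cache does not hide a missing record.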