{"id":4439,"date":"2014-09-24T15:27:28","date_gmt":"2014-09-24T12:27:28","guid":{"rendered":"http:\/\/skeletor.org.ua\/?p=4439"},"modified":"2024-09-16T10:10:35","modified_gmt":"2024-09-16T07:10:35","slug":"exim-spfdkim","status":"publish","type":"post","link":"https:\/\/skeletor.org.ua\/?p=4439","title":{"rendered":"[exim] SPF\/DKIM"},"content":{"rendered":"

\u0414\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f, \u0447\u0442\u043e \u0431\u044b Exim<\/strong> \u0431\u044b\u043b \u0441\u043e\u0431\u0440\u0430\u043d \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 SPF\/DKIM<\/strong>. \u0414\u043b\u044f Debian<\/strong> \u044d\u0442\u043e \u043e\u0437\u043d\u0430\u0447\u0430\u0435\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0443 \u043f\u0430\u043a\u0435\u0442\u0430\u00a0exim4-daemon-heavy<\/strong>.<\/p>\n

SPF<\/span><\/strong><\/h2>\n

\u0414\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0432 DNS<\/strong> \u0442\u0430\u043a\u0438\u0435 \u0437\u0430\u043f\u0438\u0441\u0438 (\u043f\u0440\u0435\u0434\u043f\u043e\u0447\u0442\u0438\u0442\u0435\u043b\u044c\u043d\u0435\u0435):<\/p>\n

mydomain.ru. IN TXT \"v=spf1 a mx ~all\"<\/code><\/p>\n

\u0430 \u0435\u0441\u043b\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 DNS<\/strong>, \u0442\u043e \u0442\u0430\u043a\u0443\u044e:<\/p>\n

mydomain.ru. IN SPF \"v=spf1 a mx ~all\"<\/code><\/p>\n

<\/p>\n

\u0414\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0442\u043e\u0433\u043e, \u0447\u0442\u043e \u0437\u0430\u043f\u0438\u0441\u044c \u0434\u043e\u0431\u0430\u0432\u0438\u043b\u0430\u0441\u044c \u0438 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442, \u0435\u0451 \u043d\u0443\u0436\u043d\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c \u0447\u0435\u0440\u0435\u0437\u00a0spfquery<\/strong>:<\/p>\n

# dig -t spf mydomain.ru +short
\n\"v=spf1 +a +mx ~all\"
\n# apt-get install libspf2-2 libmail-spf-perl spf-tools-perl
\n# spfquery --ip 1.1.1.1 --mail-from a@mydomain.ru --helo mydomain.ru
\nsoftfail
\nmydomain.ru: Sender is not authorized by default to use 'mydomain.ru' in 'helo' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)
\nmydomain.ru: Sender is not authorized by default to use 'mydomain.ru' in 'helo' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)
\nReceived-SPF: softfail (mydomain.ru: Sender is not authorized by default to use 'mydomain.ru' in 'helo' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mydomain.ru; identity=helo; helo=mydomain.ru; client-ip=1.1.1.1
\n# spfquery --ip XX.XX.XX.XX --mail-from a@mydomain.ru --helo mydomain.ru
\npass
\nmydomain.ru: XX.XX.XX.XX is authorized to use 'mydomain.ru' in 'helo' identity (mechanism 'a' matched)
\nmydomain.ru: XX.XX.XX.XX is authorized to use 'mydomain.ru' in 'helo' identity (mechanism 'a' matched)
\nReceived-SPF: pass (mydomain.ru: XX.XX.XX.XX is authorized to use 'mydomain.ru' in 'helo' identity (mechanism 'a' matched)) receiver=mydomain.ru; identity=helo; helo=mydomain.ru; client-ip=XX.XX.XX.XX
\n<\/code>
\n\u0413\u0434\u0435 XX.XX.XX.XX<\/strong> – \u044d\u0442\u043e \u043e\u0434\u0438\u043d \u0431\u044b\u043b IN A<\/strong> \u0432 DNS<\/strong> \u0434\u043b\u044f \u0434\u043e\u043c\u0435\u043d\u0430 mydomain.ru<\/strong><\/p>\n

\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435.<\/span><\/strong><\/em><\/p>\n

\u041d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u043e\u0447\u0442\u043e\u0432\u044b\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, gmail<\/strong>) \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u044e\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e\u0431 SPF<\/strong>:<\/p>\n

spf=pass (google.com: domain of user@domain.ru designates XX.XX.XX.XX\u00a0as permitted sender) smtp.mail=user@domain.ru<\/code><\/p>\n

\u041d\u0430\u0441\u0442\u0440\u043e\u0438\u043c \u0434\u0435\u043c\u043e\u043d spfd<\/strong>.<\/p>\n

\u0414\u043b\u044f \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u043f\u0438\u0448\u0435\u043c \u0442\u0430\u043a\u043e\u0439 init<\/strong>-\u0441\u043a\u0440\u0438\u043f\u0442:<\/p>\n

#!\/bin\/sh\n\nUSER=Debian-exim\nGROUP=mail\n\nSOCK=\/var\/run\/spfd\/spfd.sock\nPID=\/var\/run\/spfd\/spfd.pid\n\nSPFD=\/usr\/sbin\/spfd\nDESC=\"SPF Daemon\"\n\nARGS=\"-path=${SOCK} -setuser=${USER} -setgroup=${GROUP} -pathuser=${USER} -pathgroup=${GROUP}\"\n\ncase \"$1\" in\n    start)\n        echo -n \"Starting $DESC:\"\n            start-stop-daemon --start --quiet --background --make-pidfile \\\n                --pidfile ${PID} \\\n                --exec ${SPFD} -- ${ARGS}\n        echo \".\"\n        ;;\n\n    stop)\n        echo -n \"Stopping $DESC:\"\n            start-stop-daemon --stop --quiet --oknodo --signal 9 --pidfile \"${PID}\"\n            rm -f $SOCK $PID\n        echo \".\"\n        ;;\n\n    restart|force-reload)\n        \/etc\/init.d\/spfd stop\n        \/etc\/init.d\/spfd start\n        ;;\n\n    *)\n        N=\/etc\/init.d\/$NAME\n        echo \"Usage: $N {start|stop|restart|force-reload}\" >&2\n        exit 1\n        ;;\nesac\n\nexit 0\n<\/pre>\n
# update-rc.d spfd defaults<\/code><\/p>\n
\u0414\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 exim’\u043e\u043c<\/strong> SPF<\/strong>-\u0437\u0430\u043f\u0438\u0441\u0435\u0439, \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0442\u0430\u043a\u043e\u0435:<\/p>\n
begin acl\n\nspf_rcpt_acl:\n\n    # Check envelope sender\n    warn     set acl_m8  = $sender_address\n    deny     !acl        = spf_check     \n    warn     message     = Received-SPF: $acl_m8 ($acl_m7)\n    accept                                               \n\nspf_from_acl:\n\n    # Check header From:\n    warn     set acl_m8  = ${address:$h_from:}\n    deny     !acl        = spf_check         \n    warn     message     = Received-SPF: $acl_m8 ($acl_m7)\n    accept                                               \n\nspf_check:\n\n    warn     set acl_m9  = ${readsocket{\/var\/run\/spfd\/spfd.sock}\\\n                           {ip=$sender_host_address\\n\\\n                           helo=${if def:sender_helo_name\\\n                           {$sender_helo_name}{NOHELO}}\\ \n                           \\nsender=$acl_m8\\n\\n}{20s}{\\n}{socket failure}}\n\n    # Defer on socket error\n    defer    condition   = ${if eq{$acl_m9}{socket failure}{yes}{no}}\n             message     = Cannot connect to spfd                   \n\n    # Prepare answer and get results\n    warn     set acl_m9  = ${sg{$acl_m9}{\\N=(.*)\\n\\N}{=\\\"\\$1\\\" }}\n             set acl_m8  = ${extract{result}{$acl_m9}{$value}{unknown}}\n             set acl_m7  = ${extract{header_comment}{$acl_m9}{$value}{}}\n\n    # Check for fail\n    deny     condition   = ${if eq{$acl_m8}{fail}{yes}{no}}\n             message     = ${extract{smtp_comment}{$acl_m9}{$value}{}}\n             log_message = Not authorized by SPF                      \n\n    accept\n\nacl_check_mail:\n   \n  accept authenticated = *\n  deny    message       = $sender_host_address is not allowed to send mail from $sender_address_domain\n          !acl          = spf_rcpt_acl\n          hosts         = !+relay_from_hosts\n  accept\n\n\nacl_check_data:\n  deny senders = :\n       !acl = spf_from_acl\n  accept\n<\/pre>\n
DKIM<\/span><\/strong><\/h2>\n
\u0413\u0435\u043d\u0435\u0440\u0438\u0440\u0443\u0435\u043c \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u044b\u0439 \u043a\u043b\u044e\u0447:<\/p>\n
$ openssl genrsa -out \/usr\/local\/etc\/exim\/dkim\/mydomain.ru.key 1024
\nGenerating RSA private key, 1024 bit long modulus
\n...++++++
\n.....................................................................++++++
\ne is 65537 (0x10001)<\/code><\/p>\n
\u0422\u0435\u043f\u0435\u0440\u044c \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u044b\u0439:<\/p>\n
$ openssl rsa -in \/usr\/local\/etc\/exim\/dkim\/mydomain.ru.key -pubout
\nwriting RSA key
\n-----BEGIN PUBLIC KEY-----
\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYw9Ddhod6jZZkp0S0lf4I\/j57
\nG8DnW5HDoKHDr0OwmbOhg0QOefHIpfrhBCrTK08dAvvvFnXs5\/g1i9YU2ZDHE1uB
\npSrtm33ZBAC9tUneqTM6J4PYAHKs1hOchoOZCYJBdZiNBFUtxT9Ma2Gldkgy5lhX
\nZkS3pbIpEHYvI3PbewIDAQAB
\n-----END PUBLIC KEY-----<\/code><\/p>\n
\u041a\u043e\u043f\u0438\u0440\u0443\u0435\u043c \u043a\u043b\u044e\u0447 \u0438 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0432 \u0414\u041d\u0421 \u0437\u043e\u043d\u0435 \u043d\u0430\u0448\u0435\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0430 mydomain.ru\u00a0<\/strong>\u0432 \u043f\u043e\u043b\u0435:<\/p>\n
dkim._domainkey TXT \"k=rsa; p=MIGfMA0GCSqGSIb3D.........;\"<\/code><\/p>\n
\u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c:<\/p>\n
$ host -t txt dkim._domainkey.mydomain.ru.
\n;; Truncated, retrying in TCP mode.
\ndkim._domainkey.mydomain.ru. descriptive text \"k=rsa\\; p=MIGfMA0GCSqGS.....\\;\"<\/code><\/p>\n
\u0422\u0435\u043f\u0435\u0440\u044c \u043f\u0440\u0430\u0432\u0438\u043c \u0441\u0430\u043c exim<\/strong>:<\/p>\n
## DKIM:\nDKIM_DOMAIN                     = ${lc:${domain:$h_from:}}\nDKIM_FILE                       = \/usr\/local\/etc\/exim\/dkim\/${lc:${domain:$h_from:}}.key\nDKIM_PRIVATE_KEY                = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}\n...\n## \u0447\u0443\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043c \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442:\nremote_smtp:\n  driver                = smtp\n  dkim_domain           = DKIM_DOMAIN\n  dkim_selector         = dkim\n  dkim_private_key      = DKIM_PRIVATE_KEY\n...\n<\/pre>\n
\u0422\u0435\u043f\u0435\u0440\u044c, \u0435\u0441\u043b\u0438 \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u043f\u0438\u0441\u044c\u043c\u043e, \u0442\u043e \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445 \u043c\u043e\u0436\u043d\u043e \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u0442\u0430\u043a\u043e\u0435:<\/p>\n
DKIM-Signature: v=1; a=rsa-sha256; q=dns\/txt; c=relaxed\/relaxed; d=domain.org; s=dkim;
\nh=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Subject:To:From:Message-ID; bh=47DEQpj8HBSa+\/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
\nb=bfxwjczWz5OFi4LMTs4qpcOcl5p3RhKeC4iZp9KvOb6iI66ZxDSdYZSezJ5n3rdCHeQeTabF8NCTgUB65............YOlII=;
\n<\/code><\/p>\n
\u0427\u0442\u043e \u043e\u0437\u043d\u0430\u0447\u0430\u0435\u0442, \u0447\u0442\u043e \u043f\u0438\u0441\u044c\u043c\u0430 \u043f\u043e\u0434\u043f\u0438\u0441\u044b\u0432\u0430\u044e\u0442\u0441\u044f.<\/p>\n
\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435.<\/p>\n
\u0414\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0440\u0430\u0431\u043e\u0442\u043e\u0441\u043f\u043e\u0441\u043e\u0431\u043d\u043e\u0441\u0442\u0438 SPF\/DKIM \u043c\u043e\u0436\u043d\u043e \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f online \u0441\u0435\u0440\u0432\u0438\u0441\u0430\u043c\u0438:<\/p>\n
http:\/\/www.mail-tester.com\/
\nhttp:\/\/dkimvalidator.com\/<\/p>\n
 <\/p>\n
\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435.<\/strong><\/span><\/em><\/h2>\n
\u041a\u043e\u0433\u0434\u0430 SPF, DMARK, DKIM \u043d\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 – \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438<\/a> \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u043e\u0432<\/p>\n","protected":false},"excerpt":{"rendered":"
\u0414\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f, \u0447\u0442\u043e \u0431\u044b Exim \u0431\u044b\u043b \u0441\u043e\u0431\u0440\u0430\u043d \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 SPF\/DKIM. \u0414\u043b\u044f Debian \u044d\u0442\u043e \u043e\u0437\u043d\u0430\u0447\u0430\u0435\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0443 \u043f\u0430\u043a\u0435\u0442\u0430\u00a0exim4-daemon-heavy. SPF \u0414\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0432 DNS \u0442\u0430\u043a\u0438\u0435 \u0437\u0430\u043f\u0438\u0441\u0438 (\u043f\u0440\u0435\u0434\u043f\u043e\u0447\u0442\u0438\u0442\u0435\u043b\u044c\u043d\u0435\u0435): mydomain.ru. IN TXT “v=spf1 a mx ~all” \u0430 \u0435\u0441\u043b\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 DNS, \u0442\u043e \u0442\u0430\u043a\u0443\u044e: mydomain.ru. IN SPF “v=spf1 a mx ~all”<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-4439","post","type-post","status-publish","format-standard","hentry","category-mail"],"_links":{"self":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4439"}],"version-history":[{"count":6,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4439\/revisions"}],"predecessor-version":[{"id":6471,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4439\/revisions\/6471"}],"wp:attachment":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}