These are my notes from verifying the operation of IIJ's enma.

■Test environment


■Description
In an earlier post, "Installing IIJ's enma on CentOS 6", I set up an enma environment, so this time I test how it actually behaves.
Three machines are used for this test.
※ See "Test environment" above.

Domain / host name: example.kurobuti.com
This machine has enma installed.
Mail delivered to it is passed through enma.

Domain / host name: example2.kurobuti.com
This machine has dkim-milter installed.
It adds a DKIM signature to outgoing mail.

DNS
This DNS server holds the SPF record and the DKIM public key for example2.kurobuti.com.

◎Other information
・How DKIM was set up
http://www.kurobuti.com/blog/?p=4794

・OS
CentOS 6 64bit

・MTA
postfix-2.6.6-2.2.el6_1.x86_64

・The zone records for example2.kurobuti.com look like this

$TTL    86400
@       IN      SOA     dkim-dns.kurobuti.com.  root.dkim-dns.kurobuti.com.(
                        2011101502 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum

        IN      NS      dkim-dns.kurobuti.com.
        IN      MX 10   example2.kurobuti.com.
        IN      A       192.168.0.122
        IN      TXT     "v=spf1 ip4:192.168.0.122  ~all"
mx      IN      A       192.168.0.122
_policy._domainkey IN TXT "t=y; o=~"
kurobuti._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9aXoo/+ekarvSPVaGqQz7cGFp62Wdfmg76YYvE+MLmJGfj0Psu76eWUdOtVAIP1tYAkhKEzRLOkbFhVFFXFkklIDCng0buKpYSZJi0JDFdpMUozutXgN9fNHeJD9oJOuh7gOh/2O9lxA5W0Ehba5j8S3jK2NRnOH8xyFUwJP7JQIDAQAB" ; ----- DKIM kurobuti for example2.kurobuti.com

・The dkim-milter configuration on example2.kurobuti.com looks like this
# Common settings. See dkim-filter.conf(5) for more information.
# Set the Mode.
# v: verifier
# s: signer
Mode    vs

# Set the domain.
# Please set the domain which signs by DKIM.
Domain         example2.kurobuti.com

# Set the selector.
Selector        kurobuti

# Set the DKIM key.
# KeyList       /etc/mail/dkim-milter/dkim-keylist
# KeyFile       /etc/mail/dkim-milter/dkim.private
KeyFile /etc/mail/dkim-milter/kurobuti.private

# Set the Socket.
# default: inet:10026
# Socket        local:/var/milter/dkim-milter.socket
Socket          inet:10026

# Set the dkim-milter pidfile.
PidFile         /var/milter/dkim-milter.pid

# set the network address list file which signs by DKIM.
InternalHosts   /etc/mail/dkim-milter/ilist

# On-BadSignature
# Selects the action to be taken when a signature fails to validate.
On-BadSignature         reject

# On-NoSignature
# Selects the action to be taken when a message arrives  unsigned.
On-NoSignature          accept

# SignatureAlgorithm
# Selects the signing algorithm to use when generating signatures.
SignatureAlgorithm      rsa-sha256

Canonicalization        relaxed/simple
※ Unless the highlighted Canonicalization line is set to "relaxed/simple", DKIM verification by enma does not succeed. With the default "simple/simple" it fails.

・The enma configuration on example.kurobuti.com looks like this
#
# sample of enma configuration
#
# $Id:milter.conf 154 2008-07-07 08:16:11Z tsuruda $


## Milter ##
milter.socket:  inet:10025@127.0.0.1
milter.user:    daemon
milter.pidfile: /var/run/enma/enma.pid
milter.chdir:   /var/tmp
milter.timeout: 7210
milter.loglevel:   0
milter.sendmail813: false
milter.postfix: true


## Network ##
common.exclusion_addresses: 127.0.0.1,::1


## Syslog ##
syslog.ident:       enma
syslog.facility:    mail
syslog.logmask:     info


## SPF ##
spf.auth: true
spf.explog: true


## SIDF ##
sidf.auth: true
sidf.explog: true


## DKIM ##
dkim.auth: true
dkim.signheader_limit: 10
dkim.accept_expired_signature: false
dkim.rfc4871_compatible: false


## DKIM ADSP ##
dkimadsp.auth: true


## Authentication-Results ##
authresult.identifier:  localhost

(1) Create the following mail on example2.kurobuti.com
[root@example2 ~]# vi mail_body
To: test@example.kurobuti.com
From: root@example2.kurobuti.com
Subject: Test Mail

This is Test Mail.

(2) Send the mail from example2.kurobuti.com
[root@example2 ~]# sendmail -t < mail_body

(3) maillog on example.kurobuti.com
Jan  4 21:25:33 example postfix/smtpd[1664]: connect from example2.kurobuti.com[192.168.0.122]
Jan  4 21:25:33 example postfix/smtpd[1664]: AB08B1FF09: client=example2.kurobuti.com[192.168.0.122]
Jan  4 21:25:33 example postfix/cleanup[1669]: AB08B1FF09: message-id=<20120104122533.54194240BA@mx.example2.kurobuti.com>
Jan  4 21:25:33 example enma[1202]: DKIM-Signature[1]: domain=example2.kurobuti.com, selector=kurobuti, pubkeyalg=rsa, digestalg=sha256, hdrcanon=relaxed, bodycanon=simple
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [SPF-auth] ipaddr=192.168.0.122, eval=smtp.mailfrom, helo=mx.example2.kurobuti.com, envfrom=<root@example2.kurobuti.com>, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [SIDF-auth] ipaddr=192.168.0.122, header.From=root@example2.kurobuti.com, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [DKIM-auth] header.i=@example2.kurobuti.com, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [DKIM-ADSP-auth] header.From=root@example2.kurobuti.com, score=pass
Jan  4 21:25:33 example postfix/qmgr[1569]: AB08B1FF09: from=<root@example2.kurobuti.com>, size=969, nrcpt=1 (queue active)
Jan  4 21:25:33 example postfix/smtpd[1664]: disconnect from example2.kurobuti.com[192.168.0.122]
Jan  4 21:25:33 example postfix/local[1670]: AB08B1FF09: to=<test@example.kurobuti.com>, relay=local, delay=0.11, delays=0.09/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan  4 21:25:33 example postfix/qmgr[1569]: AB08B1FF09: removed
The highlighted enma lines show score=pass for every check (SPF, SIDF, DKIM and DKIM-ADSP).
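An added example, not part of the original post or of enma itself, that parses the enma maillog format shown above in Python and flags, per Postfix queue id, any method that did not score pass. The sample lines are taken from the two runs on this page; treating only pass and none as clean is an assumed policy for illustration.

```python
import re
from collections import defaultdict

# enma logs one line per method, tagged with the Postfix queue id, e.g.
# "[AB08B1FF09] [DKIM-auth] header.i=@example2.kurobuti.com, score=pass".
AUTH_LINE = re.compile(
    r"enma\[\d+\]: \[(?P<qid>[0-9A-F]+)\] \[(?P<method>[A-Z-]+)-auth\] .*?\bscore=(?P<score>\w+)"
)
# Diagnostic lines carry the queue id but no "[...-auth]" tag.
DIAG_LINE = re.compile(r"enma\[\d+\]: \[(?P<qid>[0-9A-F]+)\] (?P<msg>(?!\[).+)")

# Sample input: enma lines from the two runs on this page (the passing run,
# then the simple/simple run that failed), trimmed to what the parser needs.
SAMPLE_LOG = """\
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [SPF-auth] ipaddr=192.168.0.122, eval=smtp.mailfrom, helo=mx.example2.kurobuti.com, envfrom=<root@example2.kurobuti.com>, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [SIDF-auth] ipaddr=192.168.0.122, header.From=root@example2.kurobuti.com, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [DKIM-auth] header.i=@example2.kurobuti.com, score=pass
Jan  4 21:25:33 example enma[1202]: [AB08B1FF09] [DKIM-ADSP-auth] header.From=root@example2.kurobuti.com, score=pass
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [SPF-auth] ipaddr=192.168.0.122, eval=smtp.mailfrom, helo=mx.example2.kurobuti.com, envfrom=<root@example2.kurobuti.com>, score=pass
Jan  4 21:30:53 example enma[1202]: [06E171FF09] Digest of message header mismatch
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [DKIM-auth] header.i=@example2.kurobuti.com, score=fail
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [DKIM-ADSP-auth] header.From=root@example2.kurobuti.com, score=none
"""

def parse_enma_log(text: str) -> dict:
    """Map each queue id to {"scores": {method: score}, "diag": [messages]}."""
    results = defaultdict(lambda: {"scores": {}, "diag": []})
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            results[m["qid"]]["scores"][m["method"]] = m["score"]
            continue
        d = DIAG_LINE.search(line)
        if d:
            results[d["qid"]]["diag"].append(d["msg"])
    return dict(results)

def failed_methods(result: dict) -> list:
    """Methods that scored something other than pass or none. Assumed policy:
    none means there was nothing to evaluate (e.g. no ADSP record), not a failure."""
    return sorted(m for m, s in result["scores"].items() if s not in ("pass", "none"))

if __name__ == "__main__":
    for qid, result in parse_enma_log(SAMPLE_LOG).items():
        bad = failed_methods(result)
        print(qid, "OK" if not bad else f"attention: {bad} {result['diag']}")
```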

(4) The mail received on example.kurobuti.com
Return-Path: <root@example2.kurobuti.com>
X-Original-To: test@example.kurobuti.com
Delivered-To: test@example.kurobuti.com
Authentication-Results: localhost; spf=pass smtp.mailfrom=root@example2.kurobuti.com; sender-id=pass
         header.From=root@example2.kurobuti.com; dkim=pass
         header.i=@example2.kurobuti.com; dkim-adsp=pass
         header.From=root@example2.kurobuti.com
Received: from mx.example2.kurobuti.com (example2.kurobuti.com [192.168.0.122])
        by mx.example.kurobuti.com (Postfix) with ESMTP id AB08B1FF09
        for <test@example.kurobuti.com>; Wed,  4 Jan 2012 21:25:33 +0900 (JST)
Received: by mx.example2.kurobuti.com (Postfix, from userid 0)
        id 54194240BA; Wed,  4 Jan 2012 21:25:33 +0900 (JST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=example2.kurobuti.com; s=kurobuti; t=1325679933;
        bh=8YWeKVa184g6uHoI5gIx2a8eNvx3uAaf9+uUysf1iRU=;
        h=To:From:Subject:Message-Id:Date;
        b=snFsOTMFmskplmgU0MseazmtF0Y3aCL/aMESVJSdIvfo6tlXExQ78UGClTf/WNBeG
         8zwEPWrBbfR8b20uo0hpe+2YXk4tyisC+/LqzgUt0yhtHYMQ0HSilITtwJZpV3SRZj
         /8m+GdzbQfo5uhFEOHX9dan7Z8oC9MNEPJRl3w8o=
To: test@example.kurobuti.com
From: root@example2.kurobuti.com
Subject: Test Mail
Message-Id: <20120104122533.54194240BA@mx.example2.kurobuti.com>
Date: Wed,  4 Jan 2012 21:25:33 +0900 (JST)

This is Test Mail
The Authentication-Results header shows the same result: everything is pass.

It seems to be working fine :-)

Now for a small experiment.

■Failure version
Let's see what happens when "relaxed/simple" is not specified in dkim-milter.

After changing the dkim-milter configuration, send a mail from example2.kurobuti.com again.

・maillog on example.kurobuti.com
Jan  4 21:30:53 example postfix/smtpd[1677]: connect from example2.kurobuti.com[192.168.0.122]
Jan  4 21:30:53 example postfix/smtpd[1677]: 06E171FF09: client=example2.kurobuti.com[192.168.0.122]
Jan  4 21:30:53 example postfix/cleanup[1682]: 06E171FF09: message-id=<20120104123052.A3F5A240BA@mx.example2.kurobuti.com>
Jan  4 21:30:53 example enma[1202]: DKIM-Signature[1]: domain=example2.kurobuti.com, selector=kurobuti, pubkeyalg=rsa, digestalg=sha256, hdrcanon=simple, bodycanon=simple
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [SPF-auth] ipaddr=192.168.0.122, eval=smtp.mailfrom, helo=mx.example2.kurobuti.com, envfrom=<root@example2.kurobuti.com>, score=pass
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [SIDF-auth] ipaddr=192.168.0.122, header.From=root@example2.kurobuti.com, score=pass
Jan  4 21:30:53 example enma[1202]: [06E171FF09] Digest of message header mismatch
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [DKIM-auth] header.i=@example2.kurobuti.com, score=fail
Jan  4 21:30:53 example enma[1202]: [06E171FF09] [DKIM-ADSP-auth] header.From=root@example2.kurobuti.com, score=none
Jan  4 21:30:53 example postfix/qmgr[1569]: 06E171FF09: from=<root@example2.kurobuti.com>, size=968, nrcpt=1 (queue active)
Jan  4 21:30:53 example postfix/smtpd[1677]: disconnect from example2.kurobuti.com[192.168.0.122]
Jan  4 21:30:53 example postfix/local[1683]: 06E171FF09: to=<test@example.kurobuti.com>, relay=local, delay=0.11, delays=0.09/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan  4 21:30:53 example postfix/qmgr[1569]: 06E171FF09: removed
Looking at the highlighted lines, DKIM and DKIM-ADSP now come out as "fail, none".
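An added example, not from the original post or from enma/dkim-milter, that implements RFC 6376 header canonicalization in Python to show the kind of in-transit whitespace change that "simple" rejects and "relaxed" tolerates, which is the difference behind the relaxed/simple note in the dkim-milter configuration above. The signed fields are taken from the test mail on this page; the re-folded Date header at the verifier is a constructed modification, and only the h= fields are hashed (a real verifier also appends the DKIM-Signature field with an empty b=).

```python
import hashlib
import re

def canon_header(name: str, value: str, mode: str) -> str:
    """One header field canonicalized per RFC 6376 section 3.4, CRLF-terminated."""
    if mode == "simple":
        # simple: the field is hashed exactly as it appears on the wire, including
        # the case of the name and every byte of folding whitespace.
        return f"{name}:{value}\r\n"
    if mode == "relaxed":
        # relaxed: lowercase the name, unfold, collapse WSP runs to one SP, and
        # strip WSP after the colon and at the end of the value.
        unfolded = value.replace("\r\n", "").replace("\n", "")
        squeezed = re.sub(r"[ \t]+", " ", unfolded).strip(" \t")
        return f"{name.lower()}:{squeezed}\r\n"
    raise ValueError(f"unknown canonicalization {mode!r}")

def header_hash(headers, signed_names, mode: str) -> str:
    """SHA-256 hex digest over the fields named in h=, in h= order.
    For each name the last not-yet-used matching field is taken, as a verifier
    does (RFC 6376 section 5.4.2). The DKIM-Signature field itself is omitted."""
    remaining = list(headers)
    blob = ""
    for wanted in signed_names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                blob += canon_header(*remaining.pop(i), mode)
                break
    return hashlib.sha256(blob.encode()).hexdigest()

# Signed fields, in the h= order of the DKIM-Signature on this page.
SIGNED_H = ["To", "From", "Subject", "Message-Id", "Date"]
AT_SIGNER = [
    ("To", " test@example.kurobuti.com"),
    ("From", " root@example2.kurobuti.com"),
    ("Subject", " Test Mail"),
    ("Message-Id", " <20120104122533.54194240BA@mx.example2.kurobuti.com>"),
    ("Date", " Wed,  4 Jan 2012 21:25:33 +0900 (JST)"),
]
# Constructed: the same message after a hop re-folded Date and squeezed its
# double space. The field is still semantically identical.
AT_VERIFIER = [(n, " Wed, 4 Jan 2012\r\n\t21:25:33 +0900 (JST)") if n == "Date" else (n, v)
               for n, v in AT_SIGNER]

def survives_transit(mode: str) -> bool:
    """True when the verifier's header hash still equals the signer's."""
    return header_hash(AT_SIGNER, SIGNED_H, mode) == header_hash(AT_VERIFIER, SIGNED_H, mode)
```

Under "simple" the hash over the altered Date field no longer matches and a verifier reports a header digest mismatch; under "relaxed" both sides canonicalize to the same bytes and the signature still verifies.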


January 4, 2012 at 9:30 pm by 黒ぶちメガネ
Category: Postfix, anti-spam