OVH Community, your new community space.

Configuration d'un serveur mail en SMTP


snktre59
16/01/2015, 09h34
Bonjour,
Je possède un serveur dédié KS-3 sous DEBIAN 7.5 x64. J'ai récemment voulu configurer un serveur mail sous Postfix qui n'utilise que le SMTP.
J'ai relié mon domaine vers mon serveur. Cependant j'ai entendu parlé de SPF et DKIM et mes mails vont directement dans les Spams..Surtout chez Gmail et hotmail. Chez Free ça passe très bien mais comme tout le monde est sur Gmail ou Hotmail..

Je n'arrive pas à configurer ces deux éléments.

J'ai cette nuit procédé à un changement de DNS pour le domaine :

Principal : ns348862.ip-91-121-109.eu (mon dédié)

Secondaire : ns.kimsufi.com

/etc/hosts :

Code PHP:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
91.121.109.27           undershift.fr   ns348862
2001:41D0:1:A41b::1     undershift.fr   ns348862
 
# The following lines are desirable for IPv6 capable hosts
#(added automatically by netbase upgrade)
 
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

/etc/bind/undershift.fr.hosts

;SPF
ownercheck IN TXT bd863d60
undershift.frIN TXT "v=spf1 ip4:91.121.109.27 a mx ~all"
undershift.frIN SPF "v=spf1 ip4:91.121.109.27 a mx ~all"
mail.undershift.frIN  TXT  "v=spf1 ip4:91.121.109.27 a ~all"
mail.undershift.frIN  SPF  "v=spf1 ip4:91.121.109.27 a ~all"
 
;DKIM
mail._domainkey IN TXT "v=DKIM1; h=rsa-sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQU$----COUPE---- 
/etc/bind/db.undershift.fr

Code PHP:
$TTL 86400
undershift.fr.    IN    SOA    ns348862.ip-91-121-109.euhostmaster.undershift$
                2013121206  serial à changer à chaque modification
                43200       refresh12h
                3600        retry1h
                1209600     expire
                86400 )     ; negative cache24h
undershift.fr.    IN     NS   ns348862.ip-91-121-109.eu.
undershift.fr.    IN     NS   ns.kimsufi.com.
undershift.fr.    IN     A    91.121.109.27
www             IN     A    91.121.109.27
;
mail           IN     A    91.121.109.27
undershift.fr.   IN     A    91.121.109.27
undershift.fr.   IN     MX   undershift.fr
 
undershift.frIN TXT "v=spf1 ip4:91.121.109.27 mx ~all"
undershift.frIN SPF "v=spf1 ip4:91.121.109.27 mx ~all"
mail.undershift.frIN  TXT  "v=spf1 ip4:91.121.109.27 a ~all"
mail.undershift.frIN  SPF  "v=spf1 ip4:91.121.109.27 a ~all" 
/etc/bind/named.conf.local

Code PHP:
  GNU nano 2.2.6       Fichier : /etc/bind/named.conf.local                    
 
//
// Do any local configuration here
//
 
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "undershift.fr" {
    type master;
    file "/etc/bind/db.undershift.fr";
    allow-transfer {213.186.33.199;};
    allow-query{any;};
    notify yes;
}; 
/etc/bind/named.conf.options

Code PHP:
options {
        directory "/var/cache/bind";
 
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
 
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
 
        // forwarders {
        //      0.0.0.0;
        // };
 
        //=====================================================================$
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //=====================================================================$
        dnssec-validation auto;
 
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { ::1; };
        listen-on any; };
        allow-recursion 127.0.0.1; ::1; };
}; 
Voici le rapport généré par mail checker :

Code HTML:
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         permerror
Sender-ID check:    fail
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  ns348862.ip-91-121-109.eu
Source IP:      2001:41d0:1:a41b::1
mail-from:      www-data@ns348862.ip-91-121-109.eu

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: None)
ID(s) verified: smtp.mailfrom=www-data@ns348862.ip-91-121-109.eu
DNS record(s):
    ns348862.ip-91-121-109.eu. SPF (no records)
    ns348862.ip-91-121-109.eu. TXT (no records)

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=no-reply@undershift.fr
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         permerror (key "mail._domainkey.undershift.fr" doesn't exist)
ID(s) verified:
Canonicalized Headers:
    to:check-auth-pamart.nicolas2=gmail.com@verifier.port25.com'0D''0A'
    subject:Activez'20'votre'20'compte'20'!'0D''0A'
    from:UNDER'20'SHIFT'20''0D''0A'
    date:Fri,'20'16'20'Jan'20'2015'20'08:47:53'20'+0100'20'(CET)'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=undershift.fr;'20's=mail;'20't=1421394473;'20'bh=8zSUcwR9A5W2Ab//lXrt1GZmgoNWM6teppOGvkUHtUM=;'20'h=To:Subject:From:Date:From;'20'b=

Canonicalized Body:
    Il'20'sagit'20'dun'20'outil'20'de'20'test'20'de'20'DKIM'20'fourni'20'par'20'AdminSystem'20'Software'20'Limited.'0D''0A'
    '0D''0A'
    Comment'20'tester'20'la'20'signature'20'DKIM'0D''0A'
    Tout'20'dabord,'20'veuillez'20'cliquez'20'sur'20'le'20'bouton'20'suivant'20'pour'20'obtenir'20'une'20'adresse'20'de'20'courriel'20'de'20'test.'20'Deuxi'C3''A8'mement,'20'vous'20'pouvez'20'envoyer'20'un'20'courriel'20''C3''A0''20'cette'20'adresse'20'de'20'courriel.'20'Enfin,'20'un'20'rapport'20'DKIM'20'sera'20'envoy'C3''A9''20''C3''A0''20'votre'20'adresse'20'de'20'courriel'20'dexp'C3''A9'diteur'20'en'20'peu'20'de'20'temps.'0D''0A'
    '0D''0A'
    '0D''0A'
    Utiliser'20'Gmail'20'pour'20'tester'20'DKIM'0D''0A'
    Si'20'vous'20'avez'20'un'20'compte'20'Gmail,'20'vous'20'pouvez'20''C3''A9'galement'20'envoyer'20'test'20'courriel'20''C3''A0''20'votre'20'adresse'20'de'20'courriel'20'de'20'Gmail.'20'Puis'20'ouvrez'20'votre'20'courriel'20'en'20'courrier'20'web'20'de'20'Gmail,'20'cliquez'20'sur'20''C2''AB''20'show'20'details'20''C2''BB'.'20'Sil'20'y'20'a'20'"signed-by:'20'your'20'domain",'20'votre'20'signature'20'DKIM'20'est'20'ok.'0D''0A'


DNS record(s):
    mail._domainkey.undershift.fr. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: header.From=no-reply@undershift.fr
DNS record(s):
    undershift.fr. SPF (no records)
    undershift.fr. 86400 IN TXT "v=spf1 ip4:91.121.109.27 mx -all"
    undershift.fr. MX (no records)

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.2 (2011-06-06)

Result:         ham  (0.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: undershift.fr]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for
                            an image

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: 
Received: from ns348862.ip-91-121-109.eu (2001:41d0:1:a41b::1) by verifier.port25.com id hn313620i3g2 for ; Fri, 16 Jan 2015 02:48:03 -0500 (envelope-from )
Authentication-Results: verifier.port25.com; spf=neutral (SPF-Result: None) smtp.mailfrom=www-data@ns348862.ip-91-121-109.eu
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=no-reply@undershift.fr
Authentication-Results: verifier.port25.com; dkim=permerror (key "mail._domainkey.undershift.fr" doesn't exist)
Authentication-Results: verifier.port25.com; sender-id=fail (not permitted) header.From=no-reply@undershift.fr
Received: by ns348862.ip-91-121-109.eu (Postfix, from userid 33)
        id F0C1320CFA; Fri, 16 Jan 2015 08:47:53 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=undershift.fr;
        s=mail; t=1421394473;
        bh=8zSUcwR9A5W2Ab//lXrt1GZmgoNWM6teppOGvkUHtUM=;
        h=To:Subject:From:Date:From;
        b=jF8CJP5hfs2wvXlfbPau0YLkEKGDHfTiikE68mz3M7DKNqtReDSq6qDNLC1LNX7vP
         2W9gUwy+Y9xmyWRHCgsZnsHkyoGc2JgTLoKAvhdR+L5W1JD0rKzwV/JsI0GDGCaK5e
         wF+B8ZzRxp081SXyVONUcUKRGhQTcWw0WXwfknvU=
To: check-auth-pamart.nicolas2=gmail.com@verifier.port25.com
Subject: Activez votre compte !
X-PHP-Originating-Script: 1000:mail.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: UNDER SHIFT 
Message-Id: <20150116074753.F0C1320CFA@ns348862.ip-91-121-109.eu>
Date: Fri, 16 Jan 2015 08:47:53 +0100 (CET)

Il sagit dun outil de test de DKIM fourni par AdminSystem Software Limited.

Comment tester la signature DKIM
Tout dabord, veuillez cliquez sur le bouton suivant pour obtenir une adresse de courriel de test. Deuxièmement, vous pouvez envoyer un courriel à cette adresse de courriel. Enfin, un rapport DKIM sera envoyé à votre adresse de courriel dexpéditeur en peu de temps.


Utiliser Gmail pour tester DKIM
Si vous avez un compte Gmail, vous pouvez également envoyer test courriel à votre adresse de courriel de Gmail. Puis ouvrez votre courriel en courrier web de Gmail, cliquez sur « show details ». Sil y a "signed-by: your domain", votre signature DKIM est ok.
J'espère que ces éléments de réponse vont vous aider. J'ai vraiment cherché partout à la recherche d'une solution mais sans succès..

Merci pour votre aide !