Karl.S's questions

Karl.S
Asked: 2022-10-27 12:19:32 +0800 CST

I don't understand the DMARC reports regarding my policy

  • 6

My DMARC setup doesn't seem to work as expected.

First, a few points to note:

  • the domain is mydomain.com (obviously not the real one);
  • the domain and mail provider is gandi.net;
  • I use Amazon SES to send emails from the website, using noreply@mydomain.com;
  • I use Gmail to send and receive emails with me@mydomain.com.

The SPF record is set as a TXT record on mydomain.com:

"v=spf1 include:_mailcust.gandi.net include:amazonses.com include:_spf.google.com ~all"
  • include:_mailcust.gandi.net allows gandi.net to send emails using mydomain.com;
  • include:amazonses.com allows amazonses.com to send emails using mydomain.com;
  • include:google.com allows google.com to send emails using mydomain.com;
  • ~all allows any other server to send emails using mydomain.com, but makes the SPF check fail (softfail)

The DMARC record is set as a TXT record on _dmarc.mydomain.com:

"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:dmarc@mydomain.com;"
  • p=quarantine delivers emails that fail the SPF/DKIM checks but marks them as spam;
  • sp=reject rejects emails sent from an address on a subdomain, e.g. noreply@news.mydomain.com;
  • pct=5 applies the policy (p and not sp?) to 5% of emails;
  • fo=1 sends a report on DKIM failure or SPF failure;

Now the strange thing, in this DMARC RUA report:

  <record>
    <row>
      <source_ip>40.107.12.85</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>GovSIPF.onmicrosoft.com</domain>
        <result>pass</result>
        <selector>selector1-GovSIPF-onmicrosoft-com</selector>
      </dkim>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>administration.gov.pf</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  • the source IP 40.107.12.85 belongs to outlook.com, but I don't use Outlook;
  • there is a DKIM block for the domain GovSIPF.onmicrosoft.com; GovSIPF is one of my clients;
  • there is an SPF block for the domain administration.gov.pf, which is the domain they use for their email addresses, e.g. someone@administration.gov.pf;

I don't understand why I see an SPF block for the domain administration.gov.pf. Does that mean they sent an email from an address like someone@mydomain.com through an outlook.com server?

Another DMARC report is slightly different:

  <record>
    <row>
      <source_ip>202.90.68.50</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  • the source IP 202.90.68.50 belongs to mana.pf, a local ISP, but we don't use it;
spf dkim
  • 2 answers
  • 42 Views
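What the two records have in common is that the receiver's `policy_evaluated` block reports SPF as `fail` even though the raw `auth_results` show an SPF `pass` in the first record. DMARC does not ask "did SPF pass?" but "did SPF pass for a domain that aligns with the header From?". In the first record SPF passed for administration.gov.pf, which does not align with mydomain.com, so it counts for nothing; the message still passes DMARC because the DKIM signature with d=mydomain.com (selector gm1) passed and aligns, hence `disposition` is `none`. The added Python below (an illustration written for this page, not code from the question or its answers) recomputes that evaluation from the raw `auth_results`, parses the posted DMARC record, and reports which authenticated domains were discarded for lack of alignment. It assumes relaxed alignment for both identifiers and approximates the organizational domain as the last two labels; real evaluators use the Public Suffix List, so that shortcut is an assumption of the example only.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <record> elements quoted in the question, condensed and wrapped
# in a minimal <feedback> root (real RUA reports also carry <report_metadata> and <policy_published>).
REPORT_XML = """<feedback>
<record><row><source_ip>40.107.12.85</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results>
<dkim><domain>GovSIPF.onmicrosoft.com</domain><result>pass</result><selector>selector1-GovSIPF-onmicrosoft-com</selector></dkim>
<dkim><domain>mydomain.com</domain><result>pass</result><selector>gm1</selector></dkim>
<spf><domain>administration.gov.pf</domain><result>pass</result></spf>
</auth_results></record>
<record><row><source_ip>202.90.68.50</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results>
<dkim><domain>mydomain.com</domain><result>pass</result><selector>gm1</selector></dkim>
<spf><domain>mydomain.com</domain><result>softfail</result></spf>
</auth_results></record>
</feedback>"""

# The DMARC TXT record as posted in the question.
DMARC_TXT = '"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:dmarc@mydomain.com;"'


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Approximation used here: organizational domain = last two labels.
    Real DMARC uses the Public Suffix List; this shortcut is an assumption of the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode="r"):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_record(rec, dkim_mode="r", spf_mode="r"):
    """Recompute DMARC for one <record> from its raw auth_results: DMARC passes when at least
    one DKIM signature or the SPF check both passed AND aligns with header_from."""
    header_from = rec.findtext("identifiers/header_from")
    dkim_ok, spf_ok, unaligned = False, False, []
    for d in rec.findall("auth_results/dkim"):
        if d.findtext("result") == "pass":
            if aligned(d.findtext("domain"), header_from, dkim_mode):
                dkim_ok = True
            else:
                unaligned.append(d.findtext("domain"))
    for s in rec.findall("auth_results/spf"):
        if s.findtext("result") == "pass":  # softfail/fail/neutral never count for DMARC
            if aligned(s.findtext("domain"), header_from, spf_mode):
                spf_ok = True
            else:
                unaligned.append(s.findtext("domain"))
    computed = {"dkim": "pass" if dkim_ok else "fail", "spf": "pass" if spf_ok else "fail"}
    reported = {k: rec.findtext("row/policy_evaluated/" + k) for k in ("dkim", "spf")}
    return {
        "source_ip": rec.findtext("row/source_ip"),
        "header_from": header_from,
        **computed,
        "dmarc_pass": dkim_ok or spf_ok,
        "unaligned": unaligned,            # authenticated domains that did not help DMARC
        "matches_report": computed == reported,
    }


def expected_disposition(tags, result, policy_domain):
    """Disposition a receiver should apply: none on pass; otherwise p, or sp when the From domain
    is a subdomain of the policy domain. pct= only samples how many failing messages get the
    policy and is not modelled here."""
    if result["dmarc_pass"]:
        return "none"
    hf = result["header_from"].lower()
    pd = policy_domain.lower()
    is_subdomain = hf != pd and hf.endswith("." + pd)
    return tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")


def evaluate_report(xml_text=REPORT_XML):
    root = ET.fromstring(xml_text)
    return [evaluate_record(rec) for rec in root.findall("record")]


if __name__ == "__main__":
    tags = parse_dmarc_record(DMARC_TXT)
    for r in evaluate_report():
        print(r["source_ip"], "dkim=%s spf=%s dmarc_pass=%s" % (r["dkim"], r["spf"], r["dmarc_pass"]),
              "unaligned:", r["unaligned"], "disposition:", expected_disposition(tags, r, "mydomain.com"))
```

Run as a script it prints one line per record; the `unaligned` list is the part a report reader usually wants, because it names the domains (here GovSIPF.onmicrosoft.com and administration.gov.pf) whose authentication was real but irrelevant to the mydomain.com policy.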
Karl.S
Asked: 2015-08-09 14:43:47 +0800 CST

Why can't I connect to my website over HTTP using curl?

  • 0

I have a website at www.eshipp.com; all domains are protected by SSL, so any HTTP traffic is redirected by NGINX to the equivalent HTTPS URL.

However, it seems that some users are not redirected and then get an "unreachable" HTTP error.

Since I don't get the error myself in a browser, it is hard to debug, but luckily I found that the error occurs with curl:

$ curl -v http://eshipp.com/
* Hostname was NOT found in DNS cache
*   Trying 198.199.96.110...
* connect to 198.199.96.110 port 80 failed: Connection timed out
* Failed to connect to eshipp.com port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to eshipp.com port 80: Connection timed out

The command above doesn't work, but the one below does:

curl -v https://eshipp.com/

* Hostname was NOT found in DNS cache
*   Trying 198.199.96.110...
* Connected to eshipp.com (198.199.96.110) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: OU=Domain Control Validated; OU=Gandi Standard SSL; CN=eshipp.com
*        start date: 2015-07-13 00:00:00 GMT
*        expire date: 2016-07-13 23:59:59 GMT
*        subjectAltName: eshipp.com matched
*        issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: eshipp.com
> Accept: */*
> 
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Sat, 08 Aug 2015 22:10:56 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Strict-Transport-Security: max-age=31536000; includeSubdomains
< 
<!DOCTYPE html>

Here is the NGINX configuration:

# HTTP
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name www.eshipp.com eshipp.com;
        return 301 https://$server_name$request_uri;
}

# HTTPS
server {
        listen 443 ssl spdy;
        server_name www.eshipp.com eshipp.com;
        keepalive_timeout 10m;

        # SSL certificates
        ssl_certificate /etc/nginx/ssl/eshipp.com.crt;
        ssl_certificate_key /etc/nginx/ssl/eshipp.com.key;

        # SSL performance improvements
        ssl_stapling on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # SSL security hardening
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SH$

        # Enable HSTS to avoid SSL stripping
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
        # This works because IE 11 does not present itself as MSIE anymore
        if ($http_user_agent ~ "MSIE" ) {
                return 303 https://browser-update.org/update.html;
        }

        location / {
                proxy_pass http://127.0.0.1:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade; # allow websockets
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

                # this setting allows the browser to cache the application in a way compatible with Meteor
                # on every application update the name of the CSS and JS file is different, so they can be cached infinitely (here: 30 da$
                # the root path (/) MUST NOT be cached
                if ($uri != '/') {
                        expires 30d;
                }
        }
}

Edit

OK, I found that the problem comes from a rule in the firewall, but I don't know which rule is blocking the HTTP traffic. Can someone help me?

# INPUT rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Edit 2

I had to add this rule to unblock the traffic, but that is a problem, since I don't want to expose port 3000 on the Internet; it is only used locally by the NodeJS application. I tried -i lo but it doesn't work.

iptables -A INPUT -i eth0 -p tcp --dport 3000 -j ACCEPT
nginx
  • 1 answer
  • 19442 Views
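The posted INPUT chain is small enough to reason about by hand, but two of its details are easy to misread: `-j LOG` is non-terminating, so every packet that reaches it is written to the kernel log and then also hits the `DROP` that follows (which is where to look for what is being blocked), and `-m limit` on an `ACCEPT` rule does not queue excess connections, it simply stops matching once the burst is used up, so surplus new HTTP connections fall through to `LOG` and `DROP`. The Python below is an added model of that chain, written for this page and not taken from the question or its answer: it parses the posted rules, walks them with first-match semantics, and approximates `-m limit` as a token bucket (the real `xt_limit` arithmetic works in kernel ticks, so the approximation is an assumption of the example). It also shows that a connection to 127.0.0.1:3000, which is what `proxy_pass` produces, arrives on `lo` and matches the first rule, while the same port on `eth0` is logged and dropped.

```python
import shlex

# Constructed copy of the INPUT chain posted in the question, one iptables command per line.
CHAIN_TEXT = """
# INPUT rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
"""

UNIT_SECONDS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}


class TokenBucket:
    """Approximation of the xt_limit match: `burst` tokens, refilled at `rate` tokens per second.
    The rule matches only while a token is available (assumption: real xt_limit counts in kernel ticks)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_rule(line):
    """Parse the handful of iptables options used in the posted chain into a match dict."""
    args = shlex.split(line)
    rule = {"text": line.strip(), "iface": None, "proto": None, "dport": None,
            "states": None, "rate": None, "burst": 5, "target": None}  # 5 = xt_limit default burst
    i = 0
    while i < len(args):
        opt = args[i]
        if opt == "-i":
            rule["iface"] = args[i + 1]
        elif opt == "-p":
            rule["proto"] = args[i + 1]
        elif opt == "--dport":
            rule["dport"] = int(args[i + 1])
        elif opt in ("--ctstate", "--state"):
            rule["states"] = frozenset(args[i + 1].split(","))
        elif opt == "--limit":
            num, unit = args[i + 1].split("/")
            rule["rate"] = float(num) / UNIT_SECONDS[unit]
        elif opt == "--limit-burst":
            rule["burst"] = int(args[i + 1])
        elif opt == "-j":
            rule["target"] = args[i + 1]
        else:  # "iptables", "-A INPUT", "-m <module>": no effect on matching
            i += 1
            continue
        i += 2
    rule["limit"] = TokenBucket(rule["rate"], rule["burst"]) if rule["rate"] else None
    return rule


def load_chain(text=CHAIN_TEXT):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def matches(rule, pkt, now):
    """Every listed match must hold; the limit match is consulted last and consumes a token when it does."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    if rule["limit"] and not rule["limit"].take(now):
        return False
    return True


def evaluate(chain, pkt, now=0.0):
    """Walk the chain first-match. LOG is non-terminating, so it is recorded and evaluation continues.
    Returns (verdict, texts of the rules that matched); 'POLICY' means the chain's default policy applies."""
    hits = []
    for rule in chain:
        if matches(rule, pkt, now):
            hits.append(rule["text"])
            if rule["target"] != "LOG":
                return rule["target"], hits
    return "POLICY", hits


def http_burst(n, chain=None, now=0.0):
    """Verdicts for n NEW port-80 connections arriving on eth0 at the same instant."""
    chain = chain or load_chain()
    syn = {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
    return [evaluate(chain, syn, now)[0] for _ in range(n)]


if __name__ == "__main__":
    chain = load_chain()
    samples = {  # constructed packets
        "nginx -> 127.0.0.1:3000 (arrives on lo)": {"iface": "lo", "proto": "tcp", "dport": 3000, "state": "NEW"},
        "client -> eth0:80 NEW": {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"},
        "client -> eth0:3000 NEW": {"iface": "eth0", "proto": "tcp", "dport": 3000, "state": "NEW"},
    }
    for name, pkt in samples.items():
        verdict, hits = evaluate(chain, pkt)
        print("%-42s %-7s via: %s" % (name, verdict, " | ".join(hits)))
    print("201st simultaneous new HTTP connection:", http_burst(201)[-1])
```

Run as a script it prints the verdict and the matching rules for each sample packet, and shows that the 201st simultaneous new HTTP connection is logged and dropped rather than accepted.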
