


A record for server hostname

What is an A record
A records map an FQDN (fully qualified domain name) to an IP
address. This is usually the most frequently used record type in any
DNS system. This is the DNS record you should add if you want
to point a domain name to a web server.

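How to add it: add an A record named mail and point it to the mail server's IP. For example:

A      mail.abc.com    ---->   TTL and priority stay at their defaults. Read abc.com as your own domain.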


Reverse PTR record for server IP address
What is a reverse PTR record
A PTR record, or more precisely a reverse PTR record, resolves
an IP address to its associated hostname.
This is the exact opposite of resolving a hostname
to an IP address (A record). For example, when you ping a name
mail.mydomain.com it will get resolved to the ip address using the
DNS to something like . Reverse PTR record does the
opposite; it looks up the hostname for the given IP address. In
the example above the PTR record for IP address
will get resolved to mail.mydomain.com .


How to add it: add an MX record whose value is mail.abc.com.   <--- note the dot after com; some DNS providers append it for you automatically, others do not.

NAME               PRIORITY           TYPE           DATA

mydomain.com.    10                    mx           mail.abc.com.


SPF record for your mail domain name
What is an SPF record
SPF is a spam and phishing scam fighting method which uses
DNS SPF-records to define which hosts are permitted to send
e-mails for a domain. For details on SPF, please see
This works by defining a DNS SPF-record for the e-mail domain
name specifying which hosts (e-mail servers) are permitted to
send e-mail from the domain name.

Other e-mail servers can look up this record when receiving an
e-mail from this domain name to verify that the sending e-mail server is connecting from a permitted IP address.



@    TXT "v=spf1 mx mx:mydomain.com  -all"

@    TXT "v=spf1 ip4: -all"      



DKIM record for your mail domain name
What is a DKIM record
DKIM allows an organization to take responsibility for a message in a way that can be verified by a recipient. The
organization can be a direct handler of the message, such as the
author's, the originating sending site's, or an intermediary's
along the transit path. However, it can also be an indirect
handler, such as an independent service that is providing
assistance to a direct handler. DKIM defines a domain-level
digital signature authentication framework for email through the
use of public-key cryptography and using the domain name
service as its key server technology (RFC4871). It permits
verification of the signer of a message, as well as the integrity of
its contents. DKIM will also provide a mechanism that permits
potential email signers to publish information about their email
signing practices; this will permit email receivers to make
additional assessments of unsigned messages. DKIM's
authentication of email identity can assist in the global control of
"spam" and "phishing".
A person or organization has an "identity" -- that is, a
constellation of characteristics that distinguish them from any
other identity. Associated with this abstraction can be a label
used as a reference, or "identifier". This is the distinction
between a thing and the name of the thing. DKIM uses a domain
name as an identifier, to refer to the identity of a responsible
person or organization. In DKIM, this identifier is called the
Signing Domain IDentifier (SDID) and is contained in the
DKIM-Signature header field's d= tag. Note that the same
identity can have multiple identifiers.



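How to add it: add a TXT record named dkim._domainkey.mydomain.com.   Change mydomain.com to your own domain.

The TXT value is: v=DKIM1; p=××××××××××××××××××××××


# amavisd -c /etc/amavisd/amavisd.conf showkeys    (the value above comes from running this command)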




Here is the error log: tail -20  /var/log/maillog

May  4 09:32:50 mx postfix/smtpd[6996]: NOQUEUE: reject: RCPT from smtpbg329.qq.com[]: 451 4.7.1 <**@wode.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<k*(**@foxmail.com> to=<**@wode.com> proto=ESMTP helo=<smtpbg329.qq.com>
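
To see which sender domains are hit by the temporary 451 4.7.1 policy rejection shown in the log line above, the maillog can be tallied per sender domain and relay host. This is an added Python example, not part of the original post; the sample lines, hosts and addresses are constructed placeholders and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the maillog entry above; hosts, IPs and
# addresses are documentation placeholders, not data from a real server.
SAMPLE_LOG = """\
May  4 09:32:50 mx postfix/smtpd[6996]: NOQUEUE: reject: RCPT from out1.example.net[192.0.2.10]: 451 4.7.1 <bob@example.org>: Recipient address rejected: Intentional policy rejection, please try again later; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<out1.example.net>
May  4 09:33:02 mx postfix/smtpd[6996]: NOQUEUE: reject: RCPT from out1.example.net[192.0.2.10]: 451 4.7.1 <bob@example.org>: Recipient address rejected: Intentional policy rejection, please try again later; from=<carol@example.com> to=<bob@example.org> proto=ESMTP helo=<out1.example.net>
May  4 09:34:11 mx postfix/smtpd[7001]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.44]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<dave@example.net> to=<bob@example.org> proto=ESMTP helo=<relay.example.net>
May  4 09:35:40 mx postfix/smtpd[7003]: connect from out2.example.net[192.0.2.11]
May  4 09:35:41 mx postfix/smtpd[7003]: NOQUEUE: reject: RCPT from out2.example.net[192.0.2.11]: 451 4.7.1 <bob@example.org>: Recipient address rejected: Intentional policy rejection, please try again later; from=<> to=<bob@example.org> proto=ESMTP helo=<out2.example.net>
"""

# Postfix smtpd reject line: relay host, (possibly empty) IP, reply code, sender.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]*)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) .*?from=<(?P<sender>[^>]*)>"
)

def greylist_deferrals(log_text):
    """Count temporary policy rejections per (sender domain, relay host)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        # Keep only the temporary (451) policy rejection, not permanent rejects.
        if not m or m["code"] != "451" or "Intentional policy rejection" not in line:
            continue
        # The null sender (bounces) has no domain; report it as "<>".
        domain = m["sender"].rpartition("@")[2].lower() or "<>"
        hits[(domain, m["host"].lower())] += 1
    return hits

def whitelist_candidates(hits):
    """Sender domains seen in deferrals, as candidate whitelist arguments."""
    return sorted({domain for domain, _host in hits if domain != "<>"})

if __name__ == "__main__":
    hits = greylist_deferrals(SAMPLE_LOG)
    for (domain, host), n in hits.most_common():
        print(n, domain, host)
    print("candidates:", " ".join(whitelist_candidates(hits)))
```

Whitelisting a domain exempts every network its SPF and MX records resolve to, so the candidate list is worth reviewing rather than passing through wholesale.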




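It first talked about whitelists, blacklists and so on, and I foolishly configured things along with it; as it turned out, theirs is @anyone -> @anyone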



The script spf_to_greylist_whitelists.py queries the SPF and MX records of the specified mail domain names, then stores all converted IP addresses/networks defined in the SPF/MX records in the SQL table iredapd.greylisting_whitelists.

To whitelist the IP addresses/networks of some mail domains, for example outlook.com and microsoft.com, run a command like the one below:

# cd /opt/iredapd/tools/
# python spf_to_greylist_whitelists.py outlook.com microsoft.com

If you want to whitelist more mail domains, just run the command with the domain names like above sample.

Since iRedAPD-1.8.0, we have the SQL table iredapd.greylisting_whitelist_domains to store these mail domain names. If you run spf_to_greylist_whitelists.py without any argument, it will fetch all mail domains stored in the SQL table greylisting_whitelist_domains instead of fetching them from command line arguments.

# python spf_to_greylist_whitelists.py

You should set up a cron job to run this script, so that it can keep the IP addresses/networks up to date. iRedMail sets up the cron job to run every 10 minutes, like below:

*/10   *   *   *   *   /usr/bin/python /opt/iredapd/tools/spf_to_greylist_whitelists.py &>/dev/null


python spf_to_greylist_whitelists.py outlook.com microsoft.com 126.com 163.com qq.com foxmail.com
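
The conversion described above (SPF and MX records turned into IP addresses/networks) and the receiver-side check from the SPF section, as an added Python example that is not iRedAPD's code. DNS is replaced by a constructed in-memory table, all names and addresses are documentation placeholders, and only ip4, ip6, mx, a and include without CIDR suffixes are handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. Names and
# addresses are documentation placeholders, not real records.
FAKE_DNS = {
    ("TXT", "example.com"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("TXT", "_spf.example.net"): ["v=spf1 ip4:198.51.100.16/28 ip6:2001:db8::/32 ~all"],
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["203.0.113.25"],
}

def lookup(rtype, name):
    return FAKE_DNS.get((rtype, name.rstrip(".").lower()), [])

def spf_networks(domain, seen=None):
    """Flatten a domain's SPF record into the networks it authorizes."""
    seen = set() if seen is None else seen
    if domain in seen:                      # guard against include loops
        return set()
    seen.add(domain)
    nets = set()
    for txt in lookup("TXT", domain):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+")
            # Terms qualified with -, ~ or ? do not authorize hosts.
            if not term or term[0] in "-~?":
                continue
            name, _, arg = term.partition(":")
            name = name.lower()
            if name in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(arg, strict=False))
            elif name == "include":
                nets |= spf_networks(arg, seen)
            elif name in ("mx", "a"):
                target = arg or domain      # bare "mx"/"a" means the domain itself
                hosts = lookup("MX", target) if name == "mx" else [target]
                for host in hosts:
                    for ip in lookup("A", host):
                        nets.add(ipaddress.ip_network(ip))
    return nets

def is_permitted(client_ip, domain):
    """Receiver-side check: is the connecting IP inside an authorized network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in spf_networks(domain))
```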
