Debian – Exim doesn’t want to do DKIM signing correctly

debiandkimexim

I'm using exim 4.82 on Debian sid. I've followed several tutorials on how to configure exim to sign outgoing emails, but it seems like something is not behaving as it should be.

My diagnosis is that $sender_address_domain is always set to the hostname of the server (/etc/hostname), regardless what the From: field is in the email message.

I've defined the following macros in /etc/exim4/conf.d/transport/00_exim4-config_header:

DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_SELECTOR = dkim
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key

This current setup signs outgoing emails, but the domain in the DKIM signature is always set to euvps.rolisoft.net, regardless of the From: field. My best guess is $sender_address_domain is set to euvps.rolisoft.net, when it should be set to the domain of the email address in the From: field.

Because of this, the verification fails with bad version message:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=euvps.rolisoft.net; s=dkim;  // <- d= should be set to whatever is in From
    h=Date:Message-Id:From:Subject:To; bh=...; b=...;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of root@euvps.rolisoft.net designates 188.226.159.108 as permitted sender) smtp.mail=root@euvps.rolisoft.net;
       dkim=neutral (bad version) header.i=@euvps.rolisoft.net;
       dmarc=fail (p=NONE dis=NONE) header.from=seriesinfos.com

Setting DKIM_DOMAIN manually to a domain name I'm going to send message from solves this, and the DKIM signature becomes valid. However, I'm using multiple domain names, so it would be best if the DKIM_DOMAIN would be automatically set to whatever email I'm sending the message from.

I have not set up custom routers and transports as some tutorials suggest it. (I've done it at some point, but it had the same results, so I removed them.)

Setting DKIM_DOMAIN to ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}} (with dkim_senders properly set-up) will simply not sign the messages, however dkim_senders doesn't have euvps.rolisoft.net in it, so I'm guessing here $sender_address is also set to euvps.rolisoft.net, which is why the lack of signing.

I'm not exactly sure how to debug what $sender_address_domain is set to.

Best Answer

Although I'm still not sure why isn't $sender_address correctly populated, I found a workaround solution to my problem using another variable:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

This sets the domain name correctly on the DKIM signature.

To stop signing domains I don't have a key for, I've set up two other macros:

DKIM_FILE = /etc/exim4/keys/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

These essentially just look for a private key in /etc/exim4/keys/*domain*.pem and won't sign if it doesn't exist.

Related Solutions

Postfix – DKIM Sign Outgoing Mail from Any Domain

Ok I managed to figure this out on my own, but I wanted to post the steps here for posterity because there was zero documentation on this (that I could find) and it was practically guess and check.

After I set "Domain *" as described above, it would sign it like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=clientdomain.com;
    s=main; t=1250005729;
    bh=twleuNpYDuUTZQ/ur9Y2wxCprI0RpF4+LlFYMG81xwE=;
    h=Date:From:To:Message-Id:Subject:Mime-Version:Content-Type;
    b=kohI7XnLlw/uG4XMJoloc4m9zC13g48+Av5w5z7CVE0u3NxsfEqwfDriapn7s7Upi
     31F3k8PDT+eF57gOu2riXaOi53bH3Fn/+j0xCgJf8QpRVfk397w4nUWP/y8tz4jfRx
     GhH21iYo05umP0XflHNglpyEX02bssscu2VzXwMc=

notice the "d=clientdomain.com". It was generating this based on the from address in the email, where the from address was something like "contact@clientdomain.com". Obviously if it checked the client's domain and not mine no DNS TXT record was there and the verification would fail.

So anyway I found out in this documentaion that you can set a KeyList parameter. http://manpages.ubuntu.com/manpages/hardy/man5/dkim-filter.conf.5.html

It didn't really describe what I wanted to do, but I figured I'd play with it. I commented out KeyFile and set KeyList to "/etc/mail/dkim_domains.key" which is an arbitrary file name I made up. I then created that file and put this in it "*:feedmailpro.com:/etc/mail/dkim.key". This tells it for any client domain, sign it with my domain (feedmailpro.com), and use the dkim.key file.

Restarted DKIM and postfix

sudo /etc/init.d/dkim-filter restart
sudo /etc/init.d/postfix restart

Now this is the key it generated when I sent a test email.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=feedmailpro.com;
    s=dkim.key; t=1250005729;
    bh=twleuNpYDuUTZQ/ur9Y2wxCprI0RpF4+LlFYMG81xwE=;
    h=Date:From:To:Message-Id:Subject:Mime-Version:Content-Type;
    b=kohI7XnLlw/uG4XMJoloc4m9zC13g48+Av5w5z7CVE0u3NxsfEqwfDriapn7s7Upi
     31F3k8PDT+eF57gOu2riXaOi53bH3Fn/+j0xCgJf8QpRVfk397w4nUWP/y8tz4jfRx
     GhH21iYo05umP0XflHNglpyEX02bssscu2VzXwMc=

Improvement, you see the d= now is set to my domain (even though the from address of the email was not my domain). However s= got changed to "dkim.key" instead of the selector I chose in dkim-filter.conf. In the original setup instructions I'd set the selector to "mail". That was weird, but I noticed it changed it to the filename of my key, dkim.key.

So I went and renamed "/etc/mail/dkim.key" to "/etc/mail/mail". Also updated the reference to it in "/etc/mail/dkim_domains.key".

Restart dkim-filter and postfix again same as above, and now it started working. Here is the final header which signs correctly using the right selector (apparently based off the filename of the key).

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=feedmailpro.com;
    s=mail; t=1250006218;
    bh=tBguOuDhBDlhv0m4KF66LG10V/8ijLcAKZ4JbjpLXFM=;
    h=Date:From:To:Message-Id:Subject:Mime-Version:Content-Type;
    b=c9eqvd+CY86BJDUItWVVRvI3nibfEDORZbye+sD1PVltrcSBOiLZAxF3Y/4mP6vRX
     MUUNCC004oIH1u7FYafgF32lpuioMP1cd7bi6x3AZ5zH4BYETNBnnz4AhAPBtqlIh/
     FFMz8jkhhLhcM2hDpwJkuKjAe3LzfNVDP8kD11ZI=

Now s=mail is right, and d=feedmailpro.com is right. It works!

Overall this was way harder than I expected and there seemed to be zero documentation on how to do this (signing for all outgoing domains), but I guess it's open source software so I can't complain.

One final note, to check if the TXT DNS record was setup correctly you can do a command like with your domain

dig mail._domainkey.feedmailpro.com TXT

May need to install dig (sudo apt-get install dig). If you're using Slicehost manager to add the DNS entry, you'd enter the TXT record like this.

Type: TXT
Name: mail._domainkey
Data: k=rsa; t=s; p=M5GfMA0...YOUR LONG KEY...fIDAQAB
TTL seconds: 86400

I don't really understand why the name is set to "mail._domainkey" without a period on the end or without my domain, like "mail._domainkey.feedmailpro.com". But whatever, it seems to work so I'm happy.

If you're trying to duplicate this, here are the instructions I started with: https://help.ubuntu.com/community/Postfix/DKIM

Exim DKIM Error: DKIM: signing failed (RC -101) no matter what private key I try

I've solved this issue with exim and dkim by setting the absolute path to my private key (thanks to @cjc):

The final DKIM configuration section goes like this:

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp

  dkim_domain = my_domain.com
  dkim_selector = dkim
  dkim_private_key = /absolute/path/to/my/private.key
  dkim_canon = relaxed

Thats all! Then just restarted Exim

Best Answer

Related Solutions

Postfix – DKIM Sign Outgoing Mail from Any Domain

Exim DKIM Error: DKIM: signing failed (RC -101) no matter what private key I try

Related Topic