Have spent 2 days trying to tell Exim to add DKIM signatures on my Debian 8 server. No success. Have read many how-tos and forums, but none of the possible solutions work on my server.
Have generated the keys:
cd /etc/exim4/
openssl genrsa -out example.com-private.pem 1024 -outform PEM
openssl rsa -in example.com-private.pem -out example.com.pem -pubout -outform PEM
Have created file
00_local_macros
in
/etc/exim4/conf.d/main/
with the following content:
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
Have published a text DNS record:
20160604._domainkey.example.com
content with public key:
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRpHpC2q1ycmaqdnYlf5WI5g7ZyiXybd6EFdOqk35Sl7ZNfSeZelbyxqgLN+BzHpbp4Z4JDtKLSgBwugCePhl2xVDtQvO9XfqwQLMO5PAOONCLTwoGYrViwf5ki2zIqS2uN5MpuRTKW/IiK3CtRId+w5gjdACAvkwZWBstKEDrQQIDAQAB
# update-exim4.conf
# service exim4 restart
even rebooted the server.
All emails still arrive without DKIM signature.
Tried to add lines:
dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_sign_headers = true
to the file /etc/exim4/conf.d./transport/30_exim4-config_remote_smtp as suggested in some forum. No success. Still no DKIM signature.
exim4 -bV
Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
Update
Almost all tutorials are wrong. With a single-file Exim configuration, the DKIM settings must reside in the exim4.conf.template file. It works! But only for one domain, with this configuration:
DKIM_CANON = relaxed
DKIM_DOMAIN = example.com
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.com-private.pem
DKIM_SELECTOR = 20160604
#DKIM_STRICT = true
Multiple domains still don't work. Tried multiple configurations but still no success. None of the three below works:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${sender_address_domain}
DKIM_FILE = /etc/exim4/dkim/{DKIM_DOMAIN}-private.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem} {/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem}}

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
Best Answer
Verify that you are using the remote_smtp transport. This should be listed after T= in /var/log/exim4/mainlog on the lines containing =>. Checking DKIM on locally delivered email will not work as this transport is not used. Use a verification service to check whether your mail is signed, such as http://dkimvalidator.com

If you are using the remote_smtp_smarthost transport you must modify it to include DKIM signing. On a Debian/Ubuntu machine with split config append the below to the 30_exim4-config_remote_smtp_smarthost file:

Verify the permissions on your private key. It must be readable by the user Exim runs as, which is Debian-exim for Debian and Ubuntu installations. If your transport is set to dkim_strict, it will requeue messages if it cannot sign the message. It will log the failure causes to the mainlog and the paniclog. It may be easier to find the message in the paniclog.

These are the settings that are required to get DKIM working. You seem to be missing some. (I sign for multiple domains with the same key. Try getting signing with a single key working before trying to get fancy and use separate keys for different domains.) This configuration should prevent unsigned email from being sent by the remote_smtp transport.

Once you have signing with a static key working, you could try these changes

You may want to review:
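A small script for the first check in the answer above (which transport each delivery went through, as shown after T= on the => lines of mainlog). It is added here and is not part of the answer or of Exim; the log lines, message ids, hosts and transport names in it are constructed samples.

```python
"""Report Exim deliveries that went through a transport other than remote_smtp.

Exim's mainlog records each delivery on a line containing '=>' together with
the router (R=) and transport (T=) used.  DKIM signing only happens inside a
transport that carries the dkim_* options, so a message handed to another
transport (remote_smtp_smarthost, a local transport) leaves unsigned even when
remote_smtp is configured correctly.
"""
import re

# One delivery record per '=>' line: timestamp, message id, recipient, router, transport.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S{6}-\S{6}-\S{2}) => (?P<rcpt>\S+).*?"
    r"\bR=(?P<router>\S+)\s+T=(?P<transport>\S+)"
)


def parse_deliveries(log_text):
    """Return (msgid, recipient, router, transport) for every '=>' line."""
    deliveries = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            deliveries.append((m["msgid"], m["rcpt"], m["router"], m["transport"]))
    return deliveries


def unsigned_deliveries(log_text, signing_transports=("remote_smtp",)):
    """Deliveries made by a transport that does not carry the DKIM options."""
    return [d for d in parse_deliveries(log_text) if d[3] not in signing_transports]


# Constructed sample in mainlog format; not taken from a real server.
SAMPLE_LOG = """\
2016-06-04 10:15:01 1bDx8k-0001Qz-3A <= alice@example.com H=localhost [127.0.0.1] P=esmtpa S=1024
2016-06-04 10:15:02 1bDx8k-0001Qz-3A => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] C="250 OK"
2016-06-04 10:15:02 1bDx8k-0001Qz-3A Completed
2016-06-04 10:16:40 1bDx9z-0001R4-7Q <= alice@example.com H=localhost [127.0.0.1] P=esmtpa S=980
2016-06-04 10:16:41 1bDx9z-0001R4-7Q => carol@example.org R=smarthost T=remote_smtp_smarthost H=smtp.isp.example [192.0.2.20] C="250 Queued"
2016-06-04 10:17:05 1bDxAa-0001R9-1K => dave <dave@example.com> R=local_user T=mail_spool
"""

if __name__ == "__main__":
    for msgid, rcpt, router, transport in unsigned_deliveries(SAMPLE_LOG):
        print(f"{msgid} -> {rcpt}: T={transport} (R={router}) does not DKIM-sign")
```

Run it against the real file with `unsigned_deliveries(open("/var/log/exim4/mainlog").read())`; if the smarthost transport is in the output, it is the one that needs the dkim_* options.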