Debian – Exim4 does not add DKIM signature

debiandkimemailexim

Have spent 2 days trying to tell Exim to add DKIM signatures on my Debian8 server. No success. Have read many how-tos, forums but none of possible solutions wotk on my server.

Have generated the keys:

cd /etc/exim4/

openssl genrsa -out example.com-private.pem 1024 -outform PEM
openssl rsa -in example.com-private.pem -out example.com.pem -pubout -outform PEM

Have creaded file

00_local_macros

/etc/exim4/conf.d/main/

with the following content:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}

Have published a text DNS record:

20160604._domainkey.example.com

content with public key:

k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRpHpC2q1ycmaqdnYlf5WI5g7ZyiXybd6EFdOqk35Sl7ZNfSeZelbyxqgLN+BzHpbp4Z4JDtKLSgBwugCePhl2xVDtQvO9XfqwQLMO5PAOONCLTwoGYrViwf5ki2zIqS2uN5MpuRTKW/IiK3CtRId+w5gjdACAvkwZWBstKEDrQQIDAQAB

# update-exim4.conf
# service exim4 restart

even rebooted the server.

All emails still arrive without DKIM signature.

Tried to add lines:

dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_sign_headers = true

to the file /etc/exim4/conf.d./transport/30_exim4-config_remote_smtp as suggested in some forum. No success. Still no DKIM signature.

exim4 -bV

Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

Update

Almost all tutorials are wrong. With single file Exim configuration, the DKIM settings must reside in exim4.conf.template file. It works! But only one domain this configuration:

DKIM_CANON = relaxed
DKIM_DOMAIN = example.com
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.com-private.pem
DKIM_SELECTOR = 20160604
#DKIM_STRICT = true

Multiple domains still don't work. Tried multiple configurations but still no success. All three below does not work:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${sender_address_domain}
DKIM_FILE = /etc/exim4/dkim/{DKIM_DOMAIN}-private.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}


DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem} {/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem}}

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}

Best Answer

Verify that that you are using the remote_smtp transport. This should be listed after T= in /var/log/exim4/mainlog on the lines containing =>. Checking DKIM on locally delivered email will not work as this transport is not used. Use a verification service to check whether your mail is signed such as http://dkimvalidator.com

If you are using the remote_smtp_smarthost transport you must modify it to include DKIM signing. On a Debian/Ubuntu machine with split config append the below to the 30_exim4-config_remote_smtp_smarthost file:

# DKIM setup copied from `30_exim4-config_remove_smtp`
# see: https://serverfault.com/a/782069/117087
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif

Verify the permissions on your private key. It must be readable by the use Exim runs as which Debian-exim for Debian and Ubuntu installations. If your transport is to dkim_strict, it will requeue messages if it cannot sign the message. It will log the failure causes to the mainlog and the paniclog. It may be easier to find the message in the paniclog.

These are the setting that are required to get DKIM working. You seem to be missing some. (I sign for multiple domains with the same key. Try getting signing with a single key working before trying to get fancy and use seperate keys for different domains.) This configuration should prevent unsigned email from being sent by the remote_smtp transport.

DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_PRIVATE_KEY = CONFDIR/dkim.private.20160604
DKIM_SELECTOR = ${extract{-1}{.}{DKIM_PRIVATE_KEY}}
DKIM_STRICT = true # optional - causes signing failures to defer (requeue)
#DKIM_SIGN_HEADERS = # Use default

Once you have signing with a static key working. You could try these changes

DKIM_PRIVATE_KEY = CONFDIR/${sender_address_domain}.private.201604
DKIM_SELECTOR = 20160604
DKIM_STRICT = false # optional - pass if no key available

You may want to review:

My notes on implementing DKIM - includes the settings for other transports
My notes on detecting forged servers - particularly the list of verification services
The Exim documentation on DKIM

Related Solutions

Debian – gmail dkim=neutral (no signature)

Don't break the key. Just add it as a single string. It will wordwrap in most editors. My key looks like the following.

rsa1._domainkey                 IN      TXT     "v=DKIM1; t=s; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKq2Ul9a5ixDPQm9WMoPI9fUEZU8FZwfux/O9Sl5+GDCR4rt0CsBzyZj4PY5DTtVHix++EZkR5rVdM4W59DtweKCK6XVntq4Y4GSm+gfZkf/fq45BSCQNilbYux4xqsHQIDAQAB"

I don't believe DKIM supports reassembling strings. If you are using a multi-line format verify it is reassembled into one piece. If it is served with the extra quotes, it will likely break. Your DNS lookup shows that this is the case.

All to often I see SPF records showing up as "v=spf1" "a" "-all", which is read as vspf1a-all. This record should be delivered as v=spf1 a -all but would work as "v=spf1 " "a " "-all". SPF does specify support for quoted parts by concatenates the parts as is without introducing extra spaces. This allows lines to be broken mid-word.

EDIT: I am testing using a key formatted in multiple strings. However, I will need to wait until DNS updates. check-auth@verifier.port25.com tells me my new key does not exist.

The format I get from bind does not match the format the documentation leads me to believe I should get. The documentation indicates that I should see a single string concatenating the fragments I entered. Instead I see the fragments as entered in the zone file.

Testing with bind indicates the text fragments can be as large as 255 characters. Anything over that needs to be split. In any case two such fragments will likely exceed the capacity of a UPD packet.

A review of the RFC indicates a 2048 bit key size is likely the practical limit. There is a warning to implementers that the may have to deal with TXT fragments and reassemble them in order.

Exim4 redirect mail sent to @domain1.example.com to @domain2.example.com

Please use example.com instead of domain2.com, example.com (and .org .net) was specifically created for examples and documentation.

In your /etc/exim4/update-exim4.conf.conf you have configured:

dc_use_split_config='false'

However you are changing something in /etc/exim4/conf.d/router/999_exim4-config_redirect which will be ignored because you are not using split configuration.

Either do:

dc_use_split_config='true'

And reload exim4, you may prefer to change it using:

dpkg-reconfigure exim4-config

Or edit /etc/exim4/exim4.conf.template to add your customisations instead and reload exim4 once done.

Debian exim4 has a feature called hubbed_hosts which can be a convenient way to accomplish what you want without having to add your own routers et al.

So if your want your server to send email destined for domain example.org to domain example.com which has MTAs listening on IPs 192.0.2.1 and 192.0.2.10 you do the following:

Create /etc/exim4/hubbed_hosts and add:

example.org: 192.0.2.1:192.0.2.10
reload exim4

Note, no spaces between the IP addresses and they're separated by a colon ':'

What this does is it will relay email destined for example.org to IPs 192.0.2.1,192.0.2.10 (in my example the IPs of example.com). It therefore will ignore the MX records of that domain. The IP address could be anything, as long as it is configured to receive those emails.

Finally there is address rewriting, see: http://www.exim.org/exim-html-current/doc/html/spec_html/ch31.html Perhaps it has something that will fit your requirements. You could use it in addition to hubbed_hosts.

Best Answer

Related Solutions

Debian – gmail dkim=neutral (no signature)

Exim4 redirect mail sent to *@domain1.example.com to *@domain2.example.com

Related Topic

Exim4 redirect mail sent to @domain1.example.com to @domain2.example.com