Why is exim not adding the DKIM header to emails


My emails used to be getting signed with DKIM in the header. Now if you check the email source it is not signing.

What is wrong? How can I debug, what logs can I look at?

cat /etc/exim4/conf.d/main/00_local_macros 

Returns:

DKIM_CANON = relaxed
DKIM_SELECTOR = mail
DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
DKIM_FILE = /etc/exim4/keys/${dkim_domain}/mail.private
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

The location of the keys:

ls -la /etc/exim4/keys/example.co.za/

Returns:

-rwxr-x--- 1 Debian-exim Debian-exim  887 Mar  7 17:26 mail.private
-rwxr-x--- 1 Debian-exim Debian-exim  305 Mar  7 17:26 mail.txt

Best Answer

Check your mainlog to verify which transport is delivering your mail (T= lines). The only standard transport that signs email is remote_smtp. If mail is being delivered by a different transport, it won't be signed.

EDIT: I believe this may be where your problem is, as ${dkim_domain} likely doesn't contain the value of DKIM_DOMAIN:

DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
DKIM_FILE = /etc/exim4/keys/${dkim_domain}/mail.private

Try:

DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
DKIM_FILE = /etc/exim4/keys/DKIM_DOMAIN/mail.private

Although I would recommend not sending from www domains so you could define DKIM_DOMAIN as follows. You could use domain rewriting to remove the www portion of the domain, although I would try to avoid getting it there in the first place.

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

I prefer to use a split configuration, although the single-file configuration works if you only have simple modifications. Any changes I make are new files, with new names. I have a couple of modified versions of Exim-provided configuration files, modified to my needs. This method retains my changes when an Exim upgrade includes configuration changes. In either case, consider using a revision control system to track your changes.

The user id running exim needs to be able to read the key files, and all directories leading to the files. However, it should not be able to write or replace the keys. If you have keys in a dedicated directory you can protect it by changing the mode to 750, changing the owner to root and the group to Debian-exim or whatever group Exim runs as. Protect the keys likewise, but set the mode to 440 or 640.
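
An added example, not part of the answer above: a Python check for the key permissions described in its last paragraph (Exim can read the key and traverse every directory leading to it, but cannot write or replace it). The function names, the uid/gid 105 standing in for Debian-exim and the two stat layouts are constructed for illustration; only classic owner/group/other mode bits are considered, not ACLs.

```python
import os
import stat
from pathlib import Path
from types import SimpleNamespace

def access_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to uid/gids under owner/group/other rules."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_dkim_key(key_path, exim_uid, exim_gids, stat_fn=os.stat):
    """List problems with the key file and the directories leading to it."""
    key = Path(key_path)
    findings = []
    # Every directory leading to the key must be searchable (x) by Exim.
    for d in list(key.parents)[::-1]:
        if not access_bits(stat_fn(d), exim_uid, exim_gids) & 1:
            findings.append(f"{d}: Exim cannot traverse")
    # Exim must not be able to write or replace the key or its directory.
    for p in (key.parent, key):
        st = stat_fn(p)
        if st.st_uid == exim_uid:
            findings.append(f"{p}: owned by Exim, which can chmod or replace it")
        elif access_bits(st, exim_uid, exim_gids) & 2:
            findings.append(f"{p}: writable by Exim")
    if not access_bits(stat_fn(key), exim_uid, exim_gids) & 4:
        findings.append(f"{key}: not readable by Exim")
    return findings

# Constructed sample: uid/gid 105 stands in for Debian-exim (assumed value).
EXIM = 105
KEY = "/etc/exim4/keys/example.co.za/mail.private"
KEY_DIR = str(Path(KEY).parent)

def fake_stat(layout):
    """Build a stat_fn from {path: (mode, uid, gid)}; unlisted paths are root 0755."""
    def stat_fn(p):
        mode, uid, gid = layout.get(str(p), (0o755, 0, 0))
        return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
    return stat_fn

# Keys and directory owned by the Exim user, versus root-owned with group read.
OWNED_BY_EXIM = fake_stat({KEY_DIR: (0o750, EXIM, EXIM), KEY: (0o750, EXIM, EXIM)})
ROOT_OWNED = fake_stat({KEY_DIR: (0o750, 0, EXIM), KEY: (0o640, 0, EXIM)})

if __name__ == "__main__":
    for name, fn in (("owned by Exim", OWNED_BY_EXIM), ("root-owned", ROOT_OWNED)):
        print(name, audit_dkim_key(KEY, EXIM, {EXIM}, fn))
```

On a real host, drop the `stat_fn` argument and pass the uid and group ids of the account Exim runs as.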
