Weblog entry #41 for lee
Support for DKIM signing in Exim has been available since version 4.70, and the configuration supplied with Debian makes it fairly straightforward to implement. However, it suggests an all-or-nothing configuration in which all outgoing mail is signed with the same domain authority.
Where multiple domains are used it may be necessary to switch DKIM signing on selectively, and to specify the signing domain per sender. The following details provide a mechanism to do so within the standard Debian Exim configuration.
(This assumes that the keys have been created and the requisite records have been added to DNS for the affected domains. It also assumes a split config.)
Set up a simple lookup file such as /etc/exim4/dkim_senders:
*@example.com: example.com
test@example.org: example.org
This config should mean that anything sent from any address at example.com is signed as example.com, but only test@example.org is signed with the example.org key. If default DKIM signing is not enabled, no other example.org mail is signed.
Now create a new router that sits in front of the main router for external mail (whatever uses remote_smtp as a transport, e.g. dnslookup), such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookup with a modified transport):
dnslookup_dkim:
  debug_print = "R: dnslookup_dkim for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  senders = lsearch*@;/etc/exim4/dkim_senders
  transport = remote_smtp_dkim
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more
Then add a new transport, /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp):
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
  .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
  .endif
  .ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  .endif
  .ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
  .endif
  .ifdef REMOTE_SMTP_HELO_DATA
  helo_data = REMOTE_SMTP_HELO_DATA
  .endif
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
  dkim_selector = yourhostname
  dkim_private_key = /etc/ssl/private/dkim.key
  dkim_canon = relaxed
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS
I've left the selector and keys the same since there doesn't appear to be any problem sharing these across domains, but these could also be found via lookups if needed.
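As an added worked check (my own Python emulation, not Exim's code and not part of the original article), the following models the lsearch*@ lookup that both the router's senders condition and the transport's dkim_domain expansion perform against the table, so a dkim_senders file can be sanity-checked before it goes live. The fallback order (full key, then *@domain, then a bare *) follows the Exim specification's default-value rules for single-key lookups; case folding of the key and the handling of an empty bounce sender are simplifying assumptions of the emulation.

```python
# Added example (my own Python, not Exim's code): emulates the lsearch*@ lookup
# that the dnslookup_dkim router's senders condition and the transport's
# dkim_domain expansion both perform against /etc/exim4/dkim_senders.
# Constructed copy of the article's lookup file ("key: value" lines).
DKIM_SENDERS = """\
# sender pattern : signing domain
*@example.com: example.com
test@example.org: example.org
"""

def parse_lsearch(text):
    """Ordered (key, value) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries.append((key.strip().lower(), value.strip()))
    return entries

def lsearch_star_at(entries, key):
    """'*@' default handling: try the full key, then '*@domain' when the key
    contains '@', then a bare '*'. Linear search, so the first matching line
    wins. Lower-casing the key is a simplifying assumption of this emulation."""
    key = key.lower()
    candidates = [key]
    if "@" in key:
        candidates.append("*@" + key.rsplit("@", 1)[1])
    candidates.append("*")
    for cand in candidates:
        for k, v in entries:
            if k == cand:
                return v
    return None

def signing_domain(sender_address, table_text=DKIM_SENDERS):
    """dkim_domain the transport would sign with, or None when the router's
    senders condition fails and the mail falls through to plain remote_smtp.
    An empty sender (a bounce) is treated as no match: an assumption here."""
    if not sender_address:
        return None
    # Router and transport consult the same file, so one lookup answers both
    # "does dnslookup_dkim take this message?" and "which domain signs it?".
    return lsearch_star_at(parse_lsearch(table_text), sender_address)

if __name__ == "__main__":
    for s in ("alice@example.com", "test@example.org", "bob@example.org"):
        print(s, "->", signing_domain(s))
```

Adding a trailing "*: some.domain" line to the table turns it into the default for every otherwise unlisted sender, which is the opposite of the selective behaviour the article sets out to achieve.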
Comments on this Entry
The entry "example.com" should be interpreted by the transport router as "*@example.com" because the search type in the transport is specified as "lsearch*@" (see Exim documentation, chapter 9.6).
The location of the transport file was indeed a bad cut-n-paste and has been amended in the article, thanks.
Oddly, according to the documentation, an "@" needs to appear in the entry, but I'm using the file without one and it still seems to work (a quirk of how senders is queried?). I've modified the entry to suggest "*@".
- The file /etc/exim4/dkim_senders should contain : This way it works as described.
- The transport file 30_local_remote_smtp_dkim should be in the folder /etc/exim4/conf.d/transport/.
Anyway, thanks for sharing this technique :)