Supporting multiple DKIM domains under Exim
Posted by lee on Fri 7 Jan 2011 at 19:48
UPDATE: a later entry uses a simplified config.

DKIM signing has been available in Exim since version 4.70, and the configuration supplied with Debian makes it fairly straightforward to implement. However, it suggests an all-or-nothing configuration in which all outgoing mail is signed with the same domain authority.

Where multiple domains are used it may be necessary to selectively switch on DKIM signing, and be able to specify the signing domain. The following details provide a mechanism to do so within the standard Debian Exim configuration.

(This assumes that the keys have been created and the requisite records have been added to DNS for the affected domains. It also assumes a split config.)

Set up a simple lookup file such as /etc/exim4/dkim_senders:

*@example.com: example.com
test@example.org: example.org

This config should mean that anything sent from any address at example.com is signed as example.com, but only test@example.org will be signed with the example.org key. If default DKIM is not enabled, then no other example.org mail will be signed.

Now create a new router that sits in front of the main router for external mail (whatever uses remote_smtp as a transport, e.g. dnslookup), such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookup with a modified transport):

dnslookup_dkim:
  debug_print = "R: dnslookup_dkim for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  senders = lsearch*@;/etc/exim4/dkim_senders
  transport = remote_smtp_dkim
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more

Then add in a new transport /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp):

remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
  dkim_selector = yourhostname
  dkim_private_key = /etc/ssl/private/dkim.key
  dkim_canon = relaxed
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS

I've left the selector and keys the same since there doesn't appear to be any problem sharing these across domains, but these could also be found via lookups if needed.
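
To see which senders end up with which signing domain, the sketch below emulates the documented `lsearch*@` defaulting order (full address, then `*@domain`, then `*`) that the transport's dkim_domain lookup relies on. It is an added example, not part of the original article or of Exim; the function names are hypothetical, the file contents are a constructed copy of the sample above, and the parser is simplified (no continuation lines or quoted keys).

```python
import re

# Constructed sample mirroring the article's /etc/exim4/dkim_senders.
DKIM_SENDERS = """\
# sender pattern: signing domain
*@example.com: example.com
test@example.org: example.org
"""

ENTRY = re.compile(r"^([^\s:]+)\s*:?\s*(.*)$")


def parse_lsearch(text):
    """Parse 'key: value' lines; keys are case-insensitive, first match wins.

    Simplified: continuation lines and quoted keys are not handled."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        m = ENTRY.match(line)
        if m:
            table.setdefault(m.group(1).lower(), m.group(2).strip())
    return table


def candidate_keys(sender):
    """Keys tried by a '*@' lookup, in order: address, *@domain, then *."""
    keys = [sender]
    if "@" in sender:
        keys.append("*@" + sender.rsplit("@", 1)[1])
    keys.append("*")
    return [k.lower() for k in keys]


def signing_domain(sender, text=DKIM_SENDERS):
    """Return the value the lookup would yield, or None if no key matches."""
    table = parse_lsearch(text)
    for key in candidate_keys(sender):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for addr in ("alice@example.com", "test@example.org",
                 "other@example.org", "Bob@EXAMPLE.COM"):
        print(f"{addr:20} -> {signing_domain(addr)}")
    # A bare-domain key is not among the keys a '*@' lookup tries.
    print(signing_domain("alice@example.com", "example.com: example.com\n"))
```

The key being looked up is `$sender_address`, which is the envelope sender rather than the From: header. On a live host the same expansion can be checked with `exim4 -be` and the lookup string from the transport.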

 

Comments on this Entry

Thanks and small errata
Posted by Hulotte (86.198.xx.xx) on Sun 9 Jan 2011 at 00:42
I might have found two small mistakes:
  • The file /etc/exim4/dkim_senders should contain:
    *@example.com: example.com
    test@example.org: example.org
    
    This way it works as described.
  • The transport file 30_local_remote_smtp_dkim should be in the folder /etc/exim4/conf.d/transport/.
Anyway, thanks for sharing this technique :)

Re: Thanks and small errata
Posted by lee (90.193.xx.xx) on Sun 9 Jan 2011 at 13:19
The entry "example.com" should be interpreted by the transport router as "*@example.com" because the search type in the transport is specified as "lsearch*@" (See Exim Documentation Chapter 9.6)

The location of the transport file was indeed a bad cut-n-paste and has been amended in the article, thanks.

Re: Thanks and small errata
Posted by lee (90.193.xx.xx) on Sun 9 Jan 2011 at 13:30
Oddly, according to the documentation, an "@" needs to appear in the entry but I'm using the file without one and it still seems to work (a quirk of how senders is queried?). I've modified the entry to suggest "*@".

Re: Supporting multiple DKIM domains under Exim
Posted by Anonymous (121.44.xx.xx) on Fri 14 Jun 2013 at 13:31
Thank you!!!

This was doing my head in. Whilst not using Debian, it helped me with adding the stuff I needed in my Exim router and transports on a FreeBSD system.

Re: Supporting multiple DKIM domains under Exim
Posted by Anonymous (59.164.xx.xx) on Mon 7 Jul 2014 at 20:35
Hi,

I want to set up DKIM for multiple domains and followed the procedure which you have mentioned. After this configuration, when I restart exim4, it shows -

/etc/init.d/exim4 restart
[....] Stopping MTA for restart:2014-07-07 19:11:22 Exim configuration error:
there are two transports called "remote_smtp_dkim"
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not installing
/var/lib/exim4/config.autogenerated.tmp to /var/lib/exim4/config.autogenerated

-
Why am I getting this error? Please help!!

Re: Supporting multiple DKIM domains under Exim
Posted by nitram (93.185.xx.xx) on Wed 15 Apr 2015 at 16:46
Thank you, Lee!
