Do you use let's encrypt?





4990 votes ~ 18 comments

 

XML logo

Selective and multiple domain DKIM with Exim
Posted by lee on Mon 9 Nov 2015 at 11:40
Tags: ,
My previous config from 2011 suggested the use of custom router and transport files for supporting selective domain use for DKIM in exim, but since the Debian package contains "ifdef" for expansions, you can achieve the same effect with lookups. Assuming the correct DNS records have been set up, add the key into /etc/exim4/dkim-foo.key and make it readable by the exim user (Debian-exim). Create /etc/exim4/dkim_senders with a list of addresses that should have mail signed.
test@example.com
*@example.net
Create /etc/exim4/dkim_domains with the per-domain configs
example.com: selector=foo key=/etc/exim4/dkim-foo.key canon=relaxed
example.net: selector=bar key=/etc/exim4/dkim-bar.key
Create /etc/exim4/conf.d/main/00_local_dkim (if you're using split config)
 DKIM_DOMAIN =      ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}{$sender_address_domain}{}}

 ## make the following active instead if all mail from selected domains should be signed
 # DKIM_DOMAIN =      ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}

 DKIM_SELECTOR =    ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
 DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
 DKIM_CANON =       ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
 DKIM_STRICT =      ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
Run update-exim4.conf and reload exim. For addresses not listed in /etc/exim4/dkim_senders exim should not attempt DKIM signing. This config assumes that the signing domain is the sender's domain. It's reasonable, but not necessarily always true. It also assumes users on the same sender domain use the same signing key. If necessary it wouldn't be too hard to swap the lookups around to allow domains to support different selectors.