Installing DKIM with DA Exim 4.71

I'm not sure what you mean by local relay. Do you mean for mail delivered on the same server? If so, then that's not relaying, that's local delivery. And there's no need for dkim checking on local delivery.

Jeff
 
Sorry... meant delivery not relay.. sometimes I confuse some words...

Do you think that I made the edit in the correct section on your SpamBlocker?

Thanks
 
It looks right to me. It's where I put everything when I recently did a paid conversion for a client to SpamBlocker-powered exim.conf version 4. He never wrote back to complain that it's not working. Unless he does I'm going to presume that's correct.

Jeff
 
Been looking for a way to integrate DKIM. This is nice. I was thinking of creating an actual plugin for this.
 
For what it's worth, I've taken some time today to examine recent emails which have made it through my system but look spammy (they're from mailing companies, and I've never joined the lists). Note that SpamBlocker is working well; there aren't many of these.

They all use DKIM.

Our blocklists aren't removing the ones I'm seeing. That doesn't mean many more aren't being blocked, but these made it through.

And then SpamAssassin autolearned them as ham strictly because they had DKIM enabled.

It appears that mailing list companies I think of as spammers (they think they're not spammers because they conform to Can-SPAM but they don't care where their addresses come from, or they pretend to care but don't check) are using DKIM to make sure their email gets through spam blocking.

Based on this experience I'd recommend that SpamBlocker never whitelist based on DKIM, and that DKIM whitelisting be disabled in SpamAssassin.

That's my opinion.

Comments welcome.

Jeff
 
I agree with you, DKIM enabled doesn't mean that the sender is not sending spam.

Btw, where do I have to edit something to make SpamAssassin autolearn? Does it work well?

And last question.. if I make some basic filters.. how should I make them automatically assigned to users that already exist and to new users?

Thanks in advance.
 
Agreed 100%. DKIM is a tool to verify the sender. Anyone can set it up, including spammers. However, with that said, I do believe it is a decent tool to help prevent your customers' regular emails from ending up in spam boxes.
 
I don't see how I can agree with you. For example, in my case, mail from the nobaloney.net domain may come from our billing provider (we use an external billing service at this time), our domain registration system (which uses LogicBoxes software and runs on their servers), our Certificate issuing system (which runs on the Certification Authority's servers), from certain other providers, and even from gmail. They won't be signed by DKIM. Or if they will (I'm not sure and I'm not checking now) they won't be signed by our DKIM. But they're all legitimate and all from us.
Since this was posted a while ago, maybe you now understand better how it works, but I just wanted to add that you don't need to sign all the emails from your domain. A simple change in the DNS entry will indicate that only some of it is signed. This can be reinforced with ADSP.

Also, regarding this implementation, it's usually best to start in testing mode, in order to avoid being blocked or flagged. Once things are working 100%, one can switch to production mode.

All the rules for incoming emails simply warn the recipient, so there is no real need for additional rules, but if one wanted to block or delay emails, here are a few tips:
- Use a list of known senders. If an email coming from gmail doesn't have a DKIM signature, "block" it, it's a spoof.
- When a signature verification fails, check if the domain sending it is in testing mode. You can then make decisions based on that result.

And if people want more antispam features and Jeff lacks the time to develop his solution further, there is always "spamblocker on steroids", ASSP.
 
Use a list of known senders. If an email coming from gmail doesn't have a DKIM signature, "block" it, it's a spoof
What do you mean by an email coming from gmail? Do you mean with a gmail return address, or from a gmail server? How would you identify it?

Jeff
 
Then what happens if the sender uses his gmail.com address but sends from his own server (or any other server)? I don't see blocking that as viable.

Jeff
 
Well, I don't see sending emails using a DA server when the sender is a gmail address as a viable option ;). Doing something like that is one of the first things that gets you flagged as a potential threat/spammer.
In my filters, I just add a flag when something like this occurs. It will raise the overall spam score.

But adding sites like Facebook, LinkedIn, Nespresso, etc. to the list of known DKIM senders does make sense.
 
Code:
Starting exim: 2010-12-23 20:30:57 Exim configuration error in line 196 of /etc/exim.conf:
  main option "acl_check_dkim" unknown

If I remove all these lines my exim works fine!
Any suggestion?
 
mmm.. I have tried the configurations of the first post, but if I restart exim I get this error: main option "acl_smtp_dkim" unknown
 
A couple more things that are missing...

You should always start in testing mode.
Add t=y after k=rsa, like this:
TXT "k=rsa; t=y; p=fdgdfgdfg"


There should be at least one policy.
Example 1
_domainkey.domain.com. 14400 IN TXT "t=y; o=~;"
indicates that we're in testing mode and that only some of the emails are signed

Another example
_adsp._domainkey.domain.com. 14400 IN TXT "dkim=all"
indicates that all emails will be signed
 
I've just checked the acl_check_dkim snippet and there is some redundant and unnecessary code.

First, define this before the ACLs
Code:
dkim_verify_signers = $sender_address_domain:$dkim_signers

Second, get rid of all these lines
Code:
sender_domains  = $sender_address_domain:$dkim_signers
dkim_signers    = $sender_address_domain:$dkim_signers
That's not the proper way of using them. You should only use that if you want to apply a rule to a specific list of domains.

Third, remove all the "condition =" lines. dkim_status is already a condition.

Here is an example that should work
Code:
warn    dkim_status     = none
        set acl_m_dkim_hdr = 1
        add_header      = X-DKIM: no dkim signature for $dkim_cur_signer

warn    condition       = ${if eq {$acl_m_dkim_hdr}{1}{no}{yes}}
        set acl_m_dkim_hdr = 1
        add_header      = X-DKIM: by $primary_hostname on $tod_full

warn    dkim_status     = invalid
        add_header      = Authentication-Results: $primary_hostname; \
                          dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"

warn    dkim_status     = fail
        add_header      = Authentication-Results: $primary_hostname; \
                          dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"

warn    dkim_status     = pass
        add_header      = Authentication-Results: $primary_hostname; \
                          dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"

accept

This can be improved by writing to logs, checking against adsp records, list of trusted domains, etc.
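A worked version of the tips given earlier in this thread (check the t=y testing flag before penalising a failed verification, compare unsigned mail against the domain's ADSP record, and never whitelist on a bare DKIM pass), as an added Python example that is not from this thread or from SpamBlocker. The DNS answers are constructed sample data embedded in the script; a real deployment would replace SAMPLE_DNS_TXT with TXT lookups and feed in Exim's $dkim_verify_status and the DKIM-Signature header.

```python
# Constructed TXT records standing in for live DNS answers (sample data, not real domains' records).
SAMPLE_DNS_TXT = {
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; t=y; p=CONSTRUCTED_KEY",  # key in testing mode
    "sel1._domainkey.example.org": "v=DKIM1; k=rsa; p=CONSTRUCTED_KEY",       # production key
    "_adsp._domainkey.example.org": "dkim=all",                              # ADSP: all mail is signed
}


def parse_tags(record):
    """Split a DKIM/ADSP style 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def key_in_testing_mode(domain, selector):
    """True when the selector's key record carries the t=y flag."""
    record = SAMPLE_DNS_TXT.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return False
    return "y" in parse_tags(record).get("t", "").split(":")


def adsp_policy(domain):
    """Return the ADSP 'dkim=' value, or 'unknown' when no _adsp record exists."""
    record = SAMPLE_DNS_TXT.get(f"_adsp._domainkey.{domain}")
    return parse_tags(record).get("dkim", "unknown") if record else "unknown"


def dkim_score_delta(dkim_status, sender_domain, dkim_signature=None):
    """Translate Exim's $dkim_verify_status into a spam-score adjustment.

    A 'pass' never whitelists: it only proves who signed, not that the mail is wanted.
    """
    if dkim_status == "pass":
        return 0.0
    if dkim_status == "none":
        # Unsigned mail from a domain whose ADSP record promises 'dkim=all' is suspicious.
        return 1.0 if adsp_policy(sender_domain) == "all" else 0.0
    # 'fail' or 'invalid': ignore it while the signing domain is still testing (t=y).
    sig = parse_tags(dkim_signature or "")
    if key_in_testing_mode(sig.get("d", sender_domain), sig.get("s", "")):
        return 0.0
    return 2.0
```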
 