Installing DKIM with DA Exim 4.71

neil.hearn (Verified User; joined Jan 21, 2010; 6 messages)
Just so everyone has a point of reference, here is how I have Exim set up to sign all outgoing mail and check incoming.

In exim.conf, add
Code:
acl_smtp_dkim = acl_check_dkim
just below
Code:
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the RCPT and DATA
# commands, respectively.

Then add this in the ACL section, generally below acl_check_helo:
Code:
acl_check_dkim:
        # Exim calls this ACL once per signing domain it verifies. $dkim_verify_status is
        # one of none, invalid, fail or pass; when it is not pass, $dkim_verify_reason
        # says why (pkey_unavailable, pkey_syntax, bodyhash_mismatch, signature_incorrect).
        # Each warn records the result for the current signer in an X-DKIM-Status header;
        # dkim_status alone selects the result, so no extra condition line is needed.
        # With the default dkim_verify_signers ($dkim_signers) the ACL is not run at all
        # for an unsigned message, so the none branch fires only if that main option is
        # widened, for example to $sender_address_domain:$dkim_signers.

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = invalid

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = fail

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = none

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = pass

        # The header is informational only; acting on it is left to downstream
        # rules (SpamAssassin, client filters), so always accept here.
        accept

Then in the transport section, under driver = smtp, add:
Code:
  dkim_domain = $sender_address_domain
  dkim_selector = x
  # Sign only when the sender domain is hosted here (listed in /etc/virtual/domains).
  # An empty result makes Exim send the message unsigned instead of trying to read a
  # non-existent key such as /etc/virtual/ERROR/dkim.private.key and failing delivery.
  dkim_private_key = ${lookup{$sender_address_domain}lsearch{/etc/virtual/domains}{/etc/virtual/$sender_address_domain/dkim.private.key}{}}
  dkim_canon = relaxed

Then create the following script:
Code:
#!/bin/bash
# Usage: add_dkim example.com
# Creates a DKIM key pair for the domain and appends the public key to the domain's
# BIND zone as selector "x". RFC 8301 forbids verifiers from accepting keys shorter
# than 1024 bits, so 2048 is used instead of the 768 bits originally chosen here.
dir=/etc/virtual/$1
openssl genrsa -out "$dir/dkim.private.key" 2048
openssl rsa -in "$dir/dkim.private.key" -pubout -outform PEM -out "$dir/dkim.public.key"
chown mail:mail "$dir"/*.key && chmod 600 "$dir/dkim.private.key"
pub=$(grep -v '^-----' "$dir/dkim.public.key" | tr -d '\n')
# BIND caps each quoted TXT string at 255 bytes; a 2048-bit key needs several quoted chunks.
txt=$(printf 'v=DKIM1; k=rsa; p=%s' "$pub" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
printf 'x._domainkey.%s.\t14400\tIN\tTXT\t%s\n' "$1" "$txt" >> "/var/named/$1.db"
echo "Domain $1 has been configured for DKIM signing (bump the zone serial and reload named)."
The usage would be:
Code:
add_dkim domain
      e.g. add_dkim example.com

Then run the script for each domain you have, or add it to the post_process part of DA for domain creation.

Of course, if you have lots of domains you could run:
Code:
for d in */; do add_dkim "${d%/}"; done
in the /etc/virtual directory. That is assuming you have chmodded add_dkim to 0755 and placed it in the executable path.

This is how I set this up, and I hope it works well for others.
I'm sorry if this all looks very untidy and hacky. I am not really a Linux sysadmin or anything (as you can probably tell). I am learning slowly.
Any improvements are more than welcome!

Thanks all

Neil.
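
As an added illustration (not part of Neil's post or of the DirectAdmin configuration), the Python below shows what a verifying Exim computes from a signed message before it reports pass or fail for a signer: the relaxed body canonicalisation selected by dkim_canon = relaxed, the bh= body hash carried in the DKIM-Signature header, and the reassembly of a public-key TXT record that a zone file stores as several quoted strings. The message body, the DKIM-Signature header and the TXT chunks are constructed for the example (d=example.com and s=x follow the thread); the header carries an empty b= tag because checking the RSA signature over the headers needs the public key and is left out here.

```python
"""Added example: the body-hash side of DKIM verification (RFC 6376), standard
library only. All sample data below is constructed, not a captured message."""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (a DKIM-Signature value or a DNS key record).
    Whitespace inside values is dropped, as the RFC allows for b=, bh= and p=."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def join_txt_chunks(chunks) -> dict:
    """A zone file stores a long key as several quoted strings ("..." "...").
    RFC 6376 s3.6.2.2 has the verifier concatenate them before parsing."""
    return parse_tags("".join(chunks))


def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalisation (RFC 6376 s3.4.4): trailing whitespace on
    each line removed, runs of whitespace folded to one space, trailing empty
    lines dropped, CRLF line ends; an empty body stays empty."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def check_body_hash(signature_header: str, body: str) -> str:
    """'pass' when the bh= tag matches the body as received, else 'fail'
    (Exim then reports bodyhash_mismatch in $dkim_verify_reason)."""
    tags = parse_tags(signature_header)
    return "pass" if tags.get("bh") == body_hash(body) else "fail"


# Constructed sample body and the DKIM-Signature header a signer would attach
# to it (b= left empty: signing the headers needs the RSA private key).
BODY = "Hello,\n\nYour order has shipped.\n\n-- \nexample.com support\n"
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=x; "
    "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b="
)
# Constructed TXT record split the way a zone file stores a key over 255 bytes;
# the key material after the SPKI prefix is filler, not a real key.
TXT_CHUNKS = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
              "c0nstructedKeyMaterial0nlyF0rTheExampleAAAAAAAAAAAAAAAAAAAAAAQAB"]

if __name__ == "__main__":
    print("untouched body:      ", check_body_hash(SIGNATURE_HEADER, BODY))
    # A relay that rewrites line ends or adds trailing spaces does not break a
    # relaxed signature...
    print("whitespace rewritten:", check_body_hash(SIGNATURE_HEADER, BODY.replace("\n", "  \r\n")))
    # ...but a mailing list appending a footer does: that is a "fail", not "invalid".
    print("footer appended:     ", check_body_hash(SIGNATURE_HEADER, BODY + "\nUnsubscribe: http://list.example/u\n"))
    print("key tags from DNS:   ", join_txt_chunks(TXT_CHUNKS))
```

Run it as a script to see the three outcomes; the distinction between a body that was only re-wrapped (still pass) and one that was changed in content (fail) is the reason relaxed canonicalisation is the usual choice for mail that passes through other MTAs.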
 
If this guide can be verified to work, can it be moved to the how-to section?
 
Interested. I'm waiting for some third-party verifications and also some discussions on using DKIM.

Jeff
 
Discussions please. On the advantages and disadvantages (if any) of using DKIM with outgoing email.

And of advantages of checking it on incoming mail since all it appears to do is add headers to the incoming messages. Where/how would we check those headers?

Thanks.

Jeff
 
Advantages/Disadvantages

Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.

It also helps in regards to tracing if your mail server has been used to send spam, as any spam sent via your mail server will be DKIM signed. Thus you can take appropriate measures to ensure it stops occurring.

Adding headers to incoming mail is useful for custom Spamassassin rules, filter rules, OE rules, and anything that can check mail headers. Specifically, giving you control of what you wish to do with your signed/not-signed mails.

That's my 2 pence worth.

Neil.
 
I think it would be nice if this were implemented in your SpamBlocker, jlasman; anyone could then decide which domains to add to it, or whether to add it by default to all existing and new ones...

regards
 
Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.
I don't see how I can agree with you. For example, in my case, mail from the nobaloney.net domain may come from our billing provider (we use an external billing service at this time), our domain registration system (which uses LogicBoxes software and runs on their servers) our Certificate issuing system (which runs on Certification Authority's servers), from certain other providers, and even from gmail. They won't be signed by DKIM. Or if they will (I'm not sure and I'm not checking now) they won't be signed by our DKIM. But they're all legitimate and all from us.
It also helps in regards to tracing if your mail server has been used to send spam - as any spam sent via your mail server will be DKIM signed. Thus you can take appropriate measures to ensure it stops occuring.
Signed by whom? By the domain the user has set up on your server? That doesn't help the outside world or me much; it simply leads me back to the guy sending spam on my server, which I certainly can identify by other means.

Perhaps I'm misunderstanding, but I just read the Wikipedia article (wikipedia.org) again, and DKIM doesn't seem to give any more information to the spam recipient to use to trace the spam than s/he already has. Nor does it give me any more information about the spammer than I already have.

I suppose if it can be set up to only work for certain domains it doesn't do harm, but except for possible protection on the receiving end from accepting phishing email, I still don't understand much good.

Please consider continuing to educate me (and others here).
Adding headers to incoming mail is useful for custom Spamassassin rules, filter rules, OE rules, and anything that can check mail headers. Specifically, giving you control of what you wish to do with your signed/not-signed mails.
This I simply don't understand. I see DKIM headers in my incoming email all the time, and my exim.conf SpamBlocker file is no different from yours. The DKIM headers match the return-path. Please explain how we could do anything different.

Jeff
 
i think that would be nice if implemented in your spamblocker jlasman, anyone will decide what domain add in it or if add by default to all already exist and newer ones...
Do you remember when I wrote that I'd stopped accepting new features, so I could finally bring out the new SpamBlocker version? That was many months ago.

Are you suggesting I begin work on a new version? My current version works well for me, and so far I've made a total of under $300 in installation fees after years of hard work, so I'm not sure I want to spend years more hard work. Nor am I sure those of us with many systems want to do yet another update; the files require a lot of customizations.

You can possibly talk me into it, but not just by saying you want it.

More on the advantages, and more on what would it require besides changes to the exim.conf file?

Jeff
 
Sorry jlasman, it wasn't my intention to mean "I want it, do it"... I was just supposing that it would be a nice feature... honestly I forgot you told me that you had stopped adding new features, my fault :)
 
No problem. And I'm still awaiting more discussion to see how much interest really exists.

Jeff
 
Today I received an email from Yahoo support because I'm having problems with them, and they suggested these things:

Code:
- Make sure you provided the correct IPs and that these IPs are sending traffic to Yahoo! Mail.
- Send to opted-in and engaged subscribers only.
- Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
- Process bounces and complaints in an efficient manner.

The problem I'm having is that they blocked my server IP, probably for too much traffic... the real problem is that the traffic is made by newsletters and mailing lists from my customers, and whoever receives the email does so because they asked for it...

I'm not so good at English; I've tried to explain to them as best I can what is going on, but... they don't seem to understand me so well...

But they mention the DKIM thing as a way to solve the problem (I think that's what they meant).

This is of course off topic, but maybe some other user has this problem and will find a "solution" here.

But I would ask you (because you are of course more expert than me on email and, I think, on sysadmin in general): how should I check an email sent with U=apache, or... stop Apache from sending email and so force users to use SMTP auth with your SpamBlocker (if Exim has to do something for that, or it is another thing to edit)...

As usual, thanks for your time, I really appreciate it.
 
Let's look at this one at a time:
- Make sure you provided the correct IPs and that these IPs are sending traffic to Yahoo! Mail.
Make sure that you've listed with them the IP# your server uses to send email.
- Send to opted-in and engaged subscribers only.
Unfortunately you're responsible to Yahoo to make sure that all who get the email have asked for it, and that all returns due to undeliverables, and all addresses from people who unsubscribe, are immediately removed from the list. Also that each outgoing email includes a remove from list link. If you can't guarantee that to Yahoo, then don't allow your client to send using a mailing list. This needs to be in your terms of service to your client.
- Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.
The problem im having is that they blocked my server ip, prolly for too much traffic..
They'll unblock once you've done all they ask and open up a feedback loop with them (ask them how).

Note that they don't require everyone sending them email to use DKIM; I don't know the threshold, but I do know I can successfully send email to Yahoo, even list mail, and I don't run DKIM.
the real problem is that traffic is made by newsletter and mailing list from my customer..
No, the real problem is that you're responsible for that email even though it's your customer sending it. If you're not willing to take that responsibility then put your client on his own server and VPS and have him manage his email settings himself.
and who receive the email is cause he asked for it...
You don't know that and can't prove it. At least some people are complaining to Yahoo, or they wouldn't be getting involved.
im not so good on english, ive tryed to explain better i can to them what is going on but... seems they dont understand me so well...
Your english doesn't matter to them at all. All they care about is that you do what they're asking.
but they mention the DKIM thing as a way to solve the problem (i think they meant that).
You'll still need to make sure your client is handling list management and content correctly. Yahoo is a US-based company, and they want all your outgoing mail to them to be in compliance with the US Can Spam Act (wikipedia.org).
stop apache to send email and so force user to use smtp auth with your spamblocker (if exim have to do something for that or is another thing to edit)...
You can turn off the sendmail interface by deleting the sendmail link. You can turn off local unauthenticated smtp by removing 127.0.0.1 from the relay_hosts hostlist. But these are both server-wide settings.

Jeff
 
Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.
Neil,

I'd be happy to work with you and trying out adding DKIM to outoing email on the server I use personally, for testing purposes. Please contact me by email at the address below in my siglines.

Jeff
 
Thanks for your reply and suggestions.

I'm trying to find a solution, so I'll ask you about the things I didn't completely get.

Code:
1 stop apache to send email and so force user to use smtp auth with your spamblocker (if exim have to do something for that or is another thing to edit)...
You can turn off the sendmail interface by deleting the sendmail link. You can turn off local unauthenticated smtp by removing 127.0.0.1 from the relay_hosts hostlist. But these are both server-wide settings.

What do you mean by server-wide settings? Should that modification of exim.conf cause problems?

2 Does majordomo send the unsubscribe link automatically?

Code:
3 - Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.

What does "process bounces" / opt-in mean? And what is double opt-in?
If I understood correctly it is a way to subscribe, but I could be wrong.

Opt-in is the user subscribing to the newsletter/email (or the majordomo owner inserting the email?)
Double opt-in is the user subscribing and then receiving an email to confirm the address, or something like that?

How should I check what method every single user is using to add subscribers? I mean, some use majordomo, some the "built-in website" newsletter for registered users.

And how should I check if they send a confirmation for removal?
And (sorry for this bunch of questions) does majordomo automatically delete the emails that get frozen or got errors?

And a last question... in case I'm not able to understand who and how, how much would it cost to hire you for those checks/fixes?

thanks in advance, as usual

PS: sorry for my English... I'm sure there is a better way to ask this stuff; English is just not my main language :)
 
what do u mean for server-wide settings? should cause prooblems that modify of exim.conf?
If you turn off the sendmail interface then no php or perl programs that use it will be able to send email. If you turn off local unauthenticated smtp, then no program on the server will be able to send email by direct connection on port 25.
2 does majordomo send the unsubscribe link automatically?
No. In fact majordomo does nothing by itself to make it compliant, except that you can set it to not automatically sign up people unless they send a confirmation email.
Code:
3 - Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.
I don't understand what you wrote above.
what process bounces opt-in means? and what double opt-in?
if i understood fine is a way to subscribe, but i should be wrong

opt-in is user subscribe to newsletter/email (or majordomo owner insert the email?)
doube opt-in is user subscribe and receive an email for confirm the email or something like that?
You're correct.
how should i check what every single user is using as method for add user? i mean, some using majordomo, some the "built in website" newsletter for registered user.
That's for you to decide. You may need to sign up for their lists to see if they follow the rules. You should have a strong Terms of Service so you can immediately shut down any client who doesn't do it right.
and, how should i check if they send with the confirmation for get removed?
Again, try subscribing and unsubscribing yourself.

Also make sure your clients know that they MUST do this and if they don't you'll either suspend their account or their email.
and (sorry for those bounce of question) does majordomo delete automatically the emails that get frozen or got errors?
No.
and last question... in case im not able to understnad who and how, how much should cost hire you for those check/fix?
Please feel free to contact me by email with this question. If you do, please put everything in your email. Do not expect me to log back on to the DirectAdmin forums to understand what you're writing about.

And note that it's not easy for me or anyone else to figure out what your clients are doing. Do you really want every line of code in every site audited? That could take hundreds of hours. Best you narrow down your problem users, check their sites, try signing up to their forms, etc.
thanks in advance, as usual

PS.. sorry for my english.. im sure there is a better way to ask those stuff... just english is not my main language :)
You're very welcome. Don't worry about your English and I won't worry about my utter lack of acquaintance with Italian :).

Jeff
 
SeLLeRoNe :
I myself try to monitor the exim queue every now and then to see which customers are sending a lot of emails. After a while you know what your average normal "outgoing" or "incoming" email volume is and can spot the differences pretty easily.

(I do not have many customers... so it's perhaps not a good way for you.)

From there I check their website. It's manual, but it works.

Having the same problem as you with Yahoo, I'm looking into the same things, and I am very interested in whether you're going to implement DKIM or not.


jlasman :
Thanks again for your great work on SpamBlocker. I love it and the doc is great :)
 
OK, I've installed DKIM in my exim.conf (SB4), but I had to make a modification in the add_dkim file because it was pointing to /var/named and I have /etc/bind (OS related maybe; I'm using Debian).

And in the command to add all domains I made a change to point to the correct file path:

Code:
for d in */; do /etc/virtual/add_dkim "${d%/}"; done

Emails are still working (at least it seems so), but I would like to understand how someone who receives my email can tell whether I'm using DKIM or not (if they can check that).

The edits to exim.conf I made are in these places:

Code:
#EDIT#13:
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_dkim = acl_check_dkim
acl_smtp_rcpt = acl_check_recipient
acl_smtp_data = acl_check_message

Code:
#EDIT#25:
acl_check_helo:
  # accept mail originating on this server unconditionally
  accept  hosts = @[] : @
  # deny if the HELO pretends to be this host
    deny message = Bad HELO - Host impersonating hostname [$sender_helo_name]
      condition = ${if or { \
                            {match{$sender_helo_name}{$smtp_active_hostname}} \
                            {eq{$sender_helo_name}{[$interface_address]}} \
                          } {true}{false} }
  # deny if the HELO is an IP address
    deny message = HELO is an IP address (See RFC2821 4.1.3)
         condition   = ${if isip{$sender_helo_name}}
  # deny if the HELO pretends to be one of the domains hosted on the server
    deny message = Bad HELO - Host impersonating domain name [$sender_helo_name]
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
        hosts = ! +relay_hosts
  accept

acl_check_dkim:
        # Exim calls this ACL once per signing domain it verifies. $dkim_verify_status is
        # one of none, invalid, fail or pass; when it is not pass, $dkim_verify_reason
        # says why (pkey_unavailable, pkey_syntax, bodyhash_mismatch, signature_incorrect).
        # Each warn records the result for the current signer in an X-DKIM-Status header;
        # dkim_status alone selects the result, so no extra condition line is needed.
        # With the default dkim_verify_signers ($dkim_signers) the ACL is not run at all
        # for an unsigned message, so the none branch fires only if that main option is
        # widened, for example to $sender_address_domain:$dkim_signers.

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = invalid

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = fail

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = none

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                dkim_status     = pass

        # The header is informational only; acting on it is left to downstream
        # rules (SpamAssassin, client filters), so always accept here.
        accept

Code:
#COMMENT#61:
remote_smtp:
  driver = smtp
  dkim_domain = $sender_address_domain
  dkim_selector = x
  # Sign only when the sender domain is hosted here (listed in /etc/virtual/domains).
  # An empty result makes Exim send the message unsigned instead of trying to read a
  # non-existent key such as /etc/virtual/ERROR/dkim.private.key and failing delivery.
  dkim_private_key = ${lookup{$sender_address_domain}lsearch{/etc/virtual/domains}{/etc/virtual/$sender_address_domain/dkim.private.key}{}}
  dkim_canon = relaxed

Hope this is helpful to someone.

regards
 
Oh, I have a question, by the way...

In the post script, how should I put the command line?

/etc/virtual/add_dkim DOMAIN

My question is: how do I get the domain name? Which variable is it?
 
OK, now I've done some tests; it seems that on local relay the DKIM signature doesn't appear in the header, but on external relay it does appear.

I'm having just one problem in the header at the moment:

Code:
X-DKIM-Status: invalid [(crazynetwork.it) - 81.174.67.21]

Did I miss something?

The IP of the domain is that one, so I don't get why it fails the check (or maybe I understood that error in a wrong way).

#EDIT
I just noticed that if I send an email from the same server but a different domain (that is on a different/shared IP), the DKIM passes:

X-DKIM-Status: pass [(iannucci.net) - 81.174.67.21]

But DKIM always checks the server's main IP, and the iannucci.net domain is on 194.177.98.234 and not on 81.174.67.21.

Any suggestions?

Thanks
 