DKIM and DirectAdmin

tincboy (Verified User; joined Aug 14, 2009; 126 messages)
Hello,
I'm using Exim 4.72, but my emails are not signed with DKIM.

Is there any configuration that I've missed?

exim -bV
Exim version 4.72 #1 built 14-Sep-2010 07:47:14
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (July 12, 2010)
Support for: crypteq iconv() IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 4
OpenSSL compile-time version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL runtime version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Configuration file is /etc/exim.conf
 
Some steps to do:

In the file /etc/exim.conf, in the first lines, add:

Code:
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/dkim/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}


Find:
Code:
remote_smtp:
  driver = smtp


And replace it with:
Code:
remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = x
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = relaxed
  dkim_strict = 0

This will make Exim do the DKIM signing on outgoing mail but only if it can find a certificate.

Making the certificates is pretty easy; we'll use the domain example.com:
===> REPLACE EXAMPLE.COM !!!
Code:
$ mkdir /etc/dkim/ && cd /etc/dkim/
$ openssl genrsa -out example.com.pem 768
$ openssl rsa -in example.com.pem -out example.com-public.pem -pubout -outform PEM


All that's left now is to update your DNS. Sticking to example.com, you'd add something like this to your BIND zone file; the text to add after p= is the content of the public key called example.com-public.pem in our example:

Code:
    x._domainkey     IN      TXT     "v=DKIM1\; t=y\; k=rsa\; p=MIGfMA0<snip>AQAB"
    _domainkey       IN      TXT     "t=y\; o=~\;"

The x matches up with your dkim_selector in the SMTP transport above. The t=y tells the world you're still testing your setup, so remove that only when you're 100% certain it works. The o=~ tells everyone you will sign only some mail. You can make that o=- if all mail from you is signed.

You can verify your DNS is right like this:

Code:
    $ dig +short txt x._domainkey.example.com
    "v=DKIM1\; k=rsa\; p=MIGfMA0<snip>AQAB"
And finally, if you're sending mail, you should now see a header in the mail like this:

Code:
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=x;
    	h=From:To:Message-Id:Date; bh=g3zLY<snip>5uGs=; b=fonAB<snip>bceHhQ==;
Finally, you can send an email to [email protected] and it will reply with all sorts of test output about your domain, including DKIM validation details.
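As an added example (not code from the thread or from Exim), here is what a receiving verifier does with a header like the one above, written in standard-library Python: it unfolds and parses the DKIM-Signature tags, derives the selector._domainkey.domain name that the dig command queries, applies the relaxed body canonicalization that `dkim_canon = relaxed` selects, recomputes bh= and compares it, and reads the testing (t=y) and key flags from the published TXT record. The sample body, header and TXT record are constructed; the RSA check of b= is deliberately left out because the standard library has no RSA (a library such as dkimpy does that part).

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4): collapse runs
    of space/tab to one space, strip trailing whitespace from every line, drop empty
    lines at the end of the body, and terminate the result with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag for a=rsa-sha256: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def unfold(header: str) -> str:
    """Join a folded header (continuation lines begin with space or tab) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature value or the _domainkey TXT record).
    Whitespace inside values is folding whitespace and is dropped, which is also how
    the long b= and p= values have to be read."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_name(sig: dict) -> str:
    """Where a verifier fetches the public key: the s= selector joined with the d=
    domain, the same name the thread queries with dig."""
    return "%s._domainkey.%s" % (sig.get("s", ""), sig.get("d", ""))


def check_signature(header: str, body: str, txt_record: str) -> list:
    """Return a list of findings; an empty list means the body hash and the published
    record are consistent with the header. The RSA verification of b= over the signed
    headers is not done here; it needs an RSA implementation (e.g. the dkimpy library)."""
    sig = parse_tags(unfold(header).split(":", 1)[1])
    rec = parse_tags(txt_record)
    findings = []
    if sig.get("v") != "1":
        findings.append("unsupported DKIM-Signature version")
    if sig.get("a") != "rsa-sha256":
        findings.append("unexpected algorithm %s" % sig.get("a"))
    canon = sig.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) == 2 else "simple") != "relaxed":
        findings.append("this example only handles relaxed body canonicalization")
    if sig.get("bh") != body_hash(body):
        findings.append("body hash mismatch: body was modified in transit")
    if rec.get("v", "DKIM1") != "DKIM1":
        findings.append("TXT record is not a DKIM1 record")
    if rec.get("k", "rsa") != "rsa":
        findings.append("key type %s is not rsa" % rec.get("k"))
    if not rec.get("p"):
        findings.append("public key revoked or missing (empty p=)")
    if "y" in rec.get("t", "").split(":"):
        findings.append("domain is in testing mode (t=y): a failing signature is treated like unsigned mail")
    return findings


# Constructed sample (not a real message): a body, and a header in the shape shown in
# the thread with bh= computed over that body and a placeholder where b= would be.
SAMPLE_BODY = "Hello,\r\n\r\nThis is a  test   message.  \r\n\r\n\r\n"
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=x;\r\n"
    "\th=From:To:Message-Id:Date; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER==;"
)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIGfMA0PLACEHOLDERAQAB"

if __name__ == "__main__":
    print(dns_name(parse_tags(unfold(SAMPLE_HEADER).split(":", 1)[1])))
    print(check_signature(SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_TXT))
    print(check_signature(SAMPLE_HEADER, SAMPLE_BODY + "added\r\n", SAMPLE_TXT))
```

The second and third print calls show why the body hash matters: the same header verifies against the original body and fails as soon as a line is appended, even though the bytes the sender hashed were only whitespace-normalized, not changed.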
 
The thing is that you would need to add those DNS records for all domains. It could be done with some customizations, I guess, but then I wonder if it would be worth the trouble?
 
It's easy enough to add lines to all your DNS records by manipulating the DNS templates and rewriting DNS.

Jeff
 
I don't know if it is so easy.

Because all entries are different for each domain,
it is necessary to generate a key, take the key, then put it into the DNS record.

Each time we add a new domain on the server.
OK to modify the DNS template, but how to take the new key for my domain?

If you have a solution, I am interested.
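One way to do the per-domain step asked about above, as an added example that is not from the thread or from DirectAdmin: a standard-library Python script that runs the thread's two openssl commands for a new domain (with 2048-bit keys rather than 768, since RFC 6376 requires signers to use at least 1024-bit RSA keys), turns the resulting public PEM into the p= tag, splits the record into 255-character TXT strings where needed, emits the zone line for selector._domainkey.domain, and checks the dig output against the local public key. The `/etc/dkim` layout, the selector `x` and the `\;` escaping follow the thread; the PEM used in the sample is constructed, not a real key, and the openssl calls are only made when `generate_keypair` is invoked.

```python
import re
import subprocess
import textwrap


def generate_keypair(domain: str, keydir: str = "/etc/dkim", bits: int = 2048) -> str:
    """Run the two openssl commands from the thread for one domain and return the
    path of its public key. Every domain gets its own key pair, so revoking or
    rotating one domain's key (publishing an empty p=) never touches the others."""
    priv = "%s/%s.pem" % (keydir, domain)
    pub = "%s/%s-public.pem" % (keydir, domain)
    subprocess.run(["openssl", "genrsa", "-out", priv, str(bits)], check=True)
    subprocess.run(["openssl", "rsa", "-in", priv, "-out", pub, "-pubout",
                    "-outform", "PEM"], check=True)
    return pub


def pem_to_p(public_pem: str) -> str:
    """The p= tag is the base64 body of the PEM file with the BEGIN/END lines and the
    line breaks removed."""
    return "".join(line.strip() for line in public_pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def txt_strings(value: str, max_len: int = 255) -> list:
    """A single TXT character-string holds at most 255 bytes; a longer record (any
    2048-bit key) is published as several quoted strings that verifiers concatenate."""
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_record(domain: str, selector: str, public_pem: str, testing: bool = True) -> str:
    """Zone-file line for selector._domainkey.domain. The \\; escaping follows the
    records in the thread; the tag prefix is far shorter than 255 characters, so a
    split never falls between the backslash and the semicolon."""
    tags = "v=DKIM1\\; " + ("t=y\\; " if testing else "") + "k=rsa\\; p=" + pem_to_p(public_pem)
    quoted = " ".join('"%s"' % s for s in txt_strings(tags))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, quoted)


def zone_lines(public_keys: dict, selector: str = "x", testing: bool = True) -> list:
    """One record per domain, each built from that domain's own public key
    (public_keys maps domain -> PEM text read from <keydir>/<domain>-public.pem)."""
    return [dkim_record(d, selector, pem, testing) for d, pem in sorted(public_keys.items())]


def published_matches(dig_output: str, public_pem: str) -> bool:
    """Compare what `dig +short txt selector._domainkey.domain` printed with the local
    public key: join the quoted strings, undo the \\; escapes, and compare p=."""
    joined = "".join(re.findall(r'"([^"]*)"', dig_output)).replace("\\;", ";")
    m = re.search(r"p=([A-Za-z0-9+/=]*)", joined)
    return bool(m) and m.group(1) == pem_to_p(public_pem)


# Constructed stand-in for example.com-public.pem (not a real key): same layout as the
# file `openssl rsa -pubout` writes, with a fake base64 body long enough to need two
# TXT strings.
CONSTRUCTED_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + "\n".join(textwrap.wrap("MIGfMA0" + "A" * 380 + "AQAB", 64))
                   + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    keys = {"example.com": CONSTRUCTED_PEM, "example.net": CONSTRUCTED_PEM}
    for line in zone_lines(keys):
        print(line)
```

Wiring this into DirectAdmin is the part the thread leaves open: the zone line is what the DNS template needs per domain, and `published_matches` is the check to run after the zone has been rewritten, before removing t=y.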
 
I gave it a try, and using the same key for every domain seems to be working.

Both Gmail and [email protected] give status pass on DKIM when sending from two different domains.

If that's not a good idea, though, please say so.

A problem I did come across is the layout in DNS control. It's stretched out to 1500 pixels, because the full key is in the record. I've tried modifying the HTML so it would give a scrollbar, but |DNS_ROWS| contains the HTML rows, which cannot be modified (as far as I know).

I've tried editing class list2 to CSS overflow, but a td doesn't seem to be affected by it. I've also tried putting a div overflow around the whole DNS table, but that only worked halfway, and not in IE.
 
Hi,

I find it very strange that every domain has the same key.
I understand a key is for one domain.

But maybe I am wrong.

For the problem of the layout in DNS control, I posted something asking the DA admins to modify the code so we can read the page easily. But no answer for some days (maybe my English was so bad that they did not understand my problem :rolleyes: )
 
I'm not sure what the disadvantages are of using the same key. As I see it, the domain names themselves have nothing to do with how the key is generated. I can imagine that a key can be banned on abuse, and that all mails using that key could be affected.

Maybe someone with dkim knowledge can answer this.
 
Do you mean:
Code:
$ openssl genrsa -out example.com.pem 768
$ openssl rsa -in example.com.pem -out example.com-public.pem -pubout -outform PEM

This command does not generate the same key if I run it several times?
 
Yes, it generates a random key, as I understand it. But why wouldn't it be possible to use the same one for all domains?

Code:
remote_smtp:
  driver = smtp
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = /etc/dkim.private.key
  dkim_canon = relaxed
 