DKIM not working / New Install / Deb 11

/var/log/exim/paniclog* shows nothing whatsoever over dkim

Sent emails are just quietly not being DKIM tagged, even though it's configured, without any information anywhere.
I don't, for example, see any errors generated by EXIM telling me something like "I cannot tag outgoing emails with DKIM because .... "
 
exim.dkim.conf is v1.7

This line has me interested:

dkim_private_key = ${if exists{/etc/virtual/$dkim_domain/dkim.private.key}{/etc/virtual/$dkim_domain/dkim.private.key}{0}}

My key files are there but what if $dkim_domain is incorrect? No error is generated, it will just silently not work if I read this correctly.

Does anyone know how I can see what these variables are? Is there a way to get logging on this?
 
Enable it in the exim configs and Exim:
da build exim
da build eximconf
Back to basics.
So the DKIM key appears on the email page of the account. Did you add this key to your external DNS?

At this moment we're at Exim 4.98 #2
exim.pl does not have a version stated anymore
exim.dkim.conf is version 1.7

I use an external DNS. All my DKIM stuff is there. So far this is irrelevant as outgoing emails
are not tagged at all.
That is not irrelevant, on the contrary. Your external DNS should contain your DKIM key.

This is how the key permissions and ownership should look:
Code:
-rw-------    1 mail      mail   1.7K 2023-12-20 15:00 dkim.private.key
-rw-------    1 mail      mail    451 2023-12-20 15:00 dkim.public.key
 
Back to basics.
So the DKIM key appears on the email page of the account. Did you add this key to your external DNS?

Hi, thank you so much for the reply.

Yes, it is added at Contabo, where my server is hosted.

Stupid question perhaps: If the key pasted at the external DNS had any error in it, would this cause this failure mode?

I ask as many forums on Exim / DKIM seem to mention spaces being added to the key when pasting. If this were the case,
would the DKIM not be added to the outgoing email?

At this moment we're at Exim 4.98 #2
exim.pl does not have a version stated anymore
exim.dkim.conf is version 1.7

I am at Exim 4.98, exim.conf 4.5.50 (non custom), exim.dkim.conf 1.7 so that it looks like I am up to date.

That is not irrelevant, on the contrary. Your external DNS should contain your DKIM key.

This is how the key permissions and ownership should look:
Code:
-rw-------    1 mail      mail   1.7K 2023-12-20 15:00 dkim.private.key
-rw-------    1 mail      mail    451 2023-12-20 15:00 dkim.public.key

Thank you. I put them back to 600 after a very brief probe.
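Two things asked in this thread can be checked before any mail is sent: whether the `${if exists{...}{...}{0}}` expansion from the first post is quietly turning signing off because the key file is not where `$dkim_domain` points, and whether the record pasted into external DNS (spaces and all) still matches the public key on the server. The script below is an added example, not code from this thread, from DirectAdmin or from Exim; the key root, the sample key body and the sample TXT records are constructed placeholders, and `demo_key_dir` builds a throw-away directory instead of touching /etc/virtual.

```python
"""Added example (not from the thread, DirectAdmin or Exim): DKIM preflight.

Mirrors the silent fallback in
    dkim_private_key = ${if exists{/etc/virtual/$dkim_domain/dkim.private.key}
                          {/etc/virtual/$dkim_domain/dkim.private.key}{0}}
(no file -> "0" -> no signature, no log line), checks the expected
-rw------- mail:mail layout, and compares the p= tag of a DKIM TXT record
with the local public key.  All sample data below is constructed.
"""
import os
import pwd
import re
import stat
import tempfile
from pathlib import Path


def resolve_private_key(domain: str, key_root: str = "/etc/virtual") -> str:
    """Expand like Exim would: the path if the file exists, otherwise "0".

    Exim reads dkim_private_key = 0 as "do not sign", so a misnamed
    directory (wrong $dkim_domain) or a missing file disables signing silently.
    """
    path = Path(key_root) / domain / "dkim.private.key"
    return str(path) if path.is_file() else "0"


def key_file_problems(expanded: str, expected_owner: str = "mail") -> list:
    """Deviations from the expected layout: -rw------- mail mail dkim.private.key."""
    if expanded == "0":
        return ["private key not found: dkim_private_key expands to 0, signing is off"]
    st = os.stat(expanded)
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"mode is {oct(mode)}, expected 0o600")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner != expected_owner:
        problems.append(f"owner is {owner}, expected {expected_owner}")
    return problems


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record into tag=value pairs (RFC 6376 tag list).

    DNS tooling shows long TXT values as several quoted strings; those are
    concatenated first.  Inner whitespace in values is kept so the caller
    can tell a pasted-with-spaces key from a clean one.
    """
    joined = "".join(re.findall(r'"([^"]*)"', txt)) if '"' in txt else txt
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def pem_body(pem: str) -> str:
    """Base64 body of a PEM public key: header, footer and line breaks removed."""
    lines = [line.strip() for line in pem.splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def check_record_against_key(txt: str, pem: str) -> dict:
    """Compare the published record with the local public key.

    Whitespace inside p= is legal (verifiers ignore it) and is only reported.
    A missing, empty or different p= does not stop Exim from signing, but
    every receiver will then fail to verify the signature.
    """
    tags = parse_dkim_record(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected k={tags['k']}")
    raw_p = tags.get("p")
    whitespace = bool(raw_p) and re.search(r"\s", raw_p) is not None
    if raw_p is None:
        problems.append("no p= tag in record")
    elif raw_p == "":
        problems.append("p= is empty, which means the key is revoked")
    elif re.sub(r"\s+", "", raw_p) != pem_body(pem):
        problems.append("p= does not match the local public key")
    return {"problems": problems, "whitespace_in_p": whitespace}


# Constructed sample key body: NOT a real key, just base64-looking filler.
_BODY = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSampleBody"
         "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/AB")
SAMPLE_PEM = f"-----BEGIN PUBLIC KEY-----\n{_BODY[:64]}\n{_BODY[64:]}\n-----END PUBLIC KEY-----\n"
GOOD_RECORD = f'"v=DKIM1; k=rsa; " "p={_BODY[:60]}" "{_BODY[60:]}"'   # split TXT strings
SPACED_RECORD = f"v=DKIM1; k=rsa; p={_BODY[:40]} {_BODY[40:]}"        # space added on paste
TRUNCATED_RECORD = f"v=DKIM1; k=rsa; p={_BODY[:-8]}"                  # tail lost on paste


def demo_key_dir() -> dict:
    """Build a throw-away /etc/virtual look-alike and run the file checks on it."""
    me = pwd.getpwuid(os.getuid()).pw_name          # temp files are owned by us, not mail
    root = Path(tempfile.mkdtemp())
    for name, mode in (("good.example", 0o600), ("loose.example", 0o644)):
        (root / name).mkdir()
        key = root / name / "dkim.private.key"
        key.write_text("constructed placeholder, not a real key\n")
        key.chmod(mode)
    return {name: key_file_problems(resolve_private_key(name, str(root)), me)
            for name in ("good.example", "loose.example", "missing.example")}
```

To see how Exim itself evaluates the expansion, substitute a literal domain for `$dkim_domain` (that variable is only set while a message is being signed) and run it through Exim's expansion test mode, e.g. `exim -be '${if exists{/etc/virtual/example.com/dkim.private.key}{found}{0}}'`; a result of `0` is exactly the silent "no signature" case.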
 
Back to basics.
So the DKIM key appears on the email page of the account. Did you add this key to your external DNS?
I just verified again, under DNS in DirectAdmin, the x._domainkey is present.

Next, I am going to verify that this is correctly pasted at the host/DNS site.
 
Back to basics.
I just verified that my key is on the external DNS. Using dmarcian.com service the key comes back as valid.

Version: DKIM1
KeyType: RSA
Public Key Length 2048

"Your DKIM record is valid"

I also checked with what is stored on the DirectAdmin server and that matches.

One thing I noticed is that my DKIM selector is "x" and I do not have a "default" selector.

Most everyone seems to simply call their one and only DKIM record "default". Could this be it? Could this be the mistake I am making?
 
Duh.... ok, I read some more and it doesn't matter what my "selector" is called as long as that is what is in the "exim.dkim.conf"

I verified this, and it's correct there.

So as things stand now, I have a valid DKIM key on my DNS, I have followed the guides and installed everything according to those guides, my server is otherwise working.

No DKIM is added to outgoing emails, there are no panic logs.

Now I wonder if the path to the key is somehow being handed to the exim.dkim.conf incorrectly. Going to try hard coding that path to see if I can get something to happen.
 
Nope. Hard coding stuff into exim.conf & exim.dkim.conf was a bad idea and broke exim. Reverted.
 
One thing I noticed is that my DKIM selector is "x" and I do not have a "default" selector.
Everybody on Directadmin has the default selector set to "x" so that is correct. One can change it but it's not required.

Stupid question perhaps: If the key pasted at the external DNS had any error in it, would this cause this failure mode?
Not on the signing, but it would cause DKIM failure at the receiver, because the DKIM in DNS is checked against the DKIM signature in your mail header.
I am at Exim 4.98
If you give the exim --version command I presume you also see the #2 in there.

Hardcoding is mostly a bad idea, things should just work.
Do you have any customisation anywhere which could influence Exim, like in the /usr/local/directadmin/custombuild/custom directory (or subdirectory from there), custom template directory or any other custom directory or maybe some exim.variables.conf.custom or exim.strings.conf.custom file?

I have a valid DKIM key on my DNS
OK, and that key is also visible on the appropriate e-mail page of the domain, I presume.

The path should be OK, it's just all default. I also use the same 1.7 version for exim dkim.

So if you use mail-tester.com then this will show you that the mail is not signed or what exact error is given there?
 
Tests show that the email is not signed at all.

I am on Deb 11 too.

After trying hard coded paths, and very briefly breaking Exim, I backed off and away from that approach. This is something for a sandbox machine and not a live server. As no DKIM was being appended, I was exploring the possibility of an environment variable being wrong or a key file being in the wrong place. A good idea for one with greater knowledge than myself, or rather, a bad idea for one at my level of understanding.

Your comment on the other thread in regards to peculiarities of Deb 11 got my attention. As I do not know the inner workings of Exim nor where Deb 11 may block things from working, I would have to spend a good deal of effort to ramp up my knowledge on both.

I have raised a ticket with DirectAdmin for support on this issue.

Until I have evidence to the contrary, I will suspect that I have misconfigured something.

Will keep this thread updated as progress is made.
 
My Deb:
======
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
 
Exim Version:
========
root@server:~# exim --version
Exim version 4.98 #2 built 14-Dec-2024 22:56:25
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2024
Hints DB:
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: Content_Scanning crypteq iconv() IPv6 Perl move_frozen_messages OpenSSL TLS_resume DANE DKIM DNSSEC ESMTP_Limits ESMTP_Wellknown Event OCSP PIPECONNECT PRDR Queue_Ramp SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
2024-12-15 15:45:51 cwd=/root 2 args: exim --version
Configuration file is /etc/exim.conf
 
Let's call in some help just to be sure.
@Zhenyapan weren't you also with some server on Debian 11? Any clue what could be wrong here? Maybe @mxroute or @zEitEr a clue?

Did you check if your /etc/exim.variables.conf file contains these lines?
tls_dhparam = /etc/exim_dh.pem
tls_dh_max_bits = 4096
 
Top bit of /etc/exim.variables.conf :
======================
#Do not edit this file directly
#edit /etc/exim.variables.conf.custom
daemon_smtp_ports=25 : 587 : 465
tls_on_connect_ports=465
disable_ipv6=false
message_size_limit=50M
smtp_receive_timeout=5m
smtp_accept_max=100
message_body_visible=3000
print_topbitchars=true
recipients_max=150
smtp_accept_queue_per_connection=10
smtp_accept_max_per_connection=100
deliver_queue_load_max=10.0
queue_only_load=100.0
queue_run_max=20
ignore_bounce_errors_after=2d
timeout_frozen_after=3d
trusted_users=mail:majordomo:diradmin
split_spool_directory=yes
keep_environment=PWD:HOME
 
Yay! OK, it's all working now.

I opened a support ticket and it came back with "you do not have dmarc set anywhere". They could also have said "you big dummy" :)

All of my problems were at the DNS side. I had pasted the DKIM public key wrong, I did not set a dmarc record. Really basic stuff.

Instead of catching this I got tunnel vision and began to study the API for EXIM, reading scripts, looking at low level details.

Richard G. thank you very much for the dialogue. It helped me to snap out of the tunnel and change what I was doing. You were very helpful.

For anyone else hitting this thread with the same basic symptom just follow this guide:


Then take your time and be patient with setting all the records on your DNS whether you have your own or it is upstream with your server host.

Also, feel free to message me. I have made all of the most basic and silly errors possible so perhaps this could make me helpful.

Thank you all!
 
I opened a support ticket and it came back with "you do not have dmarc set anywhere".
Yeah so what? You don't need to have DMARC set or enabled to have DKIM signing working. I also have DKIM on some accounts without DMARC.

But not pasting the DKIM public key correctly is only DNS, that should not have prevented the mail being signed, and you didn't see any signing in the headers you said. So I still don't understand the solution. ;)

Anyway, glad you fixed it now, but for anybody reading, DMARC is a plus and wise to use, but it's certainly not mandatory to have DKIM working.
 
I cannot explain why it is signing now and was not before. I did bang my wrench on many things during this process.

In other words, I actually cannot tell you why it was not working and I do not now know why it is. The DNS stuff was an ugly mess, that was also my doing :)
 
I did toggle "ENABLE DKIM" on and off a few times. I nuked my keys, regenerated. I updated everything including Exim. I hacked a few config scripts, backed those changes out. I cleared out the DNS entries and re-did them. I also raised a ticket with DirectAdmin and they peered under the hood of my server.

Somewhere in there, things started to work. I am sorry, I just don't know where the issue was.
 