Exim mail not signing DKIM. Can't find what's wrong. (detailed description of steps taken)

December 13, 2014

Hi,

I'd like to set up my fresh server for hosting my www.bolleboos.be website and enable
sending of email from my PHP scripts.
So... I installed Apache, PHP, MySQL, ... and for the mail, exim4.

Sending mail already works fine and I also managed to get SPF working.

If I send a mail to check-auth@verifier.port25.com then it returns me

SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

So the logical next step would be to enable DKIM.

I created a 1024-bit private key with

#openssl genrsa -out dkim.private.key 1024

and then the public key with

#openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM

These files are now in /etc/exim4/

Then I edited the file /etc/exim4/conf.d/transport/00exim4-configheader and added the following content

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

DKIM_CANON = relaxed
DKIM_DOMAIN = bolleboos.be
DKIM_SELECTOR = dkim
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key

After that I executed the following commands (as root user)

/etc/init.d/exim4 stop
update-exim4.conf
/etc/init.d/exim4 stop

Everything executes fine.

I also added a few things to my DNS

My zone file looks like this now

$ORIGIN bolleboos.be.
$TTL 1800
bolleboos.be. IN SOA ns1.digitalocean.com. hostmaster.bolleboos.be. 1418477398 10800 3600 604800 1800
bolleboos.be. 1800 IN NS ns1.digitalocean.com.
bolleboos.be. 1800 IN NS ns2.digitalocean.com.
bolleboos.be. 1800 IN NS ns3.digitalocean.com.
bolleboos.be. 1800 IN A 128.199.43.113
*.bolleboos.be. 1800 IN CNAME bolleboos.be.
bolleboos.be. 1800 IN MX 10 mx.mailprotect.be.
bolleboos.be. 1800 IN MX 50 mx.backup.mailprotect.be.
bolleboos.be. 1800 IN TXT "v=spf1 a:bolleboos.be -all"
dkim._domainkey.bolleboos.be. 1800 IN TXT "TXT v=DKIM1; t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWdCBmsPYub6KXNdiuntRwQJ8y LLh1viv3YLeoNW7ayPDHXFpR3O1pcU3fHQimhSBH67KXpH7oWAfka09GRUCh7UBm iEbjldlrTXdX7QBr4Ff70vRIhBogkwN8rRPlF+c69lRkrALJp6psOD4D1Gwx58kZ LDQrM19qwVH+SKIaBQIDAQAB"

When I now send mail to the port25 checker, I still get the message back with DKIM as neutral and it also says my mail was not signed. So it looks like Exim doesn't sign my mail?

Is there something I might have done wrong, or can I check certain log files to see if something is not right?

Kind regards,
Bart

2 Answers

You have a wrong TXT record. Use this value for the TXT record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWdCBmsPYub6KXNdiuntRwQJ8y LLh1viv3YLeoNW7ayPDHXFpR3O1pcU3fHQimhSBH67KXpH7oWAfka09GRUCh7UBm iEbjldlrTXdX7QBr4Ff70vRIhBogkwN8rRPlF+c69lRkrALJp6psOD4D1Gwx58kZ LDQrM19qwVH+SKIaBQIDAQAB
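Whether the selector record is well formed and really carries the key Exim signs with is worth checking before looking at Exim itself, and it is exactly the thing a verifier will not explain beyond "neutral". The script below is an added example, not code from the thread: it parses a DKIM key record the way RFC 6376 section 3.6.1 defines it (a tag=value list; folding whitespace is allowed inside the base64 of p=; v=, when present, must be DKIM1 and come first; t=y marks testing mode) and compares p= with the base64 body of the PEM that `openssl rsa -pubout` writes, which is the same value the "make sure that your DNS matches" line in the next answer builds. The sample record and PEM are constructed from the public key posted in the question, with the stray "TXT" token and t=y left in so the checker has something to flag; the function and variable names are the example's own.

```python
"""Check a DKIM key record (selector._domainkey TXT value) against the
public key PEM. Added example; the sample data is constructed from the
key posted in the question, the names are the example's own."""
import base64
import binascii
import re

# Constructed sample: base64 SubjectPublicKeyInfo from the question's record.
PUBKEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWdCBmsPYub6KXNdiuntRwQJ8y"
    "LLh1viv3YLeoNW7ayPDHXFpR3O1pcU3fHQimhSBH67KXpH7oWAfka09GRUCh7UBm"
    "iEbjldlrTXdX7QBr4Ff70vRIhBogkwN8rRPlF+c69lRkrALJp6psOD4D1Gwx58kZ"
    "LDQrM19qwVH+SKIaBQIDAQAB"
)
# What `openssl rsa -pubout` writes: the same base64, wrapped at 64 columns.
PEM_FILE = ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(PUBKEY_B64[i:i + 64] for i in range(0, len(PUBKEY_B64), 64))
            + "\n-----END PUBLIC KEY-----\n")
# p= as it appeared in the zone file, with the line-wrap spaces kept.
P_WITH_SPACES = (PUBKEY_B64[:64] + " " + PUBKEY_B64[64:128] + " "
                 + PUBKEY_B64[128:192] + " " + PUBKEY_B64[192:])
RECORD_AS_POSTED = "TXT v=DKIM1; t=y; k=rsa; p=" + P_WITH_SPACES
RECORD_FIXED = "v=DKIM1; k=rsa; p=" + P_WITH_SPACES

TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def parse_dkim_record(txt):
    """Return (tags, findings). tags maps tag name to value; findings is a
    list of human-readable problems, entries starting "note:" are advisory."""
    tags, findings = {}, []
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            findings.append(f"not a tag=value pair: {field!r}")
            continue
        name, value = (s.strip() for s in field.split("=", 1))
        if not TAG_NAME.fullmatch(name):
            # the question's record read "TXT v=DKIM1": "TXT v" is not a tag name
            findings.append(f"bad tag name: {name!r}")
            continue
        if name in tags:
            findings.append(f"duplicate tag: {name}")
        if name == "p":
            value = re.sub(r"\s+", "", value)  # folding whitespace inside base64 is legal
        tags[name] = value
    if "v" in tags and (tags["v"] != "DKIM1" or not txt.lstrip().startswith("v=")):
        findings.append("v= must be DKIM1 and, when present, the first tag")
    if "p" not in tags:
        findings.append("missing p= tag")
    elif tags["p"] == "":
        findings.append("p= is empty: this record revokes the key")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            findings.append("p= is not valid base64")
        else:
            # a 1024-bit RSA SubjectPublicKeyInfo is 162 bytes, a 2048-bit one 294
            if len(der) < 200:
                findings.append("note: 1024-bit key; RFC 8301 recommends 2048 bits")
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"unsupported key type k={tags['k']}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing flag set, verifiers treat a failed signature like unsigned mail")
    return tags, findings


def pem_public_key_b64(pem):
    """Base64 body of a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block, which is
    exactly the p= value. Returns None for any other block type, e.g. the
    PKCS#1 "RSA PUBLIC KEY" form, which is not what DKIM verifiers expect."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PUBLIC KEY-----":
        return None
    return "".join(line for line in lines[1:] if not line.startswith("-----"))


def check_record_against_key(txt, pem):
    """True when the record's p= equals the key file; findings explain the rest."""
    tags, findings = parse_dkim_record(txt)
    key_b64 = pem_public_key_b64(pem)
    if key_b64 is None:
        findings.append("PEM is not a PUBLIC KEY block; regenerate it with openssl rsa -pubout")
        return False, findings
    if tags.get("p") != key_b64:
        findings.append("p= does not match the public key file")
        return False, findings
    return True, findings


if __name__ == "__main__":
    for label, rec in (("as posted", RECORD_AS_POSTED), ("fixed", RECORD_FIXED)):
        ok, findings = check_record_against_key(rec, PEM_FILE)
        print(f"{label}: key matches={ok}")
        for f in findings:
            print("  -", f)
```

Run against the record as posted it reports that the key does match the PEM but that "TXT v" is not a tag name and that t=y is set; against the corrected record only the advisory key-size note remains. To use it on a live domain, feed it the output of `dig +short TXT selector._domainkey.example.com` (quotes joined) and the PEM from /etc/exim4.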

You put your config in /etc/exim4/conf.d/transport/00exim4-configheader, which assumes that you are using the split configuration. By default, when setting up Exim (at least on Ubuntu) "<No>" is selected when asked "Split configuration into small files?". If you went with the defaults, then you should add your config options to /etc/exim4/exim4.conf.localmacros.

This was exactly my problem. I followed a guide that had me create /etc/exim4/conf.d/main/00_config_dkimoptions and after updating the config and restarting Exim, it still was not signing. Eventually, I found a post on Server Fault (Exim4 doesn't add DKIM signatures) and realized my problem.

I looked at the output from:

exim -bV

Which pointed me to /var/lib/exim4/config.autogenerated. There I found this:

#########
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# This file was generated dynamically from
# non-split config (/etc/exim4/exim4.conf.localmacros
# and /etc/exim4/exim4.conf.template).
# The config files are supplemented with package installation/configuration
# settings managed by debconf. This data is stored in
# /etc/exim4/update-exim4.conf.conf
# Any changes you make here will be lost.
# See /usr/share/doc/exim4-base/README.Debian.gz and update-exim4.conf(8)
# for instructions of customization.
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
#########

Since /etc/exim4/exim4.conf.localmacros didn't exist, I just copied the config to that new file:

sudo cp /etc/exim4/conf.d/main/00_config_dkimoptions /etc/exim4/exim4.conf.localmacros

Now, after applying those updates:

sudo update-exim4.conf
sudo service exim4 restart

IT WORKS!!

Basically, here is everything I did:

SELECTOR=$(date +%Y%m%d%H%M%S)
DOMAIN=example.com

# genrsa takes the key size as its last argument and has no -outform option
# (1024 bits was used here; 2048 is the size recommended today, see RFC 8301)
openssl genrsa -out ${SELECTOR}._domainkey.${DOMAIN}-private.pem 1024
openssl rsa -in ${SELECTOR}._domainkey.${DOMAIN}-private.pem -out ${SELECTOR}._domainkey.${DOMAIN}.pem -pubout -outform PEM

sudo mkdir -p /etc/exim4/dkim/
sudo cp ${SELECTOR}._domainkey.${DOMAIN}* /etc/exim4/dkim/
# Exim runs as Debian-exim and must be able to read the private key; nobody else should
sudo chown root:Debian-exim /etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}-private.pem
sudo chmod 640 /etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}-private.pem

# macros for the split configuration (conf.d/main/ is read before any "begin" line)
sudo tee -a /etc/exim4/conf.d/main/00_config_dkimoptions > /dev/null <<EOF
DKIM_CANON = relaxed
DKIM_SELECTOR = ${SELECTOR}
DKIM_DOMAIN = ${DOMAIN}
DKIM_PRIVATE_KEY = /etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}-private.pem
EOF

# the non-split configuration only reads exim4.conf.localmacros, so the same macros go there too
cat /etc/exim4/conf.d/main/00_config_dkimoptions | sudo tee -a /etc/exim4/exim4.conf.localmacros > /dev/null

sudo update-exim4.conf
sudo service exim4 restart

Also, make sure that your DNS matches; this prints the zone-file line to add (the p= value is the PEM body with the header, footer and line breaks removed):

PUB=/etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}.pem
echo "${SELECTOR}._domainkey IN TXT \"v=DKIM1; k=rsa; p=$(sed '/^-----/d' "$PUB" | tr -d '\n')\""
  • Oops. I left a bad line in there. That DKIM_SIGN_HEADERS shouldn't be in there. And to make thinks a little cleaner, I made the value of DKIM_PRIVATE_KEY the actual file (value of DKIM_FILE) and removed DKIM_FILE.
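The lesson of this answer, that the macros have to land in the file update-exim4.conf actually reads, can be checked mechanically rather than by sending test mail. The functions below are an added example, not the answer's own script: they read the generated configuration (by default /var/lib/exim4/config.autogenerated, the path `exim -bV` reports), confirm that DKIM_DOMAIN, DKIM_SELECTOR and DKIM_PRIVATE_KEY are defined before the first `begin` line (Exim treats a `NAME = value` line as a macro definition only in that main part, which is also why the question's placement after `begin transports` could not work), and confirm that the key file exists, is a PEM private key and is not world-readable. They assume Debian-exim as the Exim user and a plain file path in DKIM_PRIVATE_KEY, as in the answer; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check that the DKIM macros reached the
# configuration Exim reads and that the private key is usable by Exim.
# Assumes Debian's layout (generated config /var/lib/exim4/config.autogenerated,
# Exim user Debian-exim) and DKIM_PRIVATE_KEY set to a plain file path.

# main_section CONFIG: print the part before the first "begin" line.
# Only "NAME = value" lines in this part are macro definitions to Exim;
# the same lines after "begin transports" (as in the question) are not.
main_section() {
    sed '/^[[:space:]]*begin[[:space:]]/,$d' "$1"
}

# check_dkim_macros CONFIG: exit 0 when DKIM_DOMAIN, DKIM_SELECTOR and
# DKIM_PRIVATE_KEY are all defined as macros in CONFIG's main section.
check_dkim_macros() {
    config=$1
    main=$(main_section "$config")
    missing=""
    for m in DKIM_DOMAIN DKIM_SELECTOR DKIM_PRIVATE_KEY; do
        printf '%s\n' "$main" | grep -Eq "^[[:space:]]*$m[[:space:]]*=" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "not defined before the first 'begin' line of $config:$missing" >&2
        echo "non-split config reads /etc/exim4/exim4.conf.localmacros, split config reads /etc/exim4/conf.d/main/" >&2
        return 1
    fi
}

# dkim_key_path CONFIG: print the value of the DKIM_PRIVATE_KEY macro.
dkim_key_path() {
    main_section "$1" | sed -n 's/^[[:space:]]*DKIM_PRIVATE_KEY[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# check_dkim_key KEYFILE: must exist, be a PEM private key, and not be world-readable.
check_dkim_key() {
    key=$1
    [ -f "$key" ] || { echo "key file '$key' does not exist" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "$key is world-readable: chown root:Debian-exim and chmod 640 it" >&2
        return 1
    fi
}

# check_dkim [CONFIG]: run both checks against the generated configuration.
check_dkim() {
    config=${1:-/var/lib/exim4/config.autogenerated}
    check_dkim_macros "$config" || return 1
    check_dkim_key "$(dkim_key_path "$config")"
}

# On the server: . ./check_dkim.sh && check_dkim
```

After update-exim4.conf and a restart, `exim -bP transport remote_smtp` shows whether the dkim_domain, dkim_selector and dkim_private_key options of the transport were actually set from those macros; if they are absent there, the macros never reached the generated configuration.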
