Exim mail not signing DKIM. Don't find whats wrong. (detailed description of steps taken)

December 13, 2014 5.2k views
educa
By:
educa

Hi,

I'd like to setup my fresh server for hosting my www.bolleboos.be website and enable
sending of email from my php scripts.
So... I installed apache, php, mysql, ... and for the mail exim4

Sending mail allready works fine and I also managed to get SPF working .

If I send a mail to check-auth@verifier.port25.com then it returns me

SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

So logical next step would be to enable DKIM

I created a 1024 bits private key with 

#openssl genrsa -out dkim.private.key 1024

and then the public key with

#openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM

These files are now in /etc/exim4/

Then I edited the file /etc/exim4/conf.d/transport/00exim4-configheader and added the following content

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

DKIM_CANON = relaxed
DKIM_DOMAIN = bolleboos.be
DKIM_SELECTOR = dkim
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key

After that I execute the following commands (as root user)

/etc/init.d/exim4 stop
update-exim4.conf
/etc/init.d/exim4 stop

All executes fine

I also added a few things to my DNS

My zone file looks like this now

$ORIGIN bolleboos.be.
$TTL 1800
bolleboos.be. IN SOA ns1.digitalocean.com. hostmaster.bolleboos.be. 1418477398 10800 3600 604800 1800
bolleboos.be. 1800 IN NS ns1.digitalocean.com.
bolleboos.be. 1800 IN NS ns2.digitalocean.com.
bolleboos.be. 1800 IN NS ns3.digitalocean.com.
bolleboos.be. 1800 IN A 128.199.43.113
*.bolleboos.be. 1800 IN CNAME bolleboos.be.
bolleboos.be. 1800 IN MX 10 mx.mailprotect.be.
bolleboos.be. 1800 IN MX 50 mx.backup.mailprotect.be.
bolleboos.be. 1800 IN TXT "v=spf1 a:bolleboos.be -all"
dkim._domainkey.bolleboos.be. 1800 IN TXT "TXT v=DKIM1; t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWdCBmsPYub6KXNdiuntRwQJ8y LLh1viv3YLeoNW7ayPDHXFpR3O1pcU3fHQimhSBH67KXpH7oWAfka09GRUCh7UBm iEbjldlrTXdX7QBr4Ff70vRIhBogkwN8rRPlF+c69lRkrALJp6psOD4D1Gwx58kZ LDQrM19qwVH+SKIaBQIDAQAB"

When I now send mail to the port25 checker, I still get message back with DKIM as neutral and it also says my mail was not signed. So it looks like exim doesn't sign my mail ?

Is there something I might have done wrong or can I check certain logfiles to see if something is not right ?

Kind regards,
Bart

1 comment
Log In to Comment
2 Answers
totx December 23, 2014

You have wrong TXT-record:
Use value TXT-record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWdCBmsPYub6KXNdiuntRwQJ8y LLh1viv3YLeoNW7ayPDHXFpR3O1pcU3fHQimhSBH67KXpH7oWAfka09GRUCh7UBm iEbjldlrTXdX7QBr4Ff70vRIhBogkwN8rRPlF+c69lRkrALJp6psOD4D1Gwx58kZ LDQrM19qwVH+SKIaBQIDAQAB
Reply
karlwilbur April 23, 2018

You put your conifg in /etc/exim4/conf.d/transport/00exim4-configheader which assumes that you are using split configuration. By default, when setting up Exim (at least on Ubuntu) "<No>" is selected when asked "Split configuration into small files?". If you went with the defaults, then you should add you config options to /etc/exim4/exim4.conf.localmacros.

This was exactly my problem. I followed a guide that had me create /etc/exim4/conf.d/main/00_config_dkimoptions and after updating the config and restarting Exim, it still was not signing. Eventually, I found a post on Server Fault (Exim4 doesn't add DKIM signatures) and realized my problem.

I looked at the output form:

exim -bV

Which pointed me to /var/lib/exim4/config.autogenerated. There I found this:

#########
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# This file was generated dynamically from
# non-split config (/etc/exim4/exim4.conf.localmacros
# and /etc/exim4/exim4.conf.template).
# The config files are supplemented with package installation/configuration
# settings managed by debconf. This data is stored in
# /etc/exim4/update-exim4.conf.conf
# Any changes you make here will be lost.
# See /usr/share/doc/exim4-base/README.Debian.gz and update-exim4.conf(8)
# for instructions of customization.
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
#########

Since /etc/exim4/exim4.conf.localmacros didn't exist, I just copied the config to that new file:

sudo cp /etc/exim4/conf.d/main/00_config_dkimoptions /etc/exim4/exim4.conf.localmacros

Now, after applying those updates:

sudo update-exim4.conf
sudo service exim4 restart

IT WORKS!!

Basically, here is everything I did:

SELECTOR=`date +%Y%m%d%H%M%S`
DOMAIN=example.com

openssl genrsa -out ${SELECTOR}._domainkey.${DOMAIN}-private.pem 1024 -outform PEM
openssl rsa -in ${SELECTOR}._domainkey.${DOMAIN}-private.pem -out ${SELECTOR}._domainkey.${DOMAIN}.pem -pubout -outform PEM

sudo mkdir -p /etc/exim4/dkim/
sudo cp ${SELECTOR}._domainkey.${DOMAIN}* /etc/exim4/dkim/

sudo tee -a /etc/exim4/conf.d/main/00_config_dkimoptions > /dev/null <<EOF
DKIM_CANON = relaxed
DKIM_SELECTOR = ${SELECTOR}
DKIM_DOMAIN = ${DOMAIN}
DKIM_FILE = /etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}-private.pem
DKIM_SIGN_HEADERS = true
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
EOF

cat /etc/exim4/conf.d/main/00_config_dkimoptions | sudo tee -a /etc/exim4/exim4.conf.localmacros > /dev/null

sudo update-exim4.conf
sudo service exim4 restart

Also, make sure that your DNS matches:

${SELECTOR}._domainkey IN TXT "k=rsa; p=$(cat /etc/exim4/dkim/${SELECTOR}._domainkey.${DOMAIN}.pem | sed 's/^-.*-$//' | tr '\n' ',' | sed 's/,//g')"
Reply
  • karlwilbur April 23, 2018

    Oops. I left a bad line in there. That DKIM_SIGN_HEADERS shouldn't be in there. And to make thinks a little cleaner, I made the value of DKIM_PRIVATE_KEY the actual file (value of DKIM_FILE) and removed DKIM_FILE.

Have another answer? Share your knowledge.