On 2013-02-20 at 16:21 +0100, [email protected] wrote:
> remote_smtp:
>    driver = smtp
>    dkim_domain = ${sender_address_domain}
>    dkim_selector = dkimxy
>    dkim_private_key = /usr/local/etc/exim/${sender_address_domain}/dkim.private.key
>    dkim_canon = relaxed
> 
> I was just wondering what the recommended config would be to have DKIM 
> only used on specific domains. One option is to simply have no domain 
> private key for domains without DKIM and let Exim fail reading the key 
> and send anyway (this will log an error every time to the mainlog), but I 
> guess there must be a cleaner way to do this.
> Can anyone advise?

Set the dkim_private_key to "false" instead of a path that doesn't exist.

  dkim_private_key = ${if exists \
    {/usr/local/etc/exim/${sender_address_domain}/dkim.private.key}\
    {/usr/local/etc/exim/${sender_address_domain}/dkim.private.key}\
    {false}}

I recommend also thinking about how you will *roll* your keys, which
you'll need to do periodically; how often depends upon the keysize and
how desirable your domain is to attack, but you should probably roll
them at least once a year, just to make sure that people remember how to
do it.

-Phil

----------------------------8< cut here >8------------------------------
+----------------+---------+-------------+--------------+
|dkim_private_key|Use: smtp|Type: string*|Default: unset|
+----------------+---------+-------------+--------------+

MANDATORY: This sets the private key to use. You can use the $dkim_domain and 
$dkim_selector expansion variables to determine the private key to use. The
result can either

  * be a valid RSA private key in ASCII armor, including line breaks.

  * start with a slash, in which case it is treated as a file that contains the
    private key.

  * be "0", "false" or the empty string, in which case the message will not be
    signed. This case will not result in an error, even if dkim_strict is set.
----------------------------8< cut here >8------------------------------


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
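
An added example, not part of the original message or of Exim's documentation: a POSIX shell audit of the per-domain key layout used in this thread. It reports, for each domain directory, whether the `exists` test would select a key, and flags key files that are world-readable or lack a PEM header. The function names and the `.example` sample domains are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the <base>/<domain>/dkim.private.key layout from the thread.

# Print one status word for a domain (function name is hypothetical).
dkim_status() {
    key="$1/$2/dkim.private.key"
    # Same test as ${if exists{...}}: no file -> "false" -> message not signed
    [ -e "$key" ] || { echo unsigned; return 0; }
    # The file exists, so its path is handed to dkim_private_key; check that
    # it at least carries a PEM private-key header
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
        echo bad-key; return 0
    fi
    # A signing key should not be readable by every local user
    if [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
        echo world-readable; return 0
    fi
    echo signed
}

# Report every domain directory under the base directory.
audit_dkim() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        printf '%s %s\n' "$domain" "$(dkim_status "$1" "$domain")"
    done
}

# Constructed sample tree (placeholder text, not real keys): one domain that
# signs, one with no key, one whose key file is world-readable.
build_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/signed.example" "$d/plain.example" "$d/loose.example"
    for n in signed loose; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
            '-----END RSA PRIVATE KEY-----' > "$d/$n.example/dkim.private.key"
    done
    chmod 600 "$d/signed.example/dkim.private.key"
    chmod 644 "$d/loose.example/dkim.private.key"
    echo "$d"
}

# With a directory argument, audit it (e.g. /usr/local/etc/exim).
if [ "$#" -eq 1 ]; then audit_dkim "$1"; fi
```

Running the audit after each key roll shows which domains gained or lost a key file and whether the new file's mode was set correctly.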
