Re: [exim] DKIM d= field and corresponding key

2021-10-14 Thread Andy Bennett via Exim-users

Hi,


> I remember how hard it was to find good resources/tutorials about
> setting up DKIM with exim, so I will provide you with my observations
> and settings (which may be good or not).




Thanks for this Slavko! It's exactly what I was looking for (and more), 
especially the remarks about how it interacts with DMARC.

I appreciate you taking the time to write it up for me (and the list!).


I'll have a go at updating my exim config in the next few days.



> Finally, I found the default list of headers to sign not optimal, so I
> borrowed the settings from rspamd, with conditional oversigning and
> signing of headers (can be wrapped), and adapted them for exim:


Is there any reason why the default settings are not optimal?

...and how to choose between relaxed and strict modes?




Best wishes,
@ndy

--
andy...@ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] DKIM d= field and corresponding key

2021-10-14 Thread Slavko via Exim-users
Hi,

On Thu, 14 Oct 2021 14:34:19 +0100, Andy Bennett via Exim-users
wrote:

> I have been trying to find good resources for how DKIM is commonly
> deployed on The Internet: all the DKIM RFCs and early guides seem to
> shift almost all of the policy decisions to the implementors and
> documentation from them seems to be sparse or confusing!

You can use whatever you want in the d= field; the only requirement for
DKIM is that the TXT record for the chosen domain (and selector) exists
and is valid. It has no further requirements, and no relation to other
headers in the mail or to the SMTP commands.

But when you use DMARC too, the requirements for DKIM are stricter: the
value of d= has to match the RFC5322.From (header From:) domain for a
strict match, or has to be its subdomain for a relaxed match.

I remember how hard it was to find good resources/tutorials about
setting up DKIM with exim, so I will provide you with my observations
and settings (which may be good or not).

To fulfill the DMARC requirements I use:

dkim_domain = ${domain:$h_from:}

This setting may not be appropriate for you, as when the expansion
returns an empty string (no valid domain in the header, or multiple
From: headers), DKIM signing will not happen.

One can choose some more advanced expansion to set a default/fallback
value, but I have forced a valid and single From: header elsewhere in
the ACL, thus it is always valid in the transport.

When the expansion of dkim_domain succeeds, the domain value is
available in the $dkim_domain variable, which can then be used in the
next settings. Note that $dkim_domain was set from a mail header, thus
it will be tainted and cannot be used directly to access files in new
Exim versions (see later).

Next, a valid selector needs to be chosen for this domain. You can use a
common selector for all domains, but I differ on a per-domain basis, thus
I store the mapping in a file, e.g. map-dkim:

domain.tld:  selector
...

Or you can choose to use multiple selectors in it (e.g. for dual signing):

domain.tld:  sel_rsa:sel_ed
...

And then I set up the selector based on a domain name lookup in this file:

dkim_selector = ${lookup{$dkim_domain} lsearch{DKIMMAPPING}}

When the domain is not found in this mapping, it returns an empty string,
which means that DKIM processing is stopped and no DKIM signature will
be added to the mail. Thus using the lookup filters out "invalid" domains
and in the same step de-taints the value of $dkim_domain. One can set up
some fallback value here, but I consider it useless, as it can end up
with nonexistent TXT records, which is the same as not signing at all.

When the expansion of dkim_selector returns some value, it is later
accessible in the $dkim_selector variable, which is not tainted (as the
result of a lookup).

Finally you have to choose the private key. I use keys in files, which are
stored in a separate directory with access rights limited to exim's user,
and they are stored in the form:

selector.domain.key

Then I use the $dkim_domain and $dkim_selector variables to access them:

dkim_private_key = ${lookup {$dkim_selector.$dkim_domain.key} \
                            dsearch,ret=full{DKIMDIR}}

Note the use of dsearch, to allow use of the tainted $dkim_domain variable.
Once again, if the key file is not found, the expansion is empty and no
DKIM signing happens.

I use all other DKIM settings the same for all domains, thus I set
them statically, but one can use the "expand" expansion on the result of
the DKIM mapping lookup and set up this mapping file e.g. like this:

domain.tld:  selector=sel_rsa:sel_ed canon=...

Finally, I found the default list of headers to sign not optimal, so I
borrowed the settings from rspamd, with conditional oversigning and
signing of headers (can be wrapped), and adapted them for exim:

dkim_sign_headers = +From:+Reply-To:+Subject:+To:+Cc\
  ${if def:h_Sender: {:+Sender}{}}\
  ${if def:h_Date: {:+Date}{}}\
  ${if def:h_Message-Id: {:+Message-Id}{}}\
  ${if def:h_Mime-Version: {:+Mime-Version}{}}\
  ${if def:h_Content-Description: {:+Content-Description}{}}\
  ${if def:h_Content-Id: {:+Content-Id}{}}\
  ${if def:h_Content-Type: {:+Content-Type}{}}\
  ${if def:h_Content-Transfer-Encoding: {:+Content-Transfer-Encoding}{}}\
  ${if def:h_In-Reply-To: {:+In-Reply-To}{}}\
  ${if def:h_References: {:+References}{}}\
  ${if def:h_Openpgp: {:+Openpgp}{}}\
  ${if def:h_Autocrypt: {:+Autocrypt}{}}\
  :=Resent-To:=Resent-Cc:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-Message-Id\
  :=List-Archive:=List-Id:=List-Help:=List-Owner:=List-Unsubscribe:=List-Subscribe:=List-Post

> I have a low enough volume that Google Postmaster tools won't tell me 
> anything about my domain.

You can enable DMARC rua reports to see auth results.

While I do not use gmail at all, I cannot tell what it means, but I
will guess that the mentioned signature is added to its outgoing mails.
You have to set up your own DKIM, if you are not using some smarthost
which can do it for you.

Do not mix google's reputation 
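
The "forced a valid and single From: header elsewhere in the ACL" guard that Slavko mentions, written out as an added example; this is neither his configuration nor code from the Exim project. The map path is an assumption, and the test for an empty ${domain:$h_from:} relies on the behaviour he describes above, that the expansion comes out empty when From: is missing, unparsable or present more than once. It applies only to authenticated submissions, so inbound mail from third parties is not affected.

```exim
# Added example (not from the list posts or the Exim project).
# /etc/exim/dkim/map is an assumed path to the domain->selector map.

# main section
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Reject submissions whose headers do not parse as RFC 5322; a From:
  # that fails here would also fail ${domain:} in the signing transport.
  deny  authenticated = *
        !verify       = header_syntax
        message       = Header syntax error: $acl_verify_message

  # ${domain:$h_from:} is empty when From: is absent, unparsable or
  # present more than once, so this one test covers all three cases and
  # guarantees dkim_domain = ${domain:$h_from:} is never empty later.
  deny  authenticated = *
        condition     = ${if eq{${domain:$h_from:}}{}}
        message       = Exactly one From: header with a valid domain is required

  # A From: domain with no selector in the map goes out unsigned. Make
  # that visible in the log rather than silently skipping the signature.
  # Tainted lookup keys are fine; only the file name must be untainted.
  warn  authenticated = *
        condition     = ${if eq{${lookup{${domain:$h_from:}} \
                                  lsearch{/etc/exim/dkim/map}}}{}}
        log_message   = no DKIM selector mapped for From domain ${domain:$h_from:}

  accept
```

The warn could be turned into a deny on a relay that should never emit unsigned mail for its own users; leaving it as a log line is the less disruptive choice while domains are still being onboarded.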

Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Slavko via Exim-users
On 14 October 2021 14:50:23 UTC, Odhiambo Washington via Exim-users
wrote:

>> |  This sets the key selector string. After expansion, which can use
>> |  $dkim_domain, this can be a list. Each element in turn is put in the
>> |  expansion variable $dkim_selector which may be used in the
>> |  dkim_private_key option along with $dkim_domain.
>>
>>  Does the assignment dkim_selector="key1:key2" work?
>>
>
>I don't think that would work, because I have to then match a selector to a
>key.

Use something like this (from memory only):

dkim_private_key = $dkim_selector.$dkim_domain.key

Add "if exists" and a path as appropriate (I use dsearch) and store your keys as:

path/selector.domain.key

regards

Slavko



Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users

Randy Bush (Thu 14 Oct 2021 21:02:56 CEST):
> readdressing the key server use fixed it
> 
> server 37.221.193.62 { keys {
>   hummus-exim-rip.psg.com;
>   }; };
> server 2a03:4000:8:637::2 { keys {
>   hummus-exim-rip.psg.com;
>   }; };
> 
> my bad.  i missed any memo about the move and was hacking.

OK. I believe my co-worker, who did the move, tried to contact you
or some responsible person, but I'm not sure if he succeeded. Anyway, it
is solved now and we are happy again :)

Thank you for serving as a secondary.
-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Randy Bush via Exim-users
readdressing the key server use fixed it

server 37.221.193.62 { keys {
  hummus-exim-rip.psg.com;
  }; };
server 2a03:4000:8:637::2 { keys {
  hummus-exim-rip.psg.com;
  }; };

my bad.  i missed any memo about the move and was hacking.

randy



Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
Randy Bush (Thu 14 Oct 2021 20:49:37 CEST):
> rip.psg.com:/root# dig +norec @37.221.193.62 exim.org. axfr

According to the name server configuration you need a TSIG key to
initiate the AXFR.

dig -k …
or
dig -y …

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
Don't you want to try AXFR instead of AXF?
-- 
Heiko Schlittermann (on the go)



Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Randy Bush via Exim-users
rip.psg.com:/root# dig +norec @37.221.193.62 exim.org. axfr

; <<>> DiG 9.16.21 <<>> +norec @37.221.193.62 exim.org. axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.



Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
I'll check if we can see what the issue is.
-- 
Heiko Schlittermann (on the go)



Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Randy Bush via Exim-users
as the exim.org hostmaster and site admin seem unable to respond to
email, rip.psg.com is ceasing to serve the exim.org domain rather than
serve incorrect data.

randy

rip.psg.com:/root# dig +norec @37.221.193.62 exim.org. axf

; <<>> DiG 9.16.21 <<>> +norec @37.221.193.62 exim.org. axf
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11014
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exim.org.  IN  A

;; ANSWER SECTION:
exim.org.   900 IN  A   37.221.193.62

;; AUTHORITY SECTION:
exim.org.   900 IN  NS  hh.schlittermann.de.
exim.org.   900 IN  NS  pu.schlittermann.de.
exim.org.   900 IN  NS  rn.schlittermann.de.
exim.org.   900 IN  NS  ns0.firedrake.org.
exim.org.   900 IN  NS  rip.psg.com.
exim.org.   900 IN  NS  nlns.globnix.net.
exim.org.   900 IN  NS  us1ns.pennock-tech.net.

;; Query time: 149 msec
;; SERVER: 37.221.193.62#53(37.221.193.62)
;; WHEN: Thu Oct 14 17:59:52 UTC 2021
;; MSG SIZE  rcvd: 236

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4031
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;axf.   IN  A

;; Query time: 151 msec
;; SERVER: 37.221.193.62#53(37.221.193.62)
;; WHEN: Thu Oct 14 17:59:52 UTC 2021
;; MSG SIZE  rcvd: 32



Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Evgeniy Berdnikov via Exim-users
On Thu, Oct 14, 2021 at 05:50:23PM +0300, Odhiambo Washington via Exim-users 
wrote:
> On Thu, Oct 14, 2021 at 4:25 PM Evgeniy Berdnikov via Exim-users <
> exim-users@exim.org> wrote:
> > |  dkim_selector      Use: smtp   Type: string list†   Default: unset
> > |
> > |  This sets the key selector string. After expansion, which can use
> > |  $dkim_domain, this can be a list. Each element in turn is put in the
> > |  expansion variable $dkim_selector which may be used in the
> > |  dkim_private_key option along with $dkim_domain.
> >
> >  Does the assignment dkim_selector="key1:key2" work?
> >
> 
> I don't think that would work, because I have to then match a selector to a
> key.

 The last sentence in the cited paragraph explains how this match works.
 Read it again carefully. The description of dkim_private_key repeats it:

|  dkim_private_key   Use: smtp   Type: string†        Default: unset
|
|  This sets the private key to use. You can use the $dkim_domain and
|  $dkim_selector expansion variables to determine the private key to use.
-- 
 Eugene Berdnikov



Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Odhiambo Washington via Exim-users
On Thu, Oct 14, 2021 at 4:25 PM Evgeniy Berdnikov via Exim-users <
exim-users@exim.org> wrote:

> On Thu, Oct 14, 2021 at 03:24:56PM +0300, Odhiambo Washington via
> Exim-users wrote:
> > 1. I have 2 private keys - dkim.priv.key and dkim_ed25519.priv.key
> > 2. I have published a DNS record for key1._domainkey.example.com for the
> > RSA, and key2._domainkey.example.com for the ED25519 keys respectively
> >
> > Any easier way to integrate that into my transport?
>
>  Documentation states:
>
> |  dkim_selector      Use: smtp   Type: string list†   Default: unset
> |
> |  This sets the key selector string. After expansion, which can use
> |  $dkim_domain, this can be a list. Each element in turn is put in the
> |  expansion variable $dkim_selector which may be used in the
> |  dkim_private_key option along with $dkim_domain.
>
>  Does the assignment dkim_selector="key1:key2" work?
>

I don't think that would work, because I have to then match a selector to a
key.

I found a write-up by Phil Pennock that addresses this kind of situation:

https://lists.exim.org/lurker/message/20180416.043034.5a61f10d.en.html

I just need to make heads/tails of the config.



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)


Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Evgeniy Berdnikov via Exim-users
On Thu, Oct 14, 2021 at 03:24:56PM +0300, Odhiambo Washington via Exim-users 
wrote:
> 1. I have 2 private keys - dkim.priv.key and dkim_ed25519.priv.key
> 2. I have published a DNS record for key1._domainkey.example.com for the
> RSA, and key2._domainkey.example.com for the ED25519 keys respectively
> 
> Any easier way to integrate that into my transport?

 Documentation states:

|  dkim_selector      Use: smtp   Type: string list†   Default: unset
|
|  This sets the key selector string. After expansion, which can use
|  $dkim_domain, this can be a list. Each element in turn is put in the
|  expansion variable $dkim_selector which may be used in the
|  dkim_private_key option along with $dkim_domain.

 Does the assignment dkim_selector="key1:key2" work?
-- 
 Eugene Berdnikov



[exim] DKIM d= field and corresponding key

2021-10-14 Thread Andy Bennett via Exim-users

Hi,

I have been (finally!) looking at setting up DKIM on my outgoing exim 
relay.


It is set up to handle several domains for incoming and outgoing mail.

I have been trying to find good resources for how DKIM is commonly deployed 
on The Internet: all the DKIM RFCs and early guides seem to shift almost 
all of the policy decisions to the implementors and documentation from them 
seems to be sparse or confusing!



It seems to me that the DKIM signing domain (the d= field in the DKIM 
header) is the "reputation" that becomes associated to the domain and 
doesn't have to correspond to the actual domain in the From: address or 
other headers or the SMTP greetings.


https://support.google.com/a/answer/174124?hl=en

Seems to support this, saying "If you don't generate your own DKIM domain 
key, Gmail signs all outgoing messages with this default DKIM domain key: 
d=*.gappssmtp.com"



So, my question is, what should I use in the d= field for my server?

I have a low enough volume that Google Postmaster tools won't tell me 
anything about my domain.


Should I use "my" domain and associate that reputation with all outgoing 
mail across all domains in the hope that it will earn me a good reputation 
by aggregating all my volume into one place?


...or should I use the domain of the sender of the eMail and generate a 
DKIM key for each of them and let them accrue their own reputations that 
they can take with them if they decide to host elsewhere in the future?




Thanks for any tips you can give me about the best course of action and how 
my DKIM signatures will be interpreted by the current common receiving 
implementations.







Best wishes,
@ndy

--
andy...@ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF



Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Odhiambo Washington via Exim-users
On Thu, Oct 14, 2021 at 3:08 PM Wolfgang Breyha via Exim-users <
exim-users@exim.org> wrote:

> On 14/10/2021 13:12, Odhiambo Washington via Exim-users wrote:
> > Is anyone already doing this with Exim?
>
> Sure. Simply set dkim_selector and dkim_private_key accordingly. Meaning
> set both your RSA and ED selectors and keys.
>

My current transport, in a multi-domain setup:

remote_smtp:
  driver = smtp
  dkim_domain      = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}} \
                        {${lc:$sender_address_domain}}{}}
  dkim_selector    = key1
  dkim_private_key = ${lookup {${sender_address_domain}} \
                        dsearch,ret=full {/etc/exim/DKIM} \
                        {$value/dkim.priv.key} {false}}
  dkim_canon       = relaxed
  dkim_strict      = true


Given:
1. I have 2 private keys - dkim.priv.key and dkim_ed25519.priv.key
2. I have published a DNS record for key1._domainkey.example.com for the
RSA, and key2._domainkey.example.com for the ED25519 keys respectively

Any easier way to integrate that into my transport?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)
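
As an added example (not code from any of the posts, nor from the Exim project), here is the transport the two threads converge on: Slavko's per-domain mapping file and dsearch-based key lookup from the "DKIM d= field" thread, combined with the list-valued dkim_selector that Evgeniy quotes from the documentation, so that one transport emits both an RSA and an Ed25519 signature per message, which is what Odhiambo's question asks for. The map and key directory paths, the domain names and the selector names are all assumptions; the layout keys the file name on selector and domain rather than on Odhiambo's fixed dkim.priv.key / dkim_ed25519.priv.key names, because that is what lets one dkim_private_key expression serve every element of the selector list.

```exim
# Added example, not configuration from the posts above or from the Exim
# project. Paths, domains and selector names are assumptions.

# /etc/exim/dkim/map  (lsearch file, one line per domain we sign for).
# The selector field is an Exim colon-separated list: two selectors mean
# two DKIM-Signature headers (RSA + Ed25519) on every message.
#
#   example.org:  selector=s2021rsa:s2021ed  canon=relaxed
#   example.net:  selector=s2021rsa          canon=simple
#
# Keys live in /etc/exim/dkim/keys (owned by the Exim user, mode 0700),
# one PEM file per selector/domain pair, named selector.domain.key:
#   s2021rsa.example.org.key  s2021ed.example.org.key  s2021rsa.example.net.key

remote_smtp:
  driver = smtp

  # Sign as the RFC5322.From domain so that d= is DMARC-aligned. $h_from:
  # is tainted; if it holds no usable domain the result is empty and
  # Exim simply does not sign.
  dkim_domain = ${domain:$h_from:}

  # Lookup results are untainted. A domain missing from the map gives an
  # empty selector list, which again means "do not sign".
  dkim_selector = ${extract{selector} \
                    {${lookup{$dkim_domain}lsearch{/etc/exim/dkim/map}}}}

  # Exim walks the selector list, setting $dkim_selector for each element
  # and producing one signature per element. dsearch accepts the tainted
  # $dkim_domain, refuses keys containing '/', and only returns a name
  # that exists in the directory, so a missing key file means "unsigned"
  # rather than an error.
  dkim_private_key = ${lookup{$dkim_selector.$dkim_domain.key} \
                       dsearch,ret=full{/etc/exim/dkim/keys}}

  # Per-domain canonicalisation from the map; relaxed when unspecified.
  dkim_canon = ${extract{canon} \
                 {${lookup{$dkim_domain}lsearch{/etc/exim/dkim/map}}} \
                 {$value}{relaxed}}

  # Defer delivery if a key file is present but signing fails (unreadable
  # or malformed key), instead of quietly sending unsigned mail.
  dkim_strict = true
```

Each selector needs its own TXT record: s2021rsa._domainkey.example.org carries `v=DKIM1; k=rsa; p=...` and s2021ed._domainkey.example.org carries `v=DKIM1; k=ed25519; p=...`, where for Ed25519 the p= value is the raw 32-byte public key in base64 (RFC 8463), not a SubjectPublicKeyInfo blob. Ed25519 signing in Exim needs a TLS library that supports it (the Exim spec names OpenSSL 1.1.1 or GnuTLS 3.6.6 or later). On Andy's relaxed-versus-simple question: relaxed canonicalisation tolerates the whitespace rewriting that intermediaries commonly do, whereas simple breaks on it, which is why relaxed is the usual default for outbound signing.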


Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Wolfgang Breyha via Exim-users
On 14/10/2021 13:12, Odhiambo Washington via Exim-users wrote:
> Is anyone already doing this with Exim?

Sure. Simply set dkim_selector and dkim_private_key accordingly. Meaning
set both your RSA and ED selectors and keys.

Greetings, Wolfgang
--
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria



Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Jeremy Harris via Exim-users

On 14/10/2021 12:12, Odhiambo Washington via Exim-users wrote:

In the section where it discusses the "Transition period considerations"


Strangely enough, the Exim docs says pretty much the same.

--
Cheers,
  Jeremy



[exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-14 Thread Odhiambo Washington via Exim-users
I was looking at this article: How to use DKIM with Ed25519 - Mailhardener
knowledge base.
In the section where it discusses the "Transition period considerations" it
says, and I quote:

""
As with any new standard in email, it is expected that it will take some
time before Ed25519 validation
is a common feature in email validators (the receiving services). As such,
it is not recommended to
exclusively rely on Ed25519 for DKIM.
The signer (sending email service) should use a dual DKIM signature
approach where the email is
signed with both an Ed25519 signature, as well as an RSA signature for
backward compatibility.

This means that 2 DKIM DNS records must be created. One containing the
Ed25519 key, and one
with a fall-back RSA type key. The two DKIM DNS records must use a
different selector, as DKIM
does not allow multiple DKIM records to exist with the same selector.

""

Is anyone already doing this with Exim?



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)