Re: [exim] DKIM signing for multiple domains
On Fri, 28 Sep 2018 at 13:21, Odhiambo Washington wrote:
>
> On Fri, 28 Sep 2018 at 11:41, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>
>> On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
>> > It seems that such local mail are not signed.
>>
>> What is the result of the expansion you used
>> for dkim_domain, when applied to such a message?
>>
>> (If you can't work it out logically, test using "exim -bem")
>> --
>> Cheers,
>>   Jeremy
>
> Hi Jeremy,
>
> I must confess that your question has left me floating! It entered through
> the left and went out straight through the right.
>

I wasn't able to figure out how to achieve what was advised by Jeremy, so I
decided to use a different way - a rewrite rule:

\N^(.*)@fq\.domain\.name$$1...@domain.name FfrsTt

And now system/cron generated mails which were sent to r...@fq.domain.name
(who happens to be odhia...@gmail.com) are correctly accepted by gmail
because they pass the DMARC vrf.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] DKIM signing for multiple domains
On Friday, 28 September 2018 2:19:10 PM AEST Odhiambo Washington wrote:
> On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <exim-users@exim.org> wrote:
> > On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users wrote:
> > > Hi everyone,
> > >
> > > I have multiple domains hosted on the same server. They are virtual
> > > domains. The server has just one IP address and one Exim instance.
> > > I am wondering how to easily do DKIM signing for these domains. I decided
> > > to use the same selector for all the domains to make life easy. Would the
> > > following transport work? If not, what is the best way to do this for
> > > multiple domains sharing the same IP address?
> > >
> > > remote_smtp_DK:
> > >   driver = smtp
> > >   dkim_domain = ${sender_address_domain}
> > >   dkim_selector = csl
> > >   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > >   dkim_canon = relaxed
> > >   dkim_strict = true
> >
> > I use dkim_domain =
> > ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
> > which will match any addresses in a from field that are local, in addition
> > if dkim_domain is a list it will sign with multiple signatures (e.g. From: , ,
> > will add dkim signature for local1 and local2 domains.
>
> Hi Richard
>
> When I use your dkim_domain option, the mail does not get signed, but mails
> get signed using my option
>
> dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
> #dkim_domain = ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
>
> How can I test your expansion manually?

As Jeremy suggested, you can use exim -bem /path/to/message. You probably want
a combination of mine and yours in the expansion, as you're testing on the
existence of a key for a particular domain whereas I'm signing for all domains
considered local with the same key. Maybe instead of the {match_domain ...}
part of the filter you should instead use your
{${if exists{/etc/pki/tls/dk/${lc:$item}-dkim.priv.key}} or something like that.
Re: [exim] DKIM signing for multiple domains
On Mon, 1 Oct 2018 at 09:55, Richard James Salts wrote:
> On Friday, 28 September 2018 2:19:10 PM AEST Odhiambo Washington wrote:
> > On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <exim-users@exim.org> wrote:
> > > On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users wrote:
> > > > Hi everyone,
> > > >
> > > > I have multiple domains hosted on the same server. They are virtual
> > > > domains. The server has just one IP address and one Exim instance.
> > > > I am wondering how to easily do DKIM signing for these domains. I decided
> > > > to use the same selector for all the domains to make life easy. Would the
> > > > following transport work? If not, what is the best way to do this for
> > > > multiple domains sharing the same IP address?
> > > >
> > > > remote_smtp_DK:
> > > >   driver = smtp
> > > >   dkim_domain = ${sender_address_domain}
> > > >   dkim_selector = csl
> > > >   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > > >   dkim_canon = relaxed
> > > >   dkim_strict = true
> > >
> > > I use dkim_domain =
> > > ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
> > > which will match any addresses in a from field that are local, in addition
> > > if dkim_domain is a list it will sign with multiple signatures (e.g. From: , ,
> > > will add dkim signature for local1 and local2 domains.
> >
> > Hi Richard
> >
> > When I use your dkim_domain option, the mail does not get signed, but mails
> > get signed using my option
> >
> > dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
> > #dkim_domain = ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
> >
> > How can I test your expansion manually?
>
> As Jeremy suggested you can use exim -bem /path/to/message, you probably want
> a combination of mine and yours in the expansion as you're testing on the
> existence of a key for a particular domain whereas I'm signing for all domains
> considered local with the same key. Maybe instead of the {match_domain ...}
> part of the filter you should instead use your
> {${if exists{/etc/pki/tls/dk/${lc:$item}-dkim.priv.key}} or something like that.
>

Thank you. Let me run the test for -bem and see what I come up with.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
On Fri, 28 Sep 2018 at 11:41, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
> > It seems that such local mail are not signed.
>
> What is the result of the expansion you used
> for dkim_domain, when applied to such a message?
>
> (If you can't work it out logically, test using "exim -bem")
> --
> Cheers,
>   Jeremy
>

Hi Jeremy,

I must confess that your question has left me floating! It entered through
the left and went out straight through the right.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
> It seems that such local mail are not signed.

What is the result of the expansion you used
for dkim_domain, when applied to such a message?

(If you can't work it out logically, test using "exim -bem")
--
Cheers,
  Jeremy
Re: [exim] DKIM signing for multiple domains
On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <exim-users@exim.org> wrote:
> On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users wrote:
> > Hi everyone,
> >
> > I have multiple domains hosted on the same server. They are virtual
> > domains. The server has just one IP address and one Exim instance.
> > I am wondering how to easily do DKIM signing for these domains. I decided
> > to use the same selector for all the domains to make life easy. Would the
> > following transport work? If not, what is the best way to do this for
> > multiple domains sharing the same IP address?
> >
> > remote_smtp_DK:
> >   driver = smtp
> >   dkim_domain = ${sender_address_domain}
> >   dkim_selector = csl
> >   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> >   dkim_canon = relaxed
> >   dkim_strict = true
>
> I use dkim_domain =
> ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
> which will match any addresses in a from field that are local, in addition
> if dkim_domain is a list it will sign with multiple signatures (e.g. From: , ,
> will add dkim signature for local1 and local2 domains.
>

That seems awesome. I am having a problem with system-generated mails though.

What I have always had is that those mails that the system generates and
sends to root@FQDN or postmaster@FQDN were always redirected to my address
(odhia...@gmail.com). Now, since I enabled strict DKIM signing, those mails
cannot be delivered to gmail servers. I am also seeing some bounces not being
delivered, and I believe it's because they are unsigned.

root@gw:/usr/home/wash # exim -Mvh 1g5eo8-000Poy-BT
1g5eo8-000Poy-BT-H
mailnull 26 26
<>
1538087452 0
-received_time_usec .355992
-active_hostname gw.titan.co.ke
-ident mailnull
-received_protocol local
-body_linecount 61
-max_received_linelength 441
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1538114959
-localerror
-manual_thaw
XX
1
r...@gw.titan.co.ke

146P Received: from mailnull by gw.titan.co.ke with local (Exim 4.90_1)
	id 1g5eo8-000Poy-BT
	for r...@gw.titan.co.ke; Fri, 28 Sep 2018 01:30:52 +0300
040  X-Failed-Recipients: odhia...@gmail.com
029  Auto-Submitted: auto-replied
058F From: Mail Delivery System
024T To: r...@gw.titan.co.ke
095  Content-Type: multipart/report; report-type=delivery-status; boundary=1538087452-eximdsn-16807
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
047I Message-Id:
038  Date: Fri, 28 Sep 2018 01:30:52 +0300

When I try a forced delivery for that mail, the error I get is:

LOG: MAIN
  ** odhia...@gmail.com R=dnslookup T=remote_smtp_DK H=gmail-smtp-in.l.google.com [66.102.1.27] I=[197.232.25.162] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com": SMTP error from remote mail server after pipelined end of data: 550-5.7.1 Unauthenticated email from titan.co.ke is not accepted due to domain's\n550-5.7.1 DMARC policy. Please contact the administrator of titan.co.ke domain\n550-5.7.1 if this was a legitimate mail. Please visit\n550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the\n550 5.7.1 DMARC initiative. t10-v6si1002397wmf.192 - gsmtp

So, how do people deal with system mails that are forwarded to external
addresses? It seems that such local mail are not signed.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users wrote:
> Hi everyone,
>
> I have multiple domains hosted on the same server. They are virtual
> domains. The server has just one IP address and one Exim instance.
> I am wondering how to easily do DKIM signing for these domains. I decided
> to use the same selector for all the domains to make life easy. Would the
> following transport work? If not, what is the best way to do this for
> multiple domains sharing the same IP address?
>
> remote_smtp_DK:
>   driver = smtp
>   dkim_domain = ${sender_address_domain}
>   dkim_selector = csl
>   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
>   dkim_canon = relaxed
>   dkim_strict = true

I use dkim_domain =
${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
which will match any addresses in a from field that are local. In addition,
if dkim_domain is a list it will sign with multiple signatures (e.g. From: , ,
will add dkim signature for local1 and local2 domains).
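Jeremy's question further up the thread (what does the dkim_domain expansion evaluate to for such a message?) and Richard's suggestion to combine the key-existence test with the From:-header filter can be worked through without a live Exim. The block below is an added example for this archive, not code from any poster and not Exim itself: it re-implements in Python what each of the three dkim_domain expansions discussed here computes, then runs them over an ordinary message and over a bounce, whose envelope sender is `<>` and whose `$sender_address_domain` is therefore empty. All domains, header values and the key inventory are constructed; the key path convention `/etc/pki/tls/dk/<domain>-dkim.priv.key` is the one from the thread.

```python
"""What the three dkim_domain expansions from this thread evaluate to.

Added example, not Exim code and not any poster's configuration. Domains,
header values and the key inventory are constructed for illustration.
"""
import os
from email.utils import getaddresses
from typing import Callable, Dict, Iterable, List

# Key path convention used in the thread.
KEY_DIR = "/etc/pki/tls/dk"


def key_path(domain: str) -> str:
    return f"{KEY_DIR}/{domain}-dkim.priv.key"


def header_domains(from_header: str) -> List[str]:
    """${map{${addresses:$h_from:}}{${domain:$item}}}: every domain in From:, lowercased."""
    return [addr.rpartition("@")[2].lower()
            for _name, addr in getaddresses([from_header]) if "@" in addr]


def by_sender_domain(sender_address: str,
                     key_exists: Callable[[str], bool] = os.path.exists) -> str:
    """Odhiambo's option:
    ${if exists{KEY_DIR/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
    A bounce has envelope sender <>, so the domain is "" and the result is "" (no signature)."""
    domain = sender_address.rpartition("@")[2].lower() if "@" in sender_address else ""
    return domain if domain and key_exists(key_path(domain)) else ""


def by_from_local(from_header: str, local_domains: Iterable[str]) -> List[str]:
    """Richard's option: ${filter{<From: domains>}{match_domain{$item}{+local_domains}}}.
    A list result makes Exim add one signature per domain."""
    local = {d.lower() for d in local_domains}
    return [d for d in header_domains(from_header) if d in local]


def by_from_key(from_header: str,
                key_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Richard's suggested combination: keep only From: domains that have a key on disk."""
    return [d for d in header_domains(from_header) if key_exists(key_path(d))]


# --- constructed scenario ---------------------------------------------------
# Stand-in for the exists{} file test: only these two domains have a key.
CONSTRUCTED_KEYS = {key_path("example.com"), key_path("gw.example.com")}


def constructed_key_exists(path: str) -> bool:
    return path in CONSTRUCTED_KEYS


LOCAL_DOMAINS = ["example.com", "gw.example.com", "other.example"]

# Case 1: ordinary outbound mail from a user.
USER_SENDER = "alice@example.com"
USER_FROM = "Alice <alice@example.com>"
# Case 2: an Exim bounce: empty envelope sender, From: set by Exim.
BOUNCE_SENDER = ""
BOUNCE_FROM = "Mail Delivery System <Mailer-Daemon@gw.example.com>"
# Case 3: several From: addresses, one of them from a domain without a key.
MULTI_FROM = "a@example.com, b@other.example, c@remote.test"


def compare(sender: str, from_header: str) -> Dict[str, object]:
    """Evaluate all three expansions for one message."""
    return {
        "sender_domain": by_sender_domain(sender, constructed_key_exists),
        "from_local": by_from_local(from_header, LOCAL_DOMAINS),
        "from_key": by_from_key(from_header, constructed_key_exists),
    }


if __name__ == "__main__":
    for label, sender, hdr in (("user", USER_SENDER, USER_FROM),
                               ("bounce", BOUNCE_SENDER, BOUNCE_FROM),
                               ("multi", "a@example.com", MULTI_FROM)):
        print(label, compare(sender, hdr))
```

For the bounce the sender-based expansion yields an empty string, so that transport sends the message unsigned, while both From:-based variants yield `gw.example.com`; for the multi-address From: the `+local_domains` filter returns two domains (two signatures) whereas the key-existence filter drops the domain that has no key, which is the combination Richard proposes.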
Re: [exim] DKIM signing for multiple domains
hi!

On 09/25/2018 03:40 PM, Odhiambo Washington via Exim-users wrote:
> Suppose I had different dkim_selectors, is there a simple way to work
> around that too? :)
>
> Same idea, the option is expandable so you can use a lookup based on
> $sender_address_domain to get the selector.

I've done it the following way; config snippets and script should be
self-explanatory. :-)

;=== /etc/exim4/conf.d/main/00_local-config_macros ===
# Enable DKIM
DKIM_DOMAIN = ${sender_address_domain}
#DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_SELECTOR = ${lookup{DKIM_DOMAIN}lsearch*{CONFDIR/dkim.d/dkim_selectors}}
DKIM_PRIVATE_KEY = ${if exists{CONFDIR/dkim.d/DKIM_DOMAIN.DKIM_SELECTOR.key}{CONFDIR/dkim.d/DKIM_DOMAIN.DKIM_SELECTOR.key}{0}}
DKIM_CANON = relaxed
# we just use the same as Heiko Schlittermann schlittermann.de
DKIM_SIGN_HEADERS = In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Cc:Content-Description:Content-ID:Content-Transfer-Encoding:Resent-To
;===

you also will have DKIM towards smarthost.

;=== /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost ===
.ifdef DKIM_DOMAIN
  dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
  dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
  dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
  dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
  dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
  dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
;===

create dkim keys.

;===
#!/bin/bash
# usage: <script> <domain>   (shebang corrected from "!#/bin/bash")
DOMAIN=$1
SELECTOR=dflt
KEYSIZE=2048
DKIMDIR=dkim.d
cd /etc/exim4
mkdir -p $DKIMDIR
# private key, then the matching public key for the DNS record
openssl genrsa -out $DKIMDIR/$DOMAIN.$SELECTOR.key $KEYSIZE
openssl rsa -in $DKIMDIR/$DOMAIN.$SELECTOR.key -out $DKIMDIR/$DOMAIN.$SELECTOR.pub -pubout -outform PEM
# lsearch line consumed by DKIM_SELECTOR above: "domain:<TAB>selector"
echo -e "$DOMAIN:\t$SELECTOR" >> $DKIMDIR/dkim_selectors
chown -R root:Debian-exim $DKIMDIR
chmod 640 $DKIMDIR/*.key
chmod 644 $DKIMDIR/*.pub $DKIMDIR/dkim_selectors
chmod 755 $DKIMDIR
;===

sorry for the linewraps, see also https://wiki.kmp.or.at/EximConfig#DKIM

galiegrü,
Klaus

--
Klaus Maria Pfeiffer
chat: xmpp:hoedlmo...@jabber.rekmp.net
blog: http://blog.kmp.or.at/
twitter: @hoedlmoser
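Klaus's script creates the key pair and appends the lsearch line, but two things still have to happen before the `DKIM_PRIVATE_KEY` macro above signs anything: the directory must actually match the selectors file (the `exists{}` test otherwise silently yields `0`), and the public key must be published in DNS. The block below is an added example for this archive, not part of Klaus's configuration or of Exim: it parses a `dkim_selectors` file in the `domain:<TAB>selector` shape the script writes (an assumption taken from the `echo` line), checks that each `DOMAIN.SELECTOR.key` and `.pub` exist with the private key not world-readable, and turns a `.pub` PEM into the `selector._domainkey.domain` TXT record. `demo()` builds a constructed `dkim.d` in a temporary directory with placeholder PEM text, not real key material.

```python
"""Inventory check and DNS TXT record for a dkim.d directory laid out as
DOMAIN.SELECTOR.key / DOMAIN.SELECTOR.pub plus a dkim_selectors lsearch file.

Added example, not part of Klaus's config or of Exim. The dkim_selectors
line format "domain:<TAB>selector" is assumed from the script's echo line;
the PEM content used by demo() is a constructed placeholder.
"""
import os
import stat
import tempfile
from typing import Dict, List


def parse_selectors(text: str) -> Dict[str, str]:
    """Parse an Exim lsearch file: 'key: value' per line, '#' comments allowed."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            table[key.strip().lower()] = value.strip()
    return table


def pem_to_p(pub_pem: str) -> str:
    """Join the base64 body of a PEM public key into the DKIM p= value."""
    return "".join(l.strip() for l in pub_pem.splitlines()
                   if l.strip() and not l.startswith("-----"))


def dns_txt_record(domain: str, selector: str, pub_pem: str) -> str:
    """Zone-file TXT record. A DNS character-string holds at most 255 bytes and
    a 2048-bit key does not fit in one, so the value is split into quoted chunks."""
    value = f"v=DKIM1; k=rsa; p={pem_to_p(pub_pem)}"
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{c}"' for c in chunks)


def check_inventory(dkim_dir: str) -> List[str]:
    """Report what would break at signing or publishing time; [] means consistent."""
    problems: List[str] = []
    with open(os.path.join(dkim_dir, "dkim_selectors")) as fh:
        table = parse_selectors(fh.read())
    for domain, selector in table.items():
        base = os.path.join(dkim_dir, f"{domain}.{selector}")
        key, pub = base + ".key", base + ".pub"
        if not os.path.exists(key):
            problems.append(f"{domain}: {key} missing (exists{{}} fails, macro yields 0)")
            continue
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o007:
            problems.append(f"{domain}: {key} is world-readable (mode {mode:o}), expected 640")
        if not os.path.exists(pub):
            problems.append(f"{domain}: {pub} missing, cannot build the DNS record")
    return problems


def demo() -> Dict[str, object]:
    """Constructed dkim.d: one good domain, one with a too-open key, one with no key."""
    # Placeholder PEM body (6 x 64 base64-looking chars), not a real key.
    fake_pem = ("-----BEGIN PUBLIC KEY-----\n"
                + "\n".join(["MIIB" + "A" * 60] * 6)
                + "\n-----END PUBLIC KEY-----\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "dkim_selectors"), "w") as fh:
            fh.write("example.com:\tdflt\nshop.example:\tdflt\nbroken.example:\tdflt\n")
        for dom, mode in (("example.com", 0o640), ("shop.example", 0o644)):
            with open(os.path.join(d, f"{dom}.dflt.key"), "w") as fh:
                fh.write("placeholder private key\n")
            os.chmod(os.path.join(d, f"{dom}.dflt.key"), mode)
            with open(os.path.join(d, f"{dom}.dflt.pub"), "w") as fh:
                fh.write(fake_pem)
        return {"problems": check_inventory(d),
                "record": dns_txt_record("example.com", "dflt", fake_pem)}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["problems"]))
    print(result["record"])
```

Run against a real `/etc/exim4/dkim.d` the checker needs only `check_inventory("/etc/exim4/dkim.d")`; the record printer takes the `.pub` file contents written by the `openssl rsa -pubout` step of the script.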
Re: [exim] DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 16:39, Andrew Colin Kissa wrote:
>
> > On 25 Sep 2018, at 15:34, Odhiambo Washington wrote:
> >
> > Thank you very much. This works now.
> > Suppose I had different dkim_selectors, is there a simple way to work
> > around that too? :)
>
> Same idea, the option is expandable so you can use a lookup based on
> $sender_address_domain to get the selector.
>

It's clear now. ¡Muchas gracias!

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
> On 25 Sep 2018, at 15:34, Odhiambo Washington wrote:
>
> Thank you very much. This works now.
> Suppose I had different dkim_selectors, is there a simple way to work around
> that too? :)

Same idea, the option is expandable so you can use a lookup based on
$sender_address_domain to get the selector.
Re: [exim] DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 15:28, Andrew Colin Kissa wrote:
>
> > On 25 Sep 2018, at 13:57, Odhiambo Washington wrote:
> >
> > Thank you. However, for some reason this is generating an error:
> >
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM routines:PEM_read_bio:no start line
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.
>
> Sorry about that butter-fingers typo in the dkim_private_key part; it
> should have one curly bracket as follows.
>
> dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
>                    {/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>
> Or if you prefer one line.
>
> dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>

Thank you very much. This works now.
Suppose I had different dkim_selectors, is there a simple way to work around
that too? :)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
> On 25 Sep 2018, at 13:57, Odhiambo Washington wrote:
>
> Thank you. However, for some reason this is generating an error:
>
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM routines:PEM_read_bio:no start line
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.

Sorry about that butter-fingers typo in the dkim_private_key part; it
should have one curly bracket as follows.

dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
                   {/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}

Or if you prefer one line.

dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
Re: [exim] DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 13:26, Andrew Colin Kissa via Exim-users <exim-users@exim.org> wrote:
>
> > On 25 Sep 2018, at 09:28, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
> >
> > I have multiple domains hosted on the same server. They are virtual
> > domains. The server has just one IP address and one Exim instance.
> > I am wondering how to easily do DKIM signing for these domains. I decided
> > to use the same selector for all the domains to make life easy. Would the
> > following transport work? If not, what is the best way to do this for
> > multiple domains sharing the same IP address?
> >
> > remote_smtp_DK:
> >   driver = smtp
> >   dkim_domain = ${sender_address_domain}
> >   dkim_selector = csl
> >   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> >   dkim_canon = relaxed
> >   dkim_strict = true
>
> It is better to check for the existence of the key as follows.
>
> dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
> dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
>                    {{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>
> - A
>

Thank you. However, for some reason this is generating an error:

2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM routines:PEM_read_bio:no start line
2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: [exim] DKIM signing for multiple domains
> On 25 Sep 2018, at 09:28, Odhiambo Washington via Exim-users wrote:
>
> I have multiple domains hosted on the same server. They are virtual
> domains. The server has just one IP address and one Exim instance.
> I am wondering how to easily do DKIM signing for these domains. I decided
> to use the same selector for all the domains to make life easy. Would the
> following transport work? If not, what is the best way to do this for
> multiple domains sharing the same IP address?
>
> remote_smtp_DK:
>   driver = smtp
>   dkim_domain = ${sender_address_domain}
>   dkim_selector = csl
>   dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
>   dkim_canon = relaxed
>   dkim_strict = true

It is better to check for the existence of the key as follows.

dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
                   {{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}

- A