Page exim4:selective_and_multiple_domain_dkim_with_exim, created 2016/11/16 15:24 by peter; current revision 2020/07/15 09:30 (external edit).
====== Exim4 - Selective and multiple domain DKIM with Exim ======

===== Using lookups to support selective domain use =====
  
Because the Debian package wraps the DKIM transport options in ".ifdef" macro tests, selective per-domain DKIM signing can be achieved in Exim with lookups alone.
Run **update-exim4.conf** and reload exim.  For addresses not listed in **/etc/exim4/dkim_senders** the lookup expands to an empty string, and Exim does not attempt DKIM signing when dkim_domain is empty after expansion.  This config assumes that the signing domain is the sender's domain.  That is reasonable, but not always true: the lookup is keyed on the envelope sender (**$sender_address**), so the d= domain only aligns with the From: header for DMARC purposes when the two agree, and bounces, whose envelope sender is empty, match no address entry and go out unsigned.  It also assumes users on the same sender domain use the same signing key.  If necessary it wouldn't be too hard to swap the lookups around to allow domains to use different selectors.
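As an added example of the lookup approach described above (an illustration written for this page, not the original configuration): Debian's stock transport/30_exim4-config_remote_smtp only emits its dkim_* options when the corresponding DKIM_* macros are defined, so the macros can be set in a local macro file with the signing domain coming from a lookup on the envelope sender.  The file name /etc/exim4/conf.d/main/000_localmacros follows the Debian convention; the selector **2016q4** and the key path are placeholders, and /etc/exim4/dkim_senders uses the same *@domain: signing-domain format as elsewhere on this page.

```exim
# /etc/exim4/conf.d/main/000_localmacros   (added example, not the page's own config)
#
# Debian's stock transport/30_exim4-config_remote_smtp contains
#   .ifdef DKIM_DOMAIN
#   dkim_domain = DKIM_DOMAIN
#   .endif
# and the same for DKIM_SELECTOR, DKIM_PRIVATE_KEY, DKIM_CANON and
# DKIM_STRICT, so defining the macros here is all that is needed.

# Signing domain from the envelope sender.  lsearch*@ tries the full
# address first, then *@domain, then a bare "*" entry.  An address with no
# match expands to the empty string, and Exim skips signing whenever
# dkim_domain is empty after expansion, so unlisted senders (and bounces,
# whose envelope sender is empty) go out unsigned.
# Contents of /etc/exim4/dkim_senders (constructed sample):
#   *@example.com: example.com
#   test@example.org: example.org
DKIM_DOMAIN = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}

# One selector and one key shared by every signing domain (placeholders).
# The matching public key must be published at 2016q4._domainkey.<domain>
# for each domain that appears as a value in dkim_senders.
DKIM_SELECTOR = 2016q4
DKIM_PRIVATE_KEY = /etc/exim4/dkim/shared.key

# relaxed canonicalisation tolerates the header whitespace changes that
# intermediate MTAs commonly make; "false" sends unsigned instead of
# deferring when the key cannot be read.
DKIM_CANON = relaxed
DKIM_STRICT = false
```

After **update-exim4.conf**, check the pieces before reloading: `exim4 -be '${lookup{test@example.org}lsearch*@{/etc/exim4/dkim_senders}}'` prints example.org, the same expansion with other@example.org prints nothing, and `exim4 -bt -f test@example.org someone@remote.example` shows which router and transport a message with that envelope sender would take.  The key file has to be readable by the Debian-exim user, which is the user the transport runs as.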
  

===== Using custom router and transport files to support selective domain use =====

Support for DKIM signing in Exim is [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html|available since version 4.70]], and the configuration supplied with Debian makes it fairly straightforward to implement.  However it suggests an all-or-nothing configuration in which all outgoing mail is signed under the same domain.

Where multiple domains are handled it may be necessary to switch DKIM signing on selectively and to specify the signing domain per sender.  The following provides a mechanism to do so within the standard Debian Exim configuration.

(This assumes that the keys have been created and the requisite public-key TXT records have been added to DNS for the affected domains.  It also assumes a split config, i.e. dc_use_split_config='true' in /etc/exim4/update-exim4.conf.conf.)

Set up a simple lookup file such as /etc/exim4/dkim_senders

<file bash /etc/exim4/dkim_senders>
*@example.com: example.com
test@example.org: example.org
</file>

This means that anything sent from any address at example.com is signed as example.com, but only test@example.org is signed with the example.org key.  Unless DKIM is also enabled in the default remote_smtp transport, no other example.org mail will be signed.

Now create a new router that sits in front of the main router for external mail (whatever uses remote_smtp as its transport, e.g. dnslookup) such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookup with a **senders** condition and a modified transport; the 180 prefix makes it sort before Debian's 200_exim4-config_primary)
 +
<file bash /etc/exim4/conf.d/router/180_local_primary_dkim>
dnslookup_dkim:
  debug_print = "R: dnslookup_dkim for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  # only envelope senders listed in dkim_senders take this router;
  # everything else falls through to the normal dnslookup router
  senders = lsearch*@;/etc/exim4/dkim_senders
  transport = remote_smtp_dkim
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more
</file>

Then add a new transport /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp)

<file bash /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim>
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data = REMOTE_SMTP_HELO_DATA
.endif
  # signing domain taken from the envelope sender via the same file the router uses
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
  # one selector and one key shared across all signing domains
  dkim_selector = yourhostname
  dkim_private_key = /etc/ssl/private/dkim.key
  dkim_canon = relaxed
  # send unsigned rather than defer if signing fails
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS
</file>

The selector and key are left the same for every domain.  There is no problem sharing them, provided the same public key is published at <selector>._domainkey under each signing domain, but a compromise of that one private key then affects every domain that uses it.  Both the selector and the key path could equally be found via lookups keyed on the signing domain if needed.
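The remark at the end of the first section about letting domains use different selectors, and the remark just above about finding the selector and key via lookups, can be combined in the transport.  The following is an added example written for this page, not the original transport: it keeps the router above unchanged and derives the selector and key path from the signing domain.  The second lookup file /etc/exim4/dkim_selectors, the selectors **2016q4** and **mail**, the fallback selector **shared** and the key directory /etc/exim4/dkim/ are all assumed names.

```exim
# /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim   (added example, not the page's own transport)
#
# Same router (dnslookup_dkim, senders = lsearch*@;/etc/exim4/dkim_senders)
# as on this page; only the dkim_* options change so that each signing
# domain can carry its own selector and key.
#
# Constructed second lookup file, /etc/exim4/dkim_selectors, keyed on the
# signing domain rather than on the sender:
#   example.com: 2016q4
#   example.org: mail
#
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data = REMOTE_SMTP_HELO_DATA
.endif
  # 1. signing domain from the envelope sender (empty => message not signed)
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
  # 2. selector from the signing domain; $dkim_domain is set while this
  #    option is expanded.  Domains missing from dkim_selectors fall back
  #    to the assumed shared selector.
  dkim_selector = ${lookup{$dkim_domain}lsearch{/etc/exim4/dkim_selectors}{$value}{shared}}
  # 3. one key file per domain/selector pair, e.g. example.org.mail.key;
  #    both $dkim_domain and $dkim_selector are available here.
  dkim_private_key = /etc/exim4/dkim/${dkim_domain}.${dkim_selector}.key
  dkim_canon = relaxed
  # Defer delivery rather than send unsigned if the key is missing or
  # unreadable, so a broken deployment is noticed instead of silently
  # producing unsigned mail for a listed sender.
  dkim_strict = true
```

The key files must be readable by the Debian-exim user (for example root:Debian-exim, mode 0640); the page's /etc/ssl/private/dkim.key only works if that user is in the ssl-cert group, since Debian ships /etc/ssl/private as root:ssl-cert 0710.  Check the selector lookup with `exim4 -be '${lookup{example.org}lsearch{/etc/exim4/dkim_selectors}{$value}{shared}}'`, which should print mail, confirm the router choice with `exim4 -bt -f test@example.org someone@remote.example`, and compare `dig +short TXT mail._domainkey.example.org` against the public key derived from the private key with `openssl rsa -in /etc/exim4/dkim/example.org.mail.key -pubout` before relying on the signatures.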


===== References =====

https://debian-administration.org/users/lee/weblog/51