Exim4 - Validating DKIM

DKIM-checking requires no additional software to be installed, but it does have a slightly complex configuration.

Edit /etc/exim4/conf.d/acl/00_exim4-config_header, adding the following to the start of the file:

acl_smtp_dkim = acl_check_dkim

All being well this will then be the complete contents:

/etc/exim4/conf.d/acl/00_exim4-config_header
acl_smtp_dkim = acl_check_dkim
 
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl

After this create the file /etc/exim4/conf.d/acl/10_local_dkim_check, with this content:

/etc/exim4/conf.d/acl/10_local_dkim_check
acl_check_dkim:
 
  # Deny failures
  deny
     dkim_status = fail
     logwrite = DKIM test failed: $dkim_verify_reason
     add_header = X-DKIM: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
 
 
  # Deny invalid signatures
  deny
     dkim_status = invalid
     add_header = X-DKIM: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
     logwrite = DKIM test failed (address=$sender_address domain=$dkim_cur_signer), signature is invalid.
 
  # Accept valid/passed sigs
  accept
     dkim_status = pass
     logwrite = DKIM test passed
     add_header = X-DKIM: DKIM passed: (address=$sender_address domain=$dkim_cur_signer), signature is good.
 
 
  # And anything else.
  accept

NOTE: Incoming emails that pass the check will have a new X-DKIM header added to them.

Regenerate the configuration and restart exim4:

update-exim4.conf
service exim4 restart

Log-entries will look like this:

..
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh <= john@googlemail.com ..
..

Logging will end up in the mailserver logfile (/var/log/exim4/mainlog).
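
As an added example (not part of the original page), the following Python script parses mainlog lines in the format shown above and counts, per signing domain, the signatures that did not verify. The first three sample lines are the excerpt from this page; the two failure lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Per-signature verification line written by Exim (format as in the excerpt above).
DKIM_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) DKIM: (?P<tags>.*?) \[(?P<result>[^\]]*)\]\s*$")
# Message-arrival line ("<="), which carries the envelope sender.
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)")

# Sample input: first three lines are from the page; the last two are constructed
# (message ids, domains and selectors are made up for illustration).
SAMPLE_LOG = """\
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM: d=googlemail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh DKIM test passed
2015-08-02 19:34:06 1ZLy5G-0001rA-Lh <= john@googlemail.com ..
2015-08-02 19:35:10 1ZLy6I-0001rC-Qz DKIM: d=example.org s=mail c=relaxed/simple a=rsa-sha256 [verification failed - body hash mismatch (body probably modified in transit)]
2015-08-02 19:36:42 1ZLy7m-0001rD-T4 DKIM: d=example.net s=k1 c=relaxed/relaxed a=rsa-sha256 [invalid - public key record (currently?) unavailable]
"""

def parse_dkim_lines(lines):
    """Return (results, senders): DKIM results and envelope sender per message id."""
    results, senders = defaultdict(list), {}
    for line in lines:
        m = DKIM_RE.match(line)
        if m:
            # Split "d=... s=... c=... a=..." into a tag dictionary.
            tags = dict(t.split("=", 1) for t in m["tags"].split() if "=" in t)
            results[m["id"]].append((tags.get("d", "?"), tags.get("s", "?"), m["result"]))
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            senders[m["id"]] = m["sender"]
    return results, senders

def failures_by_domain(results):
    """Count signatures per signing domain that did not verify."""
    counts = Counter()
    for sigs in results.values():
        for domain, _selector, result in sigs:
            if result != "verification succeeded":
                counts[domain] += 1
    return counts

if __name__ == "__main__":
    results, senders = parse_dkim_lines(SAMPLE_LOG.splitlines())
    for msg_id, sigs in results.items():
        for domain, selector, result in sigs:
            print(msg_id, senders.get(msg_id, "(not accepted)"), domain, selector, result)
    print(dict(failures_by_domain(results)))
```

To run it against the real log, pass the lines of /var/log/exim4/mainlog to parse_dkim_lines instead of SAMPLE_LOG.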