Exim4 does not add DKIM signature
Solution 1
Verify that you are using the remote_smtp transport. This should be listed after T= in /var/log/exim4/mainlog on the lines containing =>. Checking DKIM on locally delivered email will not work as this transport is not used. Use a verification service such as http://dkimvalidator.com to check whether your mail is signed.
If you are using the remote_smtp_smarthost transport you must modify it to include DKIM signing. On a Debian/Ubuntu machine with split config append the below to the 30_exim4-config_remote_smtp_smarthost file:
# DKIM setup copied from `30_exim4-config_remote_smtp`
# see: https://serverfault.com/a/782069/117087
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
Verify the permissions on your private key. It must be readable by the user Exim runs as, which is Debian-exim for Debian and Ubuntu installations. If your transport is set to dkim_strict, it will requeue messages if it cannot sign the message. It will log the failure causes to the mainlog and the paniclog. It may be easier to find the message in the paniclog.
These are the settings that are required to get DKIM working. You seem to be missing some. (I sign for multiple domains with the same key. Try getting signing with a single key working before trying to get fancy and use separate keys for different domains.) This configuration should prevent unsigned email from being sent by the remote_smtp transport.
DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_PRIVATE_KEY = CONFDIR/dkim.private.20160604
DKIM_SELECTOR = ${extract{-1}{.}{DKIM_PRIVATE_KEY}}
# optional - causes signing failures to defer (requeue)
DKIM_STRICT = true
#DKIM_SIGN_HEADERS = # Use default
Once you have signing with a static key working, you could try these changes:
DKIM_PRIVATE_KEY = CONFDIR/${sender_address_domain}.private.201604
DKIM_SELECTOR = 20160604
# optional - pass if no key available
DKIM_STRICT = false
You may want to review:
- My notes on implementing DKIM - includes the settings for other transports
- My notes on detecting forged servers - particularly the list of verification services
- The Exim documentation on DKIM
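The transport check described in Solution 1, as an added example that is not part of the original answer: this Python script tallies the T= value on delivery lines and lists messages that left through a transport outside an assumed set of DKIM-signing transports. The log lines are constructed samples, and the function names and the `signing_transports` default are assumptions to adjust for your configuration.

```python
import re

# Constructed sample lines in Exim mainlog format (not from a real server).
SAMPLE_MAINLOG = """\
2016-06-05 17:20:01 1b9YaA-0000aa-01 <= alice@example.com U=alice P=local S=412
2016-06-05 17:20:01 1b9YaA-0000aa-01 => bob <bob@example.com> R=local_user T=mail_spool
2016-06-05 17:21:10 1b9YbB-0000bb-02 <= alice@example.com U=alice P=local S=530
2016-06-05 17:21:12 1b9YbB-0000bb-02 => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2016-06-05 17:22:43 1b9YcC-0000cc-03 => dave@example.net R=smarthost T=remote_smtp_smarthost H=relay.example.com [192.0.2.25]
2016-06-05 17:22:43 1b9YcC-0000cc-03 Completed
"""

# "=>" marks a delivery; "->" marks further addresses in the same delivery.
DELIVERY = re.compile(r"^\S+ \S+ (?P<msgid>\S+) [=-]> (?P<rest>.*)$")
TRANSPORT = re.compile(r"(?:^|\s)T=(?P<name>\S+)")


def deliveries_by_transport(log_text):
    """Map each transport name to the message ids delivered through it."""
    found = {}
    for line in log_text.splitlines():
        delivery = DELIVERY.match(line)
        if not delivery:
            continue  # arrivals ("<="), "Completed", errors, etc.
        transport = TRANSPORT.search(delivery.group("rest"))
        name = transport.group("name") if transport else "(no T= logged)"
        found.setdefault(name, []).append(delivery.group("msgid"))
    return found


def unsigned_candidates(log_text, signing_transports=("remote_smtp",)):
    """List (msgid, transport) pairs that bypassed the DKIM-signing transports.

    signing_transports is an assumption: name the transports whose
    definition actually carries the dkim_* options on your system.
    """
    return [
        (msgid, name)
        for name, msgids in deliveries_by_transport(log_text).items()
        if name not in signing_transports
        for msgid in msgids
    ]


if __name__ == "__main__":
    for msgid, name in unsigned_candidates(SAMPLE_MAINLOG):
        print(f"{msgid}: delivered via {name}, no DKIM signature expected")
```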
Solution 2
This works for me:
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${dkim_domain}-private.pem} {/etc/exim4/dkim/${dkim_domain}-private.pem}}
These settings must be placed in exim4.conf.template file if you use single file Exim configuration and not in 00_local_macros or other files as said in many howtos.
Setting DKIM signatures in Exim is a problem (I spent 3 days) and Exim developers should fix it.
Solution 3
Exim version 4.84_2 #2 built 25-Jul-2016 18:59:44
Here's what worked for me, I was in the exact situation, exim4 was not adding the dkim signature.
I edited the file /etc/exim4/update-exim4.conf.conf and I found that even when I was using the split config, the config file was wrong, so I had to change this line:
dc_use_split_config='true'
And then I edited the 10_exim4-config_transport-macros file and added the following lines at the end:
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.private.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SELECTOR = exim
The previous work was generating the private key file and adding the TXT DNS record, etc.
aigffmss
Updated on September 18, 2022
aigffmss over 1 year
Have spent 2 days trying to tell Exim to add DKIM signatures on my Debian8 server. No success. Have read many how-tos, forums but none of possible solutions work on my server.
Have generated the keys:
cd /etc/exim4/
openssl genrsa -out example.com-private.pem 1024 -outform PEM
openssl rsa -in example.com-private.pem -out example.com.pem -pubout -outform PEM
Have created file 00_local_macros in /etc/exim4/conf.d/main/ with the following content:
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
Have published a text DNS record: 20160604._domainkey.example.com
content with public key:
k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRpHpC2q1ycmaqdnYlf5WI5g7ZyiXybd6EFdOqk35Sl7ZNfSeZelbyxqgLN+BzHpbp4Z4JDtKLSgBwugCePhl2xVDtQvO9XfqwQLMO5PAOONCLTwoGYrViwf5ki2zIqS2uN5MpuRTKW/IiK3CtRId+w5gjdACAvkwZWBstKEDrQQIDAQAB
# update-exim4.conf
# service exim4 restart
even rebooted the server.
All emails still arrive without DKIM signature.
Tried to add lines:
dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_sign_headers = true
to the file /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp as suggested in some forum. No success. Still no DKIM signature.
exim4 -bV
Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
Update
Almost all tutorials are wrong. With single file Exim configuration, the DKIM settings must reside in exim4.conf.template file. It works! But only one domain with this configuration:
DKIM_CANON = relaxed
DKIM_DOMAIN = example.com
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.com-private.pem
DKIM_SELECTOR = 20160604
#DKIM_STRICT = true
Multiple domains still don't work. Tried multiple configurations but still no success. All three below do not work:
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${sender_address_domain}
DKIM_FILE = /etc/exim4/dkim/{DKIM_DOMAIN}-private.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem} {/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem}}

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
dkim_domain = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
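What Exim is actually asked to expand when a macro name is written inside `${...}`, as an added example that is not code from the question or the answers: Exim replaces macro names as plain text before any string expansion, so this Python sketch applies that replacement to the second non-working configuration above and to the `${dkim_domain}` form used in Solution 2. The first yields `${${lc:...}}`, a `${` followed by `$`, which is the kind of input the "letter or digit expected after ${" message quoted in the comments describes. The two `dkim_*` option lines come from the transport snippet in Solution 1; the function names are made up here, and only simple `NAME = value` macros are modelled.

```python
import re

# Exim macro names start with an upper-case letter. Replacement is plain text
# substitution on every later line, applied in the order macros were defined.
MACRO_DEF = re.compile(r"^([A-Z][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Second non-working configuration from the question, followed by two option
# lines from the transport snippet in Solution 1.
QUESTION_ATTEMPT = """\
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem} {/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem}}
dkim_domain = DKIM_DOMAIN
dkim_private_key = DKIM_PRIVATE_KEY
"""

# Solution 2's form: $dkim_domain is an expansion variable, not a macro.
SOLUTION_2 = QUESTION_ATTEMPT.replace("${DKIM_DOMAIN}", "${dkim_domain}")


def expand_macros(config_text):
    """Return {option: value} for the option lines after macro replacement."""
    macros, options = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        definition = MACRO_DEF.match(line)
        if definition:
            name, body = definition.groups()
        else:
            name, _, body = line.partition("=")
        for known, value in macros.items():
            body = body.replace(known, value)
        target = macros if definition else options
        target[name.strip()] = body.strip()
    return options


def malformed_expansion(value):
    """True when "${" is followed by something other than a letter or digit."""
    return re.search(r"\$\{[^A-Za-z0-9]", value) is not None


if __name__ == "__main__":
    for label, text in (("question", QUESTION_ATTEMPT), ("solution 2", SOLUTION_2)):
        key = expand_macros(text)["dkim_private_key"]
        print(f"{label}: malformed={malformed_expansion(key)}\n  {key}")
```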
-
Pavel Niedoba about 2 years
openssl genrsa -out example.com-private.pem 1024 -outform PEM on debian bullseye outputs "Extra arguments given. genrsa: Use -help for summary." Removing -outform PEM will help
-
aigffmss almost 8 years
Yes, I am using remote_smtp. Single domain does not work. Yesterday I already tried a single domain. No success. DKIM_STRICT doesn't help. Mail arrives without signature. Just tried to send an email to yahoo: dkim=neutral (no sig). As I understand many people have this problem and I wonder why Exim doesn't fix it. Some people just switch to postfix etc.
-
BillThor almost 8 years
I've verified that dkim_strict does prevent sending email if the message can't be signed. Please add the output of grep DKIM /var/lib/exim4/config.autogenerated to your post. This should include your DKIM settings if you have done them in the correct place. This is different for split files and single file configurations. It helps not to hide the domain you are working with.
-
BillThor almost 8 years
@aigffmss from your configuration changes it appears you should be using dc_use_split_config='true' in update-exim4.conf.conf. If not, your changes should be in exim4.conf.template. In either case, you need to reload or restart Exim for your changes to be effective.
-
aigffmss almost 8 years
I got working 1 domain when I place my configuration in exim4.conf.template file. But only 1 domain. Multiple domains still don't work. I just updated my question.
-
BillThor almost 8 years
Try using DKIM_STRICT = true with DKIM_PRIVATE_KEY = CONFDIR/${sender_address_domain}.private. This should log the errors. You could also use the same key for all domains. There is no requirement that each domain have a separate signing key.
-
aigffmss almost 8 years
Errors:
2016-06-05 17:28:51 1b9Ywm-0001BL-FX failed to expand dkim_private_key: missing or misplaced { or }
2016-06-05 17:37:41 1b9ZBN-0001ex-2Q failed to expand dkim_private_key: letter or digit expected after ${
-
BillThor almost 8 years
That error would occur if sender_address_domain is null. Either normal submission rules aren't being applied or you have a broken rewrite rule. Do you have control = suppress_local_fixups configured somewhere? $domain:h_from: might work instead of sender_host_domain. Sending to a validator like port25 might help you understand what is happening.
-
Daniel Sokolowski over 5 years
"Verify that that you are using the remote_smtp transport" saved my bacon, thank you!