Exim4 does not add DKIM signature

Solution 1

Verify that you are using the remote_smtp transport. This should be listed after T= in /var/log/exim4/mainlog on the lines containing =>. Checking DKIM on locally delivered email will not work as this transport is not used. Use a verification service such as http://dkimvalidator.com to check whether your mail is signed.

If you are using the remote_smtp_smarthost transport, you must modify it to include DKIM signing. On a Debian/Ubuntu machine with split config, append the below to the 30_exim4-config_remote_smtp_smarthost file:

# DKIM setup copied from `30_exim4-config_remote_smtp`
# see: https://serverfault.com/a/782069/117087
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif

Verify the permissions on your private key. It must be readable by the user Exim runs as, which is Debian-exim for Debian and Ubuntu installations. If your transport is set to dkim_strict, it will requeue messages if it cannot sign the message. It will log the failure causes to the mainlog and the paniclog. It may be easier to find the message in the paniclog.

These are the settings that are required to get DKIM working. You seem to be missing some. (I sign for multiple domains with the same key. Try getting signing with a single key working before trying to get fancy and use separate keys for different domains.) This configuration should prevent unsigned email from being sent by the remote_smtp transport.

DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_PRIVATE_KEY = CONFDIR/dkim.private.20160604
DKIM_SELECTOR = ${extract{-1}{.}{DKIM_PRIVATE_KEY}}
# optional - causes signing failures to defer (requeue)
# (Exim has no end-of-line comments, so the note must be on its own line)
DKIM_STRICT = true
# DKIM_SIGN_HEADERS is left unset to use the default

Once you have signing with a static key working, you could try these changes:

DKIM_PRIVATE_KEY = CONFDIR/${sender_address_domain}.private.201604
DKIM_SELECTOR = 20160604
# optional - pass if no key available
DKIM_STRICT = false

You may want to review:
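
The two checks this answer recommends (which transport delivered the message, and who can read the signing key) can be scripted. The following is an added example, not code from the answer or from the Exim project; it runs on constructed sample log lines and a temporary file, and assumes Exim's standard delivery log format ("=> ... T=<transport>") and a stat(1) that accepts GNU -c or BSD -f format strings.

```shell
#!/bin/sh
# Added example (not from the answer above): helpers for the two checks the
# answer recommends, fed with constructed sample data so they run offline.
# Assumed: Exim's standard delivery log format ("=> ... T=<transport>") and a
# stat(1) that accepts GNU -c or BSD -f format strings.

# transport_of LOGLINE
# Prints the transport named after T= on a mainlog delivery line ("=>");
# prints nothing for other lines (arrivals "<=", completions, errors).
transport_of() {
    printf '%s\n' "$1" | sed -n 's/^.* => .* T=\([^ ]*\).*$/\1/p'
}

# is_remote_delivery LOGLINE
# Returns 0 if the delivery used remote_smtp, or remote_smtp_smarthost with the
# DKIM options appended as the answer shows; local transports never sign.
is_remote_delivery() {
    case "$(transport_of "$1")" in
        remote_smtp|remote_smtp_smarthost) return 0 ;;
        *) return 1 ;;
    esac
}

# key_perms_ok KEYFILE USER
# Returns 0 if KEYFILE is owned by USER (a name or numeric uid; Debian-exim on
# Debian/Ubuntu) and is readable by nobody else (mode 600 or 400); otherwise
# prints the reason and returns 1.
key_perms_ok() {
    f=$1
    case "$2" in
        *[!0-9]*) want_uid=$(id -u "$2") || return 1 ;;
        *) want_uid=$2 ;;
    esac
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    uid=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode too permissive (want 600)"; return 1 ;;
    esac
}

# Constructed sample log lines: one remote delivery and one local delivery.
remote_line='2016-06-05 17:28:51 1b9Ywm-0001BL-FX => user@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10] C="250 OK"'
local_line='2016-06-05 17:28:52 1b9Ywm-0001BM-AB => alice <alice@localhost> R=local_user T=mail_spool'

for l in "$remote_line" "$local_line"; do
    if is_remote_delivery "$l"; then
        echo "T=$(transport_of "$l"): DKIM signing applies"
    else
        echo "T=$(transport_of "$l"): local transport, never signed"
    fi
done
```

On a real host, feed `grep ' => ' /var/log/exim4/mainlog` line by line into transport_of, and call `key_perms_ok /etc/exim4/dkim.private.20160604 Debian-exim` (substituting your own key path) before turning on DKIM_STRICT.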

Solution 2

This works for me:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20160604
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${dkim_domain}-private.pem} {/etc/exim4/dkim/${dkim_domain}-private.pem}}

These settings must be placed in the exim4.conf.template file if you use the single-file Exim configuration, not in 00_local_macros or other files as many howtos say.

Setting DKIM signatures in Exim is a problem (I spent 3 days) and Exim developers should fix it.

Solution 3

Exim version 4.84_2 #2 built 25-Jul-2016 18:59:44

Here's what worked for me. I was in the exact situation: exim4 was not adding the DKIM signature.

I edited the file /etc/exim4/update-exim4.conf.conf and I found that even when I was using the split config, the config file was wrong, so I had to change this line:

dc_use_split_config='true'

And then I edited the 10_exim4-config_transport-macros file and added the following lines at the end:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.private.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SELECTOR = exim

The previous work was generating the private key file and adding the TXT DNS record, etc.
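
Solutions 2 and 3 both come down to whether the DKIM macros reached the configuration Exim actually reads (conf.d/ is only assembled when dc_use_split_config is true; otherwise only exim4.conf.template is used). The following added example, not code from any answer or from the Exim project, checks that from the files named on this page. It assumes the Debian layout (update-exim4.conf.conf and /var/lib/exim4/config.autogenerated); the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from any answer on this page): did the DKIM macros reach
# the configuration Exim reads? Assumed: the Debian layout named on the page
# (update-exim4.conf.conf, config.autogenerated). Sample contents are constructed.

# exim_config_mode UPDATE_CONF
# Prints "split" when dc_use_split_config='true' (conf.d/ is assembled), else
# "single" (only exim4.conf.template is used and conf.d/main/ is ignored).
exim_config_mode() {
    if grep -Eq "^dc_use_split_config='?true'?" "$1"; then
        echo split
    else
        echo single
    fi
}

# dkim_macros_missing GENERATED_CONF
# Prints each required DKIM macro that has no definition line in the file.
dkim_macros_missing() {
    for m in DKIM_DOMAIN DKIM_SELECTOR DKIM_PRIVATE_KEY; do
        grep -Eq "^[[:space:]]*$m[[:space:]]*=" "$1" || echo "$m"
    done
}

# dkim_macro_value GENERATED_CONF NAME
# Prints the literal value of macro NAME as Exim will see it. Exim has no
# end-of-line comments, so "true # note" really is the value "true # note".
dkim_macro_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# dkim_macros_with_inline_comment GENERATED_CONF
# Prints DKIM macros whose value contains '#', almost always a trailing comment
# that Exim will treat as part of the value (dkim_strict then never equals "true").
dkim_macros_with_inline_comment() {
    for m in DKIM_CANON DKIM_DOMAIN DKIM_SELECTOR DKIM_PRIVATE_KEY DKIM_STRICT; do
        case "$(dkim_macro_value "$1" "$m")" in
            *'#'*) echo "$m" ;;
        esac
    done
}

# Constructed: config.autogenerated with the macros in the main section, as
# produced when they are placed correctly.
sample_good_generated() {
    cat <<'EOF'
DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.20160604
DKIM_SELECTOR = 20160604

begin transports

remote_smtp:
  driver = smtp
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
EOF
}

# Constructed: the macros never made it in (single-file mode ignoring conf.d),
# and the one that did carries a trailing comment.
sample_bad_generated() {
    cat <<'EOF'
DKIM_STRICT = true # optional - defer on signing failure

begin transports

remote_smtp:
  driver = smtp
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
EOF
}

tmp=$(mktemp)
sample_bad_generated > "$tmp"
echo "missing macros: $(dkim_macros_missing "$tmp" | tr '\n' ' ')"
echo "macros with inline comment: $(dkim_macros_with_inline_comment "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

On a real host, run `exim_config_mode /etc/exim4/update-exim4.conf.conf` and then point `dkim_macros_missing` at /var/lib/exim4/config.autogenerated after `update-exim4.conf`; an empty result is what the comment thread's `grep DKIM` check is looking for.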

Author: aigffmss

Updated on September 18, 2022

Comments

  • aigffmss
    aigffmss over 1 year

    Have spent 2 days trying to tell Exim to add DKIM signatures on my Debian 8 server. No success. Have read many how-tos and forums, but none of the possible solutions work on my server.

    Have generated the keys:

    cd /etc/exim4/
    
    openssl genrsa -out example.com-private.pem 1024 -outform PEM
    openssl rsa -in example.com-private.pem -out example.com.pem -pubout -outform PEM
    

    Have created the file

    00_local_macros 
    

    in

    /etc/exim4/conf.d/main/ 
    

    with the following content:

    DKIM_CANON = relaxed
    DKIM_SELECTOR = 20160604
    DKIM_DOMAIN = ${lc:${domain:$h_from:}}
    DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
    

    Have published a text DNS record:

    20160604._domainkey.example.com
    

    content with public key:

    k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRpHpC2q1ycmaqdnYlf5WI5g7ZyiXybd6EFdOqk35Sl7ZNfSeZelbyxqgLN+BzHpbp4Z4JDtKLSgBwugCePhl2xVDtQvO9XfqwQLMO5PAOONCLTwoGYrViwf5ki2zIqS2uN5MpuRTKW/IiK3CtRId+w5gjdACAvkwZWBstKEDrQQIDAQAB
    
    # update-exim4.conf
    # service exim4 restart
    

    even rebooted the server.

    All emails still arrive without DKIM signature.

    Tried to add lines:

    dkim_domain = ${lc:${domain:$h_from:}}
    DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
    DKIM_CANON = relaxed
    DKIM_SELECTOR = 20160604
    dkim_sign_headers = true
    

    to the file /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp as suggested in some forum. No success. Still no DKIM signature.

    exim4 -bV
    
    Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
    Copyright (c) University of Cambridge, 1995 - 2014
    (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
    Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
    Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
    Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
    Authenticators: cram_md5 plaintext
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
    Fixed never_users: 0
    Size of off_t: 8
    Configuration file is /var/lib/exim4/config.autogenerated
    

    Update

    Almost all tutorials are wrong. With single file Exim configuration, the DKIM settings must reside in the exim4.conf.template file. It works! But only for one domain with this configuration:

    DKIM_CANON = relaxed
    DKIM_DOMAIN = example.com
    DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.com-private.pem
    DKIM_SELECTOR = 20160604
    #DKIM_STRICT = true
    

    Multiple domains still don't work. Tried multiple configurations but still no success. All three below do not work:

    DKIM_CANON = relaxed
    DKIM_SELECTOR = 20160604
    DKIM_DOMAIN = ${sender_address_domain}
    DKIM_FILE = /etc/exim4/dkim/{DKIM_DOMAIN}-private.pem
    DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
    
    
    DKIM_CANON = relaxed
    DKIM_SELECTOR = 20160604
    DKIM_DOMAIN = ${lc:${domain:$h_from:}}
    DKIM_PRIVATE_KEY=${if exists{/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem} {/etc/exim4/dkim/${DKIM_DOMAIN}-private.pem}}
    
    DKIM_CANON = relaxed
    DKIM_SELECTOR = 20160604
    dkim_domain = ${lc:${domain:$h_from:}}
    DKIM_PRIVATE_KEY=${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
    
    • Pavel Niedoba
      Pavel Niedoba about 2 years
      openssl genrsa -out example.com-private.pem 1024 -outform PEM on Debian bullseye outputs "Extra arguments given. genrsa: Use -help for summary." Removing -outform PEM will help.
  • aigffmss
    aigffmss almost 8 years
    Yes, I am using remote_smtp. Single domain does not work. Yesterday I already tried a single domain. No success. DKIM_STRICT doesn't help. Mail arrives without signature. Just tried to send an email to yahoo: dkim=neutral (no sig). As I understand many people have this problem and I wonder why Exim doesn't fix it. Some people just switch to postfix etc.
  • BillThor
    BillThor almost 8 years
    I've verified that dkim_strict does prevent sending email if the message can't be signed. Please add the output of grep DKIM /var/lib/exim/config.autogenerated to your post. This should include your DKIM settings if you have done them in the correct place. This is different for split files and single file configurations. It helps not to hide the domain you are working with.
  • BillThor
    BillThor almost 8 years
    @aigffmss from your configuration changes it appears you should be using dc_use_split_config='true' in update-exim4.conf.conf. If not, your changes should be in exim4.conf.template. In either case, you need to reload or restart Exim for your changes to be effective.
  • aigffmss
    aigffmss almost 8 years
    I got working 1 domain when I place my configuration in exim4.conf.template file. But only 1 domain. Multiple domains still don't work. I just updated my question.
  • BillThor
    BillThor almost 8 years
    Try using DKIM_STRICT = true with DKIM_PRIVATE_KEY = CONFDIR/${sender_address_domain}.private. This should log the errors. You could also use the same key for all domains. There is no requirement that each domain have a separate signing key.
  • aigffmss
    aigffmss almost 8 years
    Errors: 2016-06-05 17:28:51 1b9Ywm-0001BL-FX failed to expand dkim_private_key: missing or misplaced { or } 2016-06-05 17:37:41 1b9ZBN-0001ex-2Q failed to expand dkim_private_key: letter or digit expected after ${
  • BillThor
    BillThor almost 8 years
    That error would occur if sender_address_domain is null. Either normal submission rules aren't being applied or you have a broken rewrite rule. Do you have control = suppress_local_fixups configured somewhere? $domain:h_from: might work instead of sender_host_domain. Sending to a validator like port25 might help you understand what is happening.
  • Daniel Sokolowski
    Daniel Sokolowski over 5 years
    "Verify that that you are using the remote_smtp transport" saved my bacon, thank you!
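
The receiving side of the check discussed in this thread (the "dkim=neutral (no sig)" verdict from Yahoo, and the 20160604._domainkey.example.com record in the question) can also be read off the headers of a delivered message. The following is an added example, not code from the question, the answers or the Exim project. It assumes nothing beyond POSIX sed/grep; the messages and Authentication-Results headers it parses are constructed, modelled on the selector and domain used in the question.

```shell
#!/bin/sh
# Added example (not from the question or any comment): receiving-side checks
# on constructed headers modelled on the question's selector and domain.

# header_body LINE: drops the "Name:" prefix of a header line.
header_body() { printf '%s\n' "$1" | sed 's/^[^:]*://'; }

# dkim_tag TAGLIST NAME
# Prints the value of NAME= in a DKIM tag=value list (a DKIM-Signature body or
# the selector's TXT record); whitespace is ignored, as RFC 6376 allows.
dkim_tag() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# dkim_dns_name DKIM_SIGNATURE_HEADER
# Prints the TXT record name a verifier will query, <s>._domainkey.<d>; it must
# match the record published for the signing key (the question's is
# 20160604._domainkey.example.com).
dkim_dns_name() {
    body=$(header_body "$1")
    d=$(dkim_tag "$body" d)
    s=$(dkim_tag "$body" s)
    [ -n "$d" ] && [ -n "$s" ] || return 1
    printf '%s._domainkey.%s\n' "$s" "$d"
}

# dkim_auth_result AUTHENTICATION_RESULTS_HEADER
# Prints the dkim= verdict (pass, fail, neutral, none, ...) a receiver recorded;
# prints nothing if the receiver recorded no DKIM result at all.
dkim_auth_result() {
    printf '%s\n' "$1" | sed -n 's/.*[; ]dkim=\([a-z]*\).*/\1/p'
}

# dkim_signature_of < MESSAGE
# Prints the first DKIM-Signature header, unfolded onto one line. Only the
# header block (up to the first blank line) is examined, so body text is ignored.
dkim_signature_of() {
    sed '/^$/q' | sed -e :a -e '$!N' -e 's/\n[ \t]/ /' -e ta -e 'P;D' \
        | grep -i '^DKIM-Signature:' | head -n 1
}

# message_has_dkim_signature < MESSAGE: returns 0 if the message was signed.
message_has_dkim_signature() { [ -n "$(dkim_signature_of)" ]; }

# Constructed signed message (folded header, placeholder hash and signature).
sample_signed_message() {
    cat <<'EOF'
Return-Path: <user@example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=20160604; h=from:to:subject:date; bh=CONSTRUCTEDBODYHASH=;
  b=CONSTRUCTEDSIGNATURE=
From: user@example.com
To: test@example.org
Subject: DKIM test

hello
EOF
}

# Constructed unsigned message; the body mentions DKIM-Signature only as text.
sample_unsigned_message() {
    cat <<'EOF'
Return-Path: <user@example.com>
From: user@example.com
To: test@example.org
Subject: no DKIM

DKIM-Signature: this line is body text, not a header
EOF
}

for hdr in 'Authentication-Results: mx.yahoo.com; dkim=neutral (no sig) header.i=@example.com' \
           'Authentication-Results: mx.example.net; dkim=pass header.d=example.com header.s=20160604'; do
    echo "receiver verdict: $(dkim_auth_result "$hdr")"
done
sig=$(sample_signed_message | dkim_signature_of)
echo "verifier will query TXT record $(dkim_dns_name "$sig")"
```

To use this on a real message, save it with full headers and run `dkim_signature_of < message.eml`; an empty result is the "no sig" case from the thread, while a non-empty one lets dkim_dns_name tell you which TXT record the recipient looked up.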