====== Exim4 - Selective and multiple domain DKIM with Exim ======

===== Using lookups to support selective domain use =====

Since the Debian package contains "ifdef" for expansions, you can achieve  supporting selective domain use for DKIM in exim with lookups.  

Assuming the correct DNS records have been set up, add the key into /etc/exim4/dkim-foo.key and make it readable by the exim user (Debian-exim).  Create /etc/exim4/dkim_senders with a list of addresses that should have mail signed.

<file bash /etc/exim4/dkim_senders>
test@example.com
*@example.net
</file>


Create /etc/exim4/dkim_domains with the per-domain configs

<file bash /etc/exim4/dkim_domains>
example.com: selector=foo key=/etc/exim4/dkim-foo.key canon=relaxed
example.net: selector=bar key=/etc/exim4/dkim-bar.key
</file>


Create /etc/exim4/conf.d/main/00_local_dkim (if you're using split config)

<file bash /etc/exim4/conf.d/main/00_local_dkim>
 DKIM_DOMAIN =      ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}{$sender_address_domain}{}}

 ## make the following active instead if all mail from selected domains should be signed
 # DKIM_DOMAIN =      ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}

 DKIM_SELECTOR =    ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
 DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
 DKIM_CANON =       ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
 DKIM_STRICT =      ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
</file>

Run **update-exim4.conf** and reload exim.  For addresses not listed in **/etc/exim4/dkim_senders** exim should not attempt DKIM signing.  This config assumes that the signing domain is the sender's domain.  It's reasonable, but not necessarily always true.  It also assumes users on the same sender domain use the same signing key.  If necessary it wouldn't be too hard to swap the lookups around to allow domains to support different selectors.


===== Using custom router and transport files to support selective domain use =====

Support for DKIM signing in Exim is [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html|available since version 4.70]], and the configuration supplied with Debian makes it fairly straightforward to implement.  However it suggests an all or nothing configuration wherein all outgoing mail is signed with the same domain authority.

Where multiple domains are used it may be necessary to selectively switch on DKIM signing, and be able to specify the signing domain.  The following details provide a mechanism to do so within the standard Debian Exim configuration.

(This assumes that the keys have been created and the requisite records have been added to DNS for the affected domains.  It also assumes a split config.)

Set up a simple look up file such as /etc/exim4/dkim_senders

<file bash /etc/exim4/dkim_senders>
*@example.com: example.com
test@example.org: example.org
</file>

This config should mean that anything sent from any address at example.com is signed as example.com, but only test@example.org will be signed with the example.org key.  If default DKIM is not enabled, then no other example.org mail will be signed.

Now create a new router that sits in front of the main router for external main (whatever uses remote_smtp as a transport e.g. dnslookup) such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookp with a modified transport)

<file bash /etc/exim4/conf.d/router/180_local_primary_dkim>
dnslookup_dkim:
  debug_print = "R: dnslookup_dkim for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  senders = lsearch*@;/etc/exim4/dkim_senders
  transport = remote_smtp_dkim
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more
</file>
  
Then add in a new transport /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp)

<file bash /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim>
remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
dkim_selector = yourhostname
dkim_private_key = /etc/ssl/private/dkim.key
dkim_canon = relaxed
dkim_strict = false
#dkim_sign_headers = DKIM_SIGN_HEADERS
</file>

I've left the selector and keys the same since there doesn't appear to be any problem sharing these across domains, but these could also be found via lookups if needed.


===== References =====

https://debian-administration.org/users/lee/weblog/51