Table of Contents
Exim4 - Selective and multiple domain DKIM with Exim
Using lookups to support selective domain use
Since the Debian package contains “ifdef” for expansions, you can achieve supporting selective domain use for DKIM in exim with lookups.
Assuming the correct DNS records have been set up, add the key into /etc/exim4/dkim-foo.key and make it readable by the exim user (Debian-exim). Create /etc/exim4/dkim_senders with a list of addresses that should have mail signed.
- /etc/exim4/dkim_senders
test@example.com *@example.net
Create /etc/exim4/dkim_domains with the per-domain configs
- /etc/exim4/dkim_domains
example.com: selector=foo key=/etc/exim4/dkim-foo.key canon=relaxed example.net: selector=bar key=/etc/exim4/dkim-bar.key
Create /etc/exim4/conf.d/main/00_local_dkim (if you're using split config)
- /etc/exim4/conf.d/main/00_local_dkim
DKIM_DOMAIN = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}{$sender_address_domain}{}} ## make the following active instead if all mail from selected domains should be signed # DKIM_DOMAIN = ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}} DKIM_SELECTOR = ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}} DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}} DKIM_CANON = ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}} DKIM_STRICT = ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
Run update-exim4.conf and reload exim. For addresses not listed in /etc/exim4/dkim_senders exim should not attempt DKIM signing. This config assumes that the signing domain is the sender's domain. It's reasonable, but not necessarily always true. It also assumes users on the same sender domain use the same signing key. If necessary it wouldn't be too hard to swap the lookups around to allow domains to support different selectors.
Using custom router and transport files to support selective domain use
Support for DKIM signing in Exim is available since version 4.70, and the configuration supplied with Debian makes it fairly straightforward to implement. However it suggests an all or nothing configuration wherein all outgoing mail is signed with the same domain authority.
Where multiple domains are used it may be necessary to selectively switch on DKIM signing, and be able to specify the signing domain. The following details provide a mechanism to do so within the standard Debian Exim configuration.
(This assumes that the keys have been created and the requisite records have been added to DNS for the affected domains. It also assumes a split config.)
Set up a simple look up file such as /etc/exim4/dkim_senders
- /etc/exim4/dkim_senders
*@example.com: example.com test@example.org: example.org
This config should mean that anything sent from any address at example.com is signed as example.com, but only test@example.org will be signed with the example.org key. If default DKIM is not enabled, then no other example.org mail will be signed.
Now create a new router that sits in front of the main router for external main (whatever uses remote_smtp as a transport e.g. dnslookup) such as /etc/exim4/conf.d/router/180_local_primary_dkim (basically a copy of dnslookp with a modified transport)
- /etc/exim4/conf.d/router/180_local_primary_dkim
dnslookup_dkim: debug_print = "R: dnslookup_dkim for $local_part@$domain" driver = dnslookup domains = ! +local_domains senders = lsearch*@;/etc/exim4/dkim_senders transport = remote_smtp_dkim same_domain_copy_routing = yes # ignore private rfc1918 and APIPA addresses ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ 255.255.255.255 no_more
Then add in a new transport /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim (basically a modified version of remote_smtp)
- /etc/exim4/conf.d/transport/30_local_remote_smtp_dkim
remote_smtp_dkim: debug_print = "T: remote_smtp_dkim for $local_part@$domain" driver = smtp .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_RETURN_PATH return_path = REMOTE_SMTP_RETURN_PATH .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}} dkim_selector = yourhostname dkim_private_key = /etc/ssl/private/dkim.key dkim_canon = relaxed dkim_strict = false #dkim_sign_headers = DKIM_SIGN_HEADERS
I've left the selector and keys the same since there doesn't appear to be any problem sharing these across domains, but these could also be found via lookups if needed.