
Mailing List Archive: exim: users

Default DKIM ACL?

 

 



majid.alavizadeh at gmail

Nov 26, 2009, 12:30 AM

Post #1 of 8 (1458 views)
Permalink
Default DKIM ACL?

Hi

I installed exim 4.70 and know that exim 4.70 supports native DKIM
without an external library.
I cannot find a DKIM header in sent mail. Do I need to change the
default ACL in the exim conf?




--
M Alavizadeh

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


peter at bowyer

Nov 26, 2009, 2:41 AM

Post #2 of 8 (1398 views)
Permalink
Re: Default DKIM ACL? [In reply to]

2009/11/26 majid alavizadeh <majid.alavizadeh [at] gmail>:
> Hi
>
> I install exim 4.70 and know that the exim 4.70 supports Native DKIM
> without an external library.
> I can not  find  DKIM in sent mail header. Is it needed to change
> default ACL in exim conf?

Did you read the DKIM section in the 4.70 / 4.71 documentation?

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



majid.alavizadeh at gmail

Nov 27, 2009, 7:15 AM

Post #3 of 8 (1394 views)
Permalink
Re: Default DKIM ACL? [In reply to]

Thanks but could you send me a sample?






--
M Alavizadeh



majid.alavizadeh at gmail

Nov 27, 2009, 8:28 AM

Post #4 of 8 (1399 views)
Permalink
Re: Default DKIM ACL? [In reply to]

This is my acl but sent mail doesn't have dkim:



acl_smtp_dkim = acl_check_dkim
KNOWN_DKIM_SIGNERS = paypal.com : gmail.com
dkim_verify_signers = $dkim_signers : KNOWN_DKIM_SIGNERS


acl_check_dkim:
  accept hosts = +relay_from_hosts

  accept authenticated = *

  accept dkim_status = none
         condition = ${if eq {$acl_c_dkim_hdr}{1} {no}{yes}}
         set acl_c_dkim_hdr = 1
         add_header = :at_start:X-DKIM: Exim 4.70 on $primary_hostname (no dkim signature)

  warn   condition = ${if eq {$acl_c_dkim_hdr}{1} {no}{yes}}
         set acl_c_dkim_hdr = 1
         add_header = :at_start:X-DKIM: Exim 4.70 on $primary_hostname

  deny   dkim_status = fail
         message = Rejected: $dkim_verify_reason

  accept dkim_status = invalid
         add_header = :at_start:Authentication-Results: $primary_hostname $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason

  accept dkim_status = pass
         add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_domain, header.i=@$dkim_cur_signer ($dkim_verify_status)

  accept







--
M Alavizadeh



peter at bowyer

Nov 27, 2009, 8:54 AM

Post #5 of 8 (1395 views)
Permalink
Re: Default DKIM ACL? [In reply to]

2009/11/27 majid alavizadeh <majid.alavizadeh [at] gmail>:
> This is my acl but sent mail dosen't have dkim:

<snip>

ACLs have nothing to do with signing mail.

As suggested already, please look at the documentation on DKIM.

The section headed 'Signing outgoing messages' might be a good place to start.

http://docs.exim.org/current/spec_html/ch54.html

And please, please, don't top-post. This is the third or fourth time
you've been asked. Be polite.

Peter

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



graeme at graemef

Nov 27, 2009, 8:56 AM

Post #6 of 8 (1396 views)
Permalink
Re: Default DKIM ACL? [In reply to]

On Fri, 2009-11-27 at 19:58 +0330, majid alavizadeh wrote:
> This is my acl but sent mail dosen't have dkim:

ACLs are processed for incoming mail, to decide what to do with them.

Transports are used to get mail out of Exim into other systems. To DKIM
sign messages, you need to use the right options on the right transport.

The docs, although they don't contain an example, are pretty clear on
what you need:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html#SECID513

You'll also need to understand the principles behind DKIM first - what
to sign, how to do it and so on.

Graeme




tlyons at ivenue

Nov 27, 2009, 10:10 AM

Post #7 of 8 (1391 views)
Permalink
Re: Default DKIM ACL? [In reply to]

On Fri, Nov 27, 2009 at 8:28 AM, majid alavizadeh
<majid.alavizadeh [at] gmail> wrote:
> This is my acl but sent mail dosen't have dkim:

As others have said, the ACLs are only for verifying dkim on received
messages. You have to modify other parts of your configuration to
sign outbound messages. Read section 54 of the spec file
(doc/spec.txt in the tarball IIRC).

I also see that you used a DKIM ACL section that I posted to the
mailing list when I was first figuring out how to implement it. There
are some bugs with that.

> warn condition = ${if eq {$acl_c_dkim_hdr}{1} {no}{yes}}
> set acl_c_dkim_hdr = 1
> add_header = :at_start:X-DKIM: Exim 4.70 on $primary_hostname

For example, the above logic uses an acl_c variable instead of an
acl_m variable. The acl_c variable persists for the entire
connection. So a bad guy could send one valid signed message, then
100 (signed or unsigned) messages all in the same session and that
header would not get added.

Also, you are doing this at the top of the ACL:

> acl_check_dkim:
> accept hosts = +relay_from_hosts
>
> accept authenticated = *

It is the wrong way to do it. Read the entire thread where you got
that DKIM ACL. Nigel responded to my email discussing what things
needed to change in that ACL, and specifically how to use the control
verb in the RCPT acl to tell exim not to attempt to verify any DKIM
sigs for the above two scenarios (is in +relay_from_hosts or is an
authenticated sender).

Go to the exim mailing list webpage (is at the bottom of each email
from the mailing list) and click on the "Archives" link. Just search
for DKIM and you'll see recent messages that discuss how to use it.

Also, READ SECTION 54 IN THE EXIM SPEC DOCUMENT. I cannot emphasize
this enough. Read it, reread it, and then reread it again.
Everything you need to know is in that section.
--
Regards... Todd
The best thing about pair programming is that you have the perfect
audience for your genius. -- Kent Beck
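
An added example, not part of the original message or of the Exim documentation: a sketch of the two changes described in the post above, using a per-message acl_m variable and the dkim_disable_verify control set from the RCPT ACL. The ACL name acl_check_rcpt and the variable name acl_m_dkim_hdr are assumptions; the rest follows the configuration quoted in the thread.

```exim
# Added example (constructed); acl_check_rcpt and acl_m_dkim_hdr are
# assumed names, the remaining names come from the config in the thread.

acl_check_rcpt:
  # Turn DKIM verification off for mail we relay ourselves, rather than
  # accepting such mail at the top of the DKIM ACL.
  warn    hosts         = +relay_from_hosts
          control       = dkim_disable_verify

  warn    authenticated = *
          control       = dkim_disable_verify

  # ... existing RCPT rules continue here ...

acl_check_dkim:
  # The DKIM ACL runs once per signer, so a marker variable keeps the
  # header from being added more than once per message. acl_m_* variables
  # are reset for every message; an acl_c_* marker would stay set for the
  # whole connection and suppress the header on every later message.
  accept  dkim_status   = none
          condition     = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
          set acl_m_dkim_hdr = 1
          add_header    = :at_start:X-DKIM: Exim 4.70 on $primary_hostname (no dkim signature)

  warn    condition     = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
          set acl_m_dkim_hdr = 1
          add_header    = :at_start:X-DKIM: Exim 4.70 on $primary_hostname

  deny    dkim_status   = fail
          message       = Rejected: $dkim_verify_reason

  accept
```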



majid.alavizadeh at gmail

Nov 28, 2009, 4:06 AM

Post #8 of 8 (1378 views)
Permalink
Re: Default DKIM ACL? [In reply to]

I use this solution:

#> openssl genrsa -out /usr/local/etc/exim/dkim/domain.org.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
.....................................................................++++++
e is 65537 (0x10001)

#> chown mailnull:wheel /usr/local/etc/exim/dkim/
#> chmod u=rx,go= /usr/local/etc/exim/dkim/

To create the DKIM TXT record:

#> openssl rsa -in /usr/local/etc/exim/dkim/domain.org.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQE.....
-----END PUBLIC KEY-----

I add this key for domain.org:

dkim._domainkey TXT "k=rsa; p=MIGfMA0GCSqGSIb3D.........;"

I change exim.conf:

## DKIM:
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /usr/local/etc/exim/dkim/${lc:${domain:$h_from:}}.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = dkim
  dkim_private_key = DKIM_PRIVATE_KEY


But mails are being sent without DKIM. Please help me :(
