
Mailing List Archive: exim: users

OT: DKIM - but nothing to do with Exim!

 

 



exim.ml at riotm

Mar 31, 2012, 2:05 AM

Post #1 of 7 (318 views)
OT: DKIM - but nothing to do with Exim!

Please forgive asking here, but the advice is always so good.

I'm trying to figure something out with DKIM that is making my head
explode. It's probably so simple too, but do you think I can find an
answer? No.

Suppose I have MTA (Exim/Qmail/Sendmail - doesn't matter) that is shared
amongst multiple domains. A 'main' domain name - say -
'somehosting.null' exists, and signs outbound mail with DKIM using its
private key. When mail is sent from 'anything [at] somehosting' DKIM
verification is fine because the domain has suitable DNS records to
authenticate it.

Now, another domain comes on stream with this shared MTA - say
'anotherdomain.null'. How can this ever send mail that is DKIM signed
when the private key is for somehosting.null?

Obviously I'm missing something really obvious here in my understanding.
Can anyone put me out of my misery?

Kind thanks
Ron



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


lucabert at lucabert

Mar 31, 2012, 2:15 AM

Post #2 of 7 (307 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

Ron White <exim.ml [at] riotm> wrote:

> Now, another domain comes on stream with this shared MTA - say
> 'anotherdomain.null'. How can this ever send mail that is DKIM signed
> when the private key is for somehosting.null?
>
> Obviously I'm missing something really obvious here in my understanding.
> Can anyone put me out of my misery?

Hi, Ron!

I can't tell you how to do that with MTAs other than Exim, but with Exim it is
really simple!
This is my configuration (just the part used to send out E-Mails):

Router:

external_gw:
  driver = dnslookup
  # Use the signing transport only when a key directory exists for the sender domain
  transport = ${if exists {/etc/exim/domainKeys/$sender_address_domain} \
                {remote_smtp_DK} {remote_smtp}}
  domains = !+local_domains
  no_more

Transport:

# Transport for sender domains WITHOUT DomainKeys
remote_smtp:
  driver = smtp

# Transport for sender domains WITH DomainKeys
remote_smtp_DK:
  driver = smtp
  dkim_canon = relaxed
  dkim_domain = $sender_address_domain
  # Selector is the first four characters of $tod_zulu, i.e. the UTC year
  dkim_selector = ${substr{0}{4}{$tod_zulu}}
  dkim_private_key = /etc/exim/domainKeys/$dkim_domain/$dkim_selector.priv
Now, in /etc/exim/domainKeys I have many directories, with the name of the
domain on my server that use DKIM to sign outgoing E-Mails (for example
lucabert.de, lucabert.com and so on).
Et voila! The E-Mail from something [at] lucabert will be signed with the DKIM
for lucabert.de, the E-Mail from someotherthing [at] lucabert (other domain on
my server) will be signed with the DKIM for lucabert.com.

Really simple, isn't it? :)

Regards
Luca Bertoncello
(lucabert [at] lucabert)
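
[Added example, not part of Luca's message or of the Exim project: a Python audit of the key layout described above. It checks that every domain directory holds a private key for the year-based selector and that the key is not accessible to other users, and it lists the DNS names where the matching public keys have to be published. The sample tree, the example.* domains and the December look-ahead are constructed assumptions.]

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

def audit_dkim_keys(key_root, now=None):
    """Check each <key_root>/<domain>/<YYYY>.priv the transport above would read.

    Returns (findings, dns_names): problems found, and the TXT record names
    (<selector>._domainkey.<domain>) where each public key must be published.
    """
    now = now or datetime.now(timezone.utc)
    # Mirror ${substr{0}{4}{$tod_zulu}}: the selector is the four-digit UTC year.
    selectors = [str(now.year)]
    if now.month == 12:
        selectors.append(str(now.year + 1))  # next year's key is needed at rollover
    findings, dns_names = [], []
    for domain in sorted(os.listdir(key_root)):
        domain_dir = os.path.join(key_root, domain)
        if not os.path.isdir(domain_dir):
            continue
        for selector in selectors:
            key_path = os.path.join(domain_dir, selector + ".priv")
            if not os.path.isfile(key_path):
                findings.append((domain, selector, "missing private key"))
                continue
            mode = stat.S_IMODE(os.stat(key_path).st_mode)
            if mode & 0o007:  # any permission bit set for "other" users
                findings.append((domain, selector, "key accessible to others"))
            dns_names.append(f"{selector}._domainkey.{domain}")
    return findings, dns_names

def demo():
    """Constructed sample tree: one healthy domain, one with two problems."""
    root = tempfile.mkdtemp()
    for domain, years, mode in [("example.org", ("2012", "2013"), 0o600),
                                ("example.net", ("2012",), 0o644)]:
        os.mkdir(os.path.join(root, domain))
        for year in years:
            path = os.path.join(root, domain, year + ".priv")
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
    return audit_dkim_keys(root, datetime(2012, 12, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The router in the configuration above only tests that the domain directory exists, so a directory without the current year's key file still selects the signing transport; that is the "missing private key" case the audit reports.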



exim.ml at riotm

Mar 31, 2012, 2:45 AM

Post #3 of 7 (305 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

On Sat, 2012-03-31 at 11:15 +0200, Luca Bertoncello wrote:
> Ron White <exim.ml [at] riotm> wrote:
>
> > Now, another domain comes on stream with this shared MTA - say
> > 'anotherdomain.null'. How can this ever send mail that is DKIM signed
> > when the private key is for somehosting.null?
> >
> > Obviously I'm missing something really obvious here in my understanding.
> > Can anyone put me out of my misery?
>
> Hi, Ron!
>
> I can't tell you how to do that with MTAs other than Exim, but with Exim it is
> really simple!
> This is my configuration (just the part used to send out E-Mails):
>
> Router:
>
> external_gw:
>   driver = dnslookup
>   transport = ${if exists {/etc/exim/domainKeys/$sender_address_domain} \
>                 {remote_smtp_DK} {remote_smtp}}
>   domains = !+local_domains
>   no_more
>
> Transport:
>
> # Transport for sender domains WITHOUT DomainKeys
> remote_smtp:
>   driver = smtp
>
> # Transport for sender domains WITH DomainKeys
> remote_smtp_DK:
>   driver = smtp
>   dkim_canon = relaxed
>   dkim_domain = $sender_address_domain
>   dkim_selector = ${substr{0}{4}{$tod_zulu}}
>   dkim_private_key = /etc/exim/domainKeys/$dkim_domain/$dkim_selector.priv
>
> Now, in /etc/exim/domainKeys I have many directories, with the name of the
> domain on my server that use DKIM to sign outgoing E-Mails (for example
> lucabert.de, lucabert.com and so on).
> Et voila! The E-Mail from something [at] lucabert will be signed with the DKIM
> for lucabert.de, the E-Mail from someotherthing [at] lucabert (other domain on
> my server) will be signed with the DKIM for lucabert.com.
>
> Really simple, isn't it? :)
>
> Regards
> Luca Bertoncello
> (lucabert [at] lucabert)
>
Hi Luca,

Thank you for your kind reply.

Is it Exim 4.72 onwards that supports DKIM natively?

All the 'how to' docs I read suggested using DKIMPROXY, and so far so
good.

I've now finally worked it out, typically by reading the documents
properly. I feel such a fool:

http://dkimproxy.sourceforge.net/manual/dkimproxy.out.html

Separate the domain names with commas, make sure all domains have the
same public key. Job done.

Thank you once again - appreciate the reply.

Ron






lucabert at lucabert

Mar 31, 2012, 2:53 AM

Post #4 of 7 (302 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

"exim.ml [at] riotm" <exim.ml [at] riotm> wrote:

> Is it Exim 4.72 onwards that supports DKIM natively?
>
> All the 'how to' docs I read suggested using DKIMPROXY, and so far so
> good.
>
> I've now finally worked it out, typically by reading the documents
> properly. I feel such a fool:
>
> http://dkimproxy.sourceforge.net/manual/dkimproxy.out.html
>
> Separate the domain names with commas, make sure all domains have the
> same public key. Job done.

I use Exim 4.75 and it supports DKIM natively.

Regards
Luca Bertoncello
(lucabert [at] lucabert)



exim-users at spodhuis

Mar 31, 2012, 3:08 AM

Post #5 of 7 (304 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

On 2012-03-31 at 10:45 +0100, exim.ml [at] riotm wrote:
> Is it Exim 4.72 onwards that supports DKIM natively?

4.70



exim.ml at riotm

Mar 31, 2012, 3:25 AM

Post #6 of 7 (305 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

On Sat, 2012-03-31 at 03:08 -0700, Phil Pennock wrote:
> On 2012-03-31 at 10:45 +0100, exim.ml [at] riotm wrote:
> > Is it Exim 4.72 onwards that supports DKIM natively?
>
> 4.70
>
I was close, but no cigar :-(




tlyons at ivenue

Apr 1, 2012, 2:14 AM

Post #7 of 7 (308 views)
Re: OT: DKIM - but nothing to do with Exim! [In reply to]

On Sat, Mar 31, 2012 at 2:05 AM, Ron White <exim.ml [at] riotm> wrote:
>
> Now, another domain comes on stream with this shared MTA - say
> 'anotherdomain.null'. How can this ever send mail that is DKIM signed
> when the private key is for somehosting.null?
>
> Obviously I'm missing something really obvious here in my understanding.
> Can anyone put me out of my misery?

The value for the dkim key is an expanded value, so you can do like
Luca said and create paths with the key files, or you can perform a
lookup and the data returned from that lookup will be what is used. I
do the lookups from a database. Mine is kinda weird and has a bunch
of macros, but basically in the transport, it does this:
dkim_domain = DKIM_DOMAIN
dkim_selector = DKIM_SELECTOR
dkim_private_key = DKIM_PRIVATE_KEY

And the macros it uses are:
(DKIM_DOMAIN is a long ugly complicated macro that I won't post
because it's site specific. In your case, the example posted by Luca
is likely to fit your needs, same for DKIM_LOCAL_PART)

DKIM_DOMAIN = $sender_address_domain
DKIM_LOCAL_PART = $sender_address_local_part
DKIM_DATA = ${lookup mysql {SELECT dk.selector, dk.private_key \
              FROM domain_key AS dk \
              JOIN domain AS d ON d.domain_key_id=dk.id \
              JOIN email AS e ON e.domain_id=d.id \
              WHERE d.name="${quote_mysql:DKIM_DOMAIN}" \
              AND e.name="${quote_mysql:DKIM_LOCAL_PART}" }}
DKIM_PRIVATE_KEY = ${extract{private_key}{DKIM_DATA}{$value}{}}
DKIM_SELECTOR = ${extract{selector}{DKIM_DATA}{$value}{}}

I hope this helps to clarify a little bit.

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding

