{"id":646,"date":"2019-08-27T01:47:25","date_gmt":"2019-08-27T08:47:25","guid":{"rendered":"https:\/\/porkrind.org\/missives\/?p=646"},"modified":"2019-08-27T01:47:25","modified_gmt":"2019-08-27T08:47:25","slug":"dkim-and-exim4-on-debian","status":"publish","type":"post","link":"https:\/\/porkrind.org\/missives\/dkim-and-exim4-on-debian\/","title":{"rendered":"DKIM and Exim4 on Debian"},"content":{"rendered":"

I wanted to get DKIM working on an Debian box I have that runs Exim. The first thing to do is to create the keys:<\/p>\n

$ openssl genrsa -out diamonds.key 4096\n$ openssl rsa -in diamonds.key -pubout > diamonds.pub\n<\/code><\/pre>\n
I was following these<\/a> instructions and noticed that Exim supports ed25519 DKIM signatures. Neat! I decided I may as well create those keys, too:<\/p>\n
$ openssl genpkey -algorithm ed25519 -out hearts.key\n$ openssl pkey -outform DER -pubout -in hearts.key | tail -c +13 | base64 > hearts.pub\n<\/code><\/pre>\n
From there I stuck the public keys in DNS:<\/p>\n
diamonds._domainkey.example.com. 3600 IN TXT  \"v=DKIM1; k=rsa; t=s; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxDMS3KRFCU4PEtygOUdALBt7jmz5IIX2+KHoV4fd0CLjXRvOqA5H8rU3e+y1lNese9yjPLksPqiOh5vtx8Tysjv2MSTXB1Kgr0tl+1IlJL4ihdpUgR1veKB5X4wK3Ppkr5Oy42H7xNHf\/yj6aC1E+alZ8TdssuHY3ReqO6YvGa72UqTMmL1gBl9SXBUl\" \"vD+FqvfFtkQFFMU9QSTtrIuzcup6NC6z3a4I4UGz4YOZSxeUARKzySGFzPd7vwmrKEZVhlA0HzmJm9eGrjq6IiLVdgTJhSZ8Ecn9h65x9EjhNYYhsufTbcPDljlZYpA4b+dkTEs35a4KjOM2wY7gUdY9ydOqOCfz2BpzJ25Mn3K8nTV8a7fInWCnKg0sm6Fuiwe0DrQjrTe7xGC3Y03CU8eziynOukyWnfsCAnpWcUGa15bp1\/O0Le+ZYsKOWxA\" \"CL5cKlYPw1VJrqz7ZQ1i+s+twOLgEKWm8gwKMsDysgpM1WvE+IhlJkkZLkWavF9pAKeSD6akkHcbkB3QsDKgNugDC4EEm6XV\/+hPcTS9Gmd2PYPswxg8nlEdUDjxLul6UbKzWwkYihzKxhMSqCEXTUkt6eHjT+KAIHXVm86elFEmOcuadUWwr+74fgnTpv1XbWIs5qqqh\/zROhvUUR8EXZbjOchFEX3YjLO8NDPqHdW4zHt0CAwEAAQ==\"\nhearts._domainkey.example.com. 3600 IN TXT    \"v=DKIM1; t=s; k=ed25519; p=MTGVeSXmIzviF\/B+ANc\/bLqP2zEWhO\/rw6o8HxIl5+8=\"\n<\/code><\/pre>\n
Ed25519 is quite compact! t=s:y<\/code> is found in the DKIM RFC (section 3.6.1)<\/a>. t<\/code> is for various flags. s<\/code> is for strict (I’m just guessing the mnemonic)\u2014it means all the domain names have to match. Apparently you don’t want this if you use subdomains in your email addresses (I don’t). y<\/code> means “This domain is testing DKIM”\u2014ie, don’t worry if it fails. It seemed reasonable to set that while I was playing around.<\/p>\n
Next, I had to set up Exim in Debian. This was kind of a pain because there’s the Exim config, then the Debian wrapper around that config. This is made more complicated by the fact that Debian has a debconf option named dc_use_split_config<\/code>. You can see which way yours is set in \/etc\/exim4\/update-exim4.conf.conf<\/code> (the double .conf<\/code> is not<\/em> a typo!). If it’s false<\/code> then when you update \/etc\/exim4\/conf.d<\/code> you first have run \/usr\/sbin\/update-exim4.conf.template<\/code> which cats everything in the conf.d<\/code> dir into \/etc\/exim4\/exim4.conf.template<\/code>. Then you have to run \/usr\/sbin\/update-exim4.conf<\/code> which combines \/etc\/exim4\/exim4.conf.localmacros<\/code> and \/etc\/exim4\/exim4.conf.template<\/code> and puts the resulting final config file in \/var\/lib\/exim4\/config.autogenerated<\/code>. Fwew.<\/p>\n
The basic DKIM config is in \/etc\/exim4\/exim4.conf.localmacros<\/code>. I added these lines:<\/p>\n
DKIM_CANON = relaxed\nDKIM_SELECTOR = diamonds : hearts\nDKIM_DOMAIN = example.com\nDKIM_PRIVATE_KEY = \/etc\/exim4\/dkim\/$dkim_selector.key\n<\/code><\/pre>\n
For my setup this wasn’t enough. The DKIM_*<\/code> macros are only used by the “remote_smtp” transport (found in \/etc\/exim4\/conf.d\/transport\/30_exim4-config_remote_smtp<\/code>). I was using a “satellite” configuration with a smarthost. This means it uses the “remote_smtp_smarthost” transport (found in \/etc\/exim4\/conf.d\/transport\/30_exim4-config_remote_smtp_smarthost<\/code>). You can tell what transport is being used by looking for T=<\/code> in \/var\/log\/exim4\/mainlog<\/code>.<\/p>\n
I copied all the DKIM related stuff from \/etc\/exim4\/conf.d\/transport\/30_exim4-config_remote_smtp<\/code> into \/etc\/exim4\/conf.d\/transport\/30_exim4-config_remote_smtp_smarthost<\/code>, namely these lines:<\/p>\n
# 2019-08-26: David added these:\n.ifdef DKIM_DOMAIN\ndkim_domain = DKIM_DOMAIN\n.endif\n.ifdef DKIM_SELECTOR\ndkim_selector = DKIM_SELECTOR\n.endif\n.ifdef DKIM_PRIVATE_KEY\ndkim_private_key = DKIM_PRIVATE_KEY\n.endif\n.ifdef DKIM_CANON\ndkim_canon = DKIM_CANON\n.endif\n.ifdef DKIM_STRICT\ndkim_strict = DKIM_STRICT\n.endif\n.ifdef DKIM_SIGN_HEADERS\ndkim_sign_headers = DKIM_SIGN_HEADERS\n.endif\n<\/code><\/pre>\n
Then I ran update-exim4.conf.template<\/code> and update-exim4.conf<\/code> and finally systemctl restart exim4<\/code>.<\/p>\n
At this point I could send emails through and the DKIM headers were added.<\/p>\n
Next I removed the y<\/code> flag from the t<\/code> flags in the DNS since everything appeared correct. I also added the ADSP DNS record:<\/p>\n
_adsp._domainkey.example.com. 3600 IN  TXT     \"dkim=all\"\n<\/code><\/pre>\n
Then I wrote this post and called it a night!<\/p>\n","protected":false},"excerpt":{"rendered":"
I wanted to get DKIM working on an Debian box I have that runs Exim. The first thing to do is to create the keys: $ openssl genrsa -out diamonds.key 4096 $ openssl rsa -in diamonds.key -pubout > diamonds.pub I was following these instructions and noticed that Exim supports ed25519 DKIM signatures. Neat! I decided … Continue reading DKIM and Exim4 on Debian<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-646","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/comments?post=646"}],"version-history":[{"count":2,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/646\/revisions"}],"predecessor-version":[{"id":648,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/646\/revisions\/648"}],"wp:attachment":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/media?parent=646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/categories?post=646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/tags?post=646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}