I'm using exim 4.82 on Debian sid. I've followed several tutorials on how to configure exim to sign outgoing emails, but it seems like something is not behaving as it should be.
My diagnosis is that $sender_address_domain is always set to the hostname of the server (/etc/hostname), regardless of what the From: field is in the email message.
I've defined the following macros in /etc/exim4/conf.d/transport/00_exim4-config_header:
DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_SELECTOR = dkim
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key
This current setup signs outgoing emails, but the domain in the DKIM signature is always set to euvps.rolisoft.net, regardless of the From: field. My best guess is $sender_address_domain is set to euvps.rolisoft.net, when it should be set to the domain of the email address in the From: field.
Because of this, the verification fails with a bad version message:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=euvps.rolisoft.net; s=dkim; // <- d= should be set to whatever is in From
h=Date:Message-Id:From:Subject:To; bh=...; b=...;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of root@euvps.rolisoft.net designates 188.226.159.108 as permitted sender) smtp.mail=root@euvps.rolisoft.net;
dkim=neutral (bad version) header.i=@euvps.rolisoft.net;
dmarc=fail (p=NONE dis=NONE) header.from=seriesinfos.com
Setting DKIM_DOMAIN manually to a domain name I'm going to send messages from solves this, and the DKIM signature becomes valid. However, I'm using multiple domain names, so it would be best if DKIM_DOMAIN were automatically set to whatever email I'm sending the message from.
I have not set up custom routers and transports as some tutorials suggest. (I did at some point, but it had the same results, so I removed them.)
Setting DKIM_DOMAIN to ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}} (with dkim_senders properly set up) will simply not sign the messages. However, dkim_senders doesn't have euvps.rolisoft.net in it, so I'm guessing $sender_address is also set to euvps.rolisoft.net here, which is why the messages are not signed.
I'm not exactly sure how to debug what $sender_address_domain is set to.
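
The mismatch described in the question can be checked on any delivered message by comparing the signature's d= tag with the From: header domain and the envelope sender domain. The script below is an added example, not part of the original post: the sample message is constructed from the headers quoted above, the From: local part and the bh=/b= values are placeholders, and only strict (exact-match) alignment is tested.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post;
# bh= and b= are placeholders, so no signature is verified here.
SAMPLE = """\
Return-Path: <root@euvps.rolisoft.net>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=euvps.rolisoft.net; s=dkim;
 h=Date:Message-Id:From:Subject:To; bh=PLACEHOLDER; b=PLACEHOLDER;
From: Example Sender <noreply@seriesinfos.com>
To: someone@example.org
Subject: test

body
"""

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def domain_of(addr_header):
    """Lower-cased domain of the address in a From/Return-Path style header."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def alignment_report(raw):
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])  # envelope sender as recorded on delivery
    sigs = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    d_doms = [s.get("d", "").lower() for s in sigs]
    return {
        "header_from": from_dom,
        "envelope_sender": env_dom,
        "dkim_d": d_doms,
        # Strict alignment only (exact match); relaxed alignment needs the
        # organizational domain from the Public Suffix List.
        "dkim_aligned": bool(from_dom) and from_dom in d_doms,
        "signed_with_envelope_domain": bool(env_dom) and env_dom in d_doms,
    }

if __name__ == "__main__":
    for key, value in alignment_report(SAMPLE).items():
        print(f"{key}: {value}")
```
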