
I'm using exim 4.82 on Debian sid. I've followed several tutorials on how to configure exim to sign outgoing emails, but it seems like something is not behaving as it should be.

My diagnosis is that $sender_address_domain is always set to the hostname of the server (/etc/hostname), regardless of what the From: field is in the email message.

I've defined the following macros in /etc/exim4/conf.d/transport/00_exim4-config_header:

DKIM_CANON = relaxed
DKIM_DOMAIN = ${sender_address_domain}
DKIM_SELECTOR = dkim
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key

This current setup signs outgoing emails, but the domain in the DKIM signature is always set to euvps.rolisoft.net, regardless of the From: field. My best guess is $sender_address_domain is set to euvps.rolisoft.net, when it should be set to the domain of the email address in the From: field.

Because of this, the verification fails with a "bad version" message:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=euvps.rolisoft.net; s=dkim;  // <- d= should be set to whatever is in From
    h=Date:Message-Id:From:Subject:To; bh=...; b=...;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of root@euvps.rolisoft.net designates 188.226.159.108 as permitted sender) smtp.mail=root@euvps.rolisoft.net;
       dkim=neutral (bad version) header.i=@euvps.rolisoft.net;
       dmarc=fail (p=NONE dis=NONE) header.from=seriesinfos.com

Setting DKIM_DOMAIN manually to a domain name I'm going to send messages from solves this, and the DKIM signature becomes valid. However, I'm using multiple domain names, so it would be best if DKIM_DOMAIN were automatically set to whatever email address I'm sending the message from.

I have not set up custom routers and transports as some tutorials suggest. (I've done it at some point, but it had the same results, so I removed them.)

Setting DKIM_DOMAIN to ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}} (with dkim_senders properly set up) will simply not sign the messages; however, dkim_senders doesn't have euvps.rolisoft.net in it, so I'm guessing here $sender_address is also set to euvps.rolisoft.net, which is why the messages are not signed.

I'm not exactly sure how to debug what $sender_address_domain is set to.

RoliSoft


Although I'm still not sure why $sender_address isn't correctly populated, I found a workaround solution to my problem using another variable:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

This sets the domain name correctly on the DKIM signature.

To stop signing domains I don't have a key for, I've set up two other macros:

DKIM_FILE = /etc/exim4/keys/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

These essentially just look for a private key in /etc/exim4/keys/*domain*.pem and won't sign if it doesn't exist.

RoliSoft
    The $sender_address is set by the *ENVELOPE* sender. You are trying to sign based on the From Header sender. As you can see, in your case, they are two different things. Another possible fix would be to redo your email submission code such that the envelope sender is the same as the From header. The more alignment you get between envelope and headers, the better things are in general. – Todd Lyons Apr 24 '14 at 19:09
  • Thanks, although I read "envelope" in the documentation, I did not know they're different. I looked up PHP's `mail()`, and it looks like changing the envelope sender is quite a pain, so I guess I will just continue signing based on the `From` header. I also overwrite the `Return-Path` header to `bounce@${DKIM_DOMAIN}` in order to pass the DMARC ASPF test. – RoliSoft Apr 24 '14 at 21:08
  • Many times, the simplest way to control the envelope header is to stop using mail() and instead do SMTP to localhost port 25 using some standard PHP Mail framework. There are a few of them out there. – Todd Lyons Apr 25 '14 at 00:24
  • Yeah, changing the envelope sender in PHP is complicated: you have to turn off PHP's "safe" mode and add the webserver uid/gid to the exim privileged users list. (After that it's pretty easy.) – Jasen Aug 17 '15 at 04:16
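The following Python script is an added example (not from the question, the answer, or exim itself) that mirrors the answer's `${lc:${domain:$h_from:}}` and key-file-exists expansions, and then works through the envelope-vs-header alignment point raised in the comments: it reproduces why the Authentication-Results above show `dmarc=fail` (SPF passes for the envelope domain but does not align with the From: domain, and DKIM is neutral) and why signing with `d=` taken from From: fixes it. The sample message and envelope sender are constructed, and the organizational-domain logic is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr
from pathlib import Path

# Constructed sample mirroring the thread: the envelope sender (what exim puts
# in $sender_address) is on the server hostname; the From: header is not.
SAMPLE_ENVELOPE_SENDER = "root@euvps.rolisoft.net"
SAMPLE_MESSAGE = (
    "From: Alerts <alerts@SeriesInfos.com>\n"
    "To: someone@example.com\n"
    "Subject: test\n\n"
    "body\n"
)


def from_domain(raw_message):
    """Python equivalent of the answer's ${lc:${domain:$h_from:}} expansion."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dkim_key_path(domain, key_dir="/etc/exim4/keys"):
    """Equivalent of DKIM_FILE / DKIM_PRIVATE_KEY: key path if present, else None (no signing)."""
    path = Path(key_dir) / f"{domain}.pem"
    return str(path) if path.is_file() else None


def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, strict=False):
    """DMARC identifier alignment: strict = exact match, relaxed = same organizational domain."""
    if strict:
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_result(envelope_sender, raw_message, dkim_d, spf_pass, dkim_pass, strict=False):
    """DMARC passes only if SPF or DKIM passes AND that identifier aligns with From:."""
    header_from = from_domain(raw_message)
    env_domain = envelope_sender.rsplit("@", 1)[1]
    spf_ok = spf_pass and aligned(env_domain, header_from, strict)
    dkim_ok = dkim_pass and aligned(dkim_d, header_from, strict)
    return {"header_from": header_from, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Before: d= from $sender_address_domain, DKIM neutral -> dmarc=fail as in the thread.
    print(dmarc_result(SAMPLE_ENVELOPE_SENDER, SAMPLE_MESSAGE, "euvps.rolisoft.net", True, False))
    # After: d= from the From: header -> DKIM aligns -> DMARC passes.
    print(dmarc_result(SAMPLE_ENVELOPE_SENDER, SAMPLE_MESSAGE, from_domain(SAMPLE_MESSAGE), True, True))
```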