1

I've set up DKIM on Exim with the domain set like:

```
DKIM_DOMAIN = ${sender_address_domain}
```

However, the domain is always set to the same domain (my primary domain), which causes DMARC validation to fail, because of alignment, when sending emails for other domains (I host several websites).

From reading the documentation, I think the sender_address_domain is the envelope address and not the From field. How can I change the envelope address so that it matches the From field of a given email (I assume this will also allow SPF alignment to be correct)?

Also, for security, is it possible to have a whitelist of allowable domains, so Exim refuses to send emails that have another domain in the From field?

Sam Bull
  • It looks like you are using the Debian exim config, as you use `DKIM_DOMAIN` in capitals? As far as I know this is initialized at startup so using a per-message variable to set it will not work. As I read it you need to specify the list of possible domains here, the correct one should be selected. – wurtel Aug 13 '19 at 07:10
  • @wurtel Correct, I'm using Debian's. But, I'm not sure that makes any difference, they just do `dkim_domain = DKIM_DOMAIN`. So, how might I configure the variable per-message as you suggest? – Sam Bull Aug 14 '19 at 19:33
  • Same thing, `dkim_domain` is set at startup as far as I know. Note that it's a list, perhaps include all domains this exim might send email for. – wurtel Aug 15 '19 at 06:54
  • @wurtel Tried setting `DKIM_DOMAIN = foo.com : bar.com`, but this just results in DKIM not getting set at all. Even if that worked, I'm still unsure how I would change the sender domain for the SPF as well. – Sam Bull Aug 17 '19 at 11:22
  • Finally figured out the answer, but if anyone knows how to restrict it to only a whitelist of domains, that would be great. – Sam Bull Aug 25 '19 at 15:23

2 Answers

4

Add the rewrite rule to the Exim4 configuration:

```
*@+local_domains "${local_part}@${domain}" F
```

The rule rewrites the Envelope-from header to match the From header, allowing DMARC alignment to work correctly. The recommendation is to append it to the end of the section to avoid conflicts with current rules.

You can find this configuration in the file `/etc/exim4/conf.d/rewrite/10_from_rewrite` or in the section called `rewrite/31_exim4-config_rewriting` of the file `/etc/exim4/exim4.conf.template` (for Debian). Which one applies depends on whether you use the split or the single monolithic Exim4 config file; you may need to run the command `update-exim4.conf`.

Restart Exim after reconfiguration using `systemctl restart exim4`.


The rule explanation:

  • `*` in `*@+local_domains` = all local parts, e.g. users.
  • `+local_domains` = all domains served by the Exim4 server (defined in the `dc_other_hostnames` and `dc_readhost` variables) and not other domains (redirection attempts etc.).
  • `${local_part}@${domain}` composes an RFC 2822 compliant e-mail address from the From field. The variables are described in the Exim4 documentation (string expansions). You can use just `"$header_from:"`, but addresses in a form such as `"John Doe <john.doe@example.net>"` will fail and get recorded in the paniclog because of the "John Doe" part.
  • `F` = the target field of the rewrite operation is the Envelope-from. See the Exim4 documentation (address rewriting).
noone
  • Finally testing this out. Question about `dc_other_hostnames`, the documentation says `This is the list of domains for which this machine should consider itself the final destination.` But, this server should only send emails from these domains, it should never receive them. Should I add the domains there anyway, or does the config need to change? – Sam Bull Oct 24 '21 at 15:07
  • OK, seems to work for me without setting `dc_other_hostnames`. But, it allows rewriting to any domain. Would be nice to have a whitelist, so it will only rewrite for certain domains. – Sam Bull Oct 24 '21 at 22:53
0

Add the rewrite rule:

```
*       "$header_from:" F
```

In Debian this can be added by creating a file such as `/etc/exim4/conf.d/rewrite/10_from_rewrite`. This rule rewrites the sender field to match the From header, allowing DMARC alignment to work correctly.

Sam Bull
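An added example, not part of the original question or answers: a Python check that can be run over a copy of a sent message to confirm the alignment discussed above (From: domain against the envelope sender and the DKIM `d=` tag) and to flag From: domains outside an allowlist. The allowlist contents, the sample message and all function names are constructed for illustration. It compares domains only and does not verify SPF or DKIM results, and relaxed alignment is approximated as a parent/subdomain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this server may send for (constructed values).
ALLOWED_FROM_DOMAINS = {"foo.com", "bar.com"}

# Constructed sample: From is bar.com but the signature carries d=foo.com,
# the misalignment described in the question.
SAMPLE = (
    'From: "John Doe" <john.doe@bar.com>\n'
    "DKIM-Signature: v=1; a=rsa-sha256; d=foo.com; s=mail;\n"
    " h=from:subject; bh=AAAA; b=BBBB\n"
    "Subject: test\n\nbody\n"
)

def _domain(addr):
    """Lowercased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def _aligned(candidate, from_domain, relaxed):
    if not candidate or not from_domain:
        return False
    if candidate == from_domain:
        return True
    # Relaxed mode approximated as parent/subdomain match; real DMARC
    # compares organizational domains via the Public Suffix List.
    return relaxed and (candidate.endswith("." + from_domain)
                        or from_domain.endswith("." + candidate))

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header (signatures are not verified)."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"(?:^|;)d=([^;]+)", re.sub(r"\s+", "", value))
        if tag:
            found.append(tag.group(1).lower())
    return found

def check_message(raw, envelope_from, relaxed=True):
    """Compare the From: domain with the envelope sender and DKIM d= domains."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return {
        "from_domain": from_domain,
        "from_allowed": from_domain in ALLOWED_FROM_DOMAINS,
        "spf_aligned": _aligned(_domain(envelope_from), from_domain, relaxed),
        "dkim_aligned": any(_aligned(d, from_domain, relaxed)
                            for d in dkim_domains(msg)),
    }
```

Calling `check_message(SAMPLE, "www-data@foo.com")` reports both alignment checks as false for the constructed sample, which is the state in which DMARC fails for the secondary domain.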