Re: [exim] How to use Domainkeys and DKIM with Exim 4.7.1?

Thanks a lot Bryn,
The problem is that till now Yahoo check the Domainskeys and if I sign only DKIM I don't see the verified key sign.
I'll try DKIMproxy but if you have some simple docs for its installing and integration with Exim 4.71 I'll be grateful.
Thanks a lot,
John

--- On Sun, 6/27/10, Bryn Jones <bpaj@???> wrote:


From: Bryn Jones <bpaj@???>
Subject: Re: [exim] How to use Domainkeys and DKIM with Exim 4.7.1?
To: "john george" <zngr2003@???>
Cc: "exim-users@???" <exim-users@???>
Date: Sunday, June 27, 2010, 12:50 PM


Ok, as no one has replied to this one yet, the options as I see them are:

1. Use the Exim 4.70+ DKIM support as I assume you are now.

Pros: It works, is simple, and maintained.
Cons: It doesn't satisfy the DomainKeys requirement.

2. Install two versions of Exim, version 4.69 with the experimental DomainKeys support and Exim 4.70+ with DKIM support, and arrange to have messages passed through 4.69 and DomainKeys signed, then through 4.70+ and DKIM signed.

Pros: I can't see why it wouldn't work, it's a Pure Exim solution!
Cons: Messy; you need to maintain two Exim configurations, and an old version of Exim complete with any bugs etc; have to run the second Exim on nonstandard ports and nonstandard  spool locations to do it on one box.

3. Use a proxy to sign outgoing messages. For example DKIMproxy can sign with both DomainKeys and DKIM (found by typing "DomainKeys DKIM proxy" into google).

Pros: Only adding one additional step to the message path; not deliberately using old, and as you cant upgrade it, unmaintained version of Exim.
Cons: Adds another program to install and maintain.

All this is all from a technical point of view, there are other people who can, and have recently, argued the utility of these sorts of signatures at all (check the list archives if you want to see that).

One thing I will say is that adding the DomainKeys signature to the DKIM signature only allows MTAs who understand DomainKeys but not DKIM to validate the message. I would argue that the number of MTAs out there that fall into that category is rapidly approaching zero, so unless you have a specific need (i.e. specific recipient(s)), it's probably not worth the effort.

Bryn
--
Or words to that effect...

On 26 Jun 2010, at 12:10, john george <zngr2003@???> wrote:

> Hi,
> Is there a way I can do to use both Domainkeys and DKIM with Exim 4.7.1?
> Please give me details.
> Thanks,
> John
>
>
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

      From iane@??? Mon Jun 28 11:48:23 2010
Envelope-to: exim-users@???
Received: from sivits.uscs.susx.ac.uk ([139.184.14.88]:65087)
    by tahini.csx.cam.ac.uk with esmtp (Exim 4.72)
    (envelope-from <iane@???>) id 1OTBt0-0000xn-1m
    for exim-users@???; Mon, 28 Jun 2010 11:48:23 +0100
Received: from lewes.staff.uscs.susx.ac.uk ([139.184.135.133]:57401)
    by sivits.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256)
    (Exim 4.72) (envelope-from <iane@???>)
    id L4Q0S7-00091H-62; Mon, 28 Jun 2010 11:50:31 +0100
Date: Mon, 28 Jun 2010 11:48:21 +0100
From: Ian Eiloart <iane@???>
Sender: iane@???
To: exim.ml@???
Message-ID: <7D27DDA9282EA1E1843EB66C@???>
In-Reply-To: <1277470572.5952.8.camel@localhost>
References: <1277372620.10756.341.camel@???>
    <CE0F2E44E551B586D3AFC09E@???>
    <1277470572.5952.8.camel@localhost>
Originator-Info: login-tokenElberry:01lgtV9v9sw1vXeKlYAjEJgMhp/IN2UPkxC3Y;
    token_authority¥pport@???
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charsetÃ-ascii; format\owed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
X-Spam-Score: -1.6 (-)
X-Spam-Status: No, scoreÑ.6 required~0 tests÷LÐ.146,
    BAYES_00Ñ.5 autolearnO version^1.8
Cc: exim-users@???
Subject: Re: [exim] listed at Backscatterer.org
X-BeenThere: exim-users@???
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: A user list for the exim MTA <exim-users.exim.org>
List-Unsubscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject¾subscribe>
List-Archive: <http://lists.exim.org/lurker/list/exim-users.html>
List-Post: <mailto:exim-users@exim.org>
List-Help: <mailto:exim-users-request@exim.org?subjectŽlp>
List-Subscribe: <http://lists.exim.org/mailman/listinfo/exim-users>,
    <mailto:exim-users-request@exim.org?subject¥bscribe>
X-List-Received-Date: Mon, 28 Jun 2010 10:48:23 -0000

--On 25 June 2010 13:56:12 +0100 Ron White <exim.ml@???> wrote:

> On Fri, 2010-06-25 at 11:28 +0100, Ian Eiloart wrote:
>> --On 24 June 2010 09:43:40 +0000 Kebba Foon <kebba.foon@???> wrote:
>>
>> >
>> > Backscatterer - Why it is abusive and how to stop your system doing so
>> >
>> > Email servers should be configured to provide Non-Delivery Reports
>> > (bounces) to local users only.
>> > Unacceptable email from anywhere else should be rejected.
>> >
>>
>> This is silly advice. It should be quite acceptable to bounce email that
>> has an SPF pass, or that has a valid DKIM signature (provided the return
>> path domain matches a signed From header domain). In both cases, if
>> you're creating collateral spam, then that's the fault of the domain
>> operator.
>>
> There is probably a bit of a translation issue there as backscatter.org
> is part of Dirk & Claus 'UCEProtect' stable of blocklists.
>
> My personal opinion is you should never accept mail that you cannot
> deliver to a user and in such a scenario it should be rejected at SMTP
> time - not after a 250 is given and (any/the) MTA decides it does not
> want it for whatever reason. Exim is very flexible and its brilliant
> ACL's can pretty much reduce backscatter to zero if configured
> correctly.

Well, the backscatter issue means that we have no choice but to try to do
that. But that's a bad thing. It would be a much better world in which we
were able to accept such messages, and then generate a bounce. Why? Because
bounce messages have the potential to be more user-friendly.

I believe that with improved email authentication (SPF, DKIM, etc), we'll
one day be able to revive the bounce message.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/