On 2013-02-20 at 16:21 +0100, a.smith@??? wrote:
> remote_smtp:
>   driver = smtp
>   dkim_domain = ${sender_address_domain}
>   dkim_selector = dkimxy
>   dkim_private_key = /usr/local/etc/exim/${sender_address_domain}/dkim.private.key
>   dkim_canon = relaxed
>
> I was just wondering what the recommended config would be to have DKIM
> only used on specific domains. One option is to simply have no domain
> private key for domains without DKIM and let Exim fail reading the key
> and send anyway (this will log an error every time to the mainlog), but I
> guess there must be a cleaner way to do this.
> Can anyone advise?
Set the dkim_private_key to "false" instead of a path that doesn't exist.
  dkim_private_key = ${if exists \
    {/usr/local/etc/exim/${sender_address_domain}/dkim.private.key}\
    {/usr/local/etc/exim/${sender_address_domain}/dkim.private.key}\
    {false}}
I recommend also thinking about how you will *roll* your keys, which
you'll need to do periodically; how often depends upon the keysize and
how desirable your domain is to attack, but you should probably roll
them at least once a year, just to make sure that people remember how to
do it.
-Phil
----------------------------8< cut here >8------------------------------
+----------------+---------+-------------+--------------+
|dkim_private_key|Use: smtp|Type: string*|Default: unset|
+----------------+---------+-------------+--------------+
MANDATORY: This sets the private key to use. You can use the $dkim_domain and
$dkim_selector expansion variables to determine the private key to use. The
result can either
* be a valid RSA private key in ASCII armor, including line breaks.
* start with a slash, in which case it is treated as a file that contains the
private key.
* be "0", "false" or the empty string, in which case the message will not be
signed. This case will not result in an error, even if dkim_strict is set.
----------------------------8< cut here >8------------------------------
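As an added example (my own, not code from the thread or from Exim), a small POSIX shell audit of the per-domain key layout the quoted transport uses: it mirrors the ${if exists {...}{...}{false}} expansion, flags keys older than a year in line with the rolling advice above, and flags a private key that other local users can read. EXIM_KEYDIR, MAX_AGE_DAYS and the function names are assumed names.

```shell
#!/bin/sh
# Added example, not part of the thread: audit per-domain DKIM keys laid out
# the way the quoted transport expects them, $EXIM_KEYDIR/<domain>/dkim.private.key.
# EXIM_KEYDIR and MAX_AGE_DAYS are assumed names, overridable from the environment.
EXIM_KEYDIR="${EXIM_KEYDIR:-/usr/local/etc/exim}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-365}"

# dkim_key_for DOMAIN: prints what the ${if exists {...}{...}{false}} expansion
# would hand to dkim_private_key: the key path, or "false" (send unsigned, no error).
dkim_key_for() {
    key="$EXIM_KEYDIR/$1/dkim.private.key"
    if [ -f "$key" ]; then printf '%s\n' "$key"; else printf 'false\n'; fi
}

# dkim_key_status DOMAIN: prints one word describing the key.
#   unsigned        no key file, Exim will send unsigned
#   world-readable  the private key can be read by any local user
#   roll-overdue    key file older than MAX_AGE_DAYS (the "at least once a year" rule)
#   ok              otherwise
dkim_key_status() {
    key=$(dkim_key_for "$1")
    if [ "$key" = false ]; then
        echo unsigned
        return 0
    fi
    # ls -l mode string: type, user rwx, group rwx, other rwx; 8th char is "other" read
    case $(ls -ld "$key") in
        ???????r*) echo world-readable; return 0 ;;
    esac
    # find prints the path only if it was last modified more than MAX_AGE_DAYS ago
    if [ -n "$(find "$key" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo roll-overdue
    else
        echo ok
    fi
}

# dkim_audit DOMAIN...: one tab-separated line per domain (domain, key path, status)
dkim_audit() {
    for d in "$@"; do
        printf '%s\t%s\t%s\n' "$d" "$(dkim_key_for "$d")" "$(dkim_key_status "$d")"
    done
}

# Usage: sh dkim_audit.sh example.org example.net   (no-op when no domains are given)
[ $# -eq 0 ] || dkim_audit "$@"
```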