Re: [exim] DKIM outgoing Mail

Author: Mike Brudenell
Date:
To: exim users
Subject: Re: [exim] DKIM outgoing Mail
Hi, basti -

You can prevent the error by first checking whether the private key file
exists using the *exists* operator. For example,

dkim_private_key = ${if exists{/etc/exim4/ssl/dkim.${lc:${domain:$h_from:}}.private.key} \
                       {/etc/exim4/ssl/dkim.${lc:${domain:$h_from:}}.private.key}}

However you might want to build your selector name into the test too, so
that if you change keys in the future you can switch easily from old to new
(and back again if you discover a problem with the new one!). For example,

dkim_private_key = ${if exists{/etc/exim4/ssl/dkim.${dkim_domain}-${dkim_selector}.private.key} \
                       {/etc/exim4/ssl/dkim.${dkim_domain}-${dkim_selector}.private.key}}


*But note what James says:* you should really only be DKIM-signing messages that

1. use a domain name you control in their RFC5322.From header, *and*
2. are originating from a source you trust: either a machine in your own
network, or someone who has authenticated to your service from anywhere.

(2) is important: otherwise a spammer could send a message to your server
with a From header forged to be one of your addresses. If you then forward
and DKIM-sign it, you're signing spam.

If you're really cunning and careful you can build all that into your
*dkim_domain* line. For example, in ours I use an expression to:

1. Check it's an authorised sender, i.e. it has authenticated or comes from a
machine with an IP address in our netblock, and then
2. use *lookup* with an *nwildlsearch* to look for the domain name in a
text file, and
3. if found, set *dkim_domain* to the value of the entry found in the
file (otherwise to the empty string, which suppresses DKIM signing).

Likewise I do an *lsearch* to look up the domain name to find the selector
name I should currently be using to sign with for that domain.

Cheers,
Mike B-)

On 1 March 2017 at 15:58, basti <mailinglist@???> wrote:

> Hello,
> I do sign outgoing mail with DKIM.
> In my config I use
>
> remote_smtp:
>   driver = smtp
>   dkim_domain = ${lc:${domain:$h_from:}}
>   dkim_selector = mx
>   dkim_private_key = /etc/exim4/ssl/dkim.${lc:${domain:$h_from:}}.private.key
>   dkim_canon = relaxed
>
> All is fine for my domains that I host.
>
> But when I get a mail from Facebook and redirect it to another
> mail address, I get an error that the private key for Facebook does not exist.
>
> 2017-03-01 04:01:22 1ciuVy-0004Hv-Ad <=
> notification+kr4ynkwxkesx@??? H=(mx-out.facebook.com)
> [69.171.232.172] P=esmtps X=TLS1.0:ECDHE_RSA_AES_128_CBC_SHA1:128 CV=no
> S=20050 id=a7d60ae185f5cf2f9aa2e4db61bfeac8@???
> ....
> 2017-03-01 04:01:24 1ciuVy-0004Hv-Ad unable to open private key file for
> reading: /etc/exim4/ssl/dkim.facebookmail.com.private.key
>
>
> That's OK, but how do I solve it?
> Should I only sign my own domains?
>
> best regards,
> basti
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
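The approach Mike sketches above (authorised-sender check, nwildlsearch for the signing domain, lsearch for the current selector, existence check on the key file) assembled into one transport, as an added example written for this page; it is not Mike's, basti's or Exim's own configuration. The lookup file paths, their contents, the key-file naming and the 192.0.2.0/24 netblock are constructed placeholders to be replaced with your own.

```exim
# Constructed sample lookup files (placeholders, not from the thread):
#
# /etc/exim4/dkim-domains   -- From: domain pattern  ->  domain to sign as
#   example.org:      example.org
#   *.example.org:    example.org
#   example.net:      example.net
#
# /etc/exim4/dkim-selectors -- signing domain  ->  selector currently in use
#   example.org:      sel2017a
#   example.net:      mx
#
# Key files follow the dkim.<domain>-<selector>.private.key pattern, e.g.
#   /etc/exim4/ssl/dkim.example.org-sel2017a.private.key

remote_smtp:
  driver = smtp

  # Sign only when the message is from a trusted source: the sender
  # authenticated, or the sending host is in our own netblock (placeholder
  # 192.0.2.0/24). The def: guard on $sender_host_address keeps match_ip from
  # being evaluated for locally submitted mail, which has no sending host.
  # If trusted, map the lowercased From: domain to a signing domain via
  # nwildlsearch; an unknown domain, or an untrusted source, yields the empty
  # string, and an empty dkim_domain suppresses signing entirely.
  dkim_domain = ${if or{ {def:authenticated_id} \
                         {and{ {def:sender_host_address} \
                               {match_ip{$sender_host_address}{192.0.2.0/24}} }} } \
                     {${lookup{${lc:${domain:$h_from:}}}nwildlsearch{/etc/exim4/dkim-domains}{$value}{}}} \
                     {}}

  # Selector to sign with for that domain; swapping keys is then a one-line
  # change in the selector file once the new DNS TXT record is published.
  dkim_selector = ${lookup{$dkim_domain}lsearch{/etc/exim4/dkim-selectors}{$value}{}}

  # Only hand Exim a key path that actually exists, so a missing file
  # skips signing instead of logging "unable to open private key file".
  dkim_private_key = ${if exists{/etc/exim4/ssl/dkim.${dkim_domain}-${dkim_selector}.private.key} \
                         {/etc/exim4/ssl/dkim.${dkim_domain}-${dkim_selector}.private.key}}

  dkim_canon = relaxed
```

With this in place, a redirected Facebook notification fails the first test (not authenticated, not from the netblock), so dkim_domain expands to the empty string and the message is relayed unsigned rather than triggering the missing-key error from basti's log. Exim's `or` and `and` conditions stop evaluating at the first sub-condition that decides the result, which is what makes the `def:sender_host_address` guard effective. Note that the lookup files make signing an explicit allow-list: a domain absent from dkim-domains is never signed, even from a trusted source.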