[pcre-dev] Buganizer mails lost after Exim 4.90 upgrade

Author: Phil Pennock
Date:  
To: pcre-dev, exim-dev
Subject: [pcre-dev] Buganizer mails lost after Exim 4.90 upgrade
Folks,

We experienced a regression in Exim with the 4.90 upgrade, which
affected exim.org mail. As a result, all mail generated by the exim.org
box which was sent out from a domain other than exim.org itself was not
sent.

Instead, the mail was queued as having a temporary problem, and then
eventually bounced.

This affects:
* buganizer
* cron job output
* probably other things
since Exim was updated to 4.90 on December 22nd, 2017.

The regression is that "dkim_private_key" being set to false does not
currently override "dkim_strict" and so instead of being sent unsigned,
the mail sending fails.

I have:
* added a DKIM signing key for bugs.exim.org;
* changed the configuration so that dkim_strict is based upon the same
logic as dkim_private_key, so that it's only set to '1' if we will be
signing;
* filed bug 2220 about this regression in Exim
<https://bugs.exim.org/show_bug.cgi?id=2220>;

I'm currently recovering from fever so am not diving into the Exim
codebase to fix this myself. That's my excuse and I think it's a good
one. *coughcoughhack* (I was honestly apprehensive about changing
system configs, or logging in as root, in my current state.)

For elucidation, this is our current remote_smtp configuration on the
exim.org box:

remote_smtp:
  driver = smtp
  rcpt_include_affixes
  tls_require_ciphers = ALL:-SSLv3:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  # hosts_try_chunking =
  dnssec_request_domains = *
  hosts_try_dane = *
  hosts_try_fastopen = *
  dkim_domain = ${domain:$sender_address}
  dkim_selector = ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
  dkim_private_key = ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
  dkim_strict = ${if eq{$dkim_selector}{SKIP}{0}{1}}

Regards,
-Phil
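
Added example (not part of the original message and not Exim code): a small Python model of how the dkim_* options in the transport above expand for a given sender, and of the delivery outcome when a "false" dkim_private_key does or does not override dkim_strict. The mapping contents, selector name and sender addresses are constructed, and the fixed dkim_strict value of "1" is an assumption about the configuration before the change described in the message.

```python
import re

# Constructed sample of a domains-mapping file (lsearch format: "key: value").
SAMPLE_MAPPING = """\
# sender domain: selector (constructed values)
exim.org: sel1
"""

NOT_SIGNING = {"", "0", "false"}  # dkim_private_key values meaning "do not sign"
STRICT_ON = {"1", "true"}         # dkim_strict values meaning "defer on failure"

def lsearch(text, key):
    """Minimal lsearch: key ends at ':' or whitespace, match is case-insensitive."""
    for line in text.splitlines():
        if not line or line[0] in "# \t":
            continue  # blank line, comment, or continuation line (not modelled)
        m = re.match(r"([^\s:]+)\s*:?\s*(.*)", line)
        if m and m.group(1).lower() == key.lower():
            return m.group(2).strip()
    return None

def expand(sender, mapping, strict=None):
    """Expand the dkim_* options as written in the posted transport.
    strict: optional fixed dkim_strict value (assumed earlier setting)."""
    domain = sender.rsplit("@", 1)[1]                  # ${domain:$sender_address}
    found = lsearch(mapping, domain)
    selector = "SKIP" if found is None else found      # {$value}{SKIP}
    skip = selector == "SKIP"
    key = "false" if skip else f"/etc/exim/dkim/rsa.private.{selector}.{domain}"
    if strict is None:
        strict = "0" if skip else "1"                  # conditional dkim_strict
    return {"dkim_domain": domain, "dkim_selector": selector,
            "dkim_private_key": key, "dkim_strict": strict}

def outcome(opts, false_overrides_strict):
    """false_overrides_strict=True: a 'false' key sends unsigned regardless of
    dkim_strict. False: the behaviour reported in the message for 4.90."""
    if opts["dkim_private_key"] not in NOT_SIGNING:
        return "signed"  # assumes the key file exists and is readable
    if false_overrides_strict or opts["dkim_strict"] not in STRICT_ON:
        return "sent unsigned"
    return "deferred"

if __name__ == "__main__":
    for sender in ("list@exim.org", "cron@host.example"):  # constructed senders
        for strict in ("1", None):
            o = expand(sender, SAMPLE_MAPPING, strict)
            print(sender, o["dkim_strict"], outcome(o, False), outcome(o, True))
```
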