Re: [exim] DKIM signing for multiple domains

Author: Odhiambo Washington
Date:  
To: exim
CC: exim users
Subject: Re: [exim] DKIM signing for multiple domains
On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <exim-users@???> wrote:

> On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users wrote:
> > Hi everyone,
> >
> > I have multiple domains hosted on the same server. They are virtual
> > domains. The server has just one IP address and one Exim instance.
> > I am wondering how to easily do DKIM signing for these domains. I decided
> > to use the same selector for all the domains to make life easy. Would the
> > following transport work? If not, what is the best way to do this for
> > multiple domains sharing the same IP address?
> >
> > remote_smtp_DK:
> > driver = smtp
> > dkim_domain = ${sender_address_domain}
> > dkim_selector = csl
> > dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > dkim_canon = relaxed
> > dkim_strict = true
> I use dkim_domain = ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
> which will match any addresses in a From field that are local; in addition, if dkim_domain is a
> list it will sign with multiple signatures (e.g. From: <user1@local1>, <user2@local2>,
> <user3@remote> will add DKIM signatures for the local1 and local2 domains).

That seems awesome.

I am having a problem with system-generated mails though. What I have
always had is that those mails that the system generates and sends to
root@FQDN or postmaster@FQDN were always redirected to my address (
odhiambo@???). Now, since I enabled strict DKIM signing, those mails
cannot be delivered to gmail servers.
I am also seeing some bounces not being delivered, and I believe it's
because they are unsigned.

root@gw:/usr/home/wash # exim -Mvh 1g5eo8-000Poy-BT
1g5eo8-000Poy-BT-H
mailnull 26 26
<>
1538087452 0
-received_time_usec .355992
-active_hostname gw.titan.co.ke
-ident mailnull
-received_protocol local
-body_linecount 61
-max_received_linelength 441
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1538114959
-localerror
-manual_thaw
XX
1
root@???

146P Received: from mailnull by gw.titan.co.ke with local (Exim 4.90_1)
        id 1g5eo8-000Poy-BT
        for root@???; Fri, 28 Sep 2018 01:30:52 +0300
040  X-Failed-Recipients: odhiambo@???
029  Auto-Submitted: auto-replied
058F From: Mail Delivery System <Mailer-Daemon@???>
024T To: root@???
095  Content-Type: multipart/report; report-type=delivery-status;
boundary=1538087452-eximdsn-16807
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
047I Message-Id: <E1g5eo8-000Poy-BT@???>
038  Date: Fri, 28 Sep 2018 01:30:52 +0300
When I try a forced delivery for that mail, the error I get is:
LOG: MAIN
** odhiambo@??? <root@???> R=dnslookup T=remote_smtp_DK
H=gmail-smtp-in.l.google.com [66.102.1.27] I=[197.232.25.162]
X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes
DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com":
SMTP error from remote mail server after pipelined end of data: 550-5.7.1
Unauthenticated email from titan.co.ke is not accepted due to
domain's\n550-5.7.1 DMARC policy. Please contact the administrator of
titan.co.ke domain\n550-5.7.1 if this was a legitimate mail. Please
visit\n550-5.7.1 https://support.google.com/mail/answer/2451690 to learn
about the\n550 5.7.1 DMARC initiative. t10-v6si1002397wmf.192 - gsmtp
So, how do people deal with system mails that are forwarded to external
addresses? It seems that such local mail is not signed.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
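Added example, not from the thread and not Exim code: a small Python model of the two dkim_domain expansions discussed above, showing why the Mailer-Daemon bounce (envelope sender <>) gets no signing domain from ${sender_address_domain} but does get one from the From-header filter. The local-domains set and the sample messages are constructed assumptions.

```python
"""Model of the two dkim_domain choices from the thread (added illustration,
not Exim code): what ${sender_address_domain} and Richard's From-header
filter would yield for a given message, so the unsigned-bounce case is
visible directly."""
from email.utils import getaddresses

# Constructed stand-in for Exim's +local_domains list (assumption).
LOCAL_DOMAINS = {"titan.co.ke", "example.org"}


def domain_of(address: str) -> str:
    """Like ${domain:...}: the part after the last '@', or '' if none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def dkim_domains_from_envelope(envelope_sender: str) -> list:
    """dkim_domain = ${sender_address_domain}.

    A bounce has the empty envelope sender '<>', so the expansion is empty,
    Exim skips signing, and the Mailer-Daemon mail leaves unsigned; that is
    the message Google then rejects under titan.co.ke's DMARC policy.
    """
    domain = domain_of(envelope_sender.strip("<>"))
    return [domain] if domain else []


def dkim_domains_from_header(from_header: str, local_domains=LOCAL_DOMAINS) -> list:
    """Richard's expansion:
      ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}
              {match_domain{$item}{+local_domains}}}
    Each From: address is reduced to its domain, non-local domains are
    dropped, and every surviving entry gets its own DKIM-Signature
    (no de-duplication, mirroring the map/filter pair)."""
    addresses = [addr for _, addr in getaddresses([from_header])]
    return [d for d in map(domain_of, addresses) if d in local_domains]


# Constructed samples: a user mail, a Mailer-Daemon bounce like the frozen
# one in the thread (envelope <>), and a multi-address From: header.
USER_MAIL = ("<wash@titan.co.ke>", "wash@titan.co.ke")
BOUNCE = ("<>", "Mail Delivery System <Mailer-Daemon@titan.co.ke>")
MULTI = ("<>", "<user1@titan.co.ke>, <user2@example.org>, <user3@remote.test>")

if __name__ == "__main__":
    for name, (envelope, from_hdr) in (("user", USER_MAIL),
                                       ("bounce", BOUNCE), ("multi", MULTI)):
        print(f"{name:6s} envelope-based: {dkim_domains_from_envelope(envelope)}"
              f"  header-based: {dkim_domains_from_header(from_hdr)}")
```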