On 3/14/23 05:57, Yves via Exim-users wrote:
> Yes, it is just that most emails I receive are sent through ISPs or from commercial companies, and go through a bunch of internal relays. Although completely standard, such direct emails are rare enough for me that I noticed…
Spam is very often delivered this way, directly to your server.
> If that is any help, my server is built using Ansible, and the whole configuration is public:
> https://yalis.fr/git/yves/home-server/src/branch/master/roles/dmz_exim/tasks/main.yml
>
> Based on Archlinux packaging for Exim (https://github.com/archlinux/svntogit-community/blob/packages/exim/trunk/PKGBUILD), my exim.conf seems to be just upstream Exim 4.96 configuration. Then I patch it using Ansible with various rules.
It's not much help. I can't reconstruct your exact config this way. But I do see how you're adding DKIM signing:
insertafter: '^\s*driver\s*=\s*smtp\s*$'
And I don't see any condition there.
The only thing that matters is the actual exim config file you have in effect.
A few comments:
1. On ports 587 / 465, _only_ authenticated users should be allowed
2. On ports 587 / 465, TLS should be _mandatory_.
3. On port 25, authentication should _not_ be available (not advertised, and exim will refuse the command if it wasn't advertised)
4. On port 587, authentication should not be advertised before STARTTLS is issued.
(The above can be rephrased as: properly separate submission from "classic" SMTP. Submission requires TLS).
5. It does look like you may be simply signing all mail.
Sign only authenticated or locally-submitted mail:
dkim_private_key = ${if or {{match_ip{$sender_host_address}{:@[]}}{def:authenticated_id}}{/etc/your/private.key}{}}
Good idea: add:
dkim_sign_headers = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:=In-Reply-To:=References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
May be a matter of taste but you might find that maintaining the exim config file itself in git might be simpler at some point.
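The five points above, as one Exim config fragment (an added example written for this page, not the poster's own configuration nor the Ansible/Arch setup Yves linked): it assumes Exim 4.96 option names, and the certificate, key and selector values are placeholders.

```exim
# ---- main section (added example; paths and selector are placeholders) ----
# Listen on 25 (MX traffic), 587 (submission, STARTTLS) and 465 (submission, implicit TLS).
daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/tls/cert.pem
tls_privatekey       = /etc/exim/tls/key.pem

# Points 3 and 4: advertise AUTH only on the submission ports and only once the
# session is encrypted. A client on port 25, or a cleartext session on 587,
# never sees "250-AUTH", and Exim refuses an AUTH command it did not advertise.
auth_advertise_hosts = ${if and {{def:tls_in_cipher} \
                                 {or {{eq{$received_port}{587}} \
                                      {eq{$received_port}{465}}}}} {*}{}}

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Points 1 and 2: on the submission ports both TLS and a successful AUTH
  # are mandatory before MAIL FROM is accepted.
  deny  condition = ${if or {{eq{$received_port}{587}}{eq{$received_port}{465}}}}
        !encrypted = *
        message   = submission port: TLS is required
  deny  condition = ${if or {{eq{$received_port}{587}}{eq{$received_port}{465}}}}
        !authenticated = *
        message   = submission port: authentication is required
  accept

begin transports

remote_smtp:
  driver = smtp
  # Point 5: sign only mail that arrived from this host (empty or local
  # $sender_host_address) or from an authenticated client; everything else
  # expands to an empty key and is therefore left unsigned.
  dkim_domain      = $sender_address_domain
  dkim_selector    = sel2023
  dkim_private_key = ${if or {{match_ip{$sender_host_address}{:@[]}} \
                              {def:authenticated_id}} {/etc/exim/dkim/private.key}{}}
  dkim_strict      = true
```

`exim -bV` followed by `exim -bP auth_advertise_hosts` and `exim -bt user@example.org` (constructed address) are quick ways to confirm the file parses and the transport is the one that carries the `dkim_*` options.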