DKIM: DomainKeys Identified Mail
Implementing DKIM on Exim is nice and easy. These instructions were written for use with Alpine Linux and Exim.
Create a new Key Pair
openssl genrsa -out dkim.e42.uk.private_key 2048
openssl rsa -in dkim.e42.uk.private_key -out dkim.e42.uk.public_key -pubout -outform PEM
Extract a Public Key from a Certificate
To use a public and private key from a certificate, extract the public key:
openssl x509 -pubkey -noout -in e42.uk.cert > e42.uk.public_key
Matching a Private Key with a Public Key
The output of these two commands should match
openssl rsa -noout -pubin -modulus -in dkim.e42.uk.public_key |md5sum
openssl rsa -noout -modulus -in dkim.e42.uk.private_key |md5sum
Installing The Key on Exim
Sign all mail for multiple domains when sent through exim. In Alpine Linux
exim has a single configuration file located at /etc/exim/exim.conf this
file should contain macros near the top below the MACROS section!
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim/dkim.${lc:${domain:$h_from:}}.private_key
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SELECTOR = m
DKIM_CANON = relaxed
These macros on their own do not do anything, they are to be used in the
remote_smtp section of transports:
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
dkim_domain = DKIM_DOMAIN
dkim_selector = DKIM_SELECTOR
dkim_private_key = DKIM_PRIVATE_KEY
dkim_canon = DKIM_CANON
...
Ensure that the owner of the .private_key file is exim or that the exim
user can read the file.
chown exim:exim /etc/exim/dkim.e42.uk.private_key
Installing the key in NSD
I use the NSD name server for my domain (I don't know why, it takes up a huge chunk of my RAM). The zone file format is the same as BIND.
In the zone file for the domain add the lines:
m._domainkey IN TXT ( "v=DKIM1; t=y; k=rsa; p=MII..."
"..."
"..." )
Replace MII... with the contents of your public key file, each of the lines
specified above in quotes cannot be longer than 256 bytes. NSD and BIND will
tell you if there is a problem.
The m is the selector and must match the DKIM_SELECTOR specified earlier
in the exim configuration.
Update the serial number and reload the domain.
Check that the Public Key is Present
Since I use NSD I use ldns-utils' drill command rather than digg (usage
of digg is left as an exercise for the reader).
drill m._domainkey.e42.uk TXT
...
;; ANSWER SECTION:
m._domainkey.e42.uk. 86400 IN TXT "v=DKIM1; t=y; k=rsa; p=MII...
...
From the above it can be seen that the public key is available via DNS, any DKIM compatible server will use this key to verfy signature added by exim.
References
- HM Government
- Exim with Dovecot
- Exim with Dovecot
- Dovecot Exim on CentOS
- Verify that Private Key Matches Public Key
- Exim and Dovecot SASL
- Exim forward mail
- Using DKIM in Exim
- Implementing DKIM and Exim
- SO 1 Signing Email with DKIM
- Exim in docker
- ISP Mailserver
- More DKIM
- DKIM Deployment
- Multiple DKIM Domains one Exim Config