Exim/DKIM

From wiki
< Exim
Revision as of 21:21, 9 June 2016 by Vincent (talk | contribs) (add categories)

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing.

Initial Setup

  • Create an empty file at /etc/exim4/dkim_domains
  • Edit /etc/exim4/conf.d/main/00_local_settings and add[1]
    DKIM_DOMAIN =      ${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}{$sender_address_domain}{}}
    DKIM_SELECTOR =    ${extract{selector}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
    DKIM_PRIVATE_KEY = ${extract{key}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{}}
    DKIM_CANON =       ${extract{canon}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{relaxed}}
    DKIM_STRICT =      ${extract{strict}{${lookup{$sender_address_domain}lsearch*@{/etc/exim4/dkim_domains}}}{$value}{false}}
    

Add Domain

First choose a selector. DKIM allows each domain to have multiple keys (to allow key rotation, multiple senders…). Each key is identified by a selector. For the example, we will use example2016.

Then create the key

# openssl genrsa -out /etc/exim4/private/example2016.dkim.example.org.private.pem 2048
# openssl rsa -in /etc/exim4/private/example2016.dkim.example.org.private.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/
QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd
04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD
GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1
U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h
WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA
TwIDAQAB
-----END PUBLIC KEY-----

Next step is to create a DNS record. The

# Record can be either one long line ([...] added for readability)
example2016._domainkey TXT "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0B[...]D0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSATwIDAQAB"
# or it can be split into multiple lines
example2016._domainkey TXT ("v=DKIM1;t=s;p="
                            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmnY1WN2/MbvIywNBufD/"
                            "QTEsozcsSbOuBNE5WIDS/w8RudR/c0MDY4FiZNR/18bnut4wZqfCnX4AVDp+YaDd"
                            "04ISt54X9AuGv0AnAzfeYNaDvNo7Zm4wA5A4PW195Th4vyt8JPskfEcHMTWS9UoD"
                            "GGPLfT/WIZqwySq+yXikcBDVJ2uKcubKdEyZvAdeI2Ku/jOOHkl1IOaC0XO0TYz1"
                            "U0vQCaBbqodp1rLYn0UWQDIp8aoxeCPN93sxRXKEsBLLXMbHmJ7RgpT1Xim3NB+h"
                            "WaeAPFBrRyD0bY4B0Kc7/HcOwYx3nIckrn58sMRmtpPodU6YoTCaQq1trrI/XxSA"
                            "TwIDAQAB")

Finally add a line to /etc/exim4/dkim_domains

example.org: selector=example2016 key=/etc/exim4/private/example2016.dkim.example.org.private.pem strict=true

Test

You can test your signatures server by sending a message to check-auth@verifier.port25.com. See details page for advanced options.

References