Mailing List Archive

Implementing StartTLS, DMarc and DKim on Exim
Has anyone implemented any of the following on their mail systems? StartTLS, DMarc and DKim.

I would just like any tips, gotchas, downsides or other useful information I should know?



Peter Hutchison MCP
Senior Network Systems Specialist
* 01484 473716
Networks Team
University of Huddersfield | Queensgate | Huddersfield | HD1 3DH


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Implementing StartTLS, DMarc and DKim on Exim
Hi Peter,

It's actually not quite complicated. DMARC comprises SPF and DKIM.
It's more a matter of publishing the two records and configuring Exim to sign outgoing
mail. It's pretty easy if you have complete control of your DNS servers.

So here are three links that will demystify the whole thing for you:
https://blog.returnpath.com/build-your-dmarc-record-in-15-minutes-v2/
https://port25.com/dkim-wizard/
https://www.itworld.com/article/2773545/enterprise-software/how-to-deploy-dkim-email-authentication-in-4-steps.html

You can then use http://www.appmaildev.com/ to test your setup.

Head to http://exim4u.org/, grab the tarball and look at the configuration
files. They have a pretty good explanation of how to implement DKIM.

Come back with questions in a day or two.

HTH



On 9 April 2018 at 16:24, Peter Hutchison via Exim-users <exim-users@exim.org> wrote:

> Has anyone implemented any of the following on their mail systems?
> StartTLS, DMarc and DKim.
>
> I would just like any tips, gotchas, downsides or other useful
> information I should know?



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: Implementing StartTLS, DMarc and DKim on Exim
Peter Hutchison via Exim-users <exim-users@exim.org> (Mo 09 Apr 2018 15:24:54 CEST):
> Has anyone implemented any of the following on their mail systems? StartTLS, DMarc and DKim.

STARTTLS I'd see as a must nowadays.
Problems can arise if you have MUAs connecting to your server and your
server is presenting a certificate with an unexpected CN or SAN.

DMARC should imply DKIM.
Do you talk about the sending or the receiving side?
DMARC is experimental, so expect configuration options to change.

Sending: Be sure to know the hosts sending with your domains as sender.
Receiving: Expect messages from mailing lists to be rejected.

Implement it and closely watch the logs.
I use all of the three, for sending and on the MX for checking inbound
messages, and besides the usual issues I do not see any problems (or, the
problems are not important enough to reach me ;))

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
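
An added illustration of the mailing-list gotcha raised in the reply above (not part of the thread and not Exim code): a simplified DMARC identifier-alignment check in Python, showing why list traffic is rejected when the author's domain publishes `p=reject`. The domains, the DMARC record and the last-two-labels organizational-domain rule are assumptions made for the example.

```python
# Added example: simplified DMARC evaluation (identifier alignment, RFC 7489).
# All domains and records below are constructed sample data.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf = (result, envelope-sender domain); dkim = list of (result, d= domain).
    Returns 'pass' or the policy the receiver is asked to apply."""
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, policy.get("adkim", "r"))
                  for res, d in dkim)
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")

RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed policy for example.org

# Direct delivery: SPF and DKIM both pass and align with the From: domain.
direct = dmarc_disposition(RECORD, "example.org",
                           ("pass", "mail.example.org"), [("pass", "example.org")])

# Via a list that keeps From:, uses its own bounce address and adds a footer:
# SPF passes only for the list's domain, and the author's DKIM signature breaks.
via_list = dmarc_disposition(RECORD, "example.org",
                             ("pass", "lists.example.net"), [("fail", "example.org")])

# Same list re-signing with its own key: DKIM passes, but for an unaligned domain.
resigned = dmarc_disposition(RECORD, "example.org", ("pass", "lists.example.net"),
                             [("fail", "example.org"), ("pass", "example.net")])

print(direct, via_list, resigned)
```
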
Re: Implementing StartTLS, DMarc and DKim on Exim
I wrote on the subject some years ago:
http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail.
This may interest you.

I am in the process of setting up a newer configuration, all with Ansible,
among which are Exim and Dovecot, with real users and virtual users, and
with delivery by LMTP, all based on information stored in LDAP. But I
cannot promise any "release date" since I do not have much time these
days...

Cheers

On Mon, 9 Apr 2018, Peter Hutchison via Exim-users wrote:
> Has anyone implemented any of the following on their mail systems? StartTLS, DMarc and DKim.
>
> I would just like any tips, gotchas, downsides or other useful information I should know?