Mailing List Archive

DKIM signing for multiple domains
Hi everyone,

I have multiple domains hosted on the same server. They are virtual
domains. The server has just one IP address and one Exim instance.
I am wondering how to easily do DKIM signing for these domains. I decided
to use the same selector for all the domains to make life easy. Would the
following transport work? If not, what is the best way to do this for
multiple domains sharing the same IP address?

remote_smtp_DK:
driver = smtp
dkim_domain = ${sender_address_domain}
dkim_selector = csl
dkim_private_key = "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
dkim_canon = relaxed
dkim_strict = true

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: DKIM signing for multiple domains
> On 25 Sep 2018, at 09:28, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>
> I have multiple domains hosted on the same server. They are virtual
> domains. The server has just one IP address and one Exim instance.
> I am wondering how to easily do DKIM signing for these domains. I decided
> to use the same selector for all the domains to make life easy. Would the
> following transport work? If not, what is the best way to do this for
> multiple domains sharing the same IP address?
>
> remote_smtp_DK:
> driver = smtp
> dkim_domain = ${sender_address_domain}
> dkim_selector = csl
> dkim_private_key =
> "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> dkim_canon = relaxed
> dkim_strict = true

It is better to check for the existence of the key as follows.

dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
{{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}

- A


Re: DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 13:26, Andrew Colin Kissa via Exim-users <
exim-users@exim.org> wrote:

>
> > On 25 Sep 2018, at 09:28, Odhiambo Washington via Exim-users <
> exim-users@exim.org> wrote:
> >
> > I have multiple domains hosted on the same server. They are virtual
> > domains. The server has just one IP address and one Exim instance.
> > I am wondering how to easily do DKIM signing for these domains. I decided
> > to use the same selector for all the domains to make life easy. Would the
> > following transport work? If not, what is the best way to do this for
> > multiple domains sharing the same IP address?
> >
> > remote_smtp_DK:
> > driver = smtp
> > dkim_domain = ${sender_address_domain}
> > dkim_selector = csl
> > dkim_private_key =
> > "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > dkim_canon = relaxed
> > dkim_strict = true
>
> It is better to check for the existence of the key as follows.
>
> dkim_domain = ${if
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
> dkim_private_key = ${if
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
> {{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>
> - A
>
>
Thank you. However, for some reason this is generating an error:

2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM routines:PEM_read_bio:no start line
2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
> On 25 Sep 2018, at 13:57, Odhiambo Washington <odhiambo@gmail.com> wrote:
>
> Thank you. However, for some reason this is generating an error:
>
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM routines:PEM_read_bio:no start line
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
> 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.

Sorry about that butter-fingers typo in the dkim_private_key part; it should have one curly bracket, as follows.

dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}

Or if you prefer one line.

dkim_private_key = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}



Re: DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 15:28, Andrew Colin Kissa <andrew@topdog.za.net>
wrote:

>
> > On 25 Sep 2018, at 13:57, Odhiambo Washington <odhiambo@gmail.com>
> wrote:
> >
> > Thank you. However, for some reason this is generating an error:
> >
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ signing_init: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: signing failed: PRIVKEY
> > 2018-09-25 14:53:15 1g4jHp-000B76-VQ DKIM: message could not be signed,
> and dkim_strict is set. Deferring message delivery.
>
> Sorry about that butter fingers typo in the dkim_private_key part it
> should have one curly bracket as follows.
>
> dkim_private_key = ${if
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}\
> {/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>
> Or if you prefer one line.
>
> dkim_private_key = ${if
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{0}}
>

Thank you very much. This works now.
Suppose I had different dkim_selectors, is there a simple way to work
around that too? :)


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
> On 25 Sep 2018, at 15:34, Odhiambo Washington <odhiambo@gmail.com> wrote:
>
> Thank you very much. This works now.
> Suppose I had different dkim_selectors, is there a simple way to work around that too? :)

Same idea, the option is expandable so you can use a lookup based on $sender_address_domain
to get the selector.


Re: DKIM signing for multiple domains
On Tue, 25 Sep 2018 at 16:39, Andrew Colin Kissa <andrew@topdog.za.net>
wrote:

>
> > On 25 Sep 2018, at 15:34, Odhiambo Washington <odhiambo@gmail.com>
> wrote:
> >
> > Thank you very much. This works now.
> > Suppose I had different dkim_selectors, is there a simple way to work
> around that too? :)
>
> Same idea, the option is expandable so you can use a lookup based on
> $sender_address_domain
> to get the selector.
>

It's clear now.

¡Muchas gracias!



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
hi!

On 09/25/2018 03:40 PM, Odhiambo Washington via Exim-users wrote:
>>> Suppose I had different dkim_selectors, is there a simple way to work
>>> around that too? :)
>> Same idea, the option is expandable so you can use a lookup based on
>> $sender_address_domain
>> to get the selector.

I've done it the following way, config snippets and script should be
self explainable. :-)

;=== /etc/exim4/conf.d/main/00_local-config_macros ===
# Enable DKIM
DKIM_DOMAIN = ${sender_address_domain}
#DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_SELECTOR = ${lookup{DKIM_DOMAIN}lsearch*{CONFDIR/dkim.d/dkim_selectors}}
DKIM_PRIVATE_KEY = ${if exists{CONFDIR/dkim.d/DKIM_DOMAIN.DKIM_SELECTOR.key}{CONFDIR/dkim.d/DKIM_DOMAIN.DKIM_SELECTOR.key}{0}}
DKIM_CANON = relaxed
# we just use the same as Heiko Schlittermann schlittermann.de
DKIM_SIGN_HEADERS = In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Cc:Content-Description:Content-ID:Content-Transfer-Encoding:Resent-To
;===

you also will have DKIM towards smarthost.
;=== /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost ===
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
;===

create dkim keys.
;===
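#!/bin/bash
# Create a DKIM key pair for one domain and register its selector.
DOMAIN=${1:?usage: $0 DOMAIN}
SELECTOR=dflt
KEYSIZE=2048
DKIMDIR=dkim.d
cd /etc/exim4 || exit 1
# -p: do not fail when the directory already exists
mkdir -p "$DKIMDIR"
# private key used by the transport
openssl genrsa -out "$DKIMDIR/$DOMAIN.$SELECTOR.key" "$KEYSIZE"
# matching public key, PEM-encoded
openssl rsa -in "$DKIMDIR/$DOMAIN.$SELECTOR.key" -out "$DKIMDIR/$DOMAIN.$SELECTOR.pub" -pubout -outform PEM
# lsearch entry read by the DKIM_SELECTOR macro
echo -e "$DOMAIN:\t$SELECTOR" >> "$DKIMDIR/dkim_selectors"
chown -R root:Debian-exim "$DKIMDIR"
chmod 640 "$DKIMDIR"/*.key
chmod 644 "$DKIMDIR"/*.pub "$DKIMDIR/dkim_selectors"
chmod 755 "$DKIMDIR"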
;===

sorry for the linewraps, see also https://wiki.kmp.or.at/EximConfig#DKIM

galiegrü, Klaus

--
Klaus Maria Pfeiffer
chat: xmpp:hoedlmoser@jabber.rekmp.net
blog: http://blog.kmp.or.at/
twitter: @hoedlmoser


Re: DKIM signing for multiple domains
On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via Exim-users
wrote:
> Hi everyone,
>
> I have multiple domains hosted on the same server. They are virtual
> domains. The server has just one IP address and one Exim instance.
> I am wondering how to easily do DKIM signing for these domains. I decided
> to use the same selector for all the domains to make life easy. Would the
> following transport work? If not, what is the best way to do this for
> multiple domains sharing the same IP address?
>
> remote_smtp_DK:
> driver = smtp
> dkim_domain = ${sender_address_domain}
> dkim_selector = csl
> dkim_private_key =
> "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> dkim_canon = relaxed
> dkim_strict = true
I use

dkim_domain = ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}

which will match any addresses in a From field that are local. In addition, if dkim_domain is a
list it will sign with multiple signatures (e.g. From: <user1@local1>, <user2@local2>,
<user3@remote> will add DKIM signatures for the local1 and local2 domains).



Re: DKIM signing for multiple domains
On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <
exim-users@exim.org> wrote:

> On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via
> Exim-users
> wrote:
> > Hi everyone,
> >
> > I have multiple domains hosted on the same server. They are virtual
> > domains. The server has just one IP address and one Exim instance.
> > I am wondering how to easily do DKIM signing for these domains. I decided
> > to use the same selector for all the domains to make life easy. Would the
> > following transport work? If not, what is the best way to do this for
> > multiple domains sharing the same IP address?
> >
> > remote_smtp_DK:
> > driver = smtp
> > dkim_domain = ${sender_address_domain}
> > dkim_selector = csl
> > dkim_private_key =
> > "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > dkim_canon = relaxed
> > dkim_strict = true
> I use dkim_domain =
> ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}
> {match_domain{$item}{+local_domains}}}
> which will match any addresses in a from field that are local, in addition
> if dkim_domain is a
> list it will sign with multiple signatures (e.g. From: <user1@local1>,
> <user2@local2>,
> <user3@remote> will add dkim signature for local1 and local2 domains.
>
>
That seems awesome.

I am having a problem with system-generated mails though. What I have
always had is that those mails that the system generates and sends to
root@FQDN or postmaster@FQDN were always redirected to my address (
odhiambo@gmail.com). Now, since I enabled strict DKIM signing, those mails
cannot be delivered to gmail servers.
I am also seeing some bounces not being delivered, and I believe it's
because they are unsigned.

root@gw:/usr/home/wash # exim -Mvh 1g5eo8-000Poy-BT
1g5eo8-000Poy-BT-H
mailnull 26 26
<>
1538087452 0
-received_time_usec .355992
-active_hostname gw.titan.co.ke
-ident mailnull
-received_protocol local
-body_linecount 61
-max_received_linelength 441
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1538114959
-localerror
-manual_thaw
XX
1
root@gw.titan.co.ke

146P Received: from mailnull by gw.titan.co.ke with local (Exim 4.90_1)
id 1g5eo8-000Poy-BT
for root@gw.titan.co.ke; Fri, 28 Sep 2018 01:30:52 +0300
040 X-Failed-Recipients: odhiambo@gmail.com
029 Auto-Submitted: auto-replied
058F From: Mail Delivery System <Mailer-Daemon@gw.titan.co.ke>
024T To: root@gw.titan.co.ke
095 Content-Type: multipart/report; report-type=delivery-status;
boundary=1538087452-eximdsn-16807
018 MIME-Version: 1.0
059 Subject: Mail delivery failed: returning message to sender
047I Message-Id: <E1g5eo8-000Poy-BT@gw.titan.co.ke>
038 Date: Fri, 28 Sep 2018 01:30:52 +0300


When I try a forced delivery for that mail, the error I get is:
LOG: MAIN
** odhiambo@gmail.com <root@gw.titan.co.ke> R=dnslookup T=remote_smtp_DK
H=gmail-smtp-in.l.google.com [66.102.1.27] I=[197.232.25.162]
X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes
DN="/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com":
SMTP error from remote mail server after pipelined end of data: 550-5.7.1
Unauthenticated email from titan.co.ke is not accepted due to
domain's\n550-5.7.1 DMARC policy. Please contact the administrator of
titan.co.ke domain\n550-5.7.1 if this was a legitimate mail. Please
visit\n550-5.7.1 https://support.google.com/mail/answer/2451690 to learn
about the\n550 5.7.1 DMARC initiative. t10-v6si1002397wmf.192 - gsmtp


So, how do people deal with system mails that are forwarded to external
addresses? It seems that such local mail are not signed.



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
> It seems that such local mail are not signed.

What is the result of the expansion you used
for dkim_domain, when applied to such a message?

(If you can't work it out logically, test using "exim -bem")
--
Cheers,
Jeremy

Re: DKIM signing for multiple domains
On Fri, 28 Sep 2018 at 11:41, Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
> > It seems that such local mail are not signed.
>
> What is the result of the expansion you used
> for dkim_domain, when applied to such a message?
>
> (If you can't work it out logically, test using "exim -bem")
> --
> Cheers,
> Jeremy
>

Hi Jeremy,

I must confess that your question has left me floating! It entered through
the left and went out straight through the right.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
On Friday, 28 September 2018 2:19:10 PM AEST Odhiambo Washington wrote:
> On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <
>
> exim-users@exim.org> wrote:
> > On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via
> > Exim-users
> >
> > wrote:
> > > Hi everyone,
> > >
> > > I have multiple domains hosted on the same server. They are virtual
> > > domains. The server has just one IP address and one Exim instance.
> > > I am wondering how to easily do DKIM signing for these domains. I
> > > decided
> > > to use the same selector for all the domains to make life easy. Would
> > > the
> > > following transport work? If not, what is the best way to do this for
> > > multiple domains sharing the same IP address?
> > >
> > > remote_smtp_DK:
> > > driver = smtp
> > > dkim_domain = ${sender_address_domain}
> > > dkim_selector = csl
> > > dkim_private_key =
> > >
> > > "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > >
> > > dkim_canon = relaxed
> > > dkim_strict = true
> >
> > I use dkim_domain =
> > ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}
> > {match_domain{$item}{+local_domains}}}
> > which will match any addresses in a from field that are local, in addition
> > if dkim_domain is a
> > list it will sign with multiple signatures (e.g. From: <user1@local1>,
> > <user2@local2>,
> > <user3@remote> will add dkim signature for local1 and local2 domains.
>
> Hi Richard
>
> When I use your dkim_domain option, the mail does not get signed, but mails
> get signed using my option
>
> dkim_domain = ${if exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sender_address_domain}}{}}
> #dkim_domain = ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}{+local_domains}}}
>
> How can I test your expansion manually?
As Jeremy suggested you can use exim -bem /path/to/message, you probably want
a combination of mine and yours in the expansion as you're testing on the
existence of a key for a particular domain whereas I'm signing for all domains
considered local with the same key. Maybe instead of the {match_domain ...}
part of the filter you should instead use your
{${if exists{/etc/pki/tls/dk/${lc:$item}-dkim.priv.key}} or something like that.
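
The combination suggested in the message above, written out as a complete transport. This is an added example, not configuration posted by anyone in the thread. Assumptions: the DKIM_KEYDIR macro name is illustrative, the key file layout and the csl selector are those of the original question, and dsearch lookups stand in for the thread's exists{} test.

```exim
# --- main configuration section (macro name is illustrative) ---
DKIM_KEYDIR = /etc/pki/tls/dk

# --- transports section ---
remote_smtp_DK:
  driver = smtp

  # Candidate signing domains: the lowercased domain of every From: address,
  # kept only when DKIM_KEYDIR contains "<domain>-dkim.priv.key".
  # dsearch matches existing directory entries only and rejects keys that
  # contain "/", so the header-derived value is never used as a raw path.
  # Exim 4.94 and later require this: they refuse tainted (message-derived)
  # data in file names, which the exists{...} form would trip over.
  dkim_domain = ${filter\
      {${map{${addresses:$h_from:}}{${lc:${domain:$item}}}}}\
      {bool{${lookup{${item}-dkim.priv.key}dsearch{DKIM_KEYDIR}{yes}{no}}}}}

  dkim_selector = csl

  # Expanded once per entry of dkim_domain, with $dkim_domain set to that
  # entry. $value is the file name returned by dsearch; "0" means "do not
  # sign for this domain".
  dkim_private_key = ${lookup{${dkim_domain}-dkim.priv.key}dsearch{DKIM_KEYDIR}\
      {DKIM_KEYDIR/$value}{0}}

  dkim_canon = relaxed
  dkim_strict = true
```

For the frozen bounce shown earlier in the thread, whose envelope sender is <> and whose From: is Mailer-Daemon@gw.titan.co.ke, this expansion yields gw.titan.co.ke only if a key file for that host name exists; otherwise dkim_domain is empty and the message leaves unsigned. The result for any stored message can be checked with exim -bem, as suggested above.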


Re: DKIM signing for multiple domains
On Mon, 1 Oct 2018 at 09:55, Richard James Salts <exim@spectralmud.org>
wrote:

> On Friday, 28 September 2018 2:19:10 PM AEST Odhiambo Washington wrote:
> > On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <
> >
> > exim-users@exim.org> wrote:
> > > On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via
> > > Exim-users
> > >
> > > wrote:
> > > > Hi everyone,
> > > >
> > > > I have multiple domains hosted on the same server. They are virtual
> > > > domains. The server has just one IP address and one Exim instance.
> > > > I am wondering how to easily do DKIM signing for these domains. I
> > > > decided
> > > > to use the same selector for all the domains to make life easy. Would
> > > > the
> > > > following transport work? If not, what is the best way to do this for
> > > > multiple domains sharing the same IP address?
> > > >
> > > > remote_smtp_DK:
> > > > driver = smtp
> > > > dkim_domain = ${sender_address_domain}
> > > > dkim_selector = csl
> > > > dkim_private_key =
> > > >
> > > > "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > > >
> > > > dkim_canon = relaxed
> > > > dkim_strict = true
> > >
> > > I use dkim_domain =
> > > ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}
> > > {match_domain{$item}{+local_domains}}}
> > > which will match any addresses in a from field that are local, in
> addition
> > > if dkim_domain is a
> > > list it will sign with multiple signatures (e.g. From: <user1@local1>,
> > > <user2@local2>,
> > > <user3@remote> will add dkim signature for local1 and local2 domains.
> >
> > Hi Richard
> >
> > When I use your dkim_domain option, the mail does not get signed, but
> mails
> > get signed using my option
> >
> > dkim_domain = ${if
> >
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sen
> > der_address_domain}}{}} #dkim_domain =
> >
> ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}
> > {+local_domains}}}
> >
> > How can I test your expansion manually?
> As Jeremy suggested you can use exim -bem /path/to/message, you probably
> want
> a combination of mine and yours in the expansion as you're testing on the
> existence of a key for a particular domain whereas I'm signing for all
> domains
> considered local with the same key. Maybe instead of the {match_domain
> ...}
> part of the filter you should instead use your {${if
> exists{/etc/pki/tls/dk/$
> {lc:$item}-dkim.priv.key}} or something like that.
>

Thank you. Let me run the test for -bem and see what I come up with.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Re: DKIM signing for multiple domains
On Fri, 28 Sep 2018 at 13:21, Odhiambo Washington <odhiambo@gmail.com>
wrote:

>
>
> On Fri, 28 Sep 2018 at 11:41, Jeremy Harris via Exim-users <
> exim-users@exim.org> wrote:
>
>> On 9/28/18 7:47 AM, Odhiambo Washington via Exim-users wrote:
>> > It seems that such local mail are not signed.
>>
>> What is the result of the expansion you used
>> for dkim_domain, when applied to such a message?
>>
>> (If you can't work it out logically, test using "exim -bem")
>> --
>> Cheers,
>> Jeremy
>>
>
> Hi Jeremy,
>
> I must confess that your question has left me floating! It entered through
> the left and went out straight through the right.
>
>
I wasn't able to figure out how to achieve what was advised by Jeremy so I
decided to use a different way - rewrite rule:
\N^(.*)@fq\.domain\.name$ $1@domain.name FfrsTt

And now system/cron generated mails which were sent to root@fq.domain.name
(who happens to be odhiambo@gmail.com) are now correctly accepted by gmail
because they pass the DMARC vrf.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."