{"id":1443,"date":"2010-05-14T19:56:27","date_gmt":"2010-05-14T18:56:27","guid":{"rendered":"http:\/\/www.devco.net\/?p=1443"},"modified":"2012-10-24T21:59:11","modified_gmt":"2012-10-24T20:59:11","slug":"dkim_with_centos_5_and_exim","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2010\/05\/14\/dkim_with_centos_5_and_exim.php","title":{"rendered":"DKIM with CentOS 5 and Exim"},"content":{"rendered":"

DomainKeys Identified Mail – DKIM – lets a domain take responsibility for a message by signing selected headers and the body with a private key; receivers fetch the matching public key from DNS and check that the signed parts were not altered in transit and that the signing domain really vouched for the mail. Read more here<\/a>, here<\/a> and in RFC 4871<\/a> (since superseded by RFC 6376) to get some background info.<\/p>\n

If you’re sending newsletters you really want to be investigating this, if you’re doing anti-spam it’s worth tracking DKIM results, and really everyone should have DKIM on their domains. Exim has had decent support for it since 4.70, but CentOS is still on 4.63 thanks to RHEL.<\/p>\n

To get a newer Exim on your CentOS machine I suggest just using ATrpms<\/a>, which as of writing has 4.71<\/em> packages available for Exim and the other bits you need. I needed:<\/p>\n

<\/p>\n

\r\nexim-4.71-40.el5.i386.rpm\r\nexim-mysql-4.71-40.el5.i386.rpm\r\nlibspf2_2-1.2.5-5.0.el5.i386.rpm\r\nlibsrs_alt1-1.0-3_rc1.0.el5.i386.rpm\r\n<\/pre>\n

<\/code><\/p>\n

As well as the 64-bit versions. You can just add ATrpms to your systems, but really you should have your own repos and carefully control the packages that go out to your estate.<\/p>\n

Once you have upgraded your stock Exim to these versions – it’s a totally clean and compatible upgrade – configuring Exim to automagically sign outgoing mail with DKIM is pretty easy. We’ll make it look for keys in a specific location based on the outgoing mail domain, so if you’re a relay for many domains you just need to drop the private keys into place (DKIM uses bare RSA keys, not certificates). Check first that the new Exim was actually built with DKIM support: exim -bV<\/em> should list DKIM<\/em> on its Support for<\/em> line.<\/p>\n

Put the following near the top of our \/etc\/exim\/exim.conf<\/em> file, this just sets some macros we’ll use later on:<\/p>\n

<\/p>\n

\r\nDKIM_DOMAIN = ${lc:${domain:$h_from:}}\r\nDKIM_FILE = \/etc\/exim\/dkim\/${lc:${domain:$h_from:}}.pem\r\nDKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}\r\n<\/pre>\n

<\/code><\/p>\n

This picks the private key, based on the sender domain in the From:<\/em> header, from \/etc\/exim\/dkim\/sender_domain.pem<\/em>; if no such file exists the macro expands to 0<\/em>, which tells Exim not to sign. Two things to keep in mind. The domain comes from whatever From:<\/em> header the submitting client supplied, so anyone allowed to relay through this host can get mail signed for any domain whose key is on disk; restrict submission (SMTP authentication, trusted-network ACLs) to people entitled to speak for those domains, because the signature is that domain’s assertion. And if the From:<\/em> header is missing or does not parse as an address, the domain<\/em> operator expands to an empty string, the file lookup fails and the mail simply goes out unsigned. By default Exim just logs DKIM verification results on incoming mail and doesn’t block anything; I won’t cover blocking here, just sending.<\/p>\n

Next find your remote_smtp<\/em> transport later in the file and change it to look like this:<\/p>\n

<\/p>\n

\r\nremote_smtp:\r\n  driver = smtp\r\n  dkim_domain = DKIM_DOMAIN\r\n  dkim_selector = x\r\n  dkim_private_key = DKIM_PRIVATE_KEY\r\n  dkim_canon = relaxed\r\n  dkim_strict = 0\r\n<\/pre>\n

<\/code><\/p>\n

This makes Exim DKIM-sign outgoing mail, but only if it can find a private key for the sender domain. Note dkim_strict = 0<\/em>: if signing fails for some reason (the key file exists but is unreadable by the exim<\/em> user, say) Exim logs the problem and sends the message unsigned; set it to 1<\/em> if you would rather defer delivery than leak unsigned mail. dkim_canon = relaxed<\/em> applies relaxed canonicalisation to both headers and body, which survives the whitespace mangling some relays do.<\/p>\n
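A tightened variant of the macros and transport above, added here and not from the original post. It hands Exim a key only when the message came in over SMTP AUTH or from a local process, and defers rather than sending unsigned when signing fails. The $authenticated_id<\/em> and $sender_host_address<\/em> conditions are an assumption about how your submission path is set up; check the expansion with exim -be<\/em> against your own config before deploying.<\/p>\n

```conf
# Macros near the top of /etc/exim/exim.conf. Key is chosen by From: domain
# as before, but only offered when the submitter authenticated (SMTP AUTH,
# $authenticated_id set) or the message originated locally (no sending host).
# Assumption: relay clients on your network authenticate rather than being
# whitelisted by address; adjust the or{} if that is not how you submit.
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim/dkim/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if and{{exists{DKIM_FILE}}{or{{def:authenticated_id}{!def:sender_host_address}}}}{DKIM_FILE}{0}}

# Transport: identical to the post's, except that a signing failure now
# defers the message instead of silently sending it unsigned.
remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = x
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = relaxed
  dkim_strict = 1
```

The point of the extra condition is that the signature is the domain’s statement, not the relay’s: an unauthenticated client that can reach the relay should not be able to obtain a valid signature for a domain it does not own just by setting From:<\/em>. With dkim_strict = 1<\/em> a broken key file shows up as a deferred message in the queue and the log instead of as unsigned mail in the wild.<\/p>\n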

Making the keys is pretty easy; we’ll use the domain example.com<\/em>. 1024-bit keys were the norm when this was written; RFC 8301 now says signers should use at least 2048 bits and verifiers must accept keys up to 4096 bits, so change the size on the genrsa<\/em> line (a 2048-bit public key no longer fits in one 255-byte TXT string, so split it across several quoted strings in the zone). The private key must be readable by the user Exim runs as (exim<\/em> on CentOS) and by nobody else.<\/p>\n

<\/p>\n

\r\n$ mkdir \/etc\/exim\/dkim\/ && cd \/etc\/exim\/dkim\/\r\n$ openssl genrsa -out example.com.pem 1024 \r\n$ openssl rsa -in example.com.pem -out example.com-public.pem -pubout -outform PEM\r\n<\/pre>\n

<\/code><\/p>\n

All that’s left now is to update your DNS. Sticking with example.com<\/em>, you’d add something like this to your bind zone file; the text after p=<\/em> is the base64 body of the public key in example.com-public.pem<\/em> (the lines between the BEGIN<\/em> and END<\/em> markers, joined into one line), shown shortened here:<\/p>\n

<\/p>\n

\r\nx._domainkey     IN      TXT     \"v=DKIM1\\; t=y\\; k=rsa\\; p=MIGfMA0AQAB\"\r\n_domainkey       IN      TXT     \"t=y\\; o=~\\;\"\r\n<\/pre>\n

<\/code><\/p>\n

The x<\/em> matches the dkim_selector<\/em> in the SMTP transport above. The t=y<\/em> flag tells the world you’re still testing your setup: verifiers must treat a message whose signature fails under a testing key as if it were simply unsigned, so remove the flag only when you’re 100% certain it works. The second record, at _domainkey<\/em> itself, is the policy record of the older DomainKeys scheme (RFC 4870), not DKIM: o=~<\/em> says you sign only some mail, o=-<\/em> that all mail from you is signed. DKIM verifiers ignore it, so it is harmless but buys you nothing for DKIM.<\/p>\n

You can verify your DNS is right like this:<\/p>\n

<\/p>\n

\r\n$ dig +short txt x._domainkey.example.com\r\n\"v=DKIM1\\; k=rsa\\; p=MIGfMA0AQAB\"\r\n<\/pre>\n

<\/code><\/p>\n
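The key generation, DNS record and dig<\/em> check above, pulled together into a script. This is an added example, not code from the original post; it assumes only the openssl<\/em> command-line tool, uses example.com<\/em>, selector x<\/em> and the \/etc\/exim\/dkim<\/em> layout as illustrative names, and defaults to 2048-bit keys. It prints the record value with plain semicolons, as BIND accepts inside quoted strings; dig<\/em> prints them back escaped as \;<\/em>, and the matching function strips that before comparing.<\/p>\n

```shell
#!/bin/sh
# Added example, not from the original post: generate a DKIM key pair laid out
# the way the Exim macros above expect (DIR/DOMAIN.pem), print the selector TXT
# record for the zone, and check a record fetched with dig against the local
# key. Assumes only the openssl command-line tool; domain, selector and
# directory names are illustrative.
set -e

# dkim_keygen DOMAIN DIR [BITS]: private key DIR/DOMAIN.pem, created 0600 and
# then opened to the group (chown it root:exim on the mail host so the exim
# user can read it); public key written alongside as DIR/DOMAIN-public.pem.
dkim_keygen() {
    domain=$1; dir=$2; bits=${3:-2048}
    mkdir -p "$dir"
    ( umask 077 && openssl genrsa -out "$dir/$domain.pem" "$bits" 2>/dev/null )
    openssl rsa -in "$dir/$domain.pem" -pubout -out "$dir/$domain-public.pem" 2>/dev/null
    chmod 0640 "$dir/$domain.pem"
}

# dkim_pubkey_b64 PUBFILE: the base64 body of the PEM public key on one line.
# That string, and nothing else, is what goes after p= in DNS.
dkim_pubkey_b64() {
    grep -v -- '^-----' "$1" | tr -d '\n'
}

# dkim_txt_record SELECTOR DOMAIN DIR [testing]: zone-file line for the
# selector. A 2048-bit key does not fit in one 255-byte TXT string, so the
# value is folded into several quoted strings; verifiers join them back.
dkim_txt_record() {
    sel=$1; domain=$2; dir=$3; flags=
    [ "$4" = testing ] && flags='t=y; '
    value="v=DKIM1; ${flags}k=rsa; p=$(dkim_pubkey_b64 "$dir/$domain-public.pem")"
    printf '%s._domainkey IN TXT (' "$sel"
    printf '%s\n' "$value" | fold -w 255 | while IFS= read -r chunk; do
        printf ' "%s"' "$chunk"
    done
    printf ' )\n'
}

# dkim_record_matches RECORD PUBFILE: succeeds only when the p= tag of a
# published record equals the local public key. Accepts what dig prints
# (quoted strings, semicolons escaped as \; and possibly several strings) as
# well as the zone-file line above; an empty p= (revoked key) never matches.
dkim_record_matches() {
    published=$(printf '%s' "$1" | tr -d '"\\ \t()' | tr ';' '\n' \
        | sed -n 's/^p=//p' | head -n 1)
    [ -n "$published" ] && [ "$published" = "$(dkim_pubkey_b64 "$2")" ]
}

# On a real host:
#   dkim_keygen example.com /etc/exim/dkim
#   dkim_txt_record x example.com /etc/exim/dkim testing >> db.example.com
#   dkim_record_matches "$(dig +short txt x._domainkey.example.com)" \
#       /etc/exim/dkim/example.com-public.pem && echo "DNS matches local key"
```

Run the dkim_record_matches<\/em> check after every key rotation: the most common way DKIM silently stops working is a key on disk that no longer matches what DNS serves, which with dkim_strict = 0<\/em> you would only notice from verifiers’ failure reports.<\/p>\n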

And finally, if you’re sending mail you should now see a header like this (the bh=<\/em> body hash and b=<\/em> signature are shortened here):<\/p>\n

<\/p>\n

\r\nDKIM-Signature: v=1; a=rsa-sha256; q=dns\/txt; c=relaxed\/relaxed; d=example.com; s=x;\r\n\th=From:To:Message-Id:Date; bh=g3zLY5uGs=; b=fonABbceHhQ==;\r\n<\/pre>\n

<\/code><\/p>\n

To test end to end, send an email to check-auth@verifier.port25.com<\/em> and it will reply with test output about your domain, including DKIM validation details.<\/p>\n","protected":false},"excerpt":{"rendered":"

DomainKeys Identified Mail – DKIM – is a recent attempt to add some sender verification to email. Read more here, here and in the RFC 4871 to get some background info. If you’re sending any newsletters you really want to be investigating this, if you’re doing anti spam it’s good to start looking at tracking […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[1],"tags":[82,86,63,29],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1443"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=1443"}],"version-history":[{"count":22,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1443\/revisions"}],"predecessor-version":[{"id":2843,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1443\/revisions\/2843"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=1443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=1443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=1443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}