Installing DKIM with DA Exim 4.71
neil.hearn
11-12-2010, 07:13 AM
Just so everyone has a point of reference:
Here is how I have Exim set up to sign all outgoing mail and check incoming.
In exim.conf, add
acl_smtp_dkim = acl_check_dkim
just below
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the RCPT and DATA
# commands, respectively.
Then add this in the ACL Section - generally below check_helo:
acl_check_dkim:
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = invalid
       condition = ${if eq {${lc:$dkim_verify_status}}{invalid}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = fail
       condition = ${if eq {${lc:$dkim_verify_status}}{fail}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = none
       condition = ${if eq {${lc:$dkim_verify_status}}{none}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = pass
       condition = ${if eq {${lc:$dkim_verify_status}}{pass}{true}{false}}
  accept
Then, in the transport section, under driver = smtp, add:
  dkim_domain = ${sender_address_domain}
  dkim_selector = x
  dkim_private_key = /etc/virtual/${lookup{$sender_address_domain}lsearch{/etc/virtual/domains}{$sender_address_domain}{ERROR}}/dkim.private.key
  dkim_canon = relaxed
Then create the following script:
#!/bin/bash
# usage: add_dkim <domain>  (generates the key pair and appends the selector record to the zone file)
openssl genrsa -out /etc/virtual/$1/dkim.private.key 768
openssl rsa -in /etc/virtual/$1/dkim.private.key -out /etc/virtual/$1/dkim.public.key -pubout -outform PEM
chown mail:mail /etc/virtual/$1/*.key
echo
# strip the PEM armour, join the base64 lines into one string and append the TXT record to the zone file
echo "x._domainkey.$1. 14400 IN TXT \"v=DKIM1; k=rsa; p=`cat /etc/virtual/$1/dkim.public.key|grep -v "\-\-\-\-\-"|sed ':a;N;$!ba;s/\n//g'`\"">>/var/named/$1.db
echo Domain $1, has been configured for DKIM signing.
The usage would be:
add_dkim [domain]
e.g. add_dkim example.com
Then run the script for each domain you have, or add it to the post_process part of DA for domain creation.
Of course, if you have lots of domains, you could run:
ls -d */|xargs -n1|cut -d"/" -f1|xargs -n1 add_dkim $1
in the /etc/virtual directory. That is assuming you have chmodded add_dkim to 0755 and placed it in the executable path.
This is how I set this up - and hope it works well for others.
I'm sorry if this all looks very untidy and hacky. I am not really a Linux sysadmin or anything (as you can probably tell). I am learning slowly.
Any improvements are more than welcome!
Thanks all
Neil.
If this guide can be verified it works can it be moved to the how-to section.
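As an added illustration (not code from the thread), here is the zone-record step of the add_dkim script redone in Python, which also covers what the one-line echo cannot: a public key whose base64 body is longer than the 255-byte limit of a single TXT character-string (as a 2048-bit key's is), plus the t=y testing flag. The PEM body is constructed filler rather than a real key; selector x and the 14400 TTL follow the script.

```python
"""Build the selector TXT record that the add_dkim script appends to the zone file.

Added example, not code from the thread. It assumes a PEM public key string as
written by `openssl rsa -pubout`; the key body below is constructed filler.
"""
import re

# A TXT record may carry several character-strings of at most 255 bytes each;
# verifiers concatenate them, so a long p= value must be split across strings.
MAX_TXT_STRING = 255


def pem_to_base64(pem):
    """Strip the BEGIN/END armour and join the base64 lines, as the script's
    grep | sed pipeline does, and refuse input that is not base64."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("public key body is not base64")
    return body


def build_dkim_txt_record(domain, selector, pem, ttl=14400, testing=False):
    """Return the zone-file line for <selector>._domainkey.<domain>."""
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")  # testing mode: verifiers treat failures as unsigned
    value = "; ".join(tags) + "; p=" + pem_to_base64(pem)
    chunks = [value[i:i + MAX_TXT_STRING]
              for i in range(0, len(value), MAX_TXT_STRING)]
    quoted = " ".join('"%s"' % chunk for chunk in chunks)
    return "%s._domainkey.%s. %d IN TXT %s" % (selector, domain, ttl, quoted)


def txt_strings(record):
    """The quoted character-strings of a zone-file TXT line, in order."""
    return re.findall(r'"([^"]*)"', record)


# Constructed filler standing in for a base64 key body: 300 characters, i.e.
# longer than one 255-byte string; openssl writes 64-character lines.
CONSTRUCTED_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + "\n".join(["A" * 64] * 4 + ["A" * 44])
                   + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(build_dkim_txt_record("example.com", "x", CONSTRUCTED_PEM, testing=True))
```

Two things the script leaves to the operator: the zone's SOA serial still has to be bumped and named reloaded before the record becomes visible, and the 768-bit key the script generates is below the 1024-bit minimum that RFC 8301 requires verifiers to accept, so 1024 or 2048 bits is the size to generate today.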
nobaloney
11-12-2010, 06:21 PM
Interested. I'm waiting for some third-party verifications and also some discussions on using DKIM.
Jeff
klemens
11-18-2010, 12:33 AM
I have tested this guide and it works so far.
nobaloney
11-18-2010, 10:32 AM
Discussions please. On the advantages and disadvantages (if any) of using DKIM with outgoing email.
And of advantages of checking it on incoming mail since all it appears to do is add headers to the incoming messages. Where/how would we check those headers?
Thanks.
Jeff
neil.hearn
11-23-2010, 12:48 AM
Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.
It also helps in regards to tracing if your mail server has been used to send spam - as any spam sent via your mail server will be DKIM signed. Thus you can take appropriate measures to ensure it stops occurring.
Adding headers to incoming mail is useful for custom Spamassassin rules, filter rules, OE rules, and anything that can check mail headers. Specifically, giving you control of what you wish to do with your signed/not-signed mails.
That's my 2 pence worth.
Neil.
SeLLeRoNe
11-23-2010, 04:41 AM
I think it would be nice if implemented in your SpamBlocker, jlasman; anyone could decide which domains to add to it, or whether to add it by default to all existing and newer ones...
regards
nobaloney
11-25-2010, 09:02 AM
Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.
I don't see how I can agree with you. For example, in my case, mail from the nobaloney.net domain may come from our billing provider (we use an external billing service at this time), our domain registration system (which uses LogicBoxes software and runs on their servers) our Certificate issuing system (which runs on Certification Authority's servers), from certain other providers, and even from gmail. They won't be signed by DKIM. Or if they will (I'm not sure and I'm not checking now) they won't be signed by our DKIM. But they're all legitimate and all from us.
It also helps in regards to tracing if your mail server has been used to send spam - as any spam sent via your mail server will be DKIM signed. Thus you can take appropriate measures to ensure it stops occuring.
Signed by whom? By the domain the user has set up on your server? That doesn't help the outside world or me much; it simply leads me back to the guy sending spam on my server, which I certainly can identify by other means.
Perhaps I'm misunderstanding, but I just read the Wikipedia article (http://en.wikipedia.org/wiki/Dkim) (wikipedia.org) again, and DKIM doesn't seem to give any more information to the spam recipient to use to trace the spam than s/he already has. Nor does it give me any more information about the spammer than I already have.
I suppose if it can be set up to only work for certain domains it doesn't do harm, but except for possible protection on the receiving end from accepting phishing email, I still don't understand much good.
Please consider continuing to educate me (and others here).
Adding headers to incoming mail is useful for custom Spamassassin rules, filter rules, OE rules, and anything that can check mail headers. Specifically, giving you control of what you wish to do with your signed/not-signed mails.
This I simply don't understand. I see DKIM headers in my incoming email all the time, and my exim.conf SpamBlocker file is no different from yours. The DKIM headers match the return-path. Please explain how we could do anything different.
Jeff
nobaloney
11-25-2010, 09:07 AM
I think it would be nice if implemented in your SpamBlocker, jlasman; anyone could decide which domains to add to it, or whether to add it by default to all existing and newer ones...
Do you remember when I wrote that I'd stopped accepting new features, so I could finally bring out the new SpamBlocker version? That was many months ago.
Are you suggesting I begin work on a new version? My current version works well for me, and so far I've made a total of under $300 in installation fees after years of hard work, so I'm not sure I want to spend years more hard work. Nor am I sure those of us with many systems want to do yet another update; the files require a lot of customizations.
You can possibly talk me into it, but not just by saying you want it.
More on the advantages, and more on what would it require besides changes to the exim.conf file?
Jeff
SeLLeRoNe
11-25-2010, 11:03 AM
Sorry jlasman, it wasn't my intention to mean "I want it, do it".. I was just supposing that it would be a nice feature... honestly I forgot you told me that you stopped new features, my fault :)
nobaloney
11-26-2010, 11:48 AM
No problem. And I'm still awaiting more discussion to see how much interest really exists.
Jeff
SeLLeRoNe
11-26-2010, 12:04 PM
Today I've received an email from Yahoo support because I'm having problems with them, and they suggested these things:
- Make sure you provided the correct IPs and that these IPs are sending traffic to Yahoo! Mail.
- Send to opted-in and engaged subscribers only.
- Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
- Process bounces and complaints in an efficient manner.
The problem I'm having is that they blocked my server IP, probably for too much traffic.. the real problem is that the traffic is made by newsletters and mailing lists from my customers.. and whoever receives the email is because he asked for it...
I'm not so good at English; I've tried to explain as best I can to them what is going on but... it seems they don't understand me so well...
But they mention the DKIM thing as a way to solve the problem (I think they meant that).
This is of course off topic, but maybe some other user is having this problem and finds out a "solution".
But I would ask you (because you are of course more expert than me on email and, I think, on sysadmin in general): how should I check an email sent with U=apache, or... stop apache from sending email and so force users to use SMTP auth with your SpamBlocker (if Exim has to do something for that or it is another thing to edit)...
As usual, thanks for your time, I really appreciate it.
nobaloney
11-26-2010, 01:12 PM
Let's look at this one at a time:
- Make sure you provided the correct IPs and that these IPs are sending traffic to Yahoo! Mail.
Make sure that you've listed with them the IP# your server uses to send email.
- Send to opted-in and engaged subscribers only.
Unfortunately you're responsible to Yahoo to make sure that all who get the email have asked for it, and that all returns due to undeliverables, and all addresses from people who unsubscribe, are immediately removed from the list. Also that each outgoing email includes a remove from list link. If you can't guarantee that to Yahoo, then don't allow your client to send using a mailing list. This needs to be in your terms of service to your client.
- Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.
The problem I'm having is that they blocked my server IP, probably for too much traffic..
They'll unblock once you've done all they ask and open up a feedback loop with them (ask them how).
Note that they don't require everyone sending them email to use DKIM; I don't know the threshold, but I do know I can successfully send email to Yahoo, even list mail, and I don't run DKIM.
the real problem is that the traffic is made by newsletters and mailing lists from my customers..
No, the real problem is that you're responsible for that email even though it's your customer sending it. If you're not willing to take that responsibility then put your client on his own server and VPS and have him manage his email settings himself.
and whoever receives the email is because he asked for it...
You don't know that and can't prove it. At least some people are complaining to Yahoo, or they wouldn't be getting involved.
I'm not so good at English; I've tried to explain as best I can to them what is going on but... it seems they don't understand me so well...
Your English doesn't matter to them at all. All they care about is that you do what they're asking.
But they mention the DKIM thing as a way to solve the problem (I think they meant that).
You'll still need to make sure your client is handling list management and content correctly. Yahoo is a US-based company, and they want all your outgoing mail to them to be in compliance with the US Can Spam Act (http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003) (wikipedia.org).
stop apache from sending email and so force users to use SMTP auth with your SpamBlocker (if Exim has to do something for that or it is another thing to edit)...
You can turn off the sendmail interface by deleting the sendmail link. You can turn off local unauthenticated smtp by removing 127.0.0.1 from the relay_hosts hostlist. But these are both server-wide settings.
Jeff
nobaloney
11-26-2010, 01:14 PM
Signing outgoing mail ensures your company/business is taking responsibility for e-mails sent from its domain. Meaning that any e-mails forged to appear that they come from your domain are screamingly obvious that they are not yours.
Neil,
I'd be happy to work with you on trying out adding DKIM to outgoing email on the server I use personally, for testing purposes. Please contact me by email at the address below in my siglines.
Jeff
SeLLeRoNe
11-26-2010, 02:34 PM
Thanks for your reply and suggestions.
I'm trying to find out a solution, so I'll ask you the stuff I didn't completely get.
1. stop apache from sending email and so force users to use SMTP auth with your SpamBlocker (if Exim has to do something for that or it is another thing to edit)...
You can turn off the sendmail interface by deleting the sendmail link. You can turn off local unauthenticated smtp by removing 127.0.0.1 from the relay_hosts hostlist. But these are both server-wide settings.
What do you mean by server-wide settings? Should that modification of exim.conf cause problems?
2. Does majordomo send the unsubscribe link automatically?
3. - Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.
What does "process bounces" and opt-in mean? And what is double opt-in?
If I understood correctly it is a way to subscribe, but I could be wrong:
opt-in is the user subscribing to the newsletter/email (or the majordomo owner inserting the email?)
double opt-in is the user subscribing and receiving an email to confirm the address, or something like that?
How should I check what every single user is using as the method to add users? I mean, some use majordomo, some the "built in website" newsletter for registered users.
And how should I check if they send the confirmation to get removed?
And (sorry for this bunch of questions) does majordomo automatically delete the emails that get frozen or got errors?
And last question... in case I'm not able to understand who and how, how much would it cost to hire you for those checks/fixes?
Thanks in advance, as usual.
PS.. sorry for my English.. I'm sure there is a better way to ask this stuff... just English is not my main language :)
nobaloney
11-27-2010, 10:38 AM
What do you mean by server-wide settings? Should that modification of exim.conf cause problems?
If you turn off the sendmail interface then no PHP or Perl programs that use it will be able to send email. If you turn off local unauthenticated SMTP, then no program on the server will be able to send email by direct connection on port 25.
2. Does majordomo send the unsubscribe link automatically?
No. In fact majordomo does nothing by itself to make it compliant, except that you can set it to not automatically sign up people unless they send a confirmation email.
3. - Use DKIM to authenticate your email, so you can enroll in our feedback loop program.
You can certainly use the information in this thread to install DKIM-authenticated email.
- Process bounces and complaints in an efficient manner.
What I wrote above.
I don't understand what you wrote above.
What does "process bounces" and opt-in mean? And what is double opt-in?
If I understood correctly it is a way to subscribe, but I could be wrong:
opt-in is the user subscribing to the newsletter/email (or the majordomo owner inserting the email?)
double opt-in is the user subscribing and receiving an email to confirm the address, or something like that?
You're correct.
How should I check what every single user is using as the method to add users? I mean, some use majordomo, some the "built in website" newsletter for registered users.
That's for you to decide. You may need to sign up for their lists to see if they follow the rules. You should have a strong Terms of Service so you can immediately shut down any client who doesn't do it right.
And how should I check if they send the confirmation to get removed?
Again, try subscribing and unsubscribing yourself.
Also make sure your clients know that they MUST do this and if they don't you'll either suspend their account or their email.
And (sorry for this bunch of questions) does majordomo automatically delete the emails that get frozen or got errors?
No.
And last question... in case I'm not able to understand who and how, how much would it cost to hire you for those checks/fixes?
Please feel free to contact me by email with this question. If you do, please put everything in your email. Do not expect me to log back on to the DirectAdmin forums to understand what you're writing about.
And note that it's not easy for me or anyone else to figure out what your clients are doing. Do you really want every line of code in every site audited? That could take hundreds of hours. Best you narrow down your problem users, check their sites, try signing up to their forms, etc.
Thanks in advance, as usual.
PS.. sorry for my English.. I'm sure there is a better way to ask this stuff... just English is not my main language :)
You're very welcome. Don't worry about your English and I won't worry about my utter lack of acquaintance with Italian :).
Jeff
SeLLeRoNe:
I myself try to monitor the Exim queue every now and then to see which customers are sending a lot of emails. After a while you know what your average normal "outgoing" or "incoming" email is and can spot the differences pretty easily.
(I do not have many customers... so it's perhaps not a good way for you.)
From there I check their website. It's manual, but it works.
Having the same problem as you with Yahoo, I'm looking into the same things and I am very interested in whether you're going to implement DKIM or not.
jlasman:
Thanks again for your great work on SpamBlocker. I love it and the doc is great :)
SeLLeRoNe
12-09-2010, 07:13 AM
OK, I've installed DKIM in my exim.conf (SB4) but I had to make a modification in the add_dkim file because it was pointing to /var/named and I have /etc/bind (OS related maybe, I'm using Debian).
And in the command to add all domains I made a change to point to the correct file path:
ls -d */|xargs -n1|cut -d"/" -f1|xargs -n1 /etc/virtual/add_dkim $1
Email is still working (at least it seems so) but I would like to understand how whoever receives my email can tell whether I'm using DKIM or not (if they can check that).
For the edit on exim.conf, I made it in these places:
#EDIT#13:
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_dkim = acl_check_dkim
acl_smtp_rcpt = acl_check_recipient
acl_smtp_data = acl_check_message
#EDIT#25:
acl_check_helo:
  # accept mail originating on this server unconditionally
  accept hosts = @[] : @
  # deny if the HELO pretends to be this host
  deny message = Bad HELO - Host impersonating hostname [$sender_helo_name]
       condition = ${if or { \
                     {match{$sender_helo_name}{$smtp_active_hostname}} \
                     {eq{$sender_helo_name}{[$interface_address]}} \
                   } {true}{false} }
  # deny if the HELO is an IP address
  deny message = HELO is an IP address (See RFC2821 4.1.3)
       condition = ${if isip{$sender_helo_name}}
  # deny if the HELO pretends to be one of the domains hosted on the server
  deny message = Bad HELO - Host impersonating domain name [$sender_helo_name]
       condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
       hosts = ! +relay_hosts
  accept
acl_check_dkim:
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = invalid
       condition = ${if eq {${lc:$dkim_verify_status}}{invalid}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = fail
       condition = ${if eq {${lc:$dkim_verify_status}}{fail}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = none
       condition = ${if eq {${lc:$dkim_verify_status}}{none}{true}{false}}
  warn add_header = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
       sender_domains = $sender_address_domain:$dkim_signers
       dkim_signers = $sender_address_domain:$dkim_signers
       dkim_status = pass
       condition = ${if eq {${lc:$dkim_verify_status}}{pass}{true}{false}}
  accept
#COMMENT#61:
remote_smtp:
  driver = smtp
  dkim_domain = ${sender_address_domain}
  dkim_selector = x
  dkim_private_key = /etc/virtual/${lookup{$sender_address_domain}lsearch{/etc/virtual/domains}{$sender_address_domain}{ERROR}}/dkim.private.key
  dkim_canon = relaxed
Hope it is helpful to someone.
regards
SeLLeRoNe
12-09-2010, 07:16 AM
Oh, I've a question btw...
In the post script, how should I put the command line?
/etc/virtual/add_dkim DOMAIN
My question is.. how do I grep the domain name? Which variable is it?
SeLLeRoNe
12-09-2010, 08:32 AM
OK, now I've made some tests; it seems that on local relay the DKIM signature doesn't appear in the message header, but on external relay it appears.
I'm having just one problem in the header atm:
X-DKIM-Status: invalid [(crazynetwork.it) - 81.174.67.21]
Did I miss something?
The IP of the domain is that one, so I don't get why it fails the check.. (or maybe I understood that error in a wrong way)
#EDIT
Just noticed that if I send an email from the same server but a different domain (that is on a different/shared IP) the DKIM passes:
X-DKIM-Status: pass [(iannucci.net) - 81.174.67.21]
But DKIM always checks the server's main IP, and the iannucci.net domain is on the 194.177.98.234 IP and not on 81.174.67.21.
Any suggestion?
thanks
nobaloney
12-09-2010, 01:14 PM
I'm not sure what you mean by local relay. Do you mean for mail delivered on the same server? If so, then that's not relaying, that's local delivery. And there's no need for dkim checking on local delivery.
Jeff
SeLLeRoNe
12-09-2010, 01:17 PM
Sorry... meant delivery not relay.. sometimes I confuse some words...
Do you think that I made the edit in the correct section of your SpamBlocker?
Thanks
nobaloney
12-09-2010, 01:29 PM
It looks right to me. It's where I put everything when I recently did a paid conversion for a client to SpamBlocker-powered exim.conf version 4. He never wrote back to complain that it's not working. Unless he does I'm going to presume that's correct.
Jeff
truenegative
12-10-2010, 12:54 PM
Been looking for a way to integrate DKIM. This is nice. I was thinking of creating an actual plugin for this.
nobaloney
12-12-2010, 02:41 PM
For what it's worth, I've taken some time today to examine recent emails which have made it through my system but look spammy (they're from mailing companies, and I've never joined the lists). Note that SpamBlocker is working well; there aren't many of these.
They all use DKIM.
Our blocklists aren't removing the ones I'm seeing. That doesn't mean many more aren't being blocked, but these made it through.
And then SpamAssassin autolearned them as ham strictly because they had DKIM enabled.
It appears that mailing list companies I think of as spammers (they think they're not spammers because they conform to Can-SPAM but they don't care where their addresses come from, or they pretend to care but don't check) are using DKIM to make sure their email gets through spam blocking.
Based on this experience I'd recommend that SpamBlocker never whitelist based on DKIM, and that DKIM whitelisting be disabled in SpamAssassin.
That's my opinion.
Comments welcome.
Jeff
SeLLeRoNe
12-13-2010, 01:15 AM
I agree with you, DKIM enabled doesn't mean that the sender is not sending spam.
Btw, where do I have to edit something to make SpamAssassin autolearn? Does it work well?
And last question.. if I make some basic filters.. how should I make them automatically assigned to already existing users and new users?
Thanks in advance.
truenegative
12-13-2010, 02:45 PM
For what it's worth, I've taken some time today to examine recent emails which have made it through my system but look spammy (they're from mailing companies, and I've never joined the lists). Note that SpamBlocker is working well; there aren't many of these.
They all use DKIM.
Our blocklists aren't removing the ones I'm seeing. That doesn't mean many more aren't being blocked, but these made it through.
And then SpamAssassin autolearned them as ham strictly because they had DKIM enabled.
It appears that mailing list companies I think of as spammers (they think they're not spammers because they conform to Can-SPAM but they don't care where their addresses come from, or they pretend to care but don't check) are using DKIM to make sure their email gets through spam blocking.
Based on this experience I'd recommend that SpamBlocker never whitelist based on DKIM, and that DKIM whitelisting be disabled in SpamAssassin.
That's my opinion.
Comments welcome.
Jeff
Agreed 100%. DKIM is a tool to verify the sender. Anyone can set it up including spammers. However, with that said, I do believe it is a decent tool to help prevent your customers regular emails from ending up in spam boxes.
interfasys
12-18-2010, 11:04 PM
I don't see how I can agree with you. For example, in my case, mail from the nobaloney.net domain may come from our billing provider (we use an external billing service at this time), our domain registration system (which uses LogicBoxes software and runs on their servers) our Certificate issuing system (which runs on Certification Authority's servers), from certain other providers, and even from gmail. They won't be signed by DKIM. Or if they will (I'm not sure and I'm not checking now) they won't be signed by our DKIM. But they're all legitimate and all from us.
Since this was posted a while ago, maybe you now understand better how it works, but I just wanted to add that you don't need to sign all the emails from your domain. A simple change in the DNS entry will indicate that only some of it is signed. This can be reinforced with ADSP.
Also, regarding this implementation, it's best to start in testing mode, in order to avoid being blocked or flagged. Once things are working 100%, one can switch to production mode.
All the rules for incoming emails simply warn the recipient, so there is no real need for additional rules, but if one wanted to block or delay emails, here are a few tips:
- Use a list of known senders. If an email coming from gmail doesn't have a DKIM signature, "block" it, it's a spoof
- When a signature verification fails, check if the domain sending it is in testing mode. You can then make decisions based on that result.
And if people want more antispam features and Jeff lacks the time to develop his solution further, there is always "spamblocker on steroid", ASSP.
nobaloney
12-22-2010, 10:45 AM
Use a list of known senders. If an email coming from gmail doesn't have a DKIM signature, "block" it, it's a spoof
What do you mean by an email coming from gmail? Do you mean with a gmail return address, or from a gmail server? How would you identify it?
Jeff
interfasys
12-22-2010, 11:32 AM
DKIM works with $sender_address_domain, so an address like something@gmail.com.
nobaloney
12-22-2010, 12:42 PM
Then what happens if sender uses his gmail.com address but sends from his own server (or any other server)? I don't see blocking that as viable.
Jeff
interfasys
12-22-2010, 12:49 PM
Well, I don't see sending emails using a DA server when the sender is a gmail address as a viable option ;). Doing something like that is one of the first things that gets you flagged as a potential threat/spammer.
In my filters, I just add a flag when something like this occurs. It will raise the overall spam score.
But adding sites like Facebook, Linkedin, Nespresso, etc. to the list of known DKIM senders does make sense.
urgido
12-23-2010, 06:46 PM
Starting exim: 2010-12-23 20:30:57 Exim configuration error in line 196 of /etc/exim.conf:
main option "acl_check_dkim" unknown
If I remove all these lines my Exim works fine!
Any suggestion?
santovito
12-27-2010, 10:08 AM
mmm.. I have tried the configuration from the first post, but if I restart Exim I get this error: main option "acl_smtp_dkim" unknown
interfasys
12-27-2010, 12:19 PM
Maybe your exim is too old.
santovito
12-27-2010, 02:31 PM
Maybe your exim is too old.
After I've tried to type ./build exim, the version that should run is 4.72.
santovito
12-30-2010, 04:17 AM
mmm.. I have tried the configuration from the first post, but if I restart Exim I get this error: main option "acl_smtp_dkim" unknown
Is it possible that this error is because some software or mod is missing?
I've found this link: http://network-wizard.blogspot.com/2008/09/install-exim-with-dkim-and-domainkeys.html Is it valid?
interfasys
12-30-2010, 09:04 AM
It's worth adding this
control = dkim_disable_verify
wherever you have
hosts = +relay_hosts
or
hosts = +auth_relay_hosts
if you trust those hosts
Also, you can now use RBLs as well to whitelist some domains in the DKIM ACL.
interfasys
12-30-2010, 09:53 AM
A couple more things that are missing...
You should always start in testing mode.
Add t=y after k=rsa, like this:
TXT "k=rsa; t=y; p=fdgdfgdfg"
There should be at least one policy.
Example 1
_domainkey.domain.com. 14400 IN TXT "t=y; o=~;"
indicates that we're in testing mode and that only some of the emails are signed
Another example
_adsp._domainkey.domain.com. 14400 IN TXT "dkim=all"
indicates that all emails will be signed
interfasys
12-30-2010, 11:04 PM
I've just checked the acl_check_dkim snippet and there is some redundant and unnecessary code.
First, define this before the ACLs
dkim_verify_signers = $sender_address_domain:$dkim_signers
Second, get rid of all these lines
sender_domains = $sender_address_domain:$dkim_signers
dkim_signers = $sender_address_domain:$dkim_signers
That's not the proper way of using them. You should only use that if you want to apply a rule to a specific list of domains.
Third, remove all the "conditions =". dkim_status is already a condition
Here is an example that should work
  warn dkim_status = none
       set acl_m_dkim_hdr = 1
       add_header = X-DKIM: no dkim signature for $dkim_cur_signer
  warn condition = ${if eq {$acl_m_dkim_hdr}{1}{no}{yes}}
       set acl_m_dkim_hdr = 1
       add_header = X-DKIM: by $primary_hostname on $tod_full
  warn dkim_status = invalid
       add_header = Authentication-Results:$primary_hostname; \
         dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"
  warn dkim_status = fail
       add_header = Authentication-Results:$primary_hostname; \
         dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"
  warn dkim_status = pass
       add_header = Authentication-Results:$primary_hostname; \
         dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"
  accept
This can be improved by writing to logs, checking against adsp records, list of trusted domains, etc.
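To show how the headers these ACLs add can actually drive a decision, here is an added Python example (not from the thread and not part of SpamBlocker) that scores a message from the Authentication-Results header of this revised ACL, or from the X-DKIM-Status header of the first post, and applies the three rules discussed earlier in the thread: an unsigned message whose From: domain is on a known-signers list, an unsigned message from a domain publishing an ADSP dkim=all record, and a failed signature from a domain still in testing mode (t=y). The DNS records, the known-signers list and the sample messages are constructed stand-ins; selector x is assumed as in the thread, and a real check would query the resolver instead of the dictionary.

```python
"""Score an incoming message from the DKIM headers the ACLs above add.

Added example, not code from the thread or from SpamBlocker. It assumes constructed
messages, an in-memory stand-in for the DNS records (selector x, as in the thread)
and a hypothetical known-signers list.
"""
import email
import email.utils
import re
from email import policy

# Constructed stand-in for DNS TXT lookups, keyed by record name.
FAKE_DNS = {
    "x._domainkey.example.com": "v=DKIM1; k=rsa; t=y; p=CONSTRUCTED",  # testing mode
    "_adsp._domainkey.example.com": "dkim=all",
}

# Domains expected to always sign (the "known senders" idea); hypothetical list.
KNOWN_SIGNERS = {"gmail.com", "facebook.com", "linkedin.com"}


def parse_tags(txt):
    """Parse a 'k=v; k2=v2' DKIM or ADSP record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dkim_result(msg):
    """Return (status, signer) from the Authentication-Results header added by
    the revised ACL, falling back to the X-DKIM-Status header of the first post."""
    ar = str(msg.get("Authentication-Results", ""))
    match = re.search(r"dkim=(\w+)", ar)
    if match:
        ident = re.search(r'signing_identity="([^"]*)"', ar)
        signer = ident.group(1).lower() if ident and ident.group(1) else None
        return match.group(1).lower(), signer
    xs = str(msg.get("X-DKIM-Status", ""))
    match = re.match(r"\s*(\w+)\s*\[\(([^)]*)\)", xs)
    if match:
        return match.group(1).lower(), match.group(2).lower() or None
    return "none", None


def from_domain(msg):
    """Domain part of the From: address, lower-cased (empty if unparsable)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def score(raw, dns=FAKE_DNS, known=KNOWN_SIGNERS):
    """Return (spam_score_delta, reason). A valid signature never lowers the
    score: anyone, spammers included, can set up DKIM, so it only penalises."""
    msg = email.message_from_string(raw, policy=policy.default)
    status, signer = dkim_result(msg)
    domain = from_domain(msg)

    if status == "pass":
        return 0.0, "valid signature by %s" % signer
    if status == "none":
        if domain in known:
            return 5.0, "unsigned message claiming to be from known signer %s" % domain
        adsp = parse_tags(dns.get("_adsp._domainkey." + domain, ""))
        if adsp.get("dkim") in ("all", "discardable"):
            return 3.0, "%s publishes ADSP dkim=%s but message is unsigned" % (domain, adsp["dkim"])
        return 0.0, "no signature and no policy for %s" % domain
    # invalid or fail: a signer still in testing mode (t=y) asks verifiers to
    # treat a failure like an unsigned message, so do not penalise it yet.
    key = parse_tags(dns.get("x._domainkey.%s" % signer, "")) if signer else {}
    if "y" in key.get("t", "").split(":"):
        return 0.0, "signature %s but %s is in testing mode (t=y)" % (status, signer)
    return 2.0, "signature %s for %s" % (status, signer)


# Constructed sample messages (minimal headers only).
MSG_PASS = ('Authentication-Results: mail.example.net; dkim=pass; signing_identity="example.com"\n'
            "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n")
MSG_SPOOF = "X-DKIM-Status: none [() - 192.0.2.1]\nFrom: <noreply@gmail.com>\nSubject: hi\n\nbody\n"
MSG_TESTING = ('Authentication-Results: mail.example.net; dkim=fail; signing_identity="example.com"\n'
               "From: <alice@example.com>\nSubject: hi\n\nbody\n")
MSG_ADSP = "From: <alice@example.com>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("pass", MSG_PASS), ("spoof", MSG_SPOOF),
                      ("testing", MSG_TESTING), ("adsp", MSG_ADSP)]:
        print(name, score(raw))
```

A passing signature deliberately scores zero rather than negative: it says who took responsibility for the message, not whether the message is wanted, which is why a DKIM pass is not used as a whitelist here.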
urgido
01-03-2011, 08:57 AM
I can't receive emails from yahoo and gmail, any idea? Best Regards
nobaloney
01-03-2011, 11:20 AM
Watch your exim rejectlog while sending email from both of them.
If that doesn't show you anything, then watch your exim mainlog while sending email from both of them.
Jeff
urgido
01-03-2011, 11:36 AM
Uncommenting this line, acl_check_dkim, was the goal.
Now all is working fine.
cyberneticos
01-04-2011, 04:18 PM
Hello guys, I just got to this forum because I was searching for DKIM since Google is blocking our emails and it's one of the things they suggested we implement.
Are any of you having problems with google, that was solved using dkim ?
Thanks !
interfasys
01-04-2011, 04:44 PM
Never had a problem with Google, but we pass all SPF and DKIM tests on all our IPv4 and IPv6 IPs.
cyberneticos
01-04-2011, 04:49 PM
So do we, and we're not on any black list or anything. DNS is perfect.
interfasys
01-04-2011, 05:06 PM
Hmmmm.... How can you pass their DKIM tests if you haven't implemented it?
cyberneticos
01-04-2011, 05:11 PM
Ooops, I read SPF tests (in general).
We did pass their SPF tests, but I didn't even know they had a DKIM test. Going to look for it now :)
Thanks !
cyberneticos
01-04-2011, 05:32 PM
Darn, actually the SPF test says I need ? instead of ~
Sorry if I ask in the wrong thread, but is it advisable to change to ?
SeLLeRoNe
01-04-2011, 11:47 PM
Could you please point me to those tests?
Thanks
cyberneticos
01-12-2011, 03:58 AM
http://www.openspf.org/
Has anyone implemented DKIM successfully without side effects yet ?
interfasys
01-12-2011, 09:02 AM
That website is a good helper, but the template used in DA is fine (with mods).
Too bad it doesn't support IPv6 yet.
Regarding DKIM, there are no side effects if you configure it to only warn you, add points to the spam score, etc.
Make sure you indicate in your DNS that you're in testing mode and your mail should never get rejected.
An example of some spammer trying to make it look like he's Google...:
2011-01-13 05:15:15 1PdEah-xxx-5h H=(mail.petersenpainting.net) [173.10.28.74]:35492 I=[x]:25 temporarily rejected DKIM : DKIM Forgery: Unsigned message from adwords-noreply@google.com
2011-01-13 05:30:20 1PdEpI-000Nbi-6j DKIM Forgery: Known Signers rule : Domain:google.com, message from adwords-noreply@google.com to
He would have been blocked anyway (http://www.barracudacentral.org/reputation?pr=1&ip=173.10.28.74), but people using some less known servers could go through the blacklists, but not the DKIM tests.
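The "Known Signers rule" in the log excerpt above, and the Authentication-Results headers the corrected ACL earlier in the thread stamps on each message, can be combined into a simple downstream check: mail whose From: domain is on a list of domains known to always sign must carry a passing DKIM signature from that same domain. The following is an added example written for this page, not code from the thread or from Exim; it assumes the header format the ACL produces (authserv-id, then dkim=result, then signing_identity) and uses a constructed list of known signers, constructed sample messages and a hypothetical authserv-id mx.example.net. It also ignores any Authentication-Results header not written by our own server, since a sender can add such headers themselves.

```python
"""Consumer-side check for the Authentication-Results headers added by the ACL.

Added example (not from the thread).  Assumed header shape, as written by the ACL:
    Authentication-Results: <our authserv-id>; dkim=<result>; signing_identity="<d= domain>"
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed policy list: domains whose mail is always DKIM-signed by themselves.
KNOWN_SIGNERS = {"google.com", "paypal.com"}

AR_RE = re.compile(
    r'^\s*(?P<authserv>[^;\s]+)\s*;\s*dkim=(?P<result>[a-z]+)'
    r'(?:\s*;\s*signing_identity="(?P<signer>[^"]*)")?',
    re.IGNORECASE,
)


def parse_auth_results(msg: Message, authserv_id: str) -> list[dict]:
    """Return the dkim results from Authentication-Results headers stamped by *our* server.

    Headers naming any other authserv-id are ignored: anyone can insert an
    Authentication-Results header before the message reaches us.
    """
    results = []
    for raw in msg.get_all("Authentication-Results", []):
        m = AR_RE.match(raw.replace("\n", " "))
        if not m or m.group("authserv").lower() != authserv_id.lower():
            continue
        results.append({"result": m.group("result").lower(),
                        "signer": (m.group("signer") or "").lower()})
    return results


def from_domain(msg: Message) -> str:
    """Lower-cased domain part of the From: header, '' if it has none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def known_signer_verdict(msg: Message, authserv_id: str) -> str:
    """'ok' unless the From: domain is a known signer without a passing signature from itself."""
    domain = from_domain(msg)
    if domain not in KNOWN_SIGNERS:
        return "ok"
    results = parse_auth_results(msg, authserv_id)
    if not results or all(r["result"] == "none" for r in results):
        return f"forgery: unsigned message from {domain}"
    for r in results:
        if r["result"] == "pass" and (r["signer"] == domain or r["signer"].endswith("." + domain)):
            return "ok"
    return f"forgery: no passing signature from {domain} (got {[r['result'] for r in results]})"


# Constructed sample messages (not real mail).  FORGED carries a spoofed
# Authentication-Results header from a foreign authserv-id, which must be ignored.
FORGED = """\
From: adwords-noreply@google.com
To: user@example.net
Subject: constructed sample, unsigned
Authentication-Results: evil.example; dkim=pass; signing_identity="google.com"
X-DKIM: no dkim signature for

body
"""
LEGIT = """\
From: adwords-noreply@google.com
To: user@example.net
Subject: constructed sample, signed
Authentication-Results: mx.example.net; dkim=pass; signing_identity="google.com"

body
"""
FAILED = LEGIT.replace("dkim=pass", "dkim=fail")
UNPOLICED = """\
From: newsletter@shop.example
To: user@example.net
Subject: constructed sample, domain not on the list

body
"""

if __name__ == "__main__":
    for name, text in [("FORGED", FORGED), ("LEGIT", LEGIT), ("FAILED", FAILED), ("UNPOLICED", UNPOLICED)]:
        print(name, "->", known_signer_verdict(message_from_string(text), "mx.example.net"))
```

The verdict strings mirror the two forgery log lines quoted above (unsigned message from a known signer, and a known-signer rule miss); a real deployment would feed them into the spam score or a warn-only log first, exactly as the post recommends for DKIM itself.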
SeLLeRoNe
02-27-2011, 03:55 AM
I've tested the first post setup once again.
Removed all DKIM keys (private and public) and all DNS entries generated by the script, added just my main domain with DKIM and made some tests.
First test: the DKIM test passed.
So, I tried to remove the DNS entry and keys again and generated them again just for one domain (same as first test).
Tried again to send an email to a different server and this time the test failed (no other change was made).
So I tried to remove the DNS entry and keys 5 more times and the DKIM test always fails.
Any suggestion?
batoo
04-10-2011, 12:24 PM
Because I didn't want to add DKIM for incoming emails, I just wanted to add DKIM for the domains I host, so I did this.
1. Under driver = smtp
dkim_domain = ${sender_address_domain}
dkim_selector = x
dkim_private_key = /etc/virtual/${lookup{$sender_address_domain}lsearch{/etc/virtual/domains}{$sender_address_domain}{ERROR}}/dkim.private.key
dkim_canon = relaxed
2. Then I open Notepad and paste this code:
#!/bin/bash
# Usage: dkim.sh example.com -- creates the key pair and appends the selector "x" TXT record to the zone.
set -e
dom="$1"; [ -n "$dom" ] || { echo "usage: $0 domain" >&2; exit 1; }
# 768 bits as posted; verifiers following RFC 8301 reject keys under 1024 bits (2048 is the usual choice).
openssl genrsa -out "/etc/virtual/$dom/dkim.private.key" 768
openssl rsa -in "/etc/virtual/$dom/dkim.private.key" -out "/etc/virtual/$dom/dkim.public.key" -pubout -outform PEM
chown mail:mail /etc/virtual/"$dom"/*.key
echo
# Drop the PEM BEGIN/END lines and join the base64 into one string for the TXT record.
pub=$(grep -v -- '-----' "/etc/virtual/$dom/dkim.public.key" | tr -d '\n')
echo "x._domainkey.$dom. 14400 IN TXT \"v=DKIM1; k=rsa; p=$pub\"" >> "/var/named/$dom.db"
echo "Domain $dom has been configured for DKIM signing."
3. Save as dkim.sh with mode 755 in the virtual dir.
4. I'm a newbie, but I saw on one forum that I can run your script as
sh -x ./dkim mydomain.com
There are some errors, but I noticed that 2 files, dkim.private.key and dkim.public.key, now exist in the domain folder.
*****************************************************
Questions:
1. I got a chown mail:mail error?
2. The created files have root as owner; should I change them to the mail user, since all files in the domain folder have mail as user?
Regards
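The one-line echo in the script above builds the x._domainkey TXT record by stripping the PEM markers and joining the base64. Two things it leaves out matter in practice: a TXT record string is limited to 255 bytes, so once p= grows past that (a 2048-bit key does) the RDATA has to be written as several quoted strings that the resolver concatenates, and the t=y testing-mode flag recommended earlier in the thread. The following is an added example written for this page, not the script from the thread or DirectAdmin's own code; the PEM it uses is constructed from arbitrary bytes and is not a real key, and the function names are my own.

```python
"""Build and sanity-check a DKIM selector._domainkey TXT record from a PEM public key.

Added example (not the thread's script).  The sample PEMs below are constructed
placeholders shaped like `openssl rsa -pubout` output; they are NOT real keys.
"""
import base64
import re


def pem_body(pem: str) -> str:
    """Join the base64 lines between the PEM BEGIN/END markers into one string
    (the same thing the grep -v '-----' | sed pipeline in the script does)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error if the PEM body is corrupt
    return body


def dkim_txt_record(domain: str, selector: str, pem: str, *, testing: bool = False, ttl: int = 14400) -> str:
    """Zone-file line for selector._domainkey.domain.

    The RDATA is split into quoted strings of at most 255 characters; a resolver
    concatenates them, so a verifier sees one tag=value list.  testing=True adds
    t=y, which tells verifiers the domain is still testing and not to reject on failure.
    """
    tags = ["v=DKIM1", "k=rsa"] + (["t=y"] if testing else [])
    rdata = "; ".join(tags) + "; p=" + pem_body(pem)
    chunks = [rdata[i:i + 255] for i in range(0, len(rdata), 255)]
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT " + " ".join(f'"{c}"' for c in chunks)


def zone_line_strings(line: str) -> list:
    """The quoted character-strings of a TXT zone line, in order."""
    return re.findall(r'"([^"]*)"', line)


def parse_dkim_txt(txt_strings: list) -> dict:
    """Parse the tag=value list a verifier sees after concatenating the TXT strings.

    Returns the tags plus 'testing' and the decoded key length; raises ValueError on
    records a verifier would treat as unusable (bad tag syntax, unknown version, no p=).
    """
    tags = {}
    for part in "".join(txt_strings).split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)  # whitespace inside a value is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unknown DKIM version")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    tags["revoked"] = tags["p"] == ""          # empty p= means the key was revoked
    tags["key_bytes"] = len(base64.b64decode(tags["p"], validate=True))
    tags["testing"] = "y" in tags.get("t", "").split(":")
    return tags


def _fake_pem(n_bytes: int) -> str:
    """Constructed placeholder PEM: n arbitrary bytes, base64, wrapped at 64 columns."""
    b64 = base64.b64encode(bytes((i * 7 + 3) % 256 for i in range(n_bytes))).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{wrapped}\n-----END PUBLIC KEY-----\n"


# 120 bytes is about the DER size of a 768-bit key as in the script; 294 bytes matches a 2048-bit key.
SHORT_PEM = _fake_pem(120)
LONG_PEM = _fake_pem(294)

if __name__ == "__main__":
    print(dkim_txt_record("example.com", "x", SHORT_PEM))
    print(dkim_txt_record("example.com", "x", LONG_PEM, testing=True))
```

Run it and the 768-bit-sized record fits in a single quoted string, while the 2048-bit-sized one is emitted as two strings; parse_dkim_txt applied to either gives back what a verifier would see, which is a cheap way to check a zone entry before reloading named.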
batoo
04-10-2011, 12:28 PM
Output code image = http://img848.imageshack.us/i/unledk.jpg/
SeLLeRoNe
04-10-2011, 03:12 PM
The latest DirectAdmin release has a DKIM script inside.
Check http://www.directadmin.com/features.php?id=1189
Regards
icepick
10-11-2011, 06:41 PM
Hey Guys,
So I run a small ISP where our one DirectAdmin box also acts as a mail relay for all the customers in our IP space. When a user sends mail they have no DKIM associated with them, so it's hitting
2011-10-12 14:38:39 1RDnmJ-0001z7-Ac unable to open private key file for reading: /etc/virtual/ERROR/dkim.private.key
Rather than each and every client that uses us for outbound mail calling us and asking us to generate a key for them and asking for the public portion to add to their DNS, can I have a default one that sits in the file /ERROR/dkim.private.key and then all these users sit on this one shared key?
I tried it and I see messages get signed, but when sending an email to Gmail and checking the headers I see that DKIM=neutral due to bad configuration.
So I have disabled the above method and am wondering if there is another way for me to do this, or if I am close to sorting this out.
I need DKIM or DomainKeys to work, as clients' mail is ending up in Yahoo junk mail boxes and sometimes Gmail too.
Looking forward to a response, and thanks in advance.
barry
SeLLeRoNe
10-12-2011, 01:43 AM
Have you generated the private keys for each domain?