[Pkg-exim4-users] Why the DKIM-Signature header isn't created when a mail is relayed to the smarthost ?

Satoru Otsubo trnsnt at otip.jp
Sun Nov 18 09:22:49 UTC 2012


Hi, all

My PC: Linux squeeze Japanese version clean install.
(Current kernel version: 2.6.32-5-686)

Exim-related installed packages are as follows:
(I have changed exim4-daemon-light to exim4-daemon-heavy.
I use the normal exim4 package prepared by the Debian maintainers,
that is, I did not compile exim4.)
# dpkg -l | grep exim
ii  exim4                4.72-6+squeeze3
ii  exim4-base           4.72-6+squeeze3
ii  exim4-config         4.72-6+squeeze3
ii  exim4-daemon-heavy   4.72-6+squeeze3
rc  exim4-daemon-light   4.72-6+squeeze3
ii  sa-exim              4.2.1-13     SpamAssassin filter for Exim


 Internet<---Smarthost<---Exim4 server machine---(Lan)---a host(a.b.c.d)

I use a dynamic IP address to connect to the Internet.
Therefore, I use the Exim4 server with the configtype 'mail sent by smarthost; received via SMTP or fetchmail' in order to avoid OP25B, as follows:

$ cat /etc/exim4/update-exim4.conf.conf
........
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='........'
dc_local_interfaces=''
dc_readhost=''
dc_minimaldns='false'
dc_relay_nets='a.b.c.d'
dc_smarthost='auth.gate-on.net::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
dc_relay_domains=''

(where a.b.c.d is the host address within the LAN, whose mails are sent to the Exim4 server machine.)

I want to sign, with DKIM, emails which originate directly from the Exim4 server machine or come from the host (a.b.c.d) and which are relayed to the smarthost, so that the emails are not interpreted as spam.

(1)
I created a private key and public key as follows:
# cd /etc/exim4
# openssl genrsa -out dkim.private.key 1024
# chown root.Debian-exim dkim.private.key
# chmod 640 dkim.priv
# openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform pem

Because dc_use_split_config='false', I have set up exim4.conf.localmacros as follows:
$ cat /etc/exim4/exim4.conf.localmacros 
DKIM_SELECTOR = x
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key
DKIM_CANON = relaxed
DKIM_DOMAIN = my.domain

And,
# /etc/init.d/exim4 restart

(2)
Next, I have to add my DKIM public key to my DNS.
I use a free Dynamic DNS service as my DNS.
But it is not accepting TXT records currently (although it is planning to accept them in the near future), therefore I can't advertise my DKIM public key currently.
But my purpose is to test whether I can sign, with DKIM, emails which are relayed to the smarthost.

(3)
Therefore, I emailed from the host (a.b.c.d) to check-auth at verifier.port25.com, which automatically sends back the result, along with the original email headers.

As a consequence, of course, I found the following:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)


But I was unable to find a DKIM-Signature header in the original email headers.
If a DKIM-Signature header had been created when the email was relayed to the smarthost, it should be included in the original email headers attached to the sent-back email.
Therefore I think the DKIM-Signature header wasn't created when the email was relayed to the smarthost.
Why isn't the DKIM-Signature header created?

(By the way, the sent-back emails from port25.com have their own DKIM-Signature header attached within their own headers.
And there are lines like the following in /var/log/exim4/mainlog:
2012-11-18 13:02:29 1TZw5U-0005SS-C8 DKIM: d=port25.com s=verifier201208 c=relaxed/relaxed a=rsa-sha1 i=auth-results at verifier.port25.com[verification succeeded]
Therefore, it seems that Exim4 is correctly dealing with DKIM in incoming emails.)

Thanks for any help
Satoru
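
Added example, not part of the original post: a small Python check for step (3) that parses the headers echoed back by the verifier and reports whether any DKIM-Signature carries the d= and s= values from the localmacros file, since a signature from another domain (such as port25.com's own) does not count. The function names and sample messages are constructed for illustration, and the bh=/b= values are placeholders.

```python
import email

# Macros exactly as shown in the post's /etc/exim4/exim4.conf.localmacros.
LOCALMACROS = """\
DKIM_SELECTOR = x
DKIM_PRIVATE_KEY = /etc/exim4/dkim.private.key
DKIM_CANON = relaxed
DKIM_DOMAIN = my.domain
"""

# Constructed sample messages; the bh= and b= values are placeholders.
UNSIGNED = ("From: user@my.domain\nTo: check-auth@verifier.port25.com\n"
            "Subject: test\n\nbody\n")
FOREIGN = ("DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=port25.com;\n"
           "\ts=verifier201208; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
           + UNSIGNED)
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=my.domain;\n"
          "\ts=x; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n" + UNSIGNED)

def parse_macros(text):
    """Parse 'NAME = value' macro lines into a dict."""
    macros = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            macros[name.strip()] = value.strip()
    return macros

def parse_tag_list(value):
    """Split a DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_signed(raw_message, macros):
    """Return (signed_by_us, dns_name, [(d, s) of every signature seen])."""
    msg = email.message_from_string(raw_message)
    want = (macros["DKIM_DOMAIN"].lower(), macros["DKIM_SELECTOR"])
    seen = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(value)
        seen.append((tags.get("d", "").lower(), tags.get("s", "")))
    # Name under which the public key would be published as a TXT record.
    dns_name = "%s._domainkey.%s" % (want[1], want[0])
    return want in seen, dns_name, seen
```
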
