exim and domainkeys on debian

This post is a follow-up to one of my previous posts, which described how you can create a custom exim package on Debian.

In this post I will show you how to compile and configure exim with DomainKeys support. The configuration covers signing outgoing emails only, but it is easy to make exim verify signed messages as well if you read the exim DomainKeys documentation.

To do this, first follow the steps described in my previous post, and between steps 7 and 8 do these steps:

  1. Install libdomainkeys:
    download it from domainkeys.sourceforge.net, extract and make:

    tar -xzpf libdomainkeys-0.69.tar.gz
    cd libdomainkeys-0.69
    make

    if it doesn't compile, with errors about resolv, do this:

    echo '-lresolv' > dns.lib
    make

    to install just copy the static lib and the header files:

    cp libdomainkeys.a /usr/local/lib
    cp domainkeys.h dktrace.h /usr/local/include

    and then clean up (step back out of the source directory first, or the glob matches nothing):

    cd ..
    rm -rf libdomainkeys-0.69*

  2. Configure the exim custom package for DomainKeys:
    add DomainKeys support to the exim makefile:

    cat <<EOF > EDITME-exim4-custom
    EXPERIMENTAL_DOMAINKEYS=yes
    CFLAGS  += -I/usr/local/include
    LDFLAGS += /usr/local/lib/libdomainkeys.a
    EOF

    And now continue with step 8 in the previous post.

When you're done, all that's left to do is edit the exim configuration to enable DomainKeys signing:

open /etc/exim4/exim4.conf or /etc/exim4/exim4.conf.template in an editor

look for the remote_smtp transport definition and add the following configuration to it:

dk_domain = ${lc:${domain:$h_from:}}
dk_selector = default
dk_private_key = /etc/exim4/dk_keys/${dk_domain}_priv.key

Key management

create the directory that will hold the keys:

mkdir /etc/exim4/dk_keys

create the scripts that will generate and show the keys (the heredoc delimiters are quoted so that $0, $1 and ${domain} end up in the scripts instead of being expanded while they are written):

  cd /etc/exim4/dk_keys
  cat <<'EOF' > gen_key.sh
  #!/bin/sh
  if [ "$1" = "" ] ; then
  echo "Usage: $0 domain_name";
  exit 1;
  fi
  openssl genrsa -out $1_priv.key 1024
  openssl rsa -in $1_priv.key -pubout -out $1_pub.key
  EOF

  cat <<'EOF' > cat_key.sh
  #!/bin/sh
  domain=$1
  p=$(echo $(cat ${domain}_pub.key )| \
  sed -r -e 's/ //g' \
  -e 's/-----BEGINPUBLICKEY-----//' \
  -e 's/-----ENDPUBLICKEY-----//' )
  echo default._domainkey IN TXT "\"k=rsa; t=s; p=$p\""
  EOF

  chmod +x gen_key.sh cat_key.sh

generate a key for a new domain:

  cd /etc/exim4/dk_keys
  # generate the keys
  ./gen_key.sh my_new_domain.tld
  # show the DNS record that needs to be set
  ./cat_key.sh my_new_domain.tld

After you set the DNS TXT record you can test the new setup by sending an email from the newly configured domain to a Gmail or Yahoo account. In Gmail, view the new message and click on "details"; it should show "signed-by: my_new_domain.tld". Yahoo will just show a key icon in the message header.
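Before relying on the Gmail/Yahoo check, it is worth confirming that the record you actually published carries the same key that gen_key.sh wrote. The script below is an added example, not part of the original post: it parses a TXT record string (pasted in by hand, for instance from `dig +short TXT default._domainkey.DOMAIN`, so it runs offline) and compares its p= tag with the local *_pub.key file; the sample key file it builds is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check that a published
# default._domainkey TXT record carries exactly the public key that
# gen_key.sh wrote, so a paste error or a stale record is caught early.

# Collapse a PEM public key file into the bare base64 body that
# cat_key.sh publishes as p=... (drops BEGIN/END lines and whitespace).
dk_pem_to_p() {
    sed -e '/^-----/d' "$1" | tr -d ' \n\r'
}

# Pull the p= tag out of a TXT record. Quotes and spaces are dropped
# first so a record split into several quoted strings (DNS limits each
# string to 255 bytes, which a 2048-bit key would exceed) is rejoined.
dk_record_p() {
    printf '%s' "$1" | tr -d '" ' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Returns 0 if the record's p= matches the key file, 1 if it does not
# or the record has no p= tag, 2 if the key file is unreadable.
dk_check_record() {
    pem="$1"; record="$2"
    [ -r "$pem" ] || { echo "cannot read key file: $pem" >&2; return 2; }
    expected=$(dk_pem_to_p "$pem")
    published=$(dk_record_p "$record")
    [ -n "$published" ] || { echo "record has no p= tag" >&2; return 1; }
    [ "$expected" = "$published" ]
}

# Constructed sample (not a real key): a file in PEM layout and the
# base64 body that cat_key.sh would publish for it.
DK_TMP=$(mktemp -d)
trap 'rm -rf "$DK_TMP"' EXIT
DK_SAMPLE_KEY="$DK_TMP/example.tld_pub.key"
DK_SAMPLE_P="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCONSTRUCTEDSAMPLEBODYIDAQAB"
printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
    'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC' \
    'CONSTRUCTEDSAMPLEBODY' \
    'IDAQAB' \
    '-----END PUBLIC KEY-----' > "$DK_SAMPLE_KEY"

# Real usage: dk_check_record /etc/exim4/dk_keys/DOMAIN_pub.key "$(dig +short TXT default._domainkey.DOMAIN)"
if dk_check_record "$DK_SAMPLE_KEY" "\"k=rsa; t=s; p=$DK_SAMPLE_P\""; then
    echo "record matches key"
fi
```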

6 thoughts on “exim and domainkeys on debian”

  1. Thanks a lot for your posts on this topic.
    I'm implementing domainkeys for my mails to Yahoo. Although I have taken many precautions (SPF-Record/clean Blacklists/Reverse DNS/Static IP/no unauthorized relay), somehow Yahoo still puts most of my mails into the spam-folder.

    A small note on your post.
    There is a small mistake:
    cp domainkeys.h dktrace.h /usr/local/includes
    should be
    cp domainkeys.h dktrace.h /usr/local/include

    That gave me a compilation error, but I can live with the additional minutes spent ;-)

    Thanks again and cheers!
    - leonard

  2. When testing, Gmail now says 'mailed-by:' rather than 'signed-by:'.

    Fantastic guide though! Information on how to build custom debian packages is hard to come by and this couldn't have been simpler. It's only because of the guide that I can give you the above small amendment :]

    Many thanks!

  3. If it shows 'mailed-by' it means something is not working at the domainkeys level. Look at the message source; if it has the signature in there, maybe something's wrong with the DNS entries.
