Exim + DKIM using the example of FreeBSD 8.2

What is DKIM and how does it work

DKIM (stands for DomainKeys Identified Mail ) is a method for identifying a letter by domain keys.
DKIM is configured on the mail server in order to sign outgoing letters with a digital signature. The presence of such a signature in the header of the sent letter informs the recipient server that it was indeed sent from the specified domain.
It is known that in SPAM letters, often in the From: field they put an e-mail, which has absolutely no relation to the sender. In this case, DKIM will help you recognize the real spam letter. Unlike other digital signature methods, DKIM is compatible with existing formats and protocols and can be seamlessly integrated into existing mail delivery and receiving systems.

The signature of the letter occurs on the SMTP server using a private key (Private key), and the decryption of the signature occurs on the recipient server or the client program using the public key (Public key). Interestingly, the public key is stored in the DNS, which allows you to kill two birds with one stone. First, there is no need to attach a public key with each letter to decrypt it. And secondly, in this case DKIM allows you to tell the recipient servers what to do with the letter, which does not have a digital signature, but is supposedly sent from you. This technology is called ADSP (Author Domain Signing Practices). ADSP is also stored in the DNS of the SMTP server and is accessible to everyone and from anywhere.

Configure DKIM in Exim

First you need to create a pair of Private key + Public key.
About encryption methods and key length is available written in Wikipedia:

DKIM uses already established cryptographic tools. Currently, DKIM authors propose two algorithms for digital signature: RSA-SHA256 and RSA-SHA1, but in the future it may be possible to expand the technology to support other algorithms. The key length is limited to 4096 bits, since the longer key will not fit into the maximum DNS UDP packet size - 512 bytes. The recommended key length is from 1024 to 2048 bits. Too much length creates a computational load on the server to process each message, and too small (384 or 512 bits) is cracked over the current time using a PC or using a cloud computing service.

According to the results of research in our time it is already possible to decrypt data encrypted with RSA with a key length of 1024 bits. Therefore, the best for today will be the RSA key with a length of 2048 bits.
To generate a key pair, you can use the online service www.port25.com/support/domainkeysdkim-wizard or use openssl in the console.
')

Generate the secret key through openssl

root@server# openssl genrsa -out /usr/local/etc/exim/example.com.key 2048 

At the exit, we have a key of the form:

 -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDT1tSzyG2Zch4LTgGPbn/8H535Vd+friNn/gBsV7rFNVZdxapD dOUzeATUTbAG/3Ux7vJxYd6i982IajVz0b2dsmkdDzctC4EdJsLcpCpyf3x21nYZ oJO2GjaFW65MNj7dU7BXDerLTE+zTu/Q4vs4ZqCA39CtbmetjBS9l/NsMQIDAQAB AoGBAM2ZyVFAatkQSBaivLwlWknapSPgv4g7h5FSTXeI9i5frx+V1UnRDki+FTx nbH9CErRZh8jZQj4x1Pp+T0SyRtb62ydJooPYIpNlTt71cgZNwH174uFt4HevKmC MJIhzaufEZYhamS4NQOR+4FakdZX2T8yzuvwDwkplJP2tO/tAkEA7RDltCTOShdd sJYs0wjs1mDXUiSz0giFAYvMBvOelpyjJl9Pi1A0CNcD4WdvAl0Xo5aRMVrTXRzf .... -----END RSA PRIVATE KEY----- 

Generate a public key based on the secret

 root@server# openssl rsa -in /usr/local/etc/exim/example.com.key -pubout 

At the output we get something like:

 -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA3GNADCBiQKBgQDT1tSzyG1Zch4LTgGPbn/8H535 Vd+friNn/gBsV7rFNVZdxapDd0UzeATUTbAG/3Ux7vJxYd6i982IajVz0b2dsmkd DzctC4EdJsLcpCpyf3x21nYZoJO2GjaFW65MNj7dU7BXDerLTE+zTu/Q4vs4ZqCA ... -----END PUBLIC KEY----- 

Rule the DNS

Add DKIM selector

Create a DNS entry mail1._domainkey.example.com of type TXT with the value:

 k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT1tSzyG1Zch4LTgGPbn/8H535Vd+friNn/gBsV7rFNVZdxapDdOUzeATUTb... 

(In this case, this is the syntax for the DNS server on BIND, and other DNS servers may not require the “\” sign to escape the “;”.)
Instead of mail1, you can use another selector, for example, dkim , server , public, etc. There can be several similar public key entries for DKIM.
You must wait until your DNS record is updated on other servers. This may take several hours.
You can check your DKIM record, for example, using the DNSWatch service.

Add ADSP Record

Create a DNS entry _adsp._domainkey.example.com type TXT with the value dkim = unknown .
In addition to unknown, the dkim parameter can have two more values ​​— all and discardable .

• unknown - the domain can sign some or all letters.
• all - all letters from the domain are signed.
• discardable - all letters from the domain are signed. In addition, if the letter arrives without a valid signature due to changes in the path, passing through the path without access to the signing key, or for other reasons, the domain calls upon the addressee to reject it.

We rule config Exim

Add to the file / usr / local / etc / exim / configure at the beginning:

 ## DKIM: DKIM_DOMAIN = ${lc:${domain:$h_from:}} DKIM_FILE = /usr/local/etc/exim/${lc:${domain:$h_from:}}.key DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}} 

This design will allow the use of different private key for different domains.
We correct the remote_smtp transport:

  remote_smtp: driver = smtp dkim_domain = DKIM_DOMAIN dkim_selector = mail1 dkim_private_key = DKIM_PRIVATE_KEY 

Here mail1 is our selector.

Save the config and reread it:

 root@server# service exim reload 

DKIM check

There are several ways to check DKIM. I will describe two of them.
1) It is known that Gmail checks DKIM in emails. We send the letter to your gmail box and look at the headers.
Find a record of the form

 Authentication-Results: mx.google.com; spf=pass (google.com: domain of info@example.com designates 100.12.94.241 as permitted sender) smtp.mail=info@example.com; dkim=pass header.i=@example.com 

dkim = pass means that DKIM is configured and successfully tested.
2) Use the DKIM-checker from the www.port25.com service.
We send a test letter to the address check-auth2@verifier.port25.com and wait for the test result back from him.

References:
DKIM wiki ru.wikipedia.org/wiki/DomainKeys_Identified_Mail
DKIM ADSP www.dkim.org/specs/draft-ietf-dkim-ssp-04.html
DKIM wizard www.port25.com/support/domainkeysdkim-wizard
HOWTO: Exim & DKIM forum.lissyara.su/viewtopic.php?f=20&t=22162
man openssl
DNSWatch www.dnswatch.info