
DKIM signature in MS Exchange

Good day, Habr!

A common problem: a message from a new or rarely used domain is initially labelled “spam” or “junk” and lands in the corresponding folder, where it simply goes unnoticed. This is not about bulk mailings, but about ordinary business (and not so business) messages sent by people. I ran into exactly this problem.

Investigation showed that our configuration did not use DKIM signatures at all, and the need for them is rising to the level of a requirement. The snag was that MS Exchange Edge was used as the MTA together with Forefront Protection, which cannot work with DKIM, and putting another MTA (for example, postfix) in front of it would have meant giving up Forefront DNS-BL, reconfiguring SSL/TLS and complicating the setup even further. Forgive me, but as a Windows admin I really did not want to do all that.

So the search for other solutions began, because Microsoft firmly believes that an SPF record is sufficient: even the 2013 edition of Exchange has no DKIM support, and none is planned. At first only the paid DkimX and EmailArchitect turned up, but then I came across the free Exchange DKIM Signer module by Stefan “Pro” Profanter, and its use is what this article is about.

DKIM

There are many descriptions of DKIM principles and its setup. If you are unfamiliar with it, read the following articles, which explain everything clearly and in detail: DKIM is simple, No more spam emails: setting up an SMTP server.

Exchange DKIM Signer

It is a Transport Agent, an internal mail handler. Exchange has many of them (this installation ended up with 14); each does its own part of the work, such as spam checking, attachment filtering or header changes, and a message passes through them in sequence. Therefore the DKIM signing agent must be placed at the very end, at the point where the message will no longer be modified.

If you use Exchange 2007 SP3 to 2010 SP3, the latest version can be downloaded here; for Exchange 2013, agent version 2.0 is used, which has a GUI installer, so there should be no questions; links to the online/offline installers can be found here.

Installation on the example of Exchange 2010 SP3

This must be done on every server with the Edge Transport role.

We will need (all of this is described in the articles linked in the DKIM section above):
- a key pair (public and private); I recommend generating it with openssl rather than with third-party online services,
- the necessary DNS records.

Now the agent itself: put it in any folder; installation is done from the Exchange Management Shell:
1. Go to the folder with the agent (say, cd c:\dkim),
2. Run "Set-ExecutionPolicy Unrestricted", which allows external scripts to be executed,
3. Run the installation script ".\Install.ps1" (note: the Exchange Transport service will be stopped during the process),
4. Next you are offered to change the configuration right away; by default the config is in “C:\Program Files\Exchange DkimSigner”; open it in a text editor and fix this place:

[The three example config entries from the original (one XML element per rule, with the attributes described below) did not survive extraction.]

Three rules are described here as an example, where Domain= is the domain on whose behalf the signature is made, Selector= is the selector under which the public key is published, PrivateKeyFile= is the path to the private key (relative or absolute), and RecipientRule= and SenderRule= are regular-expression filters on recipients or senders that determine which messages are signed with this key.
It is enough to leave just one line and enter your own data into it; then all outgoing messages will be signed.

5. Press Enter and watch for the message that installation is complete; the transport services should start. Check the event log for possible errors: in the “Application” section the agent writes entries under the source “Exchange DKIM”,
6. Also check the list of Transport Agents with the command "Get-TransportAgent"; Exchange DkimSigner should be last. If it is not, change its priority with "Set-TransportAgent -Identity "Exchange DkimSigner" -Priority N", where N is the number of the last agent in the list,
7. The "Set-ExecutionPolicy Restricted" command restores the default execution policy for external scripts.
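As an added example (not code from the article or from the Exchange DKIM Signer project), the prerequisite and verification steps above in one PowerShell script: it generates the key pair with openssl, builds the TXT value the selector record must publish, compares it with what DNS actually serves, and moves the agent to the last priority if it is not already there. The domain example.com, the selector "mail", the C:\dkim paths and an openssl.exe on PATH are assumptions.

```powershell
# Added example, not part of the article or the Exchange DKIM Signer project.
# Assumptions: openssl.exe on PATH, keys in C:\dkim, domain example.com, selector "mail".
# Run in the Exchange Management Shell on the Edge Transport server.
$Domain   = 'example.com'
$Selector = 'mail'
$KeyDir   = 'C:\dkim'
$Private  = Join-Path $KeyDir "$Domain.private"
$Public   = Join-Path $KeyDir "$Domain.public"

# 1. Key pair with openssl (the article recommends openssl over online generators).
if (-not (Test-Path $Private)) {
    & openssl genrsa -out $Private 2048
    & openssl rsa -in $Private -pubout -out $Public
}

# 2. The p= tag is the base64 body of the PEM public key (DER SubjectPublicKeyInfo).
$b64      = (Get-Content $Public | Where-Object { $_ -notmatch '^-----' }) -join ''
$Expected = "v=DKIM1; k=rsa; p=$b64"
Write-Host "Publish as TXT at $Selector._domainkey.$Domain :`n$Expected"

# 3. Compare with what DNS actually serves; a mismatch yields dkim=fail, not pass.
$records = Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' }
$served  = ($records | ForEach-Object { $_.Strings -join '' }) -join '' -replace '\s', ''
if ($served -eq ($Expected -replace '\s', '')) {
    Write-Host 'DNS record matches the key on disk'
} else {
    Write-Warning 'DNS record is missing or does not match the key on disk'
}

# 4. The signer must run last; any agent after it could alter signed headers or body.
$agents = @(Get-TransportAgent | Sort-Object Priority)
$last   = $agents[-1]
if ($last.Identity -ne 'Exchange DkimSigner') {
    Set-TransportAgent -Identity 'Exchange DkimSigner' -Priority $last.Priority
    Write-Host "Moved Exchange DkimSigner to priority $($last.Priority)"
} else {
    Write-Host 'Exchange DkimSigner is already the last transport agent'
}
```

A 2048-bit p= value exceeds 255 characters, so many DNS consoles require it to be entered as several quoted strings; the comparison above joins the strings back together before comparing.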

Now you can try sending a message to an address at any of the mail providers and make sure the coveted "dkim=pass" appears in the message headers. If it does not, check that the agent's config is filled in correctly, as well as the DNS records.

Disable and remove agent

An agent can be temporarily disabled or removed with these commands:
1. Stop the transport service: "Net Stop MSExchangeTransport",
2. Disable the agent: Disable-TransportAgent -Identity "Exchange DkimSigner",
3. If necessary, remove its registration: Uninstall-TransportAgent -Identity "Exchange DkimSigner",
4. Start the transport service again: "Net Start MSExchangeTransport",
5. Delete the files.
You can also use the ".\Uninstall.ps1" script shipped with the installation for removal; its use is similar to installation.

Conclusion

This is a free and easy way to add DKIM signatures to MS Exchange; more information and a full description (in English) can be found in the installation documentation. I hope the article will be useful to those who have to deal with this issue.

Source: https://habr.com/ru/post/229401/
