#941804 exim4: remote_smtp_smarthost transport does not set DKIM variables

#941804#5
Date: 2019-10-05 19:39:37 UTC
The remote_smtp transport in
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp contains lines
like:

 .ifdef DKIM_PRIVATE_KEY
 dkim_private_key = DKIM_PRIVATE_KEY
 .endif

to set the DKIM variables based on macro values. These lines are not
present in the remote_smtp_smarthost transport in
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost, which
stops DKIM from working when using a smart host.

I've copied and pasted the DKIM lines from remote_smtp to
remote_smtp_smarthost as recommended at
https://warlord0blog.wordpress.com/2016/10/13/exim4-dkim-smarthost/ which
seemed to make DKIM work for me when using a smart host.

Please can you include these lines in the shipped configuration?

Mike.
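
As an added illustration of the check and the workaround described in this report (this is not Debian's or Exim's own code), the POSIX shell script below tells you whether a conf.d transport file already carries the DKIM signing options and, if not, appends the same macro-guarded block that remote_smtp uses. The six option/macro names are an assumption modelled on the DKIM_PRIVATE_KEY line quoted above; compare them against your own 30_exim4-config_remote_smtp before relying on them. The sample transport file is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not Debian's or Exim's own code): report whether an
# exim4 conf.d transport file sets the DKIM signing options, and append
# the standard macro-guarded block when it does not.

# Assumption: these option names mirror the DKIM_PRIVATE_KEY pattern
# quoted in the bug report; verify against your shipped remote_smtp file.
DKIM_OPTIONS="dkim_domain dkim_selector dkim_private_key dkim_canon dkim_strict dkim_sign_headers"

# Print the dkim_* option names a transport file assigns, one per line
# (leading whitespace tolerated, commented-out lines ignored).
dkim_options_in_transport() {
    grep -E '^[[:space:]]*dkim_[a-z_]+[[:space:]]*=' "$1" \
        | sed -E 's/^[[:space:]]*(dkim_[a-z_]+).*/\1/'
}

# True (exit 0) only if the transport can actually sign: a private key
# is set. Selector/domain alone do not produce a DKIM-Signature header.
has_dkim_signing() {
    dkim_options_in_transport "$1" | grep -q '^dkim_private_key$'
}

# Append the macro-guarded DKIM block to a transport file, once.
# This is safe with Debian's split config because each conf.d transport
# file holds exactly one transport, so lines appended at the end of the
# file still belong to that transport when the files are concatenated.
add_dkim_options() {
    file="$1"
    if has_dkim_signing "$file"; then
        return 0
    fi
    for opt in $DKIM_OPTIONS; do
        macro=$(printf '%s' "$opt" | tr 'a-z' 'A-Z')
        printf '.ifdef %s\n  %s = %s\n.endif\n' "$macro" "$opt" "$macro" >> "$file"
    done
}

# Constructed sample of the shipped smarthost transport, reduced to the
# lines that matter here (the real file also sets hosts_try_auth etc.).
tmp=$(mktemp -d)
sample="$tmp/30_exim4-config_remote_smtp_smarthost"
cat > "$sample" <<'EOF'
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
EOF

if has_dkim_signing "$sample"; then
    echo "smarthost transport already signs with DKIM"
else
    echo "smarthost transport lacks dkim_private_key: mail sent via the smarthost is unsigned"
    add_dkim_options "$sample"
    echo "appended DKIM options; transport now sets:"
    dkim_options_in_transport "$sample"
fi
rm -rf "$tmp"
```

After applying this to the real file, run update-exim4.conf and then `exim4 -bP transport remote_smtp_smarthost | grep dkim` to confirm that the generated configuration carries the options; they only take effect once the DKIM_* macros themselves are defined in the main configuration (commonly /etc/exim4/conf.d/main/000_localmacros). Sending a message to a mailbox you control and checking for a DKIM-Signature header in it, as Larry does later in this thread, is the end-to-end check.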

#941804#10
Date: 2021-11-21 20:32:06 UTC
Yes please. I'd be happy to contribute a patch if the maintainers
believe this is acceptable?

To expand on the original report: DKIM signatures are meant to
authenticate various headers on a message regardless of what host(s)
were involved in relaying it. So if one has gone to the trouble of
setting up DKIM signing, and then has to switch from direct delivery to
smarthost, it's surprising/unhelpful that the DKIM signatures are no
longer added.

Thanks,

David

#941804#15
Date: 2023-10-16 16:24:02 UTC
Control:
found 941804 4.94.2-7+deb11u1
found 941804 4.96-15+deb12u2
found 941804 4.97~RC1-2
severity 941804 normal
thanks

This exim4 bug has taken on increased importance now that gmail requires DKIM
on all (?) incoming messages.
I checked and can confirm its presence in the three versions above,
as currently used in bullseye, bookworm, and trixie.

 - Larry

#941804#20
Date: 2023-10-16 17:13:28 UTC
I do not follow:

The smarthost transport is typically used by a machine without
permanent internet connection to deliver *to* a smarthost. This
smarthost then does the real delivery using MX lookups et al.

google cares about the DKIM signature of the latter (the real mailserver).

OTOH if you want to use google as smarthost you need to use SMTP AUTH
instead of adding a DKIM signature on your personal PC/laptop.

cu andreas

#941804#25
Date: 2023-10-16 17:53:17 UTC
Andreas -

Basically right.  I'd say "permanent and unimpeded Internet connection".
See below.

Someone has to add the DKIM signature, tied to the sender address.
Google doesn't care where in the relaying chain it got added.

My use case is being stuck behind an ISP's firewall,
so the smarthost is supplied by the ISP.  When the ISP
delivers the mail to gmail, google needs some indication
that the mail I sent is really from me.  That's where DKIM comes in.
I _am_ me, so I can make my exim MTA "sign" the message with DKIM
on its way to the smarthost.

I don't doubt that other people have different setups.
Some will need this configuration fixed, some will not.
But before google started enforcing SPF/DKIM/DMARC earlier this year,
my smarthost routing approach could succeed without complications.
Now it needs DKIM.  Fortunately I could make that work -- after applying
a local patch to fix this bug.

  - Larry

#941804#30
Date: 2023-11-02 15:51:55 UTC
Just to be clear: You have got a domain but lack both control of a
machine that is not blocked from accessing outgoing port 25 (and could
deliver) and the domain package does also lack a smarthost for that
domain that would apply a dkim signature?

cu Andreas

#941804#35
Date: 2023-11-02 20:58:13 UTC
Andreas -

Right.  Standard for a "modern" consumer-grade ISP in the U.S.

Yes.  The boa.org domain infrastructure and maintenance is
self-serve and all-volunteer.  (Thanks, Russ!)

How would a domain-package smarthost help, if I couldn't get to
its port 25 because of the ISP firewall?

Of course I don't know the individual situations of others who have
posted this question and its answer to various on-line forums.
But it's common enough that it was easy to find the answer and
patch my Debian exim4 setup to get the desired results.

You can see the DKIM my exim4 added, before passing to an ISP smarthost,
if you look at the headers of this email.

  - Larry

#941804#40
Date: 2023-11-03 07:46:39 UTC
Hello,

Strange, that seems to be pretty limited in its usefulness since it
makes using the domain impossible[1] without having a very custom setup
using a local MTA instead of just a MUA. (e.g. unable to use the domain
from a mobile device.)

You would use a submission port, i.e.  465 or 587.

cu Andreas


[1] I think delivery to gmail is a must, because of its market share.