The remote_smtp transport in /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp contains lines like:

    .ifdef DKIM_PRIVATE_KEY
    dkim_private_key = DKIM_PRIVATE_KEY
    .endif

to set the DKIM variables based on macro values. These lines are not present in the remote_smtp_smarthost transport in /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost, which stops DKIM from working when using a smart host. I've copied and pasted the DKIM lines from remote_smtp to remote_smtp_smarthost as recommended at https://warlord0blog.wordpress.com/2016/10/13/exim4-dkim-smarthost/ which seemed to make DKIM work for me when using a smart host. Please can you include these lines in the shipped configuration? Mike.
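The change the report describes, written out as an added example (not the shipped Debian file and not the reporter's own patch): the DKIM block from remote_smtp placed in the smarthost transport, driven by the same macros. The macro file path, the domain, selector and key path are constructed values; the macro names other than DKIM_PRIVATE_KEY are assumed to follow the remote_smtp convention.

```exim
# /etc/exim4/conf.d/main/00_local_macros (assumed local macro file; values constructed)
# Defining the macros once means both transports sign the same way.
DKIM_DOMAIN = example.org
DKIM_SELECTOR = mail2019
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.org.private
DKIM_CANON = relaxed

# /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  multi_domain
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
  # DKIM block copied from remote_smtp. Each option is only set when its
  # macro is defined, so hosts without DKIM macros keep the old behaviour.
.ifdef DKIM_DOMAIN
  dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
  dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
  # The key file must be readable by the Debian-exim user and by nobody else.
  dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
  dkim_canon = DKIM_CANON
.endif
  # remaining options of the shipped transport (authentication, TLS) unchanged
```

After running update-exim4.conf, `exim4 -bP transport remote_smtp_smarthost` should list the dkim_* options, and a message routed via the smarthost should carry a DKIM-Signature header when it leaves the local MTA.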
Yes please. I'd be happy to contribute a patch if the maintainers believe this is acceptable? To expand on the original report: DKIM signatures are meant to authenticate various headers on a message regardless of what host(s) were involved in relaying it. So if one has gone to the trouble of setting up DKIM signing, and then has to switch from direct delivery to smarthost, it's surprising/unhelpful that the DKIM signatures are no longer added. Thanks, David
Control: found 941804 4.94.2-7+deb11u1
found 941804 4.96-15+deb12u2
found 941804 4.97~RC1-2
severity 941804 normal
thanks

This exim4 bug has taken on increased importance now that gmail requires DKIM on all (?) incoming messages. I checked and can confirm its presence in the three versions above, as currently used in bullseye, bookworm, and trixie. - Larry
I do not follow: The smarthost transport is typically used by a machine without permanent internet connection to deliver *to* a smarthost. This smarthost then does the real delivery using MX lookups et al. google cares about the DKIM signature of the latter (the real mailserver). OTOH if you want to use google as smarthost you need to use SMTP AUTH instead of adding a DKIM signature on your personal PC/laptop. cu andreas
Andreas - Basically right. I'd say "permanent and unimpeded Internet connection". See below. Someone has to add the DKIM signature, tied to the sender address. Google doesn't care where in the relaying chain it got added. My use case is being stuck behind an ISP's firewall, so the smarthost is supplied by the ISP. When the ISP delivers the mail to gmail, google needs some indication that the mail I sent is really from me. That's where DKIM comes in. I _am_ me, so I can make my exim MTA "sign" the message with DKIM on its way to the smarthost. I don't doubt that other people have different setups. Some will need this configuration fixed, some will not. But before google started enforcing SPF/DKIM/DMARC earlier this year, my smarthost routing approach could succeed without complications. Now it needs DKIM. Fortunately I could make that work -- after applying a local patch to fix this bug. - Larry
Just to be clear: You have got a domain but lack both control of a machine that is not blocked from accessing outgoing port 25 (and could deliver) and the domain package does also lack a smarthost for that domain that would apply a dkim signature? cu Andreas
Andreas - Right. Standard for a "modern" consumer-grade ISP in the U.S. Yes. The boa.org domain infrastructure and maintenance is self-serve and all-volunteer. (Thanks, Russ!) How would a domain-package smarthost help, if I couldn't get to its port 25 because of the ISP firewall? Of course I don't know the individual situations of others who have posted this question and its answer to various on-line forums. But it's common enough that it was easy to find the answer and patch my Debian exim4 setup to get the desired results. You can see the DKIM my exim4 added, before passing to an ISP smarthost, if you look at the headers of this email. - Larry
Hello, Strange, that seems to be pretty limited in its usefulness since it makes using the domain impossible[1] without having a very custom setup using a local MTA instead of just a MUA. (e.g. unable to use the domain from a mobile device.) You would use a submission port, i.e. 465 or 587. cu Andreas [1] I think delivery to gmail is a must, because of its market share.