I spent the whole morning (finally) getting my exim4 based email relay
to spit out enough DKIM crap that gmail wont bounce its messages.

I found most tutorials were either too technical, or assumed too much
and didn't explain.

If anyone else is struggling, ask.

--
There’s a mighty big difference between good, sound reasons and reasons
that sound good.

Burton Hillis (William Vaughn, American columnist)

The Natural Philosopher wrote:

> I spent the whole morning (finally) getting my exim4 based email relay
> to spit out  enough DKIM crap that gmail wont bounce its messages.

I thought gmail insisted on DKIM *or* SPF? The latter is much easier to
arrange ...

On 30/05/2023 13:13, Andy Burns wrote:
> The Natural Philosopher wrote:
>
>> I spent the whole morning (finally) getting my exim4 based email relay
>> to spit out  enough DKIM crap that gmail wont bounce its messages.
>
> I thought gmail insisted on DKIM *or* SPF?  The latter is much easier to
> arrange ...
>
I wish you had told me that....

I will probably implement BOTH

--
A lie can travel halfway around the world while the truth is putting on
its shoes.

Andy Burns <usenet@andyburns.uk> wrote:
> The Natural Philosopher wrote:
>
>> I spent the whole morning (finally) getting my exim4 based email relay
>> to spit out  enough DKIM crap that gmail wont bounce its messages.
>
> I thought gmail insisted on DKIM *or* SPF? The latter is much easier to
> arrange ...

gmail is likely insisting on DMARC, which itself is what indicates what
to do when DKIM or SPF fail. One needs to configure all three for
succeessful email delivery.

A 'cloudfare' doc page found from a quick google search:

https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

Second and third paragraph:

DKIM and SPF can be compared to a business license or a doctor's
medical degree displayed on the wall of an office — they help
demonstrate legitimacy.

Meanwhile, DMARC tells mail servers what to do when DKIM or SPF fail,
whether that is marking the failing emails as "spam," delivering the
emails anyway, or dropping the emails altogether.

On 30/05/2023 14:09, Rich wrote:
> Andy Burns <usenet@andyburns.uk> wrote:
>> The Natural Philosopher wrote:
>>
>>> I spent the whole morning (finally) getting my exim4 based email relay
>>> to spit out  enough DKIM crap that gmail wont bounce its messages.
>>
>> I thought gmail insisted on DKIM *or* SPF? The latter is much easier to
>> arrange ...
>
> gmail is likely insisting on DMARC, which itself is what indicates what
> to do when DKIM or SPF fail. One needs to configure all three for
> succeessful email delivery.
>
> A 'cloudfare' doc page found from a quick google search:
>
> https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
>
> Second and third paragraph:
>
> DKIM and SPF can be compared to a business license or a doctor's
> medical degree displayed on the wall of an office — they help
> demonstrate legitimacy.
>
> Meanwhile, DMARC tells mail servers what to do when DKIM or SPF fail,
> whether that is marking the failing emails as "spam," delivering the
> emails anyway, or dropping the emails altogether.
>
DKIM alone has been enough to stop this...(private date obscured)

SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [108.177.15.27]:
550-5.7.26 This mail is unauthenticated, which poses a security
risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender
must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this
message,
550-5.7.26 DKIM checks did not pass and SPF check for [mymail.com]
did not
550-5.7.26 pass with ip: [188.188.188.188]. The sender should visit
550-5.7.26
https://support.google.com/mail/answer/81126#authentication for
550 5.7.26 instructions on setting up authentication.
v17-20020a05600c12d100b003f608fe6d5dsi4886592wmd.117 - gsmtp

SPF looks like a doddle to set up, so I might as well implement it

--
“The ultimate result of shielding men from the effects of folly is to
fill the world with fools.”

Herbert Spencer

The Natural Philosopher <tnp@invalid.invalid> wrote:
> SPF looks like a doddle to set up, so I might as well implement it

SPF and DMARC are both just TXT records (well, SPF had an SPF record at
one point, so doubling up on the SPF records covers both old and new
SPF code) in the DNS entry for the domain of the email. The syntax of
the entry is arcane, and takes some reading of the relevant docs to get
right, but neither involve any changes to the email server.

DKIM requires some configuration changes within the email server due to
it needed to add the auth. headers to outgoing emails. And it also
needs a DNS TXT record for publishing the public key of the email
server.

Getting all three up is not hard (all require that one's DNS host
allows for adding TXT records), but can take some time and effort to
get right. Testing with one of the many DMARC test tools is a good
idea, they often indicate clearly when one has missed some arcane flag
from the docs. Finding a "test tool" is simply a matter of searching
for DMARC or DKIM | SPF validator.

The good thing is that once one gets them setup right, one does not
have to go back and perform any tuning on any sort of regular basis.
Once setup properly they don't need much maintenance at all.

On 30/05/2023 14:57, Rich wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> SPF looks like a doddle to set up, so I might as well implement it
>
> SPF and DMARC are both just TXT records (well, SPF had an SPF record at
> one point, so doubling up on the SPF records covers both old and new
> SPF code) in the DNS entry for the domain of the email. The syntax of
> the entry is arcane, and takes some reading of the relevant docs to get
> right, but neither involve any changes to the email server.
>
> DKIM requires some configuration changes within the email server due to
> it needed to add the auth. headers to outgoing emails. And it also
> needs a DNS TXT record for publishing the public key of the email
> server.
>
> Getting all three up is not hard (all require that one's DNS host
> allows for adding TXT records), but can take some time and effort to
> get right. Testing with one of the many DMARC test tools is a good
> idea, they often indicate clearly when one has missed some arcane flag
> from the docs. Finding a "test tool" is simply a matter of searching
> for DMARC or DKIM | SPF validator.
>
> The good thing is that once one gets them setup right, one does not
> have to go back and perform any tuning on any sort of regular basis.
> Once setup properly they don't need much maintenance at all.
Amen to all that.

I managed to get DKIM DNS shit working fairly quickly, once I understood
the lexical rules for banging a public key in a text field.
Getting EXIM4 to use the private key was more problematic, due to the
way the configuration file is organised.
I eventually found that where I declared the macros made the difference
between success and failure.

--
Climate Change: Socialism wearing a lab coat.

Rich <rich@example.invalid> wrote:
> Andy Burns <usenet@andyburns.uk> wrote:
>> The Natural Philosopher wrote:
>>
>>> I spent the whole morning (finally) getting my exim4 based email relay
>>> to spit out enough DKIM crap that gmail wont bounce its messages.
>>
>> I thought gmail insisted on DKIM *or* SPF? The latter is much easier to
>> arrange ...
>
> gmail is likely insisting on DMARC, which itself is what indicates what
> to do when DKIM or SPF fail. One needs to configure all three for
> succeessful email delivery.

Yes I just had SPF set up and started having trouble with a few
email providers. After setting up DKIM and DMARC, those problems
have gone away. SPF and DMARC are easy, DKIM is indeed the
confusing part, although I haven't done it in EXIM. Actually I
think it was only confusing for me because I decided to "improve"
upon the method in the tutorial that I was following.

--
__ __
#_ < |\| |< _#

Computer Nerd Kev wrote:

> Yes I just had SPF set up and started having trouble with a few
> email providers. After setting up DKIM and DMARC, those problems
> have gone away.

I haven't encountered non-delivery due to lack of DKIM or DMARC yet, no
doubt that day will come.

Talking friends through adding SPF for their domain is is usually
straightforward, provided you know what to put into a CNAME so that it
"copies" their ISP's settings, and doesn't need changing every time they
alter email servers, obviously if you run your own you know its IP addr.

Some providers (e.g. microsoft, google) automatically sign emails that
they deliver, so you only need to know hoe to create the DKIM record,
but the sub-zone complicates that for some DNS zone GUI's

With SPF and/or DKIM, you're mostly leaving the action for failed
messages up to the recipient, by adding DMARC you're expressing your own
confidence that your SPF and DKIM are correct, and suggesting
action/inaction for failures ... worth starting out gently.

On 2023-05-31, Andy Burns wrote:

> Some providers (e.g. microsoft, google) automatically sign emails that
> they deliver, so you only need to know hoe to create the DKIM record,
> but the sub-zone complicates that for some DNS zone GUI's

I wouldn't trust Microsoft to do stuff like this right. I've gotten
error messages from mailing list posts because Microsoft was sending the
wrong From: when forwarding messages (from my notes, I think they use
the *original* From: in MAIL FROM, during the smtp interaction), and one
list subscriber had such a forwarding setup at a Microsoft mail
service... (or is this really what should be in MAIL FROM? this wasn't
me sending the message, it was the *list* distributing the message)

(And this is the same Microsoft that's overly aggressive with their
"Quarantine" approach to e-mails their system considers not worthy of
delivery, which pretty much amounts to a black hole if the recipient
user is not aware of the "Quarantine"...)

--
Nuno Silva

On 31/05/2023 06:59, Andy Burns wrote:
> Computer Nerd Kev wrote:
>
>> Yes I just had SPF set up and started having trouble with a few
>> email providers. After setting up DKIM and DMARC, those problems
>> have gone away.
>
> I haven't encountered non-delivery due to lack of DKIM or DMARC yet, no
> doubt that day will come.
>
> Talking friends through adding SPF for their domain is is usually
> straightforward, provided you know what to put into a CNAME so that it
> "copies" their ISP's settings, and doesn't need changing every time they
> alter email servers, obviously if you run your own you know its IP addr.
>
> Some providers (e.g. microsoft, google) automatically sign emails that
> they deliver, so you only need to know hoe to create the DKIM record,
> but the sub-zone complicates that for some DNS zone GUI's
>
> With SPF and/or DKIM, you're mostly leaving the action for failed
> messages up to the recipient, by adding DMARC you're expressing your own
> confidence that your SPF and DKIM are correct, and suggesting
> action/inaction for failures ... worth starting out gently.

Ah. is DMARC also a DNS field?

--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in
someone else's pocket.

The Natural Philosopher wrote:

> Ah. is DMARC also a DNS field?

Yes, start with p=none, so you have got a DMARC record, but you're not
forcing anyone's hand with it, then ramp it up to p=quarantine or
p=reject later

<https://support.google.com/a/answer/2466563?hl=en#dmarc-record-tags>

On 31/05/2023 11:11, Andy Burns wrote:
> The Natural Philosopher wrote:
>
>> Ah. is DMARC also a DNS field?
>
> Yes, start with p=none, so you have got a DMARC record, but you're not
> forcing anyone's hand with it, then ramp it up to p=quarantine or
> p=reject later
>
> <https://support.google.com/a/answer/2466563?hl=en#dmarc-record-tags>
>
>
>
I am not sure I can be bothered, the number of people spoofing my
domains is falling because presumably SPF and DKIM are in that instance
working.

I very rarely get instances of bounce messages to me from emails i didnt
send...
...I would be far more interested in setting up my *incoming* exim mail
server to reject non SPF or DKIM authenticated email.

But I suspect that would be another day I wont ever get back, Or longer

--
All political activity makes complete sense once the proposition that
all government is basically a self-legalising protection racket, is
fully understood.

The Natural Philosopher <tnp@invalid.invalid> wrote:
> Getting EXIM4 to use the private key was more problematic, due to the
> way the configuration file is organised.
> I eventually found that where I declared the macros made the difference
> between success and failure.

Wanna compare the confs?

/etc/exim4/exim4.conf.localmacros
# # DKIM signing
SENDER_DOMAIN = $sender_address_domain
DKIM_PATH = /etc/exim4/dkim
DKIM_DOMAIN = ${if exists{DKIM_PATH/SENDER_DOMAIN.private}{SENDER_DOMAIN}{$primary_hostname}}
DKIM_SELECTOR = dkim_rsa
DKIM_FILE = DKIM_DOMAIN.private
DKIM_PRIVATE_KEY = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
#

Note: If Exim has been configured to use smarthost for sending mail,
then addition configuration is needed for enabling signing:

Add the Local section to the end of:

#####################################################
### transport/30_exim4-config_remote_smtp_smarthost
#####################################################

remote_smtp_smarthost:

<existing conf lines here>

### Local: ------->
..ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
..endif
..ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
..endif
..ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
..endif
..ifdef DKIM_CANON
dkim_canon = DKIM_CANON
..endif
..ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
..endif
..ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
..endif
### -------<
#####################################################
### end transport/30_exim4-config_remote_smtp_smarthost
#####################################################

--

Harri

On 30/05/2023 17:37, Harri wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> Getting EXIM4 to use the private key was more problematic, due to the
>> way the configuration file is organised.
>> I eventually found that where I declared the macros made the difference
>> between success and failure.
>
> Wanna compare the confs?
>
> /etc/exim4/exim4.conf.localmacros
> #
> # DKIM signing
> SENDER_DOMAIN = $sender_address_domain
> DKIM_PATH = /etc/exim4/dkim
> DKIM_DOMAIN = ${if exists{DKIM_PATH/SENDER_DOMAIN.private}{SENDER_DOMAIN}{$primary_hostname}}
> DKIM_SELECTOR = dkim_rsa
> DKIM_FILE = DKIM_DOMAIN.private
> DKIM_PRIVATE_KEY = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
> #
>
I use one config file. My mistake was not declaring that lot after the
other macros, but in the SMTP transport section.

My current need is for a crib sheet to enable it all on incoming, as I
get shitloads of spam, and it might reduce it all a bit, but it all
looks a bit poorly documented

PS my Exim IS the smart host :-)

--
Climate is what you expect but weather is what you get.
Mark Twain

Hi there

On 01/06/2023 09:44, The Natural Philosopher wrote:

> On 30/05/2023 17:37, Harri wrote:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> Getting EXIM4 to use the private key was more problematic, due to the
>>> way the configuration file is organised.
>>> I eventually found that where I declared the macros made the difference
>>> between success and failure.
>>
>> Wanna compare the confs?
>>
>> /etc/exim4/exim4.conf.localmacros
>> #
>> # DKIM signing
>> SENDER_DOMAIN = $sender_address_domain
>> DKIM_PATH = /etc/exim4/dkim
>> DKIM_DOMAIN = ${if
>> exists{DKIM_PATH/SENDER_DOMAIN.private}{SENDER_DOMAIN}{$primary_hostname}}
>> DKIM_SELECTOR = dkim_rsa
>> DKIM_FILE = DKIM_DOMAIN.private
>> DKIM_PRIVATE_KEY = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
>> #
>>
> I use one config file. My mistake was not declaring that lot  after the
> other macros, but in the SMTP transport section.
>
> My current need is for a crib sheet to enable it all on incoming, as I
> get shitloads of spam, and it might reduce it all a bit, but it all
> looks a bit poorly documented

I used;
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim
Requires JavaScript and cookies

> PS my Exim IS the smart host :-)

For Hotmail and Outlookup I use a smarthost in New Zealand, which is
some 180° from where I live;
http://www.sput.nl/software/exim-smarthost.html

Regards,
Rob

On 01/06/2023 11:10, Rob van der Putten wrote:
> Hi there
>
>
> On 01/06/2023 09:44, The Natural Philosopher wrote:
>
>> On 30/05/2023 17:37, Harri wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>> Getting EXIM4 to use the private key was more problematic, due to the
>>>> way the configuration file is organised.
>>>> I eventually found that where I declared the macros made the difference
>>>> between success and failure.
>>>
>>> Wanna compare the confs?
>>>
>>> /etc/exim4/exim4.conf.localmacros
>>> #
>>> # DKIM signing
>>> SENDER_DOMAIN = $sender_address_domain
>>> DKIM_PATH = /etc/exim4/dkim
>>> DKIM_DOMAIN = ${if
>>> exists{DKIM_PATH/SENDER_DOMAIN.private}{SENDER_DOMAIN}{$primary_hostname}}
>>> DKIM_SELECTOR = dkim_rsa
>>> DKIM_FILE = DKIM_DOMAIN.private
>>> DKIM_PRIVATE_KEY = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
>>> #
>>>
>> I use one config file. My mistake was not declaring that lot  after
>> the other macros, but in the SMTP transport section.
>>
>> My current need is for a crib sheet to enable it all on incoming, as I
>> get shitloads of spam, and it might reduce it all a bit, but it all
>> looks a bit poorly documented
>
> I used;
> https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim
> Requires JavaScript and cookies
>
>> PS my Exim IS the smart host :-)
>
> For Hotmail and Outlookup I use a smarthost in New Zealand, which is
> some 180° from where I live;
> http://www.sput.nl/software/exim-smarthost.html
>
>
> Regards,
> Rob
>
Thanks, That looks more than a 5 minute job, which is all I have time
for today, but it seems to be at my level of knowledge.

I needed to run a virtual private linux server for other reasons so I
threw exim on it as a smart host.

--
“It is hard to imagine a more stupid decision or more dangerous way of
making decisions than by putting those decisions in the hands of people
who pay no price for being wrong.”

Thomas Sowell

The Natural Philosopher <tnp@invalid.invalid> wrote:
>
> My current need is for a crib sheet to enable it all on incoming, as I
> get shitloads of spam, and it might reduce it all a bit

I don't get much spam, but when I started checking headers I
discovered that the vast majority was DKIM signed (including the
one received today), so in my case using it for incoming mail
wouldn't make any difference.

--
__ __
#_ < |\| |< _#

In comp.os.linux.misc, Computer Nerd Kev <not@telling.you.invalid> wrote:
> I don't get much spam, but when I started checking headers I
> discovered that the vast majority was DKIM signed (including the one
> received today), so in my case using it for incoming mail wouldn't
> make any difference.

I used to get vast amounts of spam with valid dkim signatures. It's
really easy for spammers to configure that. One common trait I found was
almost all of that spam was trying to send me to an http (no "s") site
to buy something.

Body check for http:// to a site with a new TLD: very effective filter.

(New top level domains are easy to match as three or more letters and
not .com, .net, .org. The others like .int, .mil, etc, don't send spam.)

Sample of actual examples from spam:

http://www.glucofreezediabetescare.life/
http://tenufaeg.digital/
http://neovakos.digital/
http://www.americansairlinesurveys.life/
http://adisiawa.today/
http://www.hydrossentialplus.live/
http://cherster.digital/
http://tenixdr.today/
http://pademen.digital/
http://www.russiasgirlsonlines.live/
http://snufflam.digital/
http://www.liveschatjobs.live/
http://miraclelashpro.live/
http://www.turntextinspeechelo.live/
http://dishfordiet.quest/
http://www.hydrossentialnew.live/

In the messages it's linked like this (line wrapped for posting):

<a
href="http://dishfordiet.quest/QqwRivvvvvv_tMSl0iK1qqqqqqqRH_1Qd3ipjjjjj60Z2Q"
><img alt="" border="0" height="72"
src="http://dishfordiet.quest/03c0e1427a88888888.png"
width="274" /></a></span></td>

If you go to the site, you get a page that looks like an unconfigured
website, but it has configuration to serve an image up for this:

http://dishfordiet.quest/03c0e142777777778f.png

And the link is going somewhere, too, but because I've overwritten some
errors, it just gives an "Invalid link." message.

Elijah
------
dishfordiet.quest set-up DKIM though

Computer Nerd Kev wrote:

> I don't get much spam, but when I started checking headers I
> discovered that the vast majority was DKIM signed (including the
> one received today), so in my case using it for incoming mail
> wouldn't make any difference.

spf and dkim don't stop spam as such, spammers can sign their messages
and tell you where they're sending from, then it'll get through, unless
you use a DBL they happen to be on.

what spf and dkim do allow you to detect is compromised machines pumping
out spam.

On 01/06/2023 22:52, Computer Nerd Kev wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>
>> My current need is for a crib sheet to enable it all on incoming, as I
>> get shitloads of spam, and it might reduce it all a bit
>
> I don't get much spam, but when I started checking headers I
> discovered that the vast majority was DKIM signed (including the
> one received today), so in my case using it for incoming mail
> wouldn't make any difference.
>
Ah, that is indeed interesting.

I will shove that into the cost benefit calculations and see if I can be
arsed :-)

--
If I had all the money I've spent on drink...
...I'd spend it on drink.

Sir Henry (at Rawlinson's End)

On 02/06/2023 09:49, Andy Burns wrote:
> Computer Nerd Kev wrote:
>
>> I don't get much spam, but when I started checking headers I
>> discovered that the vast majority was DKIM signed (including the
>> one received today), so in my case using it for incoming mail
>> wouldn't make any difference.
>
> spf and dkim don't stop spam as such, spammers can sign their messages
> and tell you where they're sending from, then it'll get through, unless
> you use a DBL they happen to be on.
>
> what spf and dkim do allow you to detect is compromised machines pumping
> out spam.
>
>
I can pump out spam easily if I want. If I use (other peoples) domains
that are not dkim or spf enabled

But as you say a huge amount of stuff is coming from 'legalised' spam
engines using domains set up to pump it all out

I see that a huge load is now arriving from '*.autos' TLD. And *.beauty
I ought to add them to my blacklists.

Except I added all of india to it once (*.in) and rejected some valid
mail accidentally.

On inspection, yes, they have valid dkim and SPF signatures :-(

ISTR from skimming the EXIM conf data someone posted that there is a
file that lists 'valid' TLDs

--
If I had all the money I've spent on drink...
...I'd spend it on drink.

Sir Henry (at Rawlinson's End)