IRC Archive / Freenode / #exim / 2015 / September / 21 / 1
Agrajag-
g'day, i'm trying to set up dkim signing on outgoing messages and have followed https://www.debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 (i'm using debian), however it just doesn't appear to be signing outgoing messages. nothing in mail.log is helping debug this, how can i find out what's going wrong?
R1ck
hiya. Is it possible to force TLS (or S/MIME) encryption between my Exim server and a certain destination domain?
phx
R1ck, exim.org -> docs -> look for TLS -> read on
R1ck
phx: thanks, it looks like it's possible..
henk
Agrajag-: i guess mail.log is the wrong place to look, try /var/log/exim4/
Agrajag-
henk: yeah sorry that's what i meant (/var/log/exim4/mainlog). i've also tried starting exim with -d+all and checked everything out, i just don't see any dkim messages at all
i've confirmed the outgoing mail is using remote_smtp
but i don't see any messages regarding dkim at all. i do see it verifying incoming mail though
--version does tell me "Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM"
i have made sure dkim_file is readable by the process, the dkim_domain is just set to the domain mail is being sent from (no variable lookups or anything)
rjek
(Action) wonders how Agrajag- has died today.
henk
Agrajag-: You probably did something wrong while configuring it … Does the configuration for dkim show up in /var/lib/exim4/config.autogenerated?
Agrajag-
ahh.. found the problem. not sure if the instructions are wrong or for a different version or something
but i had DKIM_FILE defined but not DKIM_PRIVATE_KEY
instructions at https://www.debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 for the single domain are wrong then.
i saw references to DKIM_PRIVATE_KEY in /var/lib/exim4/config.autogenerated so figured that should be set too
all good now. thanks
henk
yeah, what most people don't get: tutorials/howtos are rarely meant to be followed blindly and without thinking … they only serve as guidelines for the reader to understand concepts and interrelations. The reader still has to double check everything and adapt it to personal needs and such …
Luqq
hello
henk
helo
Luqq
i have set up an asmtp using exim using LDAP as a backend via libnss. Each user is an inetLocalMailRecipient, and can belong to multiple groups that are also inetLocalMailRecipients. Is there a way to verify that if a user is logged in to send an email, that it tries to send from his/her own email address or one of the groups that it can belong to?
i've found things about sender_verify but this seems more related to when other mailservers deliver mail to my server
henk
what's an asmtp?
Luqq
authenticated smtp
henk
ah
Luqq
so everyone using my mailserver to deliver mail to external servers has to be authenticated
henk
yes, sure, you just have to look up the sender address the user is trying to use in some list of sender addresses this sender is allowed to send from.
Luqq
okay. using an acl ?
does that work on headers or envelope?
henk
yes, acl. works on the envelope, not sure how to properly deal with headers off the top of my hat
Luqq
I see. Is there any keyword i should be googling for? Or should I write my own ACL?
And, does this plus DKIM/SPF guarantee that mail that comes from a user from my domain actually comes from the sender? (assuming the receiving mailserver checks dkim)
henk
I'd just write my own, but there is probably something out there … not sure what to STFW for though …
I don't understand the DKIM/SPF question, sorry.
Luqq
i'm having some trouble finding related articles on this.
henk
articles? o_O about what exactly?
Luqq
or just any manuals, blogs or anything
about verifying the local_part when sending email
henk
probably because there is no standard way to do that …
Luqq
okay, that's unfortunate
thanks anyway, henk :-)
hs12
Hi, anybody familiar with rfc2047?
exim -be '${rfc2047d:=?UTF-8?Q?=22=22Toni_Foo=c3=b6xxoooooo_-_foooooo_fooooooo_foooo_foooooooooo?=}'
exim -be '${rfc2047d:=?UTF-8?Q?=22Toni_Foo=c3=b6xxoooooo_-_foooooo_fooooooo_foooo_foooooooooo?=}'
... what's the difference? The first doesn't decode properly. The 2nd does.
The first one is too long, i think.
henk
hs12: looking at rfc2047, I'd agree, in case you want confirmation (;
hs12
Yes, that's it. An incoming message didn't pass the valid-header-syntax checks, *probably* because of that.
But 2047 doesn't talk about "MUST NOT be longer than ..."
henk
hu? it does: An 'encoded-word' may not be more than 75 characters long, including 'charset', 'encoding', 'encoded-text', and delimiters.
well, not quite "MUST NOT" but close enough, I'd say (;
hs12
:( Hm.
src/rfc2047.c has the length-check optional. I understand this for headers, but not for the ${rfc2047d:...} expansion. At least there should be some option to have it (not) strict.
check_rfc2047_length
+--------------------+---------+-------------+-------------+
|check_rfc2047_length|Use: main|Type: boolean|Default: true|
+--------------------+---------+-------------+-------------+
exim -C <(echo check_rfc2047_length=no) -be '${rfc2047d:=?UTF-8?Q?=22=22Toni_Foo=c3=b6xxoooooo_-_foooooo_fooooooo_foooo_foooooooooo?=}'
works
henk: thank you for confirmation and for pushing me to find the answer :)
henk
hs12: you are welcome
hs12
:)