-1

I'm trying to get DKIM set up on a CentOS 7 server running Exim, but Gmail is returning:

dkim=neutral (bad format) header.i=@ellie-oli.com;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ellie-oli.com; s=mail;
h=; bh=VAgC5MVP54VmvlcGQaMT2ZdmokXkhMKi/RNSpcUu2qw=;
b=agz8IPjjK9+CerCMv5EDEl3DCVuakvU6StLQUgLTrnmVPPyazb0/Moi5pAopJdGJEUaHNhf9V2dFQNrcDUDw7AxqCUKT+pXwHDPq1tGIhtyntRy4LcoIBaEAf6eieVNScPQHX/hj2AUdMEVk1DaNwnh5rZbNGCydaMbVQFwbLLEXJbaY0sDt8Zpi/BF1JArxUMUeuJZlFGgU8LBpuQ671xuNVxMoK0Bfak3YEJjCx6LWhZBQLRKs2scZ/BHuDKLziY6n7GML8dPcgCpwo/wODJYXnDHxDY7MNCnEF6b110uQKje4kkQG32gVjJHr/gpeinQOWJ/oZAicJcnIp7kH8g==;

My Exim config looks like:

remote_smtp:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim/dkim_senders}}
  dkim_selector = mail
  dkim_private_key = /etc/exim/dkim/mail.pem
  dkim_canon = relaxed
  dkim_strict = false
  dkim_sign_headers = DKIM_SIGN_HEADERS

The DNS record appears to work as far as I can tell and returns as

mail._domainkey.ellie-oli.com   text = "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzo9rv2QgABArrAwPgeR++q3Y/0HGWqoETE3N7/o3hwYBMpujcPM22Lp0PoMYStu/VyyZikM23nEnmlpeOiS8GdGL0ZbP5HatDqvZKoiu5mx5PODtea8XWoKsH1BV2ngOWt0d43SRMSCBT5vJ9tJpjYe20B3lE2XEXHbrxZ5vWajvAi3vFFJ4mQSUKisQ+KV+NEt" "pqR9bm9KTk0HbeykdSwjvsz78eHCbJQUI+C9sn5MrKmdatqHOHA1fjf6iqbc7kdA08MGr3KoiySAFrPqRLR/Pw1oRueU8ImPIzY3n2ZvZqMl2zTDhe/luxf6ecCEj0AbfwbGghRxMq4QIZDvzFwIDAQAB"

Does anyone have any idea what might be causing the problems?

2 Answers

2

The signed header fields (the h-tag) in the DKIM signature are empty. According to RFC 6376, however, it must contain at least one header name. The recommended header fields to sign are described in section 5.4 of the RFC.

Probably the DKIM_SIGN_HEADERS variable contains something invalid. dkim_sign_headers according to the Exim specification:

OPTIONAL: When set, this option must expand to (or be specified as) a colon-separated list of header names. Headers with these names will be included in the message signature. When unspecified, the header names recommended in RFC4871 will be used.

user228011
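The format check described in the answer above, written as an added example in Python (not part of the original post or of Exim): it parses a DKIM-Signature tag list and reports the RFC 6376 format problems a verifier would reject, including an empty h= tag. The function names are hypothetical, and the two sample headers are constructed, modelled on the header in the question with placeholder hash and signature values.

```python
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # required by RFC 6376 section 3.5

# Constructed samples: same shape as the header in the question, placeholder bh=/b= values.
BROKEN = "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=mail;\r\n h=; bh=BODYHASH; b=SIGNATURE;"
FIXED = BROKEN.replace("h=;", "h=From:To:Subject:Date;")

def parse_tag_list(value):
    """Split a DKIM tag list into a dict; raise ValueError on malformed or duplicate tags."""
    tags = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as the trailing ";"
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    return tags

def check_dkim_signature(value):
    """Return a list of format problems found in a DKIM-Signature header value."""
    try:
        tags = parse_tag_list(value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing required tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v", "1") != "1":
        problems.append("v= must be 1")
    if "h" in tags:
        signed = [h.strip().lower() for h in tags["h"].split(":") if h.strip()]
        if not signed:
            problems.append("h= is empty; it must list at least one header field")
        elif "from" not in signed:
            problems.append("h= does not include From, which must be signed")
    return problems

if __name__ == "__main__":
    for label, header in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_dkim_signature(header) or "ok")
```

Running the same check on a header copied from a delivered test message is a quick way to confirm the signing configuration before relying on a receiver's verdict.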
1

It turns out I shouldn't have had the below enabled, and there was also a misconfiguration in the DNS record, pointed out by eranga:

dkim_sign_headers = DKIM_SIGN_HEADERS