Configuring mail SMTP server exim and HestiaCP to use SPF and DKIM

By: Sergi Rodríguez
06-10-2020 13:53

If you are having trouble getting DKIM to work on your new VM or VPS with exim and HestiaCP (or VestaCP) and Ubuntu, I think I can help by sharing my experience after spending 4 days reading, testing and reading again. Finally it worked!

Hosting notification.vip on a Clouding.io VM

Before beginning with the steps to configure DKIM, I must note that I will use as an example my recent DKIM installation for my new domain name notification.vip, hosted in a VM at the clouding.io datacenter. This publication is not sponsored by them at all, but I can only recommend their excellent services and the incredible performance of their cloud computing infrastructure.

Enable SMTP ports on CLOUDING.IO

Check that the VM in the clouding.io panel (Network tab) has SMTP sending enabled. If not, you must request it from the Clouding.io support team.

DNS settings

On the clouding.io Dashboard panel go to the DNS tab:

https://portal.clouding.io/dsb/dns/zones

and add a new domain (zone): notification.vip. Once added, edit this zone to add DNS records like these (host | type | value):

notification.vip. | A | 185.253.154.23
www.notification.vip. | CNAME | notification.vip.
ftp.notification.vip. | CNAME | notification.vip.

mail.notification.vip. | A | 185.253.154.23
webmail.notification.vip. | A | 185.253.154.23
smtp.notification.vip. | CNAME | notification.vip.
imap.notification.vip. | CNAME | notification.vip.
pop3.notification.vip. | CNAME | notification.vip.
notification.vip. | MX | 10 mail.notification.vip.
notification.vip. | TXT | v=spf1 mx a ip4:185.253.154.23 ~all

PTR record

Also in the DNS area of the Clouding.io Dashboard panel, go to PTR records:

and add this record (IP | hostname):

185.253.154.23 | notification.vip.

Let's Encrypt

On HestiaCP panel:

https://{SERVER_IP}:8083/

Go to the WEB section and edit the domain you created (it is recommended to create domains not under the root user but under a new user, even if this will be the only domain on this machine). Once there, enable the Let's Encrypt certificate.

Install & configure DKIM

1. Go to HestiaCP > Mail > notification.vip, click on the Edit icon and:

  • enable "DKIM"
  • enable "SSL for this domain"
  • enable "Use Let's Encrypt to obtain SSL certificate"

Note: with this action HestiaCP will add new DNS records to this domain's zone. You may need to copy those records to the clouding.io DNS management area for this domain (outside the VM) if you have not delegated the DNS zone to HestiaCP. By default it is not delegated.

2. Generate an RSA key pair for DKIM, from a terminal connected to the VM (note that "sudo cd" does not work because cd is a shell builtin, and a shell redirection is not run as root, so the public key is written with -out instead):

# directory that will hold one private/public key pair per domain
sudo mkdir -p /etc/exim4/dkim
cd /etc/exim4/dkim
# 2048-bit RSA private key used by exim to sign outgoing mail
sudo openssl genrsa -out notification.vip.pem 2048
# matching public key, whose base64 body goes into the DNS TXT record
sudo openssl rsa -in notification.vip.pem -pubout -out notification.vip.pub
# let the exim user read the keys, and nobody else
sudo chown -R Debian-exim:mail /etc/exim4/dkim/
sudo chmod 640 /etc/exim4/dkim/*

Note 1: you can create a key pair like this **for each domain name hosted on your VM**.

Note 2: you will not find the last two commands (chown/chmod) in the usual DKIM guides, but I think they are needed in some cases, because otherwise the keys are readable only by the root user by default.

3. Add a new DNS record to the zone (I did it twice: hestia/clouding.io) with:

host: mail._domainkey.notification.vip.
type: TXT
value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7nnbsDAK505lRw8UO5ft+fWfLrO/sUdY1DS/jl/iyTVyBgIsyTQr9Y0R36OSf2hCDKcHLIne/a9FIDlcD5d8V3o0ysPa/5HbLPwXsoMYRaLDIK0c38zqaQgTGwQ++OeG5wgUPfnTG0x7KuRZ/nU+oLnGdeeieG3kfNa/2wDTqMwIDAQAB"

Note 1: the content of p= is the PUBLIC KEY generated in /etc/exim4/dkim/notification.vip.pub (the base64 lines between the BEGIN and END markers, joined into one line).

Note 2: don't put the double quotes around the value in the clouding.io panel, but do so when adding the record in HestiaCP.

4. Edit the exim config template file:

sudo nano /etc/exim4/exim4.conf.template

Search for "DKIM" and set something like this, paying special attention to the path where the DKIM_FILE with the secret key lives:

# sign with the domain of the From: header (lower-cased)
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
# private key generated in step 2, one file per domain
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem
# only sign when the key file for that domain exists
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_SIGN_HEADERS = Date:To:From:Subject:List-Unsubscribe:From
OUTGOING_IP = /etc/exim4/domains/${lc:${domain:$h_from:}}/ip

Note: although it is optional, it did not work for me until I added the DKIM_SIGN_HEADERS line.

5. Then update the exim4 configuration and restart the service:

sudo update-exim4.conf
sudo service exim4 restart

6. After waiting for the new DNS record to propagate, test it at:

Note 1: you can also send an email to Gmail and look at the "source" of the email; there Gmail shows whether the email passed ('PASS') the SPF and DKIM checks.

Note 2: for your tests, don't send emails from your new mailbox to the SAME mailbox!!! I learned this after WASTING almost 2 days of my life, hahaha. Because, briefly, exim uses a different "sending mechanism" (different 'router' and 'transport' profiles/drivers) when sending mail WITHIN THE SAME DOMAIN NAME (local_delivery vs. remote_smtp transport). Specifically: those mails are not DKIM signed!! So if you want to check whether exim is adding the DKIM signature to sent emails, send to another domain name!

7. After verifying that DKIM and SPF are working well, add this other DNS record to announce DMARC:

_dmarc. | TXT | v=DMARC1; p=none
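When you do the Gmail "source" check from step 6, these are the headers to read. The following is an added example, not code from the post or from HestiaCP: it parses the Authentication-Results verdicts and the DKIM-Signature tags from a constructed message (the bh= and b= values are fake), checks that d= is the From domain and that From is inside h=, and reports the unsigned case you hit when mail is delivered locally within the same domain.

```python
import email
import email.utils
import re

# Constructed sample of the headers Gmail's "show original" view exposes for a
# message signed by the setup above (not a real capture; bh= and b= are fake).
SAMPLE_RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@notification.vip header.s=mail header.b=FAKESIG;
       spf=pass (google.com: domain of test@notification.vip designates 185.253.154.23 as permitted sender) smtp.mailfrom=test@notification.vip;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=notification.vip
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=notification.vip; s=mail;
       h=Date:To:From:Subject; bh=FAKEBODYHASH=; b=FAKESIG=
From: test@notification.vip
To: someone@otherdomain.com
Subject: Testing

This is a test.
"""

def _header(raw: str, name: str) -> str:
    """Fetch one header with its folded continuation lines collapsed."""
    return re.sub(r"\s+", " ", str(email.message_from_string(raw)[name] or "")).strip()

def auth_results(raw: str) -> dict:
    """Verdicts from the receiver's Authentication-Results header,
    e.g. {'dkim': 'pass', 'spf': 'pass', 'dmarc': 'pass'}."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", _header(raw, "Authentication-Results")))

def dkim_signature_tags(raw: str) -> dict:
    """tag=value pairs of the DKIM-Signature header (empty if exim did not sign)."""
    tags = {}
    for part in _header(raw, "DKIM-Signature").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_outgoing_signature(raw: str) -> list:
    """Problems to look for before trusting a 'pass': the message must carry a
    signature, d= must be the From domain, and From must be inside h=."""
    tags = dkim_signature_tags(raw)
    if not tags:
        return ["no DKIM-Signature header (e.g. same-domain local delivery)"]
    problems = []
    from_domain = email.utils.parseaddr(_header(raw, "From"))[1].rsplit("@", 1)[-1].lower()
    if tags.get("d", "").lower() != from_domain:
        problems.append(f"d={tags.get('d')} does not match From domain {from_domain}")
    if "from" not in [h.strip().lower() for h in tags.get("h", "").split(":")]:
        problems.append("From header is not covered by h=")
    return problems
```

The selector and domain from the signature tags (s= and d=) give the name to query with dig: s._domainkey.d.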

Useful terminal commands to debug

1. To quickly send a test email:

echo "This is a test." | mail -s Testing to@otherdomain.com

2. To show the config lines used by exim regarding DKIM:

exim -bP transports | grep dkim

3. To fetch the DKIM DNS record as currently propagated:

dig +short mail._domainkey.notification.vip TXT

You should get something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpKJm00btTbNzzQG1ciau7HCoPuZm7NL3ZvH981k1TLkGByeyUJpIIS7MSRA/CX1PgIG2CmiwTSP8rTOPyQcXUrZO63JfMDHkdFza85HC5tmqXdVKKT+bVQz5v1Q6PHjldeQESvr/MLD+eJjDoOTJDjFOmHThQ/isPQm/jQx43OwIDAQAB

And make sure that this matches exactly the key inside notification.vip.pub.
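Two parts of this post can be automated with the same few lines: building the p= value for the TXT record in step 3 from the .pub file, and the final check that the propagated record matches that file. This is an added example, not code from the post or from HestiaCP; the PEM and the dig output are constructed stand-ins (not a real key), long enough to show the 255-byte chunking dig prints for a real DKIM record.

```python
import base64
import re

def pem_to_p(pem: str) -> str:
    """Strip the -----BEGIN/END----- lines and join the base64 body: the p= string."""
    lines = [l.strip() for l in pem.splitlines()]
    return "".join(l for l in lines if l and not l.startswith("-----"))

def dkim_txt_value(pem: str) -> str:
    """TXT value for step 3, built from the contents of the .pub file."""
    return f"v=DKIM1; k=rsa; p={pem_to_p(pem)}"

def join_dig_txt(dig_output: str) -> str:
    """dig +short prints TXT data as quoted strings; a record longer than 255
    bytes comes back as several quoted chunks that must be concatenated."""
    return "".join(re.findall(r'"([^"]*)"', dig_output))

def parse_dkim_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dns_key_matches_pem(dig_output: str, pem: str) -> bool:
    """The final check of the post: p= must be valid base64 and equal the local .pub."""
    tags = parse_dkim_tags(join_dig_txt(dig_output))
    if tags.get("v") != "DKIM1" or "p" not in tags:
        return False
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return False
    return tags["p"] == pem_to_p(pem)

# Constructed stand-in for /etc/exim4/dkim/notification.vip.pub (not a real key):
# a base64 body long enough that the TXT record exceeds 255 bytes.
_body = base64.b64encode(b"constructed sample, not a real SubjectPublicKeyInfo " * 4).decode()
SAMPLE_PUB_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  + "\n".join(_body[i:i + 64] for i in range(0, len(_body), 64))
                  + "\n-----END PUBLIC KEY-----\n")

def as_dig_output(txt_value: str) -> str:
    """Constructed imitation of 'dig +short ... TXT' output for a long record."""
    chunks = [txt_value[i:i + 255] for i in range(0, len(txt_value), 255)]
    return " ".join(f'"{c}"' for c in chunks) + "\n"

SAMPLE_DIG_OUTPUT = as_dig_output(dkim_txt_value(SAMPLE_PUB_PEM))
```

On the VM, feed the real files in: open(".../notification.vip.pub").read() for the PEM and the captured output of the dig command above for dig_output.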

External checking tools

USEFUL publications about DKIM & HestiaCP

Tags: mail | hosting
