Setup

Using exim 4.84 on Debian 8 (jessie) on a Bytemark BigV virtual machine (NOT using Symbiosis).

Problem

In early October 2015, mails to gmail addresses started going into the recipients' spam mailboxes.

Reverse DNS

The first thing that was clearly wrong since moving to BigV was that reverse DNS was not set up. Both IPv4 and IPv6 were needed.

Bytemark’s panel allows this to be set up under the “IP” tab.

Setting up an SPF record

There was no SPF record for the domain.

This is a DNS TXT record for disruptive.org.uk itself, which now looks like this in dig output:

$ dig -t txt disruptive.org.uk

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> -t txt disruptive.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;disruptive.org.uk.             IN      TXT

;; ANSWER SECTION:
disruptive.org.uk.      540     IN      TXT     "v=spf1 a -all ip6:2001:41c8:51:833:fcff:ff:fe00:46de"

;; Query time: 3 msec
;; SERVER: 80.68.80.24#53(80.68.80.24)
;; WHEN: Thu Oct 22 09:15:06 BST 2015
;; MSG SIZE  rcvd: 100

Initial problems:

  • just v=spf1 a -all as originally suggested by Bytemark doesn’t work with IPv6

  • mail was going out via the Bytemark smarthost smtp.bytemark.co.uk, so the IPv6 address was not going to match anyway.

Solution:

  • send mail directly (Bytemark now deprecate the use of the smarthost)

  • add an AAAA record for disruptive.org.uk

  • generate an SPF record that works with Bytemark’s djbdns / tinydns setup using this record builder

  • add an alias record for a.mx.disruptive.org.uk.

DNS setup for SPF

The necessary extra lines in the DNS data file are:

Authority records for IPv6:

.4.2.e.4.1.0.0.0.8.c.1.4.1.0.0.2.ip6.arpa::a.ns.bytemark.co.uk
.4.2.e.4.1.0.0.0.8.c.1.4.1.0.0.2.ip6.arpa::b.ns.bytemark.co.uk
.4.2.e.4.1.0.0.0.8.c.1.4.1.0.0.2.ip6.arpa::c.ns.bytemark.co.uk

AAAA record for disruptive.org.uk:

6disruptive.org.uk:200141c800510833fcff00fffe0046de

IPv6 alias record for a.mx.disruptive.org.uk

3a.mx.disruptive.org.uk:200141c800510833fcff00fffe0046de

SPF record with correct escaping:

:disruptive.org.uk.:16:\064v=spf1\040a\040-all\040ip6\0722001\07241c8\07251\072833\072fcff\072ff\072fe00\07246de:540

Setting up DKIM

This required changes to exim configuration. Here we are using the “split configuration” option.

The changes are:

Create directory /etc/exim4/dkim.

Generate keys

In /etc/exim4/dkim/ do:

# generate the private key (PEM is genrsa's only output format, so no -outform is needed)
openssl genrsa -out disruptive.org.uk-private.pem 1024
# extract the matching public key; its base64 body becomes the p= value in DNS
openssl rsa -in disruptive.org.uk-private.pem -out disruptive.org.uk.pem -pubout -outform PEM

Configure exim

Add the following to /etc/exim4/conf.d/transport/10_exim4-config_transport-macros

DKIM_CANON = relaxed
DKIM_SELECTOR = 20151021
DKIM_DOMAIN = disruptive.org.uk
DKIM_FILE = /etc/exim4/dkim/disruptive.org.uk-private.pem

Note: the DKIM DNS record is a TXT record for the subdomain <selector>._domainkey.<domain>, so in our case for

20151021._domainkey.disruptive.org.uk

The selector is arbitrary. Here we are using the date the key was generated as the selector.

In /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp under driver = smtp we need:

  dkim_private_key = /etc/exim4/dkim/disruptive.org.uk-private.pem
  dkim_sign_headers = subject:to:from

When the configuration changes have been made:

update-exim4.conf
service exim4 restart

This is enough to sign mails with the DKIM key.

DNS setup for DKIM

Then we need to set up the DNS for DKIM. This is a TXT record for the domain 20151021._domainkey.disruptive.org.uk which looks like:

IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB.... "

As seen in dig output:

$ dig -t txt 20151021._domainkey.disruptive.org.uk

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> -t txt 20151021._domainkey.disruptive.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36094
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;20151021._domainkey.disruptive.org.uk. IN TXT

;; ANSWER SECTION:
20151021._domainkey.disruptive.org.uk. 540 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GC... "

;; Query time: 4 msec
;; SERVER: 80.68.80.24#53(80.68.80.24)
;; WHEN: Thu Oct 22 09:17:39 BST 2015
;; MSG SIZE  rcvd: 302

where the p= is followed by the full public key generated above: the base64 body of disruptive.org.uk.pem with the BEGIN/END lines and line breaks removed.

Getting this right in Bytemark’s djbdns / tinydns setup requires the use of this record builder.

The line in the DNS data file looks like:

:20151021._domainkey.disruptive.org.uk:16:\352v=DKIM1;\040k=rsa;\040p=MIGfMA...:540

where p=MIGfMA... is the public key generated earlier.
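As an added example (not the page's or Bytemark's record builder), this Python script builds the tinydns generic-record lines shown in the SPF and DKIM sections from plain TXT strings: a length byte plus octal escapes for ':' and space, and, going beyond the page's case, splitting TXT data longer than 255 bytes into several character-strings as a 2048-bit DKIM key would need. The escaping convention is inferred from the lines on this page; the PEM body and 216-character key are constructed placeholders.

```python
# Added example: builds tinydns "generic record" lines (type 16 = TXT) for the
# SPF and DKIM records above. Not Bytemark's record builder; the escaping
# convention is inferred from the lines on this page, and 255-byte chunking
# follows the DNS TXT wire format (RFC 1035 character-strings).

def _escape(data: bytes) -> str:
    """Octal-escape bytes tinydns-data would misread: the ':' field
    separator, backslash, space, and anything outside printable ASCII."""
    return "".join(("\\%03o" % c) if (c in b":\\ " or not 0x20 < c < 0x7f)
                   else chr(c) for c in data)

def txt_rdata(text: str) -> str:
    """TXT rdata: one or more <len><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return "".join("\\%03o%s" % (len(ch), _escape(ch)) for ch in chunks)

def tinydns_txt_line(fqdn: str, text: str, ttl: int) -> str:
    """Generic-record line ':fqdn:16:rdata:ttl' as used in the data file."""
    return ":%s:16:%s:%d" % (fqdn, txt_rdata(text), ttl)

def dkim_p_from_pem(pem: str) -> str:
    """p= is the base64 body of the public key PEM with the BEGIN/END
    lines and line breaks removed."""
    return "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))

def dkim_txt_record(p: str) -> str:
    return "v=DKIM1; k=rsa; p=" + p

SPF = "v=spf1 a -all ip6:2001:41c8:51:833:fcff:ff:fe00:46de"

# Constructed placeholder key body: 216 base64 chars, the length of a 1024-bit
# RSA public key; only the "MIGfMA0G..." prefix is real DER framing.
PLACEHOLDER_BODY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB" + "A" * 184
SAMPLE_PUB_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  + "\n".join(PLACEHOLDER_BODY[i:i + 64] for i in range(0, 216, 64))
                  + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(tinydns_txt_line("disruptive.org.uk.", SPF, 540))
    p = dkim_p_from_pem(SAMPLE_PUB_PEM)
    print(tinydns_txt_line("20151021._domainkey.disruptive.org.uk",
                           dkim_txt_record(p), 540))
```

With the real disruptive.org.uk.pem read into dkim_p_from_pem, the second printed line is the DKIM data-file entry; its length byte comes out as \352 for a 1024-bit key, matching the record above.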

Testing

Success for both SPF and DKIM looks like this (in the headers of a mail sent to a gmail address):

Received-SPF: pass (google.com: domain of roger@disruptive.org.uk designates 2001:41c8:51:833:fcff:ff:fe00:46de \
       as permitted sender) client-ip=2001:41c8:51:833:fcff:ff:fe00:46de;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of roger@disruptive.org.uk designates 2001:41c8:51:833:fcff:ff:fe00:46de \
       as permitted sender) smtp.mailfrom=roger@disruptive.org.uk;
    dkim=pass header.i=@disruptive.org.uk
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=disruptive.org.uk; s=20151021;
    h=Subject:To:From; bh=rBA/GQHiZjeI27xDqOWH/Vn5sAV162LfNhk8SBnzF+E=;
    b=TCaOZrQG34ZaIT6OzxDkyr2SOYqqst2JO4tpIwa0Lf25waeuOQdOqKvUKr91.......;

Thanks

Many thanks to Charles Pigott of Bytemark for his help.