Using Debian's mail-submit server

Due to the increasing number of classic mail providers (including, e.g., gmail) requiring a proper SPF/DKIM/DMARC setup to accept mails, the DSA team (the Debian System Administrators, who run the Debian infrastructure) has set up an SMTP submission server. This post explains how to use it with Exim4.

Everybody hates SPAM. Unfortunately, many SPAM blocking strategies make working with regular emails harder and harder, especially if you are not using one of the big corporate mail servers (Google, Yahoo, Microsoft, ... you name it) but like to run your own infrastructure.

Recently, Google has raised the hurdle for sending emails to gmail users (that is: about half the world) by requiring (bulk?) emails to carry a DKIM signature.

This makes things somewhat complicated if an organization (like Debian) does not provide central mail services but encourages its members to use whatever services they like (including their own): as there is no central authority to check the validity of such a signature, the result was that hundreds of Debian Developers (using their precious @debian.org addresses) were no longer able to send emails to gmail users.

In order to fix this problem, the DSA has finally set up a mail relay server for Debian Members that uses a central DKIM signing authority.

I followed the discussion as an interested party, but had no immediate plans to switch to this new service, until today when I tried to contact somebody with a @gmail.com address in Debian-related matters (thus using my @debian.org address): my mail was promptly rejected.

So I went to re-configure my email server (most likely it's possible to re-configure my MUA to use Debian's mail server, but I have multiple mail clients and almost all of them use the same mail server, so I figured it simpler to fix the issue once and for all).

There's some nice documentation, but unfortunately it only talks about configuring Postfix, and I'm using Exim (which happens to be the default MTA on Debian systems, and is much easier to configure, IMHO).

So this is what I did.

DKIM

DKIM is an abbreviation for "DomainKeys Identified Mail". In short, it adds a cryptographic signature of the mail content to the mail headers. The signature is bound to the domain of the sender address.

The private key (used to generate the signature) is safely stored on the mailserver. To verify the signature, you have to look up its public key via DNS.

You can do this manually with something like this:

 dig +noall +answer TXT smtpauto.stravinsky._domainkey.debian.org
 smtpauto.stravinsky._domainkey.debian.org. 600 IN TXT
                "v=DKIM1; k=rsa; s=email; h=sha256; p="
                "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwi8LqBb0lIBri5MJwFq8"
                "lak6adGPCq/kpLTarDdSdlfOekhpAnwVf9cD37ii9u4bLfVkuIzg3eIm4HmHKoUC"
                "vqc24CZkggi5+D8TyhS0TnlXAZNQgFGtE9X6ZZTban34a/iqVU1PNjxXPLIEW+e5"
                "D3NJn1ah+3ILFDw7vXIXjZSierXl5onMY/lgN3DidLYBmw0+BNVKI4mnByczmhh6"
                "5kF+DLsv8N0Jtb5YOcRle3SuuK6dp1N4dyosd0CHnjuytpZ81F97FBfMKpmHYJEc"
                "eA+/1Rxykhl7x+khw2V5UKK7o30af7QJgMS+ZO/XJSl6Sw1yerxixvX9kAnjZppt"
                "RwIDAQAB"

So we are doing a TXT lookup for <SELECTOR>._domainkey.<DOMAIN>. The <DOMAIN> part is taken literally from the sender address. The _domainkey part is a well-known subdomain reserved for DKIM, and the <SELECTOR> (smtpauto.stravinsky in the example above) is an identifier that is sent along with the email, which makes it easier to manage multiple keys for the same domain (e.g. when using multiple outgoing mailservers and you don't want to share the private key between them).

The trick is that if you want to send an email from your email address (e.g. user@example.com), then you (or whoever controls your mailserver) must also control the DNS server for that domain (so you can publish the public key under the _domainkey.example.com subdomain). This makes it "impossible" (well: hard) to forge emails.
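As an added example (not from the original post or from Debian's documentation), the following Python builds the DNS name from the d= and s= tags of a DKIM-Signature header and parses a TXT record of the shape the dig command above returns. The header and record contents are constructed samples (the p= value is shortened), not real keys.

```python
import re

# Constructed sample header value (not from a real message): the d= and s= tags
# are what a verifier needs to build the <SELECTOR>._domainkey.<DOMAIN> name.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=debian.org; "
    "s=smtpauto.stravinsky; h=from:to:subject:date; bh=BODYHASH==; b=SIGNATURE=="
)

# Constructed TXT record in the shape dig prints: a long key is split into
# several quoted strings that must be concatenated before parsing.
SAMPLE_TXT_RECORD = '"v=DKIM1; k=rsa; s=email; h=sha256; p=" "MIIBIjANBgkq" "hkiG9w0BAQEF"'


def parse_tags(value):
    """Parse a DKIM tag=value list (as in RFC 6376) into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())  # values may be folded across lines
    return tags


def dkim_lookup_name(signature_header):
    """Return the DNS name holding the public key for a DKIM-Signature value."""
    tags = parse_tags(signature_header)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks d= or s= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def join_txt_strings(record):
    """Concatenate the quoted strings of a TXT record into one tag list."""
    return "".join(re.findall(r'"([^"]*)"', record))


def parse_dkim_record(record):
    """Parse a DKIM key record and sanity-check the fields shown above."""
    tags = parse_tags(join_txt_strings(record))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if not tags.get("p"):
        raise ValueError("empty p= tag: this key has been revoked")
    return tags
```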

Anyhow, Debian folks have set this up for us. The only thing left for me to do is to tell my mailserver to send all emails originating from my @debian.org address to the Debian relay server.

Authentication

The Debian mail relay server is (obviously) not an Open Relay, so we need to authenticate against it.

Obtaining a password is done via some arcane mail commands: you need to send a GPG-signed email (using the GPG key that is in the (current) Debian keyring) to a mail gateway, using "Please change my mail password" as the command:

 echo "Please change my mail password" | gpg --clearsign | mail chpasswd@db.debian.org

If the signature is valid (and the key is in the Debian keyring), the server will generate a new password and send it back encrypted. Using the (same) Debian GPG key, it's possible to decrypt the PASSWORD.

The entire process takes a while (probably also because of some greylisting I have set up in the various mailservers in between).

Exim4 configuration

Some fellow Debian Member provided an Exim4 configuration snippet that got me started. However, it was lacking some additional information and used a transport (namely remote_smtp_gmail) that was not present on my system.

First we need to create a new router that will accept emails originating from @debian.org addresses and redirect them to another SMTP host:

 router_debian:
    condition = ${lookup {${lc:$sender_address}}lsearch{CONFDIR/debian-accounts} {yes}{no}}
    domains = ! +local_domains
    driver = manualroute
    transport = remote_smtp_smarthost
    route_list = * mail-submit.debian.org::587
    debug_print = "R: debian route"
    no_more

The condition in the above router will only accept messages from senders that are listed in CONFDIR/debian-accounts (that is: /etc/exim4/debian-accounts), which has the following contents (with USER being my Debian username):

 USER@debian.org

If I ever send emails from my Debian address to myself (or some other user on my mailserver), I want to keep them on my server and not forward them to the Debian relay server, which would only send them back to me (possibly creating a mail loop unless there are countermeasures in action). Therefore the router won't accept mails addressed to my local domains (see the domains line).

Once the mail is accepted by the router, it selects the remote_smtp_smarthost transport, telling it to use mail-submit.debian.org:587 as the relay server (mind the double colon!).

Without further ado, this would try to send mails via the relay without authentication (which would get rejected by mail-submit.debian.org).

We therefore need to provide our credentials in CONFDIR/passwd.client (that is: /etc/exim4/passwd.client) by adding the following line to this file (again replacing USER with my Debian username, and PASSWORD with the (decrypted) plain-text password received from the mail gateway).

 stravinsky.debian.org:USER:PASSWORD

Wait, why does it say stravinsky.debian.org? Shouldn't that read mail-submit.debian.org??? Well, yes. The documentation even explicitly says:

The SMTP submission server is hosted on stravinsky.debian.org, on port 587, but it is recommended to use the CNAME mail-submit.debian.org for the submission service.

However, Exim4 does a forward and reverse lookup to resolve the smarthost's hostname before matching it against the entries in the passwd.client file, and this doesn't work at all with CNAME records, so we need to use the name of the A record here.
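The interplay of the router, the accounts file and passwd.client, as an added model in Python (not Exim code and not from the original post): it assumes example.com as a local domain and models the CNAME-to-A-record resolution described above, to show which sender/recipient pairs get relayed and why the passwd.client entry must be keyed on stravinsky.debian.org.

```python
# Constructed contents modelled on the files described above (USER/PASSWORD
# are placeholders as on the page; example.com is an assumed local domain).
DEBIAN_ACCOUNTS = ["user@debian.org"]                    # CONFDIR/debian-accounts
LOCAL_DOMAINS = ["example.com", "localhost"]             # +local_domains (assumed)
PASSWD_CLIENT = ["stravinsky.debian.org:USER:PASSWORD"]  # CONFDIR/passwd.client
SMARTHOST = ("mail-submit.debian.org", 587)              # route_list = * mail-submit.debian.org::587
# Assumed DNS view: the recommended CNAME and the A record name behind it.
CNAMES = {"mail-submit.debian.org": "stravinsky.debian.org"}


def router_debian(sender, recipient):
    """Model of router_debian: the (host, port) to relay through, or None when
    the router declines and Exim falls through to the next router."""
    # condition = ${lookup {${lc:$sender_address}}lsearch{CONFDIR/debian-accounts} {yes}{no}}
    if sender.lower() not in DEBIAN_ACCOUNTS:
        return None
    # domains = ! +local_domains: mail to a local recipient stays local, which
    # avoids bouncing it through the relay and back (a possible mail loop).
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return None
    return SMARTHOST


def canonical_host(name):
    """Follow a CNAME to the A-record name Exim ends up with after its lookup."""
    return CNAMES.get(name, name)


def client_credentials(host):
    """Find the user/password entry in passwd.client for the resolved host name."""
    for line in PASSWD_CLIENT:
        entry_host, user, password = line.split(":", 2)
        if entry_host == host:
            return user, password
    return None  # no entry: the relay attempt would be unauthenticated and rejected


def relay_plan(sender, recipient):
    """Router decision plus credential lookup: (host, port, credentials) or None."""
    target = router_debian(sender, recipient)
    if target is None:
        return None
    host = canonical_host(target[0])
    return host, target[1], client_credentials(host)
```

An entry keyed on the CNAME name would never match, which is exactly the unauthenticated-then-rejected situation the text describes.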

Final words

That's it. Now, whenever I send an email via my mail server using USER@debian.org as the From address (and not sending it to any local recipient on my mailserver), it will be automatically relayed through mail-submit.debian.org, where it receives a DKIM signature.

Now I only need to find some gmail user to send an email to.