Exim4 and DKIM [not DMARC]

I have a Linux server which runs Apache2, and the Exim4 SMTP server.
I use the LetsEncrypt Certbot system to create the certificates and these get copied across to the Exim4 directory and fixed up.
All works perfectly.
But I also have to copy the public certificate into the DMARC DNS settings of my VPS provider, every time the Certbot renews the certificates!
That is an impossible task every 3 months.

Is there any way to have the LetsEncrypt certificates be valid for 12 months instead of 3 months?
Why in heavens name is it set to such a short period?
Is there another solution to use LetsEncrypt for Mail servers? It seems to be only designed for https servers...

Hi @bartkindtnz, and welcome to the LE community forum :slight_smile:

No, they only have one offering: 90 days.

Certificates are not made specific for any server(s) - they can be used by all kinds of servers and systems.
LE certs are exactly like any other/all other CA certs.
How would you like a cert to be designed specifically for a mail server?

How is that impossible?

3 Likes

DMARC records don’t normally contain certificates, so I’m a little confused about the problem you’re having. Do you mean DANE TLSA records?

8 Likes

Please see:

Which could have been found through the FAQ:

4 Likes

You probably mean DKIM, which doesn't involve x509 certificates, but plain pubkeys (RSA or ed25519) published in DNS. You don't need LE or any other Certificate Authority for this, this can simply be generated locally on your server.

4 Likes
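To make the "generate it locally" point concrete, here is an added example (not code from the thread or from the Exim project) that creates a DKIM keypair with OpenSSL and prints the DNS TXT record the public half goes into. It assumes `openssl` is installed; the selector `2023q4`, the domain `example.com` and the key path are made-up values for the demonstration.

```shell
#!/bin/sh
# Added example: local DKIM key generation, no CA involved.
set -eu

# Generate a 2048-bit RSA private key for DKIM signing at the given path
# (path is an assumption; place it wherever Exim's dkim_private_key points).
dkim_keygen() {
    key="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"          # only the MTA user needs to read it
}

# Build the TXT record value (RFC 6376): p= is the base64 SubjectPublicKeyInfo.
dkim_txt_value() {
    key="$1"
    p=$(openssl pkey -in "$key" -pubout -outform DER | openssl base64 -A)
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p"
}

# Full zone-file line for <selector>._domainkey.<domain>.
# A single TXT string is limited to 255 bytes, so the value is split into
# quoted chunks; resolvers join them back together.
dkim_dns_record() {
    selector="$1"; domain="$2"; key="$3"
    chunks=$(dkim_txt_value "$key" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "$chunks"
}

# Demonstration with constructed values.
demo_dir=$(mktemp -d)
demo_key="$demo_dir/dkim-2023q4.pem"
dkim_keygen "$demo_key"
dkim_dns_record 2023q4 example.com "$demo_key"

# In Exim 4 the signing side is configured on the smtp transport, e.g.:
#   dkim_domain      = example.com
#   dkim_selector    = 2023q4
#   dkim_private_key = /etc/exim4/dkim/dkim-2023q4.pem
```

The selector is the only thing that ties a published key to a point in time, so rotating a key means publishing a new selector's record, switching Exim to it, and removing the old record once mail signed with the old key has aged out; nothing expires on its own.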

I am sorry, yes I meant DKIM not DMARC. You would not believe the trouble I am having with places like hotmail which keep blocking emails. All of them now seem to require real certifications and not self-built ones. Especially with my mailing list system, where the hash of the body is always wrong (due to the required unsubscribe links being added) it seems to be that you have to have everything else absolutely perfect to have any chance to get the emails through.

1 Like

Hmmm: as mentioned above, DKIM does not use the WebPKI type of certificate that we (and other CAs) issue, at all. Could you please give us some more detail about your configuration, so we can better understand exactly what’s going on?

(Edit:) I think your note about the signature matching is important here: no matter what you do, that will need to be fixed, or your deliverability will stay bad. I’m less familiar with Exim than with Postfix; are you using OpenDKIM or some other configuration? Snippets of those config files could help us troubleshoot this. Although it may be beyond the scope of our forum, we’ll do what we can.

6 Likes

Basically, I copy the Public Key and Private Key generated by LetsEncrypt to the Exim4 directory for it to use.
Then I copy the Public Key into the DKIM DNS records for the 5 different Domains which are running on this VPS.

I just read a bit more. I read now that certificates expire, but SSL keys do not expire? Which would mean I can leave the current Public Key in place for Exim4, even when the LetsEncrypt certificates get updated?

Dkim uses entirely different keys. You can generate those yourself.

4 Likes

Only if it continues to use the matching private key. [uncommon]
If Exim4 changes the private key as you renew your certs, then you will have to change the public key to match the private key.

2 Likes

That only matters for DANE/TLSA, though. And you can always use a trust anchor like R3 or ISRG Root X1 in your tlsa record (they are additive, you can use more than one.)

For example:

❯ dig tlsa _25._tcp.bjorn.qualcuno.xyz

; <<>> DiG 9.16.41 <<>> tlsa _25._tcp.bjorn.qualcuno.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8011
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_25._tcp.bjorn.qualcuno.xyz.   IN      TLSA

;; ANSWER SECTION:
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 55F77DE41C03792428F8D518C55104225BE43A5598D926A528AD653E 1CCEC7BF
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 871A9194F4EED5B312FF40C84C1D524AED2F778BBFF25F138CF81F68 0A7ADC67
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 0B9FA5A59EED715C26C1020C711B4F6EC42D58B0015E14337A39DAD3 01C5AFC3
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 9847E5653E5E9E847516E5CB818606AA7544A19BE67FD7366D506988 E8D84347
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 762195C225586EE6C0237456E2107DC54F1EFC21F61A792EBD515913 CCE68332
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 4179EDD981EF747477B49626408AF43DAA2CA7AB7F9E082C1060F840 96774348
_25._tcp.bjorn.qualcuno.xyz. 10800 IN   TLSA    2 1 1 08B3A6335FCE5EF48F8F0E543986C07FD18A3B1226129F61864BBD5B DD1F1CC9

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 28 05:41:47 CEST 2023
;; MSG SIZE  rcvd: 385

(I'm not even sure what those fingerprints refer to. They should be X1, X2, maybe R3, E1, and the GTS roots. I think I should add R4 and E2)

3 Likes
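As an added example (not from the thread), this shows how a `2 1 1` TLSA record like the ones above is derived: usage 2 (DANE-TA), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256), i.e. the hash of the trust anchor's public key rather than of the leaf certificate, which is why it survives 90-day renewals as long as the issuing CA's key stays the same. It assumes `openssl` is available; the host name `mail.example.com` is made up, and the self-signed "CA" certificate is a constructed stand-in for a real trust anchor such as ISRG Root X1 or R3 (use the CA's published PEM in practice).

```shell
#!/bin/sh
# Added example: build a DANE-TA (2 1 1) TLSA record from a CA certificate.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate,
# printed as uppercase hex (the form shown in dig output).
tlsa_2_1_1_from_cert() {
    cert="$1"
    openssl x509 -in "$cert" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Zone-file line for the SMTP port of the given MX host name.
tlsa_record() {
    host="$1"; cert="$2"
    printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$host" "$(tlsa_2_1_1_from_cert "$cert")"
}

# Constructed input: a throwaway self-signed certificate standing in for a
# real CA certificate. Replace with the CA's PEM when producing real records.
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
  -days 1 -subj "/CN=Example Trust Anchor" 2>/dev/null

tlsa_record mail.example.com "$d/ca.pem"
```

Two checks worth running before publishing: the record for a given CA file must be identical every time (it is a pure hash, so any difference means the wrong file was used), and, because the matching type is a hash, the SMTP server must actually send the trust anchor's certificate in its TLS chain; an intermediate such as R3 is in `fullchain.pem` already, a root normally is not, so a root-based record only verifies if the root is appended to the chain file.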

So you're throwing away all the x509 parts (what LE provided), retaining only the bare public key (that you already had without LE). Again, you don't need a CA for DKIM.

You do want to rotate those keys periodically though, but that's on your own initiative and not mandated by any expiration date.

Here's your actual problem - you're modifying the messages after signing them, and DKIM was designed to detect this kind of message "tampering". So it actually works! :slight_smile:

Change the order of your message processing: modify, then sign, and you should be fine.

4 Likes
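The "modify, then sign" advice can be seen directly in the body hash. The added example below (not code from the thread) computes the `bh=` value of a message body under DKIM's `simple` body canonicalization (RFC 6376 section 3.4.3: CRLF line endings, trailing empty lines removed, body ends in one CRLF) and shows that appending a list footer after signing changes the hash, which is exactly what the verifier then rejects. It assumes `openssl` is available; the body text and the unsubscribe URL are constructed.

```shell
#!/bin/sh
# Added example: DKIM simple body canonicalization and body hash (bh=).
set -eu

# Takes the body as one argument (LF line endings), canonicalizes it and
# prints the base64 SHA-256 that would appear in the bh= tag.
dkim_simple_body_hash() {
    printf '%s\n' "$1" \
      | awk 'BEGIN { ORS = "\r\n" }
             { line[NR] = $0 }
             END {
                 last = NR
                 while (last > 0 && line[last] == "") last--
                 if (last == 0) print ""          # empty body canonicalizes to CRLF
                 for (i = 1; i <= last; i++) print line[i]
             }' \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Constructed message body as the author submits it to the list.
body="Hello everyone,

the meeting is on Thursday."

# The hash the signer put into bh= ...
signed_bh=$(dkim_simple_body_hash "$body")

# ... and the hash a verifier computes after the list appended its footer.
delivered=$(printf '%s\n\n-- \nUnsubscribe: https://lists.example.com/unsubscribe\n' "$body")
delivered_bh=$(dkim_simple_body_hash "$delivered")

printf 'signed    bh=%s\n' "$signed_bh"
printf 'delivered bh=%s\n' "$delivered_bh"
if [ "$signed_bh" != "$delivered_bh" ]; then
    printf 'body hash mismatch: the message was changed after signing\n'
fi
```

Signing after the footer is added (or having the list re-sign with its own domain, which is what Mailman's DMARC mitigation options amount to) is the only way to get a matching `bh=`. DKIM does define an `l=` tag that limits the hash to the first N bytes so that appended text is tolerated, but it is widely advised against because it lets anyone append content to a signed message without breaking the signature.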

You need spf-srs to do that and hope not to get flagged :wink:

3 Likes

That is totally true, but it does not seem to be possible with
Linux>Exim4>MailMan
Where Mailman is the mailing list system.
And it is a well known issue, but for whatever reason, it does not seem possible to fix it from the MailMan side; I also have not seen any solutions from the Exim4 side. There is an option for MailMan to remove the DKIM data from the email, so at least it is not considered FAIL, but then it is missing, which in some destinations is also a complete SPAM. I must admit it does not make sense, and there must be a way to solve this.

However, we are getting away from the LetsEncrypt question, which I now understand is totally not required for DKIM to work with Exim4 and I can just use a privately generated Key set.

3 Likes
