Exim won't sign mail send by PHP through SMTP

I've been struggling to get Exim to sign my mails i'm sending with Zend2 Mailer class. The class has the option to send through SMTP; this is awesome since i have everything configured at MTA level.

However. Sending mail from a client (Thunderbird) will get signed. The mail send with Zend2's Mailing class will not. Let's start with my version of Exim.

Exim version 4.76 #1 built 19-Jul-2011 02:56:59
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.7.25: (November 12, 2010)
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf

Then there is the configuration of DKIM. I tried looking up the domain with the method beneath instead of using the $sender_address_domain variable. I saw in another serverfault post that the DATA command can malform the envelope resulting in a wierd sender address. That however was not the case with me. Both resolve to the actual sender/from adres.

[rob@server ~]$ exim -bP transports | grep dkim
dkim_canon = relaxed
dkim_domain = ${lc:${domain:$h_from:}}
dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
dkim_selector = x
dkim_sign_headers = MIME-Version:Date:Message-ID:Subject:From:To
dkim_strict = 0

The keys are there. The configuration works, as verified with mail send with Thunderbird.

Then i asked myself, do these mails actually pass through the SMTP server? The result; yes they do. I checked the /var/log/exim/mainlog. Now i also noted that the mails from Thunderbird don't get that "recieving the mail" logline. I don't know why? Can someone elaborate on that if they know why? PHP connects using SMTP login method with the exact same SMTP information that Thunderbird uses. Same ports, domain, username, password.

https://framework.zend.com/manual/2.4/en/modules/zend.mail.smtp.options.html#zend-mail-smtp-options

# This is the mail recieved from the PHP code.
2016-11-15 08:28:52 1c6YAm-000154-6p <= [email protected] H=mydomain.com [ipv4.addr] P=esmtpa A=login:[email protected] S=22098 id=26412cc5accb22e5ce03925c7ac38a7c95c398cb19d5736fa41fb565c8dc1254@mydomain.com T="Another day at the office with DKIM..." from <[email protected]> for [email protected]

# Here it is outbound for its destination. Not signed to be noted.
2016-11-15 08:28:52 1c6YAm-000154-6p => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=22157 H=gmail-smtp-in.l.google.com [ipv6.addr] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1479194932 yr4si27147042wjc.210 - gsmtp"

# This is send with Thunderbird. This gets signed...
2016-11-15 08:31:47 1c6YDa-0001CM-UY => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=762 H=gmail-smtp-in.l.google.com [ipv6.addr] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1479195107 s17si1915514wme.47 - gsmtp"

These mails also don't get rejected nor can be found in the panic log. They both get recieved by my gmail account:

# This is the mail send from thunderbird. With DKIM signing.

Delivered-To: [email protected]
Received: by 10.80.186.18 with SMTP id g18csp1289759edc;
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
X-Received: by 10.194.248.5 with SMTP id yi5mr384988wjc.11.1479195107193;
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
Return-Path: <[email protected]>
Received: from myserver.com (myserver.com. [ipv6.addr])
        by mx.google.com with ESMTPS id s17si1915514wme.47.2016.11.14.23.31.47
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Nov 2016 23:31:47 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) client-ip=ipv6.addr;
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       spf=pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.com; s=x;
    h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Subject:From:To; bh=zaNQl8a2eAEHfPVmKMA7RmtMqJ/6huDk4u6pr/tWrqQ=;
    b=xcDHIzzTWS8hPMxjqbZM0I6b/act/LlweTuNcnZJ9ttEF1dAm37Lzy8zOJz2E2aDTkcQOdCQuC+VyIaXTRzTMJXyzJTUXTgPUPOePsR5XYqqsE0iQRMkDl/Ah650kBHD5drqIrFJwCw5g0aL9OECqTyRO9kwL0DQJX/mKcTkLtiiIs7Z7G77ZwWhJpFm/duoQARtZZ1UZFu42/Vbl+V8vSoWbXoZBpg+WBGucWJoGq+hb5zILxwsMPcbrIu+avBjjoUdLVP9YMFiPC3nK+7zOGBWOO7x6QoHQmO8uo0P88E52Sm9ZJGgLQOCfFCMjCnv4IMemj/GSe25Sf8PKah/Xg==;
Received: from 159-032-128-083.dynamic.caiway.nl ([83.128.32.159] helo=[192.168.1.108])
    by myserver.com with esmtpsa (UNKNOWN:AES128-SHA:128)
    (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1c6YDa-0001CM-UY
    for [email protected]; Tue, 15 Nov 2016 08:31:46 +0100
To: Rob van der Lee <[email protected]>
From: Rob van der Lee <[email protected]>
Subject: Dit is een verzonden mail via account
Message-ID: <[email protected]>
Date: Tue, 15 Nov 2016 08:31:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Dit is echt een test.

And here the mail that gets send from PHP that doesn't get signed.

Delivered-To: [email protected]
Received: by 10.80.186.18 with SMTP id g18csp1288906edc;
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
X-Received: by 10.28.170.134 with SMTP id t128mr2009669wme.29.1479194932632;
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
Return-Path: <[email protected]>
Received: from myserver.com (myserver.com. [ipv6.addr])
        by mx.google.com with ESMTPS id yr4si27147042wjc.210.2016.11.14.23.28.52
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Nov 2016 23:28:52 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) client-ip=ipv6.addr;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates ipv6.addr as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=mydomain.com
Received: from mydomain.com ([37.97.128.104])
    by myserver.com with esmtpa (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1c6YAm-000154-6p
    for [email protected]; Tue, 15 Nov 2016 08:28:52 +0100
Date: Tue, 15 Nov 2016 07:28:52 +0000
To: [email protected]
From: Rob van der Lee <[email protected]>
Sender: Rob van der Lee <[email protected]>
Subject: Another day at the office with DKIM...
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_7ebb8a8d12984c5cc3f5fbf995b1b4ad"
Message-ID: <26412cc5accb22e5ce03925c7ac38a7c95c398cb19d5736fa41fb565c8dc1254@mydomain.com>

This is a message in Mime Format.  If you see this, your mail reader does not support this format.

--=_7ebb8a8d12984c5cc3f5fbf995b1b4ad
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... content of mail in text and then html, left it out since not relevant.

It just doesn't make sense to me why Exim won't sign this mail. As seen in the log file both mails get send via T=remote_smtp and according to my MTA configuration all outbound mails that get send via remote_smtp should be signed.

Apart from the fact that the mail actually does get send and reaches the mailbox. Hopefully i can learn from this.

Update:

As per suggestion of Daniel i tried resolving the domain, handling the SMTP request, internally as opposed to letting my provider handle this for me. This does not help, the message is still sent unsigned.

The logs also look the same as mentioned above.

Dig Request of old situation:

;; QUESTION SECTION:
;mydomain.com.      IN  NS

;; ANSWER SECTION:
mydomain.com.   86400   IN  NS  ns1.transip.nl.
mydomain.com.   86400   IN  NS  ns2.transip.eu.
mydomain.com.   86400   IN  NS  ns0.transip.net.

Dig Request of new situation:

;; QUESTION SECTION:
;mydomain.com.      IN  NS

;; ANSWER SECTION:
mydomain.com.   14400   IN  NS  ns2.myserver.com.
mydomain.com.   14400   IN  NS  ns1.myserver.com.

Update to Answer:

I've also make a bug ticket over at the Exim Bug tracker. Thought to get some help over the experts; Jeremy Harris pointed me in the right direction.

Jeremy Harris 2016-11-15 14:58:55 GMT

First, if you're running Exim 4.76 - update it.

Then, assuming the problem still exists:  restart your daemon with a commandline
debug option, collecting output.  Feed it a test mail.  Examine the debug output,
which shows the processing flow for the message.  Compare with your config and
work out where it differs from what you expected.

I did what he told me. Updated, then found out the problem still persisted. Fed the debug modus 2 mails. One signed, the other unsigned.

I started closely comparing and noticed that the body on both mails started getting fed to PDKIM (the dkim lib for Exim). Then i noticed my unsigned mail didn't had closure after the body like the signed message did.

I figured it had to do with the content; so from the PHP side i send a mail with just a line of text. This was getting signed...

Solution? Wordwrapping! That i didn't thought of this earlier! I really don't feel all that smart now. This because i knew about this at forehand. The RFC 2646 spec tells us all about it.

Hope this post will help somebody else. It was a good journey and stupid enough the problem was my implementation.