DKIM Support Added To Nodes Successfully - 11.28.52-RELEASE_50725

[nwtg]

Hi.

I'm usually helping people at WHT, but thought I would share this here as well.

I'm honestly not sure if this is old news by now, but I've been reading up here, especially This DKIM thread.

I've put together a workaround process to support DKIM signatures. It has worked in QA, and I just moved it to the production nodes today. I am running 11.28.52-RELEASE_50725.

Involves a bit of manual zone tweaking, a few unexpected tricks in cPanel "Email Authentication" and some tedious time spent in exim.conf, exim.conf.localopts and verifying your MAILHELO and /etc/mail_reverse_dns. The only downside is that you have to give up DomainKeys Signatures if you want support for DKIM.

Code:

2010-12-24 16:14:43 H=localhost.localdomain (webmail.nwtechgroup.com) [127.0.0.1] Warning: Sender rate 23.0 / 1h

2010-12-24 16:14:44 1PWHmV-0001L9-UI <= john@nwtechgroup.com H=localhost.localdomain (webmail.nwtechgroup.com) [127.0.0.1] P=esmtpa A=dovecot_login:john@nwtechgroup.com S=1206 id=b1eacef86e96334e4c505a8d303a6d5c.squirrel@webmail.nwtechgroup.com

2010-12-24 16:14:44 1PWHmV-0001L9-UI Message signed with DKIM: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=nwtechgroup.com; s=default; h=Message-ID: Date: Subject:From:To: 
        Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        bh=Ikg14KprzypYlejwPLa35vaNVzy198CRaqAFEDIficw=; b=NNpIAwZgPcYrL
        oyV6cWD4UBZuFpjVg+rekMFxUJwx7e/5XfReZ2ah1OrghDJdUJ/ECyjuKrgFbz7v
        OfKWy/JPZabVfTpKcFg6YBIcT/tHVwGxKkM82VYo21R+Yzb23LPRKuwGeLyA3DEs
        VxTC0nZqUFCMlmH2xnqEYN5pyy6dFI=

2010-12-24 16:14:44 1PWHmV-0001L9-UI => ntgtest@www.brandonchecketts.com R=lookuphost T=remote_smtp H=www.brandonchecketts.com [207.210.219.125]
2010-12-24 16:14:44 1PWHmV-0001L9-UI Completed

Code:

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: john@nwtechgroup.com)
ID(s) verified: header.d=nwtechgroup.com
Canonicalized Headers:
    message-id:<3c9895b21ab83028e7ecb77bb86af47a.squirrel@webmail.nwtechgroup.com>'0D''0A'
    date:Fri,'20'24'20'Dec'20'2010'20'16:13:05'20'-0800'0D''0A'
    subject:'0D''0A'
    from:"N.W.'20'Technology'20'Group"'20'<john@nwtechgroup.com>'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    reply-to:john@nwtechgroup.com'0D''0A'
    mime-version:1.0'0D''0A'
    content-type:text/plain;charset=iso-8859-1'0D''0A'
    content-transfer-encoding:8bit'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=nwtechgroup.com;'20's=default;'20'h=Message-ID:Date:Subject:From:To:'20'Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;'20'bh=Ikg14KprzypYlejwPLa35vaNVzy198CRaqAFEDIficw=;'20'b=

Some adjustments to /etc/exim.conf:

Code:

remote_smtp:
  driver = smtp
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = /usr/local/cpanel/etc/exim/dkim.key
  dkim_domain = nwtechgroup.com
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}

I haven't had the time to go through ALL of the threads, so there may be a better workaround for this, I'm not sure. BUT, I'm now running this on three production environments, and Yahoo and the other freebies don't seem to be treating my clients' emails as SPAM anymore.

If this is of interest to anyone who would like to try it, just kick me an email. If this is of interest to enough people I will post a step-by-step. I am not employed by cPanel, I accept no responsibility for the outcome, yadda-yadda-yadda, so back up all your files before changing anything.

And, if this or something similar has been done already, great at least I was able to do it without any documentation or outside help.

[SoftDux]

Thanx for this post, I'm going to set it up on 2 problematic servers and see if it helps with the Yahoo blockage at all.

Would you say DKIM works better than DomainKeys?