cPanel's crippled DKIM implementation

LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
G'day All,

There's been a feature request outstanding for 5 years about this, which is unfortunately all too common for cPanel's handling of feature requests...

https://features.cpanel.net/topic/dkim-support-for-custom-selector

The current validation process for DKIM before signing outgoing email (added in v78 I believe) has exacerbated the problem, since even kludgy workarounds directly via exim.conf are now ineffective.

Previously, overriding the "dkim_selector = default" statement was enough to solve the issue, but now a full validation is performed with a DNS lookup before signing is allowed. Even if the dkim_selector value is changed within exim.conf, the validation is still performed against default._domainkey in the authoritative DNS zone no matter what value is set for dkim_selector in exim.conf.

We have many clients who send via our servers and also via external cPanel based servers. Both ourselves and the external services are limited by cPanel's implementation to use only the "default" selector.

To allow DKIM signing by ourselves and the external services, separately named DKIM selectors are required. It's obviously not possible to create two default._domainkey records in the one zone.

The need for DKIM selector naming is explained very well in the "What is a DKIM selector" section of...

http://www.dkim.org/info/dkim-faq.html

This feature request is not a luxury item by any means. It's a basic feature of DKIM itself. The fact that cPanel still doesn't comply with the basic idea of the system is truly frustrating.

Come on cPanel, please!

In the interim, if anybody has a workaround that *truly* is functional since the introduction of the extra pre-validation, please do share.

Best regards,

LBJ
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
So changing the way the feature request site is handled is a big project that is ongoing currently and I believe you'll soon see a lot more communication on the existing requests, as they begin to go through them. I will say at the beginning of this project they're focusing on the high activity requests primarily but it will affect all requests. That being said I feel like this information would be best served added in the comments of this case. If you do that please let me know, I'll pass it on to the team responsible but also activity there shows continued interest.

As far as the issue you're running into, is the problem that you want to be able to sign with different selectors or that you need to be able to add custom DKIM records?
 

LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
G'day cPanelLauren,

> That being said I feel like this information would be best served added in the comments of this case.
I did that at the same time as raising this post. My comment, which is basically the same text as above, is still sitting marked as "On Moderation". I see that happen a *lot*.

> is the problem that you want to be able to sign with different selectors or that you need to be able to add custom DKIM records
The issue is related simply to cPanel's hard-coded use of a server-wide DKIM selector of "default" for all cPanel installations. Minimally, this value should be user configurable per server in compliance with DKIM's basic philosophy.

Best regards,

LBJ
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Right, I understand your issue with it but what I'm asking is what you'd like to accomplish. My reason for asking is that none of this is set in stone, the automated DKIM creation does only use the one selector but there is literally nothing stopping you from using your OWN dkim public/private keys should you need to.

As far as moderation for the feature request goes and comments on it - I know they have a process for it and will approve posts that are helpful to the discussion, I do believe they've approved yours as well.
 

Daniel Tyghbn

Registered
May 19, 2020
United States
cPanel Access Level
Reseller Owner
> what I'm asking is what you'd like to accomplish. [snip] there is literally nothing stopping you from using your OWN dkim public/private keys should you need to.
Hi Lauren,

Thanks for engaging with us on this. The original feature request was to be able to specify our own DKIM selector instead of being forced to use "default". That is what we want to accomplish.

It's nice that we can also provide our own DKIM public/private keys, but that then necessitates synchronizing keysets between all the different servers. That is a mess: It's prone to errors and security screwups. It would be much cleaner to just have each domain on a cPanel account be able to specify its own DKIM selector.

LBJ is correct that this is in the DKIM specification. cPanel should implement the specification. Just make it easy for end users to change the DKIM selector for each domain directly in their cPanel, without having to dig into config files that they might not even have direct access to.

Thank you!
Daniel
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
I feel like I need to clarify here. I don't disagree that this should be configurable. Your feedback on that like I've mentioned already is best placed in the feature request thread for this. What *I* can do here is attempt to provide you with a solution that works for you in the meantime as well as clarify how cPanel & WHM obtain the data.

I cannot change this feature nor can I from the forums say that something should be actioned on. I can and will ensure the appropriate teams know about this thread but the best way to do this is to post your concerns in the feature request thread where all discussion that moves the thread forward, evidences the usefulness and need of the feature will be approved and make its way to the correct team as swiftly as possible. If you experience an issue where your comment is sitting in moderation for an extended period of time I can reach out to the responsible parties and ensure it didn't get overlooked on your behalf as well.

Furthermore, to add public/private keys for custom DKIM it's not necessary to dig into conf files but it is something that the administrator would need to do.
 

LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
G'day cPanelLauren,

> As far as moderation for the feature request goes and comments on it - I know they have a process for it and will approve posts that are helpful to the discussion, I do believe they've approved yours as well.
Actually, my original feature request post was left "On Moderation" for a few days and was then deleted. I subsequently raised a new post which pointed to this thread, and that was eventually approved.

> Right, I understand your issue with it but what I'm asking is what you'd like to accomplish. My reason for asking is that none of this is set in stone, the automated DKIM creation does only use the one selector but there is literally nothing stopping you from using your OWN dkim public/private keys should you need to.
I understand we can still modify keys, but we can no longer effectively change the "default" selector since the new verification logic makes a hard-coded assumption that the selector will always be "default._domainkey".

Again, the crux of the matter is...

> The issue is related simply to cPanel's hard-coded use of a server-wide DKIM selector of "default" for all cPanel installations. Minimally, this value should be user configurable per server in compliance with DKIM's basic philosophy.

There's no suitable workaround for not being able to specify a unique selector when a client uses two SMTP servers for sending and requires DKIM functional on both MTAs.

Sharing private keys with an external server administrator who is also locked into using "default._domainkey" as a selector is not a solution. It's nice that we can modify keys, but it's essential that we can modify the selector.

I see that some other administrators would like the option to set selectors on a per domain basis, but for our own company, we'd be quite content with simply being able to use a unique selector on a per server basis.

Best regards,

LBJ
 

LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
G'day cPanelLauren,

> Furthermore, to add public/private keys for custom DKIM it's not necessary to dig into conf files but it is something that the administrator would need to do.
Thanks very much for your input, but again, manipulation of the keys themselves is not a solution for being locked into one selector of "default._domainkey" for every cPanel server in the world due to the new validation logic which makes a hard-coded assumption about the name of the selector record in the DNS zone.

Best regards,

LBJ
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
> Actually, my original feature request post was left "On Moderation" for a few days and was then deleted. I subsequently raised a new post which pointed to this thread, and that was eventually approved.
Yea, I talked to them about this today, and they have no way to go back through - they only had the 14 hour old one - I don't know what was said in this initial request or why it was removed but I can say that linking to this thread here only would normally also be removed. If the request is productive from what I understand it should be approved. Can you tell me what was said in your comment and I'll bring it up internally?

> I understand we can still modify keys, but we can no longer effectively change the "default" selector since the new verification logic makes a hard-coded assumption that the selector will always be "default._domainkey".
You're right for the auto-generated TXT record and keys but you can create your own DKIM record with any selector and add it (the txt record and public/private keys)

DKIM Core Technical Specification - provides instructions on how to create the TXT record and private/public keys manually on your server using openssl, again, I realize that this is the thing you're trying to get WHM & cPanel to do automatically - this is just a way to work around the selector limitation for that process in the meantime as even if this was something picked up today it would not be immediately changed.

Again, this is not something set in stone, it's just the automated creation within cPanel/WHM which has the default limitation. cPanel & WHM does not manage the validation process for any selectors as far as I am aware.
 

LBJ

Well-Known Member
Nov 1, 2003
cPanel Access Level
DataCenter Provider
G'day cPanelLauren,

> You're right for the auto-generated TXT record and keys but you can create your own DKIM record with any selector and add it (the txt record and public/private keys)
Yes, we can of course create whatever domainkey records in the zone we like to, but unless the validity_cache check passes the configuration, no DKIM signing occurs during sending.

In turn, the validity_cache update which runs each day will remove any domain from the validity_cache list if validation of the private key / public key / DNS zone selector fails.

With the current processing, that validation is always processed assuming the selector in the zone will be only "default._domainkey".

System administrators simply require the ability to set different domainkey selectors for each cPanel box.

Best regards,

LBJ
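
As an added illustration (not part of any post in this thread and not cPanel code): the manual openssl route mentioned above for publishing a record under a per-server selector, together with a check that a published TXT record matches a private key. The selectors `srv1`/`srv2`, the domain `example.com` and the temporary paths are constructed; whether cPanel then signs with such a selector is the point disputed in the thread.

```bash
# Added example. Selectors (srv1, srv2), domain and paths are constructed.

# Base64 DER public key for a private key file: the value of the p= tag.
dkim_pubkey_b64() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# TXT record data for a key, split into quoted strings of at most 200 bytes
# (a single DNS character-string is limited to 255 bytes).
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s' "$(dkim_pubkey_b64 "$1")" |
        fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' '
}

# Zone-file line: dkim_zone_line SELECTOR DOMAIN KEYFILE
dkim_zone_line() {
    printf '%s._domainkey.%s. IN TXT ( %s )\n' "$1" "$2" "$(dkim_txt_value "$3")"
}

# Succeeds only if the p= tag in TXT data (as returned by a DNS lookup)
# equals the public half of the private key file.
dkim_record_matches_key() {
    local published expected
    published=$(printf '%s' "$1" | tr -d '" \t\n' | tr ';' '\n' | sed -n 's/^p=//p')
    expected=$(dkim_pubkey_b64 "$2")
    [ -n "$expected" ] && [ "$published" = "$expected" ]
}

# Demo: two servers, two selectors, one zone.
dkim_demo() {
    local dir; dir=$(mktemp -d)
    for sel in srv1 srv2; do
        openssl genrsa -out "$dir/$sel.key" 2048 2>/dev/null
        dkim_zone_line "$sel" example.com "$dir/$sel.key"
    done
    dkim_record_matches_key "$(dkim_txt_value "$dir/srv1.key")" "$dir/srv1.key" &&
        echo "srv1 record matches srv1 key"
    dkim_record_matches_key "$(dkim_txt_value "$dir/srv2.key")" "$dir/srv1.key" ||
        echo "srv2 record does not match srv1 key"
    rm -rf "$dir"
}
```

Calling `dkim_demo` prints two zone lines that can sit side by side in one zone, each private key staying on its own server.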
 

Daniel Tyghbn

Registered
May 19, 2020
United States
cPanel Access Level
Reseller Owner
> System administrators simply require the ability to set different domainkey selectors for each cPanel box.
Yes, this is what we've been asking for at https://features.cpanel.net/topic/dkim-support-for-custom-selector for five years.

We appreciate your advocacy for us Lauren. Thank you for encouraging your development colleagues to implement this critical ability to specify the DKIM selectors as the specification intends.

Be well,
Daniel