DKIM Support Added To Nodes Successfully - 11.28.52-RELEASE_50725

nwtg

Active Member
Dec 24, 2010
34
0
56
Portland, Oregon
cPanel Access Level
Root Administrator
Hi.

I'm usually helping people at WHT, but thought I would share this here as well.

I'm honestly not sure if this is old news by now, but I've been reading up here, especially This DKIM thread.

I've put together a workaround process to support DKIM signatures. It has worked in QA, and I just moved it to the production nodes today. I am running 11.28.52-RELEASE_50725.

Involves a bit of manual zone tweaking, a few unexpected tricks in cPanel "Email Authentication" and some tedious time spent in exim.conf, exim.conf.localopts and verifying your MAILHELO and /etc/mail_reverse_dns. The only downside is that you have to give up DomainKeys Signatures if you want support for DKIM.

Code:
2010-12-24 16:14:43 H=localhost.localdomain (webmail.nwtechgroup.com) [127.0.0.1] Warning: Sender rate 23.0 / 1h

2010-12-24 16:14:44 1PWHmV-0001L9-UI <= [email][email protected][/email] H=localhost.localdomain (webmail.nwtechgroup.com) [127.0.0.1] P=esmtpa A=dovecot_login:[email protected] S=1206 [email protected].com

[b]2010-12-24 16:14:44 1PWHmV-0001L9-UI Message signed with DKIM: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=nwtechgroup.com; s=default; h=Message-ID: Date: Subject:From:To: [/b]
        Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        bh=Ikg14KprzypYlejwPLa35vaNVzy198CRaqAFEDIficw=; b=NNpIAwZgPcYrL
        oyV6cWD4UBZuFpjVg+rekMFxUJwx7e/5XfReZ2ah1OrghDJdUJ/ECyjuKrgFbz7v
        OfKWy/JPZabVfTpKcFg6YBIcT/tHVwGxKkM82VYo21R+Yzb23LPRKuwGeLyA3DEs
        VxTC0nZqUFCMlmH2xnqEYN5pyy6dFI=

2010-12-24 16:14:44 1PWHmV-0001L9-UI => [email][email protected][/email] R=lookuphost T=remote_smtp H=www.brandonchecketts.com [207.210.219.125]
2010-12-24 16:14:44 1PWHmV-0001L9-UI Completed

Code:
Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: [email protected])
ID(s) verified: header.d=nwtechgroup.com
Canonicalized Headers:
    message-id:<[email protected]m>'0D''0A'
    date:Fri,'20'24'20'Dec'20'2010'20'16:13:05'20'-0800'0D''0A'
    subject:'0D''0A'
    from:"N.W.'20'Technology'20'Group"'20'<[email protected]>'0D''0A'
    to:[email protected]'0D''0A'
    reply-to:[email protected]'0D''0A'
    mime-version:1.0'0D''0A'
    content-type:text/plain;charset=iso-8859-1'0D''0A'
    content-transfer-encoding:8bit'0D''0A'
 [b]   dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=nwtechgroup.com;'20's=default;'20'h=Message-ID:Date:Subject:From:To:'20'Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;'20'bh=Ikg14KprzypYlejwPLa35vaNVzy198CRaqAFEDIficw=;'20'b=[/b]
Some adjustments to /etc/exim.conf:
Code:
remote_smtp:
  driver = smtp
  dkim_selector = default
  dkim_canon = relaxed
  dkim_private_key = /usr/local/cpanel/etc/exim/dkim.key
  dkim_domain = nwtechgroup.com
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
I haven't had the time to go through ALL of the threads, so there may be a better workaround for this, I'm not sure. BUT, I'm now running this on three production environments, and Yahoo and the other freebies don't seem to be treating my clients' emails as SPAM anymore.

If this is of interest to anyone who would like to try it, just kick me an email. If this is of interest to enough people I will post a step-by-step. I am not employed by cPanel, I accept no responsibility for the outcome, yadda-yadda-yadda, so back up all your files before changing anything.

And, if this or something similar has been done already, great at least I was able to do it without any documentation or outside help. :)