Generate 1024-bit DKIM keys

Discussion in 'Workarounds and Optimization' started by Per Hlom, Apr 30, 2016.

  1. Per Hlom

    Per Hlom Registered

    Hi,

    I struggled a lot with the 2048-bit DKIM keys that cPanel insists on generating, but that few registrars allow you to paste into the TXT field.

    I solved it by hacking cPanel's generation script to reduce the key size, and I thought I'd post it here if it helps someone.

    Code:
    nano /usr/local/cpanel/Cpanel/DKIM.pm
    Around line 24, set the key size to 24:

    Code:
    our $_MYDNS_KEY_SIZE = 1024;
    Around line 192, comment out the existing lines and replace with versions that fix the key size:

    Code:
    #local $Cpanel::OpenSSL::DEFAULT_KEY_SIZE = $_MYDNS_KEY_SIZE if _nameserver_is_mydns();
    local $Cpanel::OpenSSL::DEFAULT_KEY_SIZE = 1024;

    #my $keysize_min = $Cpanel::OpenSSL::DEFAULT_KEY_SIZE;
    my $keysize_min = 1024;
    
    Basically, this is just a result of searching for "size" and replacing values.

    Then uninstall and reinstall:

    Code:
    /usr/local/cpanel/bin/dkim_keys_uninstall username
    /usr/local/cpanel/bin/dkim_keys_install username
    
    And then go to Edit DNS Zone to copy/paste the DKIM key. Remove the quotes. Now BulkRegister and NameCheap will accept it.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I've moved this thread to our "Workarounds" forum. Keep in mind that cPanel updates will overwrite the /usr/local/cpanel/Cpanel/DKIM.pm file, so you may need to manually patch it after each update until a resolution is reached on the remote DNS provider's interface.

    Thank you.
     
  3. BottNet

    BottNet Member

    Great workaround! This REALLY still needs to be addressed in CP itself, as A LOT of places do not accept anything over 1024, including ENom. CP should allow you to select the key type, 1024 or 2048, before generation. IMHO
     
  4. Xavier Crespin

    I agree, this issue needs a permanent fix ASAP, OVH DNS service does not support 2048 bit keys either.
     
    #4 Xavier Crespin, Jul 4, 2016
    Last edited: Jul 4, 2016
  5. letmein

    letmein Registered

    Although my external DNS servers accept 2048 bit keys perfectly, I noticed that Microsoft (live.com, hotmail.com, etc.) is unable and/or unwilling to verify 2048 bit keys (dkim=temperror), which forced me to lower the size of DKIM keys for domains that use online mail forms.

    To avoid having to edit certain settings after updates, I use this method to create keys per domain:
    1. in the user's home directory, generate a 1024 bit private and public key:
      Code:
      # openssl genrsa -out private.key 1024
      # openssl rsa -in private.key -pubout -out public.key
    2. back up your old key:
      Code:
      # mv /var/cpanel/domain_keys/private/domain.tld /var/cpanel/domain_keys/private/domain.tld.old
    3. move the newly generated private key to its proper location:
      Code:
      # mv /home/user/private.key /var/cpanel/domain_keys/private/domain.tld
    4. set ownership and permissions:
      Code:
      # chown root:mail /var/cpanel/domain_keys/private/domain.tld
      # chmod 640 /var/cpanel/domain_keys/private/domain.tld
    5. update your DNS record with the new public key that you will find in public.key:
      Code:
      # cat public.key

    Tested on CentOS 6.8 x86_64 with cPanel 60.0 (build 26).
     
    cPanelMichael likes this.
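
An added example, not part of letmein's post or of cPanel's tooling: it checks a pair produced by step 1 and turns `public.key` into the value that step 5 pastes into DNS (the PEM body without its BEGIN/END lines, prefixed with the DKIM tags). It also shows the size difference behind the thread: a single TXT character-string holds at most 255 bytes, which a 1024-bit key fits and a 2048-bit key does not. The function names and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names and the scratch directory are illustrative;
# the keys generated here are throwaway test keys, not production keys.

# Modulus size in bits of a PEM private key (hex digits of the modulus x 4).
key_bits() {
    m=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | cut -d= -f2)
    echo $(( ${#m} * 4 ))
}

# True when public.key ($2) was derived from the private key ($1).
pair_matches() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(cat "$2")" ]
}

# DKIM TXT value: PEM body without BEGIN/END lines or newlines, plus tags.
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(grep -v '^-----' "$1" | tr -d '\n')"
}

# A single DNS TXT character-string holds at most 255 bytes (RFC 1035).
fits_one_txt_string() {
    v=$(dkim_txt_value "$1")
    [ "${#v}" -le 255 ]
}

# Generate a throwaway key pair of size $2 (bits) in directory $1.
make_pair() {
    openssl genrsa -out "$1/private.key" "$2" 2>/dev/null &&
    openssl rsa -in "$1/private.key" -pubout -out "$1/public.key" 2>/dev/null
}

work=$(mktemp -d)
for bits in 1024 2048; do
    make_pair "$work" "$bits"
    pair_matches "$work/private.key" "$work/public.key" && echo "pair ok"
    echo "$(key_bits "$work/private.key") bits"
    if fits_one_txt_string "$work/public.key"; then
        dkim_txt_value "$work/public.key"
    else
        echo "value exceeds 255 bytes: publish it as several quoted strings"
    fi
done
rm -rf "$work"
```

Running `pair_matches` against the installed private key and the key published in DNS is a quick first check when a receiver reports a DKIM failure after a manual key swap.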
  6. lapsutrix

    lapsutrix Registered

    Hi letmein
    Thanks for that. Following this, everything is OK now, but when I send an email to gmail.com I see the error "DKIM: NEUTRAL with domain null".
    I have tested with dkimcore.org/c/keycheck, and it is OK.

    Do you know where the problem is and how I can check on it?

    thanks
     
    #6 lapsutrix, Jan 10, 2017
    Last edited by a moderator: Jan 11, 2017
  7. letmein

    letmein Registered

    I wouldn't rely on just one test. You can verify your settings with multiple parties like dkimvalidator.com and mail-tester.com. Enabling and keeping an eye on DMARC-reports may also provide more insight.

    Based on the single error (generated by which party? Google? what do other receiving parties say?) you posted, my guess would be that your SMTP does not sign your outgoing mails correctly or does not sign them at all.
     
    #7 letmein, Jan 14, 2017
    Last edited by a moderator: Jan 14, 2017