Control Web Panel
WebPanel => E-Mail => DKIM => Topic started by: Vinayak on March 09, 2023, 04:59:12 PM
-
Any documentation or know how for implementing 2048 bit DKIM keys by default on Control Web Panel servers?
National Institute of Standards and Technology (NIST) recommends 2048 bit keys for DomainKeys Identified Mail (DKIM), so does a client of mine on a CWP VPS dedicated to this client only.
So is there a way to make 2048 bit DKIM keys installed by default on all accounts?
-
Have you looked at OpenDKIM?
https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/
-
My question is not about installing and configuring DKIM, my question is about how to implement 2048 bit DKIM keys by default on Control Web Panel servers.
-
The takeaway from that tutorial I linked to was to use opendkim-genkey with the -b bits option:
-b bits
(--bits=n) Specifies the size of the key, in bits, to be generated. The upstream
default is 1024 which is the value recommended by the DKIM specification, but in
Debian the default is 2048 based on more current recommendations such as those from
NIST 800-177.
So,
opendkim-genkey -b 2048
is what you are looking for...
-
When setting up an account/domain, what part/script of CWP handles generation and setting up of DKIM?
I would like CWP to automatically generate/implement 2048 bit DKIM keys by default.
Also is there a way to replace all existing 1024 bit records with 2048 bit DKIM keys?
-
Here's a shot in the dark, since I am sticking with the default 1024 for the time being.
/etc/opendkim.conf
MinimumKeyBits (integer)
Establishes a minimum key size for acceptable signatures. Signatures with smaller key sizes, even if they otherwise pass DKIM validation, will be marked as invalid. The default is 1024, which accepts all signatures. A value of 0 causes the default to be used.
-
So is there a way to make 2048 bit DKIM keys installed by default on all accounts?
I have tried over Postfix Mail Manager and it didn't work.
So I had to edit the DNS settings at my domain registrar.
I am using PHPMailer for emails from my website, so I found the related answer here:
https://medium.com/@djaho/how-to-create-dkim-keys-and-use-them-with-phpmailer-a6003449c718
There is a section where you can find the procedure and use it over SSH on your server (if you have access) to generate the 2048-bit DKIM key.
There are two command lines which you can use to generate a 2048-bit password-protected private key file and a (non-password-protected) public key file.
-
Hello,
Can anyone make a tutorial for using 2048-bit DKIM in CWP?
Many mail servers put email in SPAM, especially Google.
Or can anyone modify the CWP script to generate 2048-bit keys?
Thank you
-
Many mail servers put email in SPAM, especially Google.
Just sent a test email from my CWP server to my email address at Gmail. It was received and not marked as spam. The email was signed by a 1024-bit DKIM record.
I think your emails are marked as spam and/or rejected by Gmail and other mail servers for some other reason:
1. The IP address of your server is blacklisted/has a bad mail reputation;
2. The DKIM record of your domain is incorrect or absent;
3. The SPF record of the domain you send the emails from is incorrect/absent;
4. Misconfiguration of the PTR/RDNS record.
-
Many mail servers put email in SPAM, especially Google.
Just sent a test email from my CWP server to my email address at Gmail. It was received and not marked as spam. The email was signed by a 1024-bit DKIM record.
I think your emails are marked as spam and/or rejected by Gmail and other mail servers for some other reason:
1. The IP address of your server is blacklisted/has a bad mail reputation;
2. The DKIM record of your domain is incorrect or absent;
3. The SPF record of the domain you send the emails from is incorrect/absent;
4. Misconfiguration of the PTR/RDNS record.
This thread is not about finding reasons, it's about "How to implement 2048 bit DKIM keys on CWP servers".
2048 bit DKIM is the new standard today, developers of CWP and we the users must move toward implementing 2048 bit DKIM out of the box by default.
-
Many mail servers put email in SPAM, especially Google.
Just sent a test email from my CWP server to my email address at Gmail. It was received and not marked as spam. The email was signed by a 1024-bit DKIM record.
I think your emails are marked as spam and/or rejected by Gmail and other mail servers for some other reason:
1. The IP address of your server is blacklisted/has a bad mail reputation;
2. The DKIM record of your domain is incorrect or absent;
3. The SPF record of the domain you send the emails from is incorrect/absent;
4. Misconfiguration of the PTR/RDNS record.
I understand, but my problem is:
Sometimes, when I send an email to a domain that has email on Google Apps, the first mail arrives in SPAM, after that email is delivered to the Inbox.
I have everything set up, DKIM is OK, SPF and also PTR.
But my question is: can CWP do something about this?
Because another panel has already implemented 2048-bit DKIM.
Thank you
-
opendkim-genkey is a Perl script. You can open the file /usr/sbin/opendkim-genkey using a text editor like vi, ee, etc. and change the value of "bits":
my $bits = 1024;
to
my $bits = 2048;
right under "Set up defaults".
It will generate 2048-bit keys by default.
Please note you make such changes at your own risk.
-
You can create a signing pair at 4096 bits if you so desire:
https://www.transip.eu/knowledgebase/using-dkim-with-postfix/
(But maybe study the utility of such a change and its effects -- computationally expensive.)
-
opendkim-genkey is a Perl script. You can open the file /usr/sbin/opendkim-genkey using a text editor like vi, ee, etc. and change the value of "bits":
my $bits = 1024;
to
my $bits = 2048;
right under "Set up defaults".
It will generate 2048-bit keys by default.
Please note you make such changes at your own risk.
So, yes, it is working, it generates a 2048-bit DKIM key, but the problem is when the script adds the DNS record, it breaks at the first quote and does not continue to the second part.
Can we make some adjustment for this "bug"?
Thank you
-
If the above solution doesn't work and causes the problem, then you need to undo the changes and use the CWP Hooks:
https://wiki.centos-webpanel.com/action-hooks
look at "Account Hooks". When a new domain/subdomain is added, your script should generate the DKIM key and put the proper DNS record into the DNS zone of the domain.
Please note it requires programming skills to write the script.
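The DNS insert that breaks at the first quote, and the hook script suggested above, both come down to handling opendkim-genkey's multi-string TXT output correctly. The following is an added example, not code from this thread or from CWP: it reads a constructed default.txt modelled on what opendkim-genkey -b 2048 writes, rebuilds the full record value, checks it, and re-splits it into 255-octet strings a zone file accepts. The selector name and the placeholder p= value are assumptions.

```python
import base64
import re

# Constructed sample modelled on the default.txt that opendkim-genkey -b 2048
# writes. The p= value is a placeholder string, not a real public key.
FAKE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "Q" * 342 + "IDAQAB"
SAMPLE_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=' + FAKE_P[:240] + '"\n'
    '\t  "' + FAKE_P[240:] + '" )  ; ----- DKIM key default for example.com\n'
)
QUOTED = re.compile(r'"([^"]*)"')

def join_genkey_txt(text):
    """Return (record name, full TXT value) from opendkim-genkey's .txt file.
    A 2048-bit key exceeds the 255-octet DNS string limit, so the value is
    spread over several quoted strings; a script that stops at the first
    closing quote keeps only "v=DKIM1; k=rsa; " and publishes a broken record."""
    name = text.split(None, 1)[0]
    return name, "".join(QUOTED.findall(text))

def dkim_tags(value):
    """Parse "v=DKIM1; k=rsa; p=..." into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def key_bytes(value):
    """Require a complete DKIM1 RSA record and return the decoded public key
    length in bytes (294 for a 2048-bit key); raise ValueError otherwise."""
    tags = dkim_tags(value)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("incomplete DKIM record: " + value)
    return len(base64.b64decode("".join(tags["p"].split()), validate=True))

def split_txt(value, limit=255):
    """Split a long TXT value into <=255-octet strings; DNS joins them again."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_line(name, value):
    """Render a BIND-style TXT record with the value correctly split."""
    strings = " ".join('"%s"' % s for s in split_txt(value))
    return "%s\tIN\tTXT\t( %s )" % (name, strings)
```

Running key_bytes on the value a hook is about to publish catches the truncated "v=DKIM1; k=rsa; " case before it reaches the zone, and zone_line gives a record that any DNS control panel or zone file can take.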
-
opendkim-genkey is a Perl script. You can open the file /usr/sbin/opendkim-genkey using a text editor like vi, ee, etc. and change the value of "bits":
my $bits = 1024;
to
my $bits = 2048;
right under "Set up defaults".
It will generate 2048-bit keys by default.
Please note you make such changes at your own risk.
-
Or I just do it manually.
You can use the DKIM Generator at:
https://dmarcly.com/tools/dkim-record-generator
And then update the files at /etc/opendkim/userkeys/
-
Or I just do it manually.
As another user wrote the question is:
it's about "How to implement 2048 bit DKIM keys on CWP servers".
2048 bit DKIM is the new standard today, developers of CWP and we the users must move toward implementing 2048 bit DKIM out of the box by default.
;)