Security issues with mail server on a personal website.

tekra · 09-10-2016, 07:39 PM

I run a few small personal sites on a server using Lx with a Cpanel front end. Generally speaking the service is very good, but I've just received an embarrassing tip from an email list I recently joined:

Code:

Your misconfigured mail server is causing some subscribers servers to reject your messages,
and this is causing them to unsubscribe from the mailing list.

Here is and example of the bounce message:

<xxxxxxx@xxxxxx.co.uk>: host xxxxxxx.co.uk[XX.XX.XX.XX] said:
550-DKIM: encountered the following problem validating
52midnight.com: 550 pubkey_unavailable (in reply to end of DATA
command)

I immediately moved to a different subscription EmAdr, but need to fix the issue. I found a Cpanel page (Email::Encryption for those familiar with Cpanel) and generated a PGP key. My understanding is that many mail servers today require the exchange of keys for validation, and block non-compliant messages.

The worst part is that the emails were NOT returned to me, so I was unaware of the issue: they seem just to have been dropped, leaving me wondering how many other of my emails have quietly disappeared into cyberspace.

I formally detest the world's new obsession with fanatical levels of security and until now have tried to ignore it. Looks like I'll have to relent.

Does anyone know of GOOD documentation and/or literature describing the current state of play in this area. The biggest difficulty I face is how to test that my "fix" did actually FIX things.

IRJustman · 09-11-2016, 05:57 PM

Quote:

Originally Posted by tekra

I run a few small personal sites on a server using Lx with a Cpanel front end. Generally speaking the service is very good, but I've just received an embarrassing tip from an email list I recently joined:

Code:

Your misconfigured mail server is causing some subscribers servers to reject your messages,
and this is causing them to unsubscribe from the mailing list.

Here is and example of the bounce message:

<xxxxxxx@xxxxxx.co.uk>: host xxxxxxx.co.uk[XX.XX.XX.XX] said:
550-DKIM: encountered the following problem validating
52midnight.com: 550 pubkey_unavailable (in reply to end of DATA
command)

I immediately moved to a different subscription EmAdr, but need to fix the issue. I found a Cpanel page (Email::Encryption for those familiar with Cpanel) and generated a PGP key. My understanding is that many mail servers today require the exchange of keys for validation, and block non-compliant messages.

The worst part is that the emails were NOT returned to me, so I was unaware of the issue: they seem just to have been dropped, leaving me wondering how many other of my emails have quietly disappeared into cyberspace.

I formally detest the world's new obsession with fanatical levels of security and until now have tried to ignore it. Looks like I'll have to relent.

Does anyone know of GOOD documentation and/or literature describing the current state of play in this area. The biggest difficulty I face is how to test that my "fix" did actually FIX things.

The "fix" as you call it will not work. This has absolutely nothing to do with encryption at all, but rather, signing and signature verification. And it does not use PGP or GPG, but will use something like OpenDKIM.

What you need to do is look up some references on DKIM and also have your DNS zone files available for editing since some of the key information for DKIM is published by way of DNS.

Since I'm a new user to this forum, while I would post a URL, I can't as this is only my second post. Instead, I'll suggest you google the terms "how to set up dkim cpanel". Also, you may wish to include your distribution's name in the search terms as well.

As for cPanel, I know nothing about it, so I'm sorry, I can't offer any help. I'm far more accustomed to wrangling things directly with a root prompt, a text editor, and the applications' own tools and any ancillary third-party tools where applicable.

As for your detestation, yes, I do realize it is a royal pain in the keister, but given the crazy things people do these days, it's prudent to set up as many countermeasures as possible.

tekra · 09-11-2016, 06:26 PM

Thanks very much for a thoughtful and enlightening reply.

> The "fix" ... has absolutely nothing to do with encryption ... it does not use PGP or GPG, but ... OpenDKIM.

I've realized that there's a heap of reading to be done if I'm to get across all this. None so far has given me the top-level overview I'm seeking, especially such things as who promulgated what appear to be a heap of new standards, and why. My first searches (on Google) turned up volumes of info on Google's own new email protection methods (if they don't yet own the Net, it won't be long ...). Finally found what looks to be a good diagnostic site (my immediate concern):

http://mxtoolbox.com

> Since I'm a new user ... I would post a URL, I can't

Hang in there: people like you are too valuable to lose.

> "how to set up dkim cpanel" ... include your distribution's name

So you're confirming that the immediate issue is related to DKIM? That's a good start. By 'distro' I take it you mean what's used to run the email server, apache/enim on Linux.

> As for cPanel, I know nothing about it, so I'm sorry, I can't offer any help.

Not a problem: it's basically just a very classy GUI to standard CLI site management tools, along with a heap of "extras".

> I'm far more accustomed to wrangling things directly with a root prompt, a text editor, and ...

It'll always be the TRUE way of doing things, but can be a pain when you only turn to the task at long intervals. After a year or two you forget so much ...

> given the crazy things people do these days, it's prudent to set up as many countermeasures as possible.

Wouldn't mind betting that a lot of the crazies are paid by the Inet/software industry to drum up business for them. Where would John McAfee be without the bug-ridden dominance of M$, Visual Basic, Outlook etc etc?

I'll post back here once I've nailed things out a bit - may be others who find it useful to judge by the View count.

Thanks again.