Emails plays a major role in today’s business, one must be keen to preserve the authenticity of mails they sent to the users and fail to do so may result in getting your mail server IP blacklisted and mails ends-up in users junk folder and they die!

This post is not a perfect guide to prevent you from getting blacklisted by the spamcops, but a few tips that could save your “Time” and “Reputation”.

1) All email is filtered against published blacklists of spam servers. Check whether your mailserver IP is already blacklisted : http://www.mxtoolbox.com/. If listed, take necessary actions to remove it. You can temporarily switch the mail server IP to get the mails moving until your regular IP is released.

2) All mails will be filtered based on certain rules. It looks for senders email address, mail subject line and words on the message content. Avoid using blank subject line and using common spammers words like “offer, discount, sale, free etc… There are a lot more..

3) Maintain a regular time intervals while sending mails to a particular sender. This could be setup on exim configuration file. (Needs admin privileges)

4) Enable SPF:
Sender Policy Framework (SPF), is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS for that domain. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

If SPF record is enabled for a domain, spammers and phishers are less likely to forge e-mails pretending to be from that domain. Spam filters now check for SPF records and hence eliminate the chance of forged mails, spams. Hence an SPF protected domain is less attractive to spammers and phishers and is less likely to be blacklisted by spam filters and ligitimate mails will go through.

SPF keeps the detail of the machine which is only authorized to send mails for that particular domain. This is done by adding additional a TXT record to their existing DNS records. Mail receivers that checks for SPF records check the domain DNS and finds whether the server is allowed to send mails for that domain.

The key issue in SPF is the specification for the new DNS information that domains set and receivers use. Eg is :

example.com. IN SPF “v=spf1 a mx -all”

“v=” defines the version of SPF used. “v=” defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The “a” and “mx” specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected.

On a cPanel server, one can easily enable SPF records.

Login to cPanel account for that particular domain ==> Email Authentication ==> Scroll down to SPF section ==> and Click on Enable.

Enable SPF :

SPF record on Domain DNS.

5) Enable SenderID:

SenderID is also an anti-spoofing method to save emails from Junk. SenderID is heavily based on SPF with a few additions. Like in SPF, DNS entries are used on the domain DNS to ensure the authenticity of emal. But they differ on what rules they apply to what fields contained in the message header.

How SenderID works:

• Sender sends an e-mail to Receiver.
• Receiver’s inbound e-mail server receives e-mail and calls its Sender ID Framework.
• The Sender ID Framework looks up the SPF record of the domain that Sender is using for sending the mail.
• The receiving Mail Transfer Agent (MTA) determines if the outbound Mail Server IP address matches IP addresses that are authorized to send mail for the user

DNS entry for SenderID enabled domain looks like,

You can Generate SenderID from here : http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

6) Enable Domain Keys:

DomainKeys is the branded name created by Yahoo. It has been introduced by Yahoo to fight against spams. DomainKeys is a PGP-like (Pretty Good Privacy) protocol for validating and authenticating an email. This system includes the creation of a public and private key. You keep your private key private and give your public key to your trusties. We encrypt data with our private key and users can decrypt messages with our public key.  This prevents others from seeing our data. Domain Keys takes this idea one step further. Instead of encrypting the email, it encrypts the email headers and creates a hash value from that encryption. The hash value is send/placed in the email header. When a site receives an email, it locates the public key which is located in the DNS server for the user listed in the From: line of the email and encrypts the email once again to compare the hash value.  If the hash values match after the second encryption test, the email passes validation.

DomainKeys is an system that allows for incoming mail to be checked against the server it was sent from to verify that the mail has not been modified and thereby ensures that messages are actually coming from the listed sender and allows abusive messages to be tracked with more ease.

Yahoo check for domankeys  on a domain if they are requested to whitelist the IP. Below are the steps to enable DomanKeys on a cPanel server.

DNS entries for DomainKeys and SPF

Once DomainKeys are enabled you can check whether it is setup correctly by sending a test mail addresses set up to  dk@dk.crynwr.com

7) Enable DKIM :

DKIM is the result of combining Yahoo’s DomainKeys technology with Identified Internet Mail which was developed at Cisco which is another methodology of PGP-like technique.
DomainKeys and DKIM sounds similar but there are different. DKIM was created to provide a more robust solution that would survive more types of modification to which messages are frequently subjected. DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

DKIM is not available as a ready-made option in cPanel server till now. If you are running an VPS and know basic administration, you can get it enabled. Login to the server via SSH and check if if exim is compiled with DKIM support enabled.

root@server # /usr/sbin/exim -dd 2>&1 | grep Experimental_DKIM

Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS
Experimental_DomainKeys Experimental_DKIM

Generate the SSL keys

cd /usr/local/cpanel/etc/exim

openssl genrsa -out dkim.key 1024

openssl rsa -in dkim.key -out dkim.public -pubout -outform PEM

You will find two keys, dkim.key & dkim.public

Open dkim.public and copy the contents excluding the –Begin– and –End– section. This is your DKIM key.  Now open exim configuration file and append the below entries under the section ‘remote_smtp’

Sample file:
vi /etc/exim.conf

remote_smtp
driver = smtp
dkim_domain=your_domain_name.com
dkim_selector=mail
dkim_private_key=/usr/local/cpanel/etc/exim/dkim.key #path to the dkim.key key.
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}
{$primary_hostname}}

Now on WHM, open DNS editor for the particular domain and add the TXT entry with DKIM key like below.

mail._domainkey.example.com. IN TXT "v=DKIM1;g=*;k=rsa; p=GIGmGA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDv4PSEG9PcxlI2tRojAUQ9hpRQ0Zj/XG4SK08/DrhG/CaspJAKZm9rZDAw18TrmuXeRgsGWAdS2vJ4Oa/kXqX0NG2eBJcGasu4GeNXANGXvC1uGz+8GC6rEPlE/Ucau4tGAHOZL0HJ9IDd/PIxoTkeTG3GjGeqvKBLbdvVIDXbcQIDAQAB"

Here p=the_key_you_have_copied_from_dkim.public

Restart exim and named services.

/scripts/restartsrv exim

/scripts/restartsrv named

To check whether DKIM is setup properly, send a mail to dkimtest@atmail.org , if setup properly, you will get a reply like below ,else a failure message.
———————
Subject:    AutoReply from dkimtest@atmail.org
From:    spftest@example.com
Date:    Fri, Jul 9, 2010 10:27 pm
To:    spftest@example.com
*** DKIM TEST SUCCESSFUL ***
———————-

8 ) Join JMRP :

JMRP/Junk Mail Report Program is a free service to provide reports on junk e-mail issues reported by Windows Live Hotmail users. You can use this free service to which is developed commercial mailers and e-mail administrators to identify/fix issues in sending mails to hotmails ID’s. JMRP returns the full message with headers of any e-mail marked as “junk” or “phishing” by a recipient.  Provides senders an opportunity to clean their e-mail lists and improve the quality of their content and helps identify potential problems with your marketing practices and content and also improves sender reputation by removing unwanted subscribers from lists.

You can join LMRP from here : http://bit.ly/JMRP

N:B :- Mail server mentioned here is cPanel Exim, you may replace this with any other mail server.

Tweet This Post

How to solve this

Pre-Requisites : You should have Shell access (as root) to the Node server.

Mostly this happens due to inode issue. The inodes allocated to the server maybe full. inode is a data structure on a traditional Unix-style file system such as UFS. An inode stores basic information about a regular file, directory, or other file system object.

Steps

Say we are logged into the Node Server. There we are going to list all the Containers existing on the Hardware Node. By default, only running Containers are shown.

[root@linuxvps1 ~]# vzlist -a
CTID    NPROC STATUS   IP_ADDR        HOSTNAME
100     18  running    100.20.11.111  WEB.EXAMPLE.COM
101     63  running    100.20.12.203  -
102     169 running    100.20.92.182  server2.example.com
103     81  running    100.20.56.169  example.net
78965   236 running    100.20.77.204  server1.example.com

Assume your container is 103. So simply enter into 103 by this command

[root@linuxvps1 ~]# vzctl enter 103

Check if the inodes are full in the container

[root@linuxvps1 ~]# df -i

Most Probably it should display something like this :

Filesystem      Inodes      IUsed        IFree     IUse%      Mounted on
/dev/vzfs       200000      200000       0         100%       /
none            65536       95           65441     1%         /dev

Bang ! The inodes on /dev/vzfs mounted on / are full. You’ve to go nowhere else to see why that error was delivered. A simple solution will work out, you’ve to increase the inode limit. You’ve two options, either through Shell or through the Node Control Panel (like Parallels Infrastructure Manager)

First we will go through Shell mode with this command :

$ vzctl set veid --diskinodes softlimit:hardlimit 

Where ‘veid’ is the VPS ID

root@linuxvps1 ~]# vzctl set 103 --diskinodes 7680100:7680200

Second we are going for Node Control Panel. In the infrastructure, you will see your VPS with a ! sign. That indicates your VPS is having some sort of issue.

So you’ve seen the Alert. Next access the VPS, go to Resources tab. I’m sorry to tell you that I grabbed this screenshot after resolving the issue, but it will help you anyway

You should see the ‘Disk Inodes’ is full under ‘Disk Usage’ category (Here it is not !). Next Click Configure to settle this one

See the Highlighted part, the inodes should be limited to some size. Increase it or remove the check mark to make it unlimited.  Make sure you save the changes. Now try again accessing cpanel/WHM/Webmail. It should load with out any issues.That makes a smile in your face, isn’t it ?

Tweet This Post

Issue reported in the phppGAdmin page was

FATAL:  password authentication failed for user "cPanel_username"
FATAL:  permission denied for database "template1"
DETAIL:  User does not have CONNECT privilege.

Solution

# su - postgres
-bash-3.2$ psql
psql (8.4.2)
Type "help" for help.

postgres=# alter user cPanel_username with password 'password_here';
ALTER ROLE
postgres=# alter user cPanelusername_username with password 'password_here';

Check for issues in /var/lib/pgsql/pgstartup.log . That is where postgreSQL throws out errors which will be helpful in debugging the issues.

In prior releases, template1 was used both as a default connection for utilities like createuser, and as a template for new databases. This caused CREATE DATABASE to sometimes fail, because a new database cannot be created if anyone else is in the template database. With this change, the default connection database is now postgres, meaning it is much less likely someone will be using template1 during CREATE DATABASE.

Also, do change the postgresql configuration file of cPanel installation, /usr/local/cpanel/base/3rdparty/phpPgAdmin/conf/config.inc.php

Look for

$conf['servers'][0]['defaultdb'] = 'template1';

and change it to

$conf['servers'][0]['defaultdb'] = 'postgres';

Don’t forget to chattr also. BTW now a days, cPanel is intelligent enough to detect and remove the chattrs also .

Tweet This Post

Ben Thomas from cPanel has a script written for it, which I am sharing here. Weird fact is that you won’t see this anywhere in a cPanel server, not even in /scripts folder. So why wait ? download the file below and help your customers next time, the easy way

http://www.supportsages.com/blog/wp-content/uploads/2009/05/horde_settings_transferpl.gz

Usage is as below,

./horde_sql_transfer.pl -u <username> -d <data dir> -o <archive | restore>

Tweet This Post