Symptoms
You have configured your cPanel server to use MailChannels as a smarthost.
When attempting to send messages you see errors regarding DKIM that may look similar to the following in the Exim log:
/var/log/exim_mainlog
2021-03-01 11:27:36 1lMABe-0001y3-Bw unable to open file for reading: /var/cpanel/domain_keys/private/example.tld
2021-03-01 22:43:12 1lMAhg-0007WO-Rd Tainted filename '/var/cpanel/domain_keys/private/example.tld'
Your server's Exim version is Exim 4.94. You can check this with the following command:
# whmapi1 installed_versions packages=1|grep exim:
exim: 4.94-1.cp1194
Description
With cPanel version 94.0.0 being released to current, this includes an update of Exim. Exim will be upgraded to version 4.94 as part of the cPanel update. This version is of Exim is included in the cPanel update tier "CURRENT." Exim changed how filenames are handled in some instances. One of the changes causes the tainted filename error to occur during the expansion of the specified file variables. This issue is a defect in Exim that has not yet been resolved at the time of writing this article.
Although this is a defect in Exim, cPanel has an internal tracking case: UPS-315
The following commit may resolve the issue once it has been published and officially pushed out through an update:
https://git.exim.org/exim.git/commitdiff/f7f933a199be8bb7362c715e0040545b514cddca
Workaround The MailChannels support team has published a workaround for this issue under the "Known Issues" section here:
MailChannels Support - cPanel DKIM configuration guide
If you are experiencing this issue but are not using MailChannels and their workaround does not work for you, you must reach out to your smarthost provider for specific instructions on how to workaround the issue.
We have had reports that replacing these lines of some configurations may resolve the issue for some situations. Please do not make any attempts to implement this modification if you are unsure how it works. You must contact a systems administrator with the skills, training, and expertise required to determine if this fix will work for your custom configuration.
Existing:
require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
Replacement:
require_files = "+/var/cpanel/domain_keys/private/${lookup{$sender_address_domain}dsearch{/var/cpanel/domain_keys/private/}}"
dkim_private_key = "/var/cpanel/domain_keys/private/${lookup{$dkim_domain}dsearch{/var/cpanel/domain_keys/private/}}"