DKIM Configuration

Ask questions about your setup or get help installing ZCS server (ZD section below).
BruceLeeRoy
Posts: 4
Joined: Sat Aug 18, 2018 11:56 am

DKIM Configuration

Post by BruceLeeRoy »

Having issues with DKIM failing after setting up on my Zimbra 8.7.11 Installation.

I was having issues with Yahoo accepting mail; as most of you probably already know, Yahoo has their own blacklisting and won't let email administrators know what they consider to be problems. Anyway, I decided it was time to configure DKIM since maybe this was the issue. I already had DMARC and SPF in place which seem to be working fine. I first used this guide:
viewtopic.php?t=60548 because I am using PowerDNS with BIND backend and I thought it would be simpler to have 1024-bit keys to paste into my BIND files.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing

Not really knowing how to test, I used MXToolbox and dmarcanalyzer.com which showed valid DKIM records. I then configured a different domain which also passed these tests. I assume this only checks the DNS record for accuracy and not the mail server. I then learned you could email a Gmail account to see if DKIM, SPF and DMARC passed. It did. I set up a third domain and thought everything was great, but then later discovered DKIM was failing in my tests to Gmail; I also found check-auth@verifier.port25.com which returns "wrong body hash: expected mLGvU9NouvLHDEKF7oHlNcsIC32n4gwRq8Y72gHdcd0=)"

So at one point it was working, I didn't change anything other than applying a few lines found here: https://wiki.zimbra.com/wiki/Bounces_from_Spam_Mail to reduce backscatter.

/opt/zimbra/libexec/zmdkimkeyutil -q -d mydomain.com shows the correct keys that I have in DNS but it still fails. Am I missing something?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: DKIM Configuration

Post by JDunphy »

BruceLeeRoy wrote:Having issues with DKIM failing after setting up on my Zimbra 8.7.11 Installation.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing

Not really knowing how to test,
I would go back to that link and find the section where opendkim-testkey is mentioned. You should be able to determine where the problem lies... DNS or ldap... /opt/zimbra/libexec/zmdkimkeyutil is just a perl script. I do see this:

Code:

  if ($bits < 2048) {
    print "Bit size less than 2048 is not allowed, as it is insecure.\n";
  } else {
    qx($keygen $subflag -b $bits -s $selector -d $domain -D /opt/zimbra/data/tmp);
  }

You mentioned using 1024, so perhaps it didn't work as you expected given that code check above. It should not be a big deal to add larger records; just use more lines but keep each TXT record under 255 for bind. I can't remember, but doesn't the tool generate all those lines you need anyway for bind? Just cut and paste them into your zone file. You could also modify that script if you want to use 1024.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DKIM Configuration

Post by L. Mark Stone »

In my experience the Zimbra dkim tools work fine, but...

The dkim dns record is longer than most dns providers can host in a single record, and each provider has their own method for splitting the record.

I suspect this is a dns, not Zimbra issue.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
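Both JDunphy's note about keeping each TXT string under 255 characters and Mark's point about providers splitting the record the same way come down to one detail of how DKIM keys are published. The following is an added example, not code from the thread or from Zimbra: it builds a BIND multi-string TXT record for a placeholder key (SAMPLE_P is a constructed base64 stand-in, not a real key; a real one comes from the zmdkimkeyutil -q output mentioned above), then reassembles the strings the way a verifier does and checks that the published p= still equals the signer's key. The selector and domain names are assumptions.

```python
import re

# Constructed placeholder standing in for a 2048-bit RSA public key in the
# base64 form the key tool prints; it is NOT a real key and not from the thread.
SAMPLE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "A0B1C2D3" * 44 + "IDAQAB"


def dkim_txt_value(public_key_b64):
    """The full TXT value for a selector record (RFC 6376 section 3.6.1)."""
    return f"v=DKIM1; k=rsa; p={public_key_b64}"


def split_txt_strings(value, limit=255):
    """Cut a TXT value into character-strings of at most `limit` octets.
    RFC 1035 caps each string at 255; the record as a whole may be longer."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def bind_record(selector, domain, public_key_b64):
    """Multi-string TXT record in BIND zone-file syntax (one string per line)."""
    strings = split_txt_strings(dkim_txt_value(public_key_b64))
    quoted = "\n".join(f'        "{s}"' for s in strings)
    return f"{selector}._domainkey.{domain}. IN TXT (\n{quoted}\n)"


def reassemble(strings):
    """RFC 6376 section 3.6.2.2: a verifier concatenates the strings with no
    separator, so a provider that drops or truncates a string corrupts p=."""
    return "".join(strings)


def parse_dkim_record(txt):
    """Split the tag=value list. Whitespace inside the base64 is folding
    whitespace and is ignored, so it is stripped from every value here."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def published_key_matches(strings, expected_p):
    """Compare what DNS hands a verifier with the key the signer holds."""
    tags = parse_dkim_record(reassemble(strings))
    return tags.get("v") == "DKIM1" and tags.get("p") == expected_p


if __name__ == "__main__":
    # "sel2018" and "example.com" are assumed names for the demonstration.
    print(bind_record("sel2018", "example.com", SAMPLE_P))
    strings = split_txt_strings(dkim_txt_value(SAMPLE_P))
    print("intact record matches signer key:", published_key_matches(strings, SAMPLE_P))
    # A provider that keeps only the first 255 characters publishes a key
    # that no verifier can use, even though the record "looks" present.
    print("truncated record matches signer key:", published_key_matches(strings[:1], SAMPLE_P))
```

The practical check is the last comparison: `dig +short TXT sel2018._domainkey.example.com` (or opendkim-testkey, as suggested later in this thread) should return strings that concatenate back to exactly the p= value the signer holds; anything shorter means the provider truncated the record.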
BruceLeeRoy
Posts: 4
Joined: Sat Aug 18, 2018 11:56 am

Re: DKIM Configuration

Post by BruceLeeRoy »

Yes, I have created the SPF, DMARC and DKIM records in both of my external DNS servers. When testing DKIM records with DMARC Analyzer, MX toolbox, and dkimcore.org, they all give valid DKIM core key and valid key records, which leads me to believe the DNS entries are working fine. It's also strange that it worked fine with the 1024 length key originally then suddenly stopped working.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: DKIM Configuration

Post by JDunphy »

My understanding was that you had it working. Then you added a new domain and it stopped working for that domain. This is based on your Gmail discussion above where it was working and then it stopped. Since the keys are in LDAP, you get to use the older and smaller 1024 keys as you upgrade and it keeps working. It is only when you attempted to generate a new key that you had to deal with the larger key issue for that domain, because with 8.7 they introduced longer keys and the base code changed to reflect this. Anyway, moving on... It might be helpful to look at your /opt/zimbra/conf/opendkim.conf file if you believe you have it all working... focus on which header is changing after it was signed.
Pay special attention to SignHeaders as those are the headers that you are signing... i.e. message-id,date,from,mime-version,to ... Next look at the Canonicalization (i.e. relaxed, strict, etc.)
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: DKIM Configuration

Post by JDunphy »

I forgot to mention... opendkim-testkey with -vvv might yield additional detail about your configuration. It sounds like you are fairly certain you have that properly set up and verified, so I am with Bill in guessing that you look at possible reasons for the message changing after you sign it. Generally, I just send to Gmail and look at my headers to see if I have it working, as the Zimbra tools have always worked in my experience. Another thing to look into... I have seen transparent proxying by some ISPs in the past as they intercept outgoing port 25 traffic and redirect it to themselves... you don't mention if that could be a possibility... You would be able to tell by looking at the email with your Gmail account if that has happened. We used to see this quite often with customer email clients that were not using the user submission port and the ISPs blocked or redirected their access. Running out of ideas here, so some of this could be far-fetched. :-)
BruceLeeRoy
Posts: 4
Joined: Sat Aug 18, 2018 11:56 am

Re: DKIM Configuration

Post by BruceLeeRoy »

After more testing I'm seeing more of a random pass/fail, with failures being about 80% of the time. But your last message got me thinking... I use EFA for spam filtering between Zimbra and the firewall, so that everything going out also passes through EFA. I also noticed EFA had a feature for DKIM and I didn't understand why, since I thought the mail server would do that. I enabled it at one time, but then removed it. Maybe I should try setting up DKIM there since that's the last place outgoing mail hits before the public IP?

Here's what's in my /opt/zimbra/conf/opendkim.conf

Canonicalization relaxed/relaxed
ReportAddress admin@zimbra.xxxx.net
SignHeaders message-id,date,from,mime-version,to


Here's a response from check-auth@verifier.port25.com. I don't understand why it has all the extra '20', '0D' and '0A' displayed, which look like ASCII values in place of spaces and CRs.

Canonicalized Headers:
from:"Bruce'20'Lee"'20'<blee@xxxx.com>'0D''0A'
to:<check-auth@verifier.port25.com>'0D''0A'
date:Mon,'20'20'20'Aug'20'2018'20'07:19:40'20'-0400'0D''0A'
message-id:<005f01d43877$b0dcc8b0$12965a10$@com>'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=xxxx.com;'20's=02A9C850-A29A-11E8-BDFA-3F9F4747F70D;'20't=1534763905;'20'bh=O2t61YvVLCLhQ1trTd5wBG1A+pTYuoKKvY5RZShV5as=;'20'h=From:To:Date:Message-ID:MIME-Version;'20'b=

Canonicalized Body:
This'20'is'20'a'20'multi-part'20'message'20'in'20'MIME'20'format.'0D''0A'
'0D''0A'
------=_NextPart_000_0060_01D43856.29CB28B0'0D''0A'
Content-Type:'20'text/plain;'0D''0A'
'20'charset="us-ascii"'0D''0A'
Content-Transfer-Encoding:'20'7bit'0D''0A'
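The report above is the verifier showing its input to the hash: relaxed canonicalization (the `Canonicalization relaxed/relaxed` setting JDunphy pointed at) rewrites the header fields named in SignHeaders and the body into a fixed form, and the '20'/'0D'/'0A' tokens are just the SP, CR and LF bytes of that form made visible. The following is an added example, not code from the thread, Zimbra or port25: it implements the RFC 6376 relaxed rules, computes the bh= body hash, and shows that a whitespace-only change in transit still verifies while a filter appending a line does not, which is the "wrong body hash" result from the first post. The message content is constructed and the addresses are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample (not the original poster's message): the fields listed
# in SignHeaders and a short MIME body, exactly as seen at signing time.
SAMPLE_HEADERS = [
    ("From", '"Bruce  Lee" <blee@example.com>'),
    ("To", "<check-auth@verifier.example>"),
    ("Date", "Mon,  20 Aug 2018 07:19:40 -0400"),
    ("Message-ID", "<0123456789abcdef@example.com>"),
    ("MIME-Version", "1.0"),
]
SAMPLE_BODY = (
    "This is a multi-part message in MIME format.\r\n"
    "\r\n"
    "------=_NextPart_000_0060_01D43856.29CB28B0\r\n"
    "Content-Type: text/plain;\r\n"
    "\tcharset=\"us-ascii\"\r\n"
    "Content-Transfer-Encoding: 7bit   \r\n"
    "\r\n"
    "\r\n"
)

WSP_RUN = re.compile(r"[ \t]+")


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: lowercase the field name, unfold continuation
    lines, collapse WSP runs to one SP, strip WSP around the colon and at
    the end of the value, terminate with CRLF."""
    unfolded = value.replace("\r\n", "")
    collapsed = WSP_RUN.sub(" ", unfolded).strip(" ")
    return f"{name.lower()}:{collapsed}\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4: drop trailing WSP on each line, collapse WSP
    runs to one SP, drop empty lines at the end, finish with a single CRLF
    (an empty body canonicalizes to the empty string)."""
    lines = [WSP_RUN.sub(" ", line).rstrip(" ") for line in body.split("\r\n")]
    canon = "\r\n".join(lines)
    while canon.endswith("\r\n"):
        canon = canon[:-2]
    return canon + "\r\n" if canon else ""


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body)) for a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalized_headers(headers):
    """The header block that feeds the signature hash, in h= order."""
    return "".join(relaxed_header(n, v) for n, v in headers)


def verify_body_hash(received_body, signed_bh):
    """What the verifier does with bh=: recompute over the body it received."""
    return body_hash(received_body) == signed_bh


def show_escaped(text):
    """Render like the port25 report: SP as '20', CR LF as '0D''0A'."""
    return text.replace(" ", "'20'").replace("\r\n", "'0D''0A'\n")


if __name__ == "__main__":
    bh = body_hash(SAMPLE_BODY)
    print("Canonicalized Headers:")
    print(show_escaped(canonicalized_headers(SAMPLE_HEADERS)), end="")
    print("Canonicalized Body:")
    print(show_escaped(relaxed_body(SAMPLE_BODY)), end="")
    print("bh=" + bh)
    # A tab-to-spaces change in transit is absorbed by relaxed canonicalization.
    retabbed = SAMPLE_BODY.replace("\tcharset", "    charset")
    print("whitespace change still verifies:", verify_body_hash(retabbed, bh))
    # A constructed downstream filter appending a footer changes the content,
    # so the verifier reports a body hash mismatch.
    footered = SAMPLE_BODY + "-- scanned by constructed gateway --\r\n"
    print("appended footer still verifies:", verify_body_hash(footered, bh))
```

Run against a real failure, the useful comparison is the verifier's "Canonicalized Body" output against the body as the signer emitted it: any difference that survives these relaxed rules (an added footer, a re-encoded part, a rewritten boundary) was introduced after signing, which is why a filter sitting between the signer and the public IP is the first suspect.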
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: DKIM Configuration

Post by JDunphy »

Sounds like you have it figured out. It worked as expected and the recipient was able to determine that your message was changed from the time you created and signed it. Now you know why it could be scored heavily as spam, because it was modified upstream or, from a user's perspective, possibly forged. See this thread viewtopic.php?f=15&t=61543&hilit=aol+spam to see how this can cause problems from the other admin's perspective.
rajesh083
Posts: 1
Joined: Tue Sep 29, 2020 4:05 pm

Re: DKIM Configuration

Post by rajesh083 »

Can anyone help me!!
Is there any possibility that Zimbra can detect token-based digital signatures? At present, Zimbra has the option for storing our key on their web client, but can we digitally sign an email with the help of a hardware token?