DKIM Configuration
- BruceLeeRoy
- Posts: 4
- Joined: Sat Aug 18, 2018 11:56 am
DKIM Configuration
Having issues with DKIM failing after setting up on my Zimbra 8.7.11 Installation.
I was having issues with Yahoo accepting mail, as most of you probably already know Yahoo has their own blacklisting and won't let Email Administrators know what they consider to be problems. Anyway, I decided it was time to configure DKIM since maybe this was the issue. I already had DMARC and SPF in place which seem to be working fine. I first used this guide:
viewtopic.php?t=60548 because I am using PowerDNS with BIND backend and I thought it would be simpler to have 1024 bit keys to paste into my BIND files.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing
Not really knowing how to test, I used MXToolbox and dmarcanalyzer.com which showed valid DKIM records. I then configured a different domain which also passed these tests. I assume this only checks the DNS record for accuracy and not the mail server. I then learned you could email a Gmail account to see if DKIM, SPF and DMARC passed. It did. I set up a third domain and thought everything was great, but then later discovered DKIM was failing in my tests to Gmail. I also found check-auth@verifier.port25.com which returns "wrong body hash: expected mLGvU9NouvLHDEKF7oHlNcsIC32n4gwRq8Y72gHdcd0=)"
So at one point it was working, I didn't change anything other than applying a few lines found here: https://wiki.zimbra.com/wiki/Bounces_from_Spam_Mail to reduce backscatter.
/opt/zimbra/libexec/zmdkimkeyutil -q -d mydomain.com shows the correct keys that I have in DNS but it still fails. Am I missing something?
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: DKIM Configuration
BruceLeeRoy wrote:
Having issues with DKIM failing after setting up on my Zimbra 8.7.11 installation.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing
Not really knowing how to test,

I would go back to that link and find the section where opendkim-testkey is mentioned. You should be able to determine where the problem lies... DNS or LDAP... /opt/zimbra/libexec/zmdkimkeyutil is just a perl script. I do see this:

    # excerpt from /opt/zimbra/libexec/zmdkimkeyutil: keys shorter than 2048 bits are refused
    if ($bits < 2048) {
        print "Bit size less than 2048 is not allowed, as it is insecure.\n";
    } else {
        qx($keygen $subflag -b $bits -s $selector -d $domain -D /opt/zimbra/data/tmp);
    }
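As an added example (not code from this thread, from Zimbra or from OpenDKIM), here is a stdlib-only Python check of the DNS side of what opendkim-testkey verifies: it joins the TXT strings a resolver returns for selector._domainkey.<domain>, parses the tag list, decodes p= and reports the RSA modulus size against the 2048-bit floor the zmdkimkeyutil excerpt above enforces. RFC 6376 requires a verifier to concatenate multiple TXT strings with nothing in between, so a key that only decodes when both strings are present is also a test of how the zone was split. The records it runs on are constructed here with a small DER encoder and moduli that merely have the right size; they are not real keys and would not verify a signature.

```python
import base64

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID followed by NULL


def parse_dkim_record(strings):
    """Join the TXT strings and split the record into tag=value pairs (RFC 6376 section 3.6.1).

    A record longer than 255 bytes is published as several quoted strings; the verifier
    concatenates them with nothing in between (section 3.6.2.2), so a zone that drops one
    string, or that was pasted with only the first chunk, yields a key that will not decode.
    """
    tags = {}
    for field in "".join(strings).split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {field.strip()!r}")
        tags[name.strip()] = "".join(value.split())  # whitespace inside base64 is ignored
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of the SubjectPublicKeyInfo that the p= tag carries."""
    tag, body, _ = _der_tlv(spki, 0)
    alg_tag, alg, pos = _der_tlv(body, 0)
    if tag != 0x30 or alg_tag != 0x30 or alg != RSA_ALG_ID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bits_tag, bits, _ = _der_tlv(body, pos)
    if bits_tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)
    int_tag, modulus, _ = _der_tlv(rsa_pub, 0)
    if int_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(strings, minimum_bits=2048):
    """Report parsed tags, RSA modulus size and any problems with a published key record.

    minimum_bits defaults to the floor the zmdkimkeyutil excerpt enforces.
    """
    result = {"bits": None, "problems": []}
    try:
        tags = parse_dkim_record(strings)
    except ValueError as exc:
        result["problems"].append(str(exc))
        return result
    result["tags"] = tags
    if tags.get("v", "DKIM1") != "DKIM1":
        result["problems"].append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        result["problems"].append(f"unsupported key type k={tags['k']}")
    if "p" not in tags:
        result["problems"].append("missing p= tag")
    elif tags["p"] == "":
        result["problems"].append("p= is empty: key is revoked")
    else:
        try:
            result["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except ValueError as exc:
            result["problems"].append(f"p= does not decode to an RSA key ({exc}); record split or truncated?")
        else:
            if result["bits"] < minimum_bits:
                result["problems"].append(f"{result['bits']}-bit key is below the {minimum_bits}-bit minimum")
    return result


# --- constructed test data: these moduli are NOT real RSA keys, they only have the right size ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, raw if raw[0] < 0x80 else b"\x00" + raw)  # keep the INTEGER positive


def make_dkim_record(modulus, exponent=65537, chunk=255):
    """Build 'v=DKIM1; k=rsa; p=...' and split it into <=255-byte strings, as a zone file must."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_pub))
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]


RECORD_2048 = make_dkim_record((1 << 2047) | 1)  # two strings: both must be published
RECORD_1024 = make_dkim_record((1 << 1023) | 1)  # fits in one string, but below the 2048 floor
```

For a live check, pass the list of strings returned for the selector's TXT record (quotes removed) to check_dkim_key; a result with bits set to None and a "record split or truncated?" problem is the DNS-side failure to look for before touching the mail server.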
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: DKIM Configuration
In my experience the Zimbra dkim tools work fine, but...
The dkim dns record is longer than most dns providers can host in a single record, and each provider has their own method for splitting the record.
I suspect this is a dns, not Zimbra issue.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- BruceLeeRoy
- Posts: 4
- Joined: Sat Aug 18, 2018 11:56 am
Re: DKIM Configuration
Yes, I have created the SPF, DMARC and DKIM records in both of my external DNS servers. When testing DKIM records with DMARC Analyzer, MX toolbox, and dkimcore.org, they all give valid DKIM core key and valid key records, which leads me to believe the DNS entries are working fine. It's also strange that it worked fine with the 1024-bit key originally and then suddenly stopped working.
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: DKIM Configuration
My understanding was that you had it working. Then you added a new domain and it stopped working for that domain. This is based on your gmail discussion above where it was working and then it stopped. Since the keys are in ldap, you get to use the older and smaller 1024 keys as you upgrade and it keeps working. It is only when you attempted to generate a new key you had to deal with the larger key issue for that domain because with 8.7 they introduced longer keys and the base code changed to reflect this. Anyway moving on... It might be helpful to look at your /opt/zimbra/conf/opendkim.conf file if you believe you have it all working... focus on which header is changing after it was signed.
Pay special attention to SignHeaders as those are the headers that you are signing... i.e. message-id,date,from,mime-version,to ... Next look at the Canonicalization (i.e. relaxed, strict, etc.)
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: DKIM Configuration
I forgot to mention... opendkim-testkey with -vvv might yield additional detail about your configuration. It sounds like you are fairly certain you have that properly set up and verified, so I am with Bill in guessing that you look at possible reasons for the message changing after you sign it. Generally, I just send to Gmail and look at my headers to see if I have it working, as the Zimbra tools have always worked in my experience. Another thing to look into... I have seen transparent proxying by some ISPs in the past as they intercept outgoing port 25 traffic and redirect it to themselves... you don't mention if that could be a possibility... You would be able to tell by looking at the email with your Gmail account if that has happened. We used to see this quite often with customer email clients that were not using the user submission port and the ISPs blocked or redirected their access. Running out of ideas here, so some of this could be far fetched.
- BruceLeeRoy
- Posts: 4
- Joined: Sat Aug 18, 2018 11:56 am
Re: DKIM Configuration
After more testing I'm seeing more of a random pass/fail with failures being about 80% of the time. But your last message got me thinking... I use EFA for spam filtering between Zimbra and the firewall so that everything going out also passes through EFA. I also noticed EFA had a feature for DKIM and I didn't understand why, since I thought the mail server would do that. I enabled it at one time, but then removed it. Maybe I should try setting up DKIM there since that's the last place outgoing mail hits before the public IP?
Here's what's in my /opt/zimbra/conf/opendkim.conf:
Canonicalization relaxed/relaxed
ReportAddress admin@zimbra.xxxx.net
SignHeaders message-id,date,from,mime-version,to
Here's a response from check-auth@verifier.port25.com. I don't understand why it has all the extra '20', '0D' and '0A' displayed, which look like ASCII values in place of spaces and CRs:
Canonicalized Headers:
from:"Bruce'20'Lee"'20'<blee@xxxx.com>'0D''0A'
to:<check-auth@verifier.port25.com>'0D''0A'
date:Mon,'20'20'20'Aug'20'2018'20'07:19:40'20'-0400'0D''0A'
message-id:<005f01d43877$b0dcc8b0$12965a10$@com>'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=xxxx.com;'20's=02A9C850-A29A-11E8-BDFA-3F9F4747F70D;'20't=1534763905;'20'bh=O2t61YvVLCLhQ1trTd5wBG1A+pTYuoKKvY5RZShV5as=;'20'h=From:To:Date:Message-ID:MIME-Version;'20'b=
Canonicalized Body:
This'20'is'20'a'20'multi-part'20'message'20'in'20'MIME'20'format.'0D''0A'
'0D''0A'
------=_NextPart_000_0060_01D43856.29CB28B0'0D''0A'
Content-Type:'20'text/plain;'0D''0A'
'20'charset="us-ascii"'0D''0A'
Content-Transfer-Encoding:'20'7bit'0D''0A'
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: DKIM Configuration
Sounds like you have it figured out. It worked as expected and the recipient was able to determine that your message was changed from the time you created and signed it. Now you know why it could be scored heavily as spam, because it was modified upstream or, from a user's perspective, possibly forged. See this thread viewtopic.php?f=15&t=61543&hilit=aol+spam to see how this can cause problems from the other admins' perspective.
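To make the "wrong body hash" diagnosis concrete, and to show what the Canonicalization and SignHeaders settings discussed above actually control, here is an added example (not code from this thread, from Zimbra or from OpenDKIM) of how a verifier recomputes bh= under RFC 6376 relaxed and simple canonicalization, plus the relaxed header form that a verifier's "Canonicalized Headers" dump displays. The message body, addresses and gateway footer are constructed for the example. It runs two kinds of downstream change against a body hash computed at signing time: whitespace damage, which relaxed tolerates and simple does not, and an appended footer of the kind a filtering gateway sitting between the signer and the public IP can add, which no canonicalization tolerates and which is exactly what produces a body hash mismatch.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 ("simple") and 3.4.4 ("relaxed").

    Line endings are normalised to CRLF first, because that is what a verifier sees on the wire.
    """
    body = body.replace(CRLF, b"\n").replace(b"\n", CRLF)
    if method == "relaxed":
        # Collapse runs of WSP to one SP and drop WSP at the end of every line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(CRLF)]
        body = CRLF.join(lines)
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method!r}")
    # Both methods ignore empty lines at the end of the body.
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if body in (b"", CRLF):
        return b"" if method == "relaxed" else CRLF  # empty body: "" relaxed, one CRLF simple
    return body if body.endswith(CRLF) else body + CRLF


def canonicalize_header(name: str, value: str, method: str = "relaxed") -> str:
    """Header canonicalization per RFC 6376 section 3.4.1 / 3.4.2.

    Relaxed lower-cases the name, unfolds, collapses WSP and strips it around the colon; this is
    the form a verifier report prints under 'Canonicalized Headers'.
    """
    if method == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The bh= tag: base64(SHA-256(canonicalized body)), matching a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, method)).digest()).decode("ascii")


def body_hash_matches(signed_bh: str, received_body: bytes, method: str = "relaxed") -> bool:
    """What a verifier does before it even checks b=: recompute bh= over the body it received."""
    return body_hash(received_body, method) == signed_bh


# Constructed sample body, not the message from the thread.
SIGNED_BODY = (
    b"Hello,\r\n"
    b"\r\n"
    b"Please find the report attached.\r\n"
    b"\r\n"
    b"-- \r\n"
    b"Bruce\r\n"
)
# Cosmetic damage a relay may do: a tab inside a line plus extra blank lines at the end.
WHITESPACE_VARIANT = SIGNED_BODY.replace(b"the report", b"the \t report") + b"\r\n\r\n"
# Content damage: a filtering gateway between the signer and the Internet appends a footer.
FOOTER_VARIANT = SIGNED_BODY + b"\r\nScanned by the outbound gateway.\r\n"


def demo() -> dict:
    """Which variants still verify against the bh= computed when the message was signed."""
    bh = body_hash(SIGNED_BODY)
    return {
        "bh": bh,
        "whitespace_relaxed": body_hash_matches(bh, WHITESPACE_VARIANT, "relaxed"),
        "whitespace_simple": body_hash(SIGNED_BODY, "simple") == body_hash(WHITESPACE_VARIANT, "simple"),
        "footer_relaxed": body_hash_matches(bh, FOOTER_VARIANT, "relaxed"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

When a verifier reports the expected bh= alongside what it computed, diff the canonicalized body it prints against what left the signing host: a footer, a rewritten MIME boundary or a re-encoded part shows up as real content, whereas the '20'/'0D''0A' escapes are just the verifier making spaces and line endings visible.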
Re: DKIM Configuration
Can anyone help me!!
Is there any possibility that Zimbra can detect token-based digital signatures? At present, Zimbra has the option of storing our key on their web client, but can we digitally sign an email with the help of a hardware token?