DKIM Configuration

BruceLeeRoy
Posts: 3
Joined: Sat Aug 18, 2018 11:56 am

DKIM Configuration

Postby BruceLeeRoy » Sat Aug 18, 2018 12:52 pm

Having issues with DKIM failing after setting up on my Zimbra 8.7.11 Installation.

I was having issues with Yahoo accepting mail; as most of you probably already know, Yahoo has their own blacklisting and won't let Email Administrators know what they consider to be problems. Anyway, I decided it was time to configure DKIM since maybe this was the issue. I already had DMARC and SPF in place which seem to be working fine. I first used this guide:
viewtopic.php?t=60548 because I am using PowerDNS with BIND backend and I thought it would be simpler to have 1024 bit keys to paste into my BIND files.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing

Not really knowing how to test, I used MXToolbox and dmarcanalyzer.com, which showed valid DKIM records. I then configured a different domain which also passed these tests. I assume this only checks the DNS record for accuracy and not the mail server. I then learned you could email a gmail account to see if DKIM, SPF and DMARC passed. It did. I set up a third domain and thought everything was great, but then later discovered DKIM was failing in my tests to Gmail; I also found check-auth@verifier.port25.com which returns "wrong body hash: expected mLGvU9NouvLHDEKF7oHlNcsIC32n4gwRq8Y72gHdcd0=)"

So at one point it was working, I didn't change anything other than applying a few lines found here: https://wiki.zimbra.com/wiki/Bounces_from_Spam_Mail to reduce backscatter.

/opt/zimbra/libexec/zmdkimkeyutil -q -d mydomain.com shows the correct keys that I have in DNS but it still fails. Am I missing something?


JDunphy
Outstanding Member
Posts: 282
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: DKIM Configuration

Postby JDunphy » Sat Aug 18, 2018 2:18 pm

BruceLeeRoy wrote: Having issues with DKIM failing after setting up on my Zimbra 8.7.11 Installation.
I then used this guide: https://wiki.zimbra.com/wiki/Configurin ... IM_Signing

Not really knowing how to test,

I would go back to that link and find the section where opendkim-testkey is mentioned. You should be able to determine where the problem lies... DNS or ldap... /opt/zimbra/libexec/zmdkimkeyutil is just a perl script. I do see this:

Code: Select all

  # Excerpt from /opt/zimbra/libexec/zmdkimkeyutil (Perl): refuse keys shorter
  # than 2048 bits, otherwise run the key generator ($keygen) with the requested size
  if ($bits < 2048) {
    print "Bit size less than 2048 is not allowed, as it is insecure.\n";
  } else {
    qx($keygen $subflag -b $bits -s $selector -d $domain -D /opt/zimbra/data/tmp);
  }

You mentioned using 1024, so perhaps it didn't work as you expected given that code check above. It should not be a big deal to add larger records: just use more lines, but keep each TXT record under 255 for bind. I can't remember, but doesn't the tool generate all those lines you need anyway for bind? Just cut and paste them into your zone file. You could also modify that script if you want to use 1024.
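The 255-byte limit mentioned above is a property of the DNS TXT record format (RFC 1035), not of DKIM itself: a 2048-bit RSA public key is 392 base64 characters, which no longer fits in one quoted string, whereas a 1024-bit key (216 characters) still does. The following is an added example, not code from the thread or from Zimbra's zmdkimkeyutil, showing how to split a DKIM record into BIND-safe quoted strings and check that the pieces reassemble to the original value. The key material is a constructed placeholder (the standard DER prefix of an RSA-2048 SubjectPublicKeyInfo followed by filler), not a usable key; the selector and domain names are made up.

```python
"""Split a long DKIM public-key TXT record into BIND-safe pieces.

Added example for this thread; it is not code from Zimbra's zmdkimkeyutil.
The key material below is a constructed placeholder, not a usable DKIM key.
"""
import re

MAX_STRING_LEN = 255  # RFC 1035: one TXT <character-string> holds at most 255 bytes

# Constructed placeholder with the base64 length (392 chars) of a real RSA-2048 key.
SAMPLE_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "x" * 342 + "IDAQAB"


def dkim_txt_value(public_key_b64: str, key_type: str = "rsa") -> str:
    """Build the flat DKIM record value (RFC 6376 tag=value list).

    Whitespace and line breaks left over from PEM formatting are removed so the
    p= tag is one contiguous base64 string.
    """
    key = re.sub(r"\s+", "", public_key_b64)
    return f"v=DKIM1; k={key_type}; p={key}"


def split_txt(value: str, limit: int = MAX_STRING_LEN) -> list:
    """Chunk a TXT value into strings of at most `limit` bytes each.

    Resolvers concatenate the strings of one TXT RR in order, so a DKIM
    verifier still sees the full record.
    """
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def bind_txt_rr(selector: str, domain: str, value: str, ttl: int = 3600) -> str:
    """Render the record as a BIND zone-file RR with one quoted string per chunk."""
    strings = "\n    ".join(f'"{chunk}"' for chunk in split_txt(value))
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT (\n    {strings} )"


def record_is_valid(value: str, chunks: list) -> bool:
    """Check the split: chunks must reassemble to the value and each fit the limit."""
    return "".join(chunks) == value and all(
        len(chunk.encode("ascii")) <= MAX_STRING_LEN for chunk in chunks
    )


if __name__ == "__main__":
    # Hypothetical selector and domain, used only to render the zone-file line
    txt_value = dkim_txt_value(SAMPLE_KEY_B64)
    print(bind_txt_rr("zimbra2018", "example.com", txt_value))
    print("pieces:", [len(c) for c in split_txt(txt_value)])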

L. Mark Stone
Elite member
Posts: 1869
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.10 Network Edition

Re: DKIM Configuration

Postby L. Mark Stone » Sat Aug 18, 2018 4:42 pm

In my experience the Zimbra dkim tools work fine, but...

The dkim dns record is longer than most dns providers can host in a single record, and each provider has their own method for splitting the record.

I suspect this is a dns, not Zimbra issue.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
BruceLeeRoy
Posts: 3
Joined: Sat Aug 18, 2018 11:56 am

Re: DKIM Configuration

Postby BruceLeeRoy » Sun Aug 19, 2018 2:01 pm

Yes, I have created the SPF, DMARC and DKIM records in both of my external DNS servers. When testing DKIM records with DMARC Analyzer, MX toolbox, and dkimcore.org, they all give valid DKIM core key and valid key records, which leads me to believe the DNS entries are working fine. It's also strange that it worked fine with the 1024 length key originally then suddenly stopped working.
JDunphy
Outstanding Member
Posts: 282
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: DKIM Configuration

Postby JDunphy » Sun Aug 19, 2018 3:25 pm

My understanding was that you had it working. Then you added a new domain and it stopped working for that domain. This is based on your gmail discussion above where it was working and then it stopped. Since the keys are in ldap, you get to use the older and smaller 1024 keys as you upgrade and it keeps working. It is only when you attempted to generate a new key that you had to deal with the larger key issue for that domain, because with 8.7 they introduced longer keys and the base code changed to reflect this. Anyway, moving on... It might be helpful to look at your /opt/zimbra/conf/opendkim.conf file if you believe you have it all working... focus on which header is changing after it was signed.
Pay special attention to SignHeaders, as those are the headers that you are signing, i.e. message-id,date,from,mime-version,to ... Next look at the Canonicalization (i.e. relaxed, strict, etc.)
JDunphy
Outstanding Member
Posts: 282
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: DKIM Configuration

Postby JDunphy » Sun Aug 19, 2018 3:45 pm

I forgot to mention... opendkim-testkey with -vvv might yield additional detail about your configuration. It sounds like you are fairly certain you have that properly set up and verified, so I am with Bill in guessing that you look at possible reasons for the message changing after you sign it. Generally, I just send to gmail and look at my headers to see if I have it working, as the zimbra tools have always worked from my experience. Another thing to look into... I have seen transparent proxying by some ISPs in the past as they intercept outgoing port 25 traffic and redirect it to themselves... you don't mention if that could be a possibility... You would be able to tell by looking at the email with your gmail account if that has happened. We used to see this quite often with customer email clients that were not using the user submission port and the ISPs blocked or redirected their access. Running out of ideas here, so some of this could be far fetched. :-)
BruceLeeRoy
Posts: 3
Joined: Sat Aug 18, 2018 11:56 am

Re: DKIM Configuration

Postby BruceLeeRoy » Mon Aug 20, 2018 5:50 pm

After more testing I'm seeing more of a random pass/fail, with failures being about 80% of the time. But your last message got me thinking... I use EFA for spam filtering between zimbra and the firewall, so that everything going out also passes through EFA. I also noticed EFA had a feature for DKIM and I didn't understand why, since I thought the mail server would do that. I enabled it at one time, but then removed it. Maybe I should try setting up DKIM there since that's the last place outgoing mail hits before the public IP?

Here's what's in my /opt/zimbra/conf/opendkim.conf

Canonicalization relaxed/relaxed
ReportAddress admin@zimbra.xxxx.net
SignHeaders message-id,date,from,mime-version,to


Here's a response from check-auth@verifier.port25.com. I don't understand why it has all the extra '20', '0D' and '0A' displayed, which look like ASCII values in place of spaces and CRs

Canonicalized Headers:
from:"Bruce'20'Lee"'20'<blee@xxxx.com>'0D''0A'
to:<check-auth@verifier.port25.com>'0D''0A'
date:Mon,'20'20'20'Aug'20'2018'20'07:19:40'20'-0400'0D''0A'
message-id:<005f01d43877$b0dcc8b0$12965a10$@com>'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=xxxx.com;'20's=02A9C850-A29A-11E8-BDFA-3F9F4747F70D;'20't=1534763905;'20'bh=O2t61YvVLCLhQ1trTd5wBG1A+pTYuoKKvY5RZShV5as=;'20'h=From:To:Date:Message-ID:MIME-Version;'20'b=

Canonicalized Body:
This'20'is'20'a'20'multi-part'20'message'20'in'20'MIME'20'format.'0D''0A'
'0D''0A'
------=_NextPart_000_0060_01D43856.29CB28B0'0D''0A'
Content-Type:'20'text/plain;'0D''0A'
'20'charset="us-ascii"'0D''0A'
Content-Transfer-Encoding:'20'7bit'0D''0A'
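The report above shows the message exactly as the DKIM verifier hashed it: the '20', '0D' and '0A' are the hex values of the space, CR and LF bytes, and the headers and body are in the relaxed form (lowercased header names, whitespace runs collapsed, CRLF line endings) selected by Canonicalization relaxed/relaxed in opendkim.conf. The body hash in bh= is computed over that canonicalized body, so any hop between the signer and the recipient that changes body content (a gateway appending a footer, re-encoding a MIME part) produces exactly the "wrong body hash" result reported here, while whitespace-only changes survive relaxed canonicalization. The following is an added example, not code from this thread, OpenDKIM, Zimbra or the port25 verifier: it implements RFC 6376 relaxed canonicalization for headers (section 3.4.2) and body (section 3.4.4), computes bh= as in section 3.7, renders text in the port25 style, and checks a received body against a bh= value the way a verifier does. The sample headers, Message-ID, MIME boundary and body are constructed, and the h= order follows the signature quoted above.

```python
"""DKIM relaxed canonicalization and the bh= body hash.

Added example for this thread; not code from the thread, OpenDKIM, Zimbra or
the port25 verifier. Follows RFC 6376 sections 3.4.2, 3.4.4 and 3.7.
The sample headers and body are constructed.
"""
import base64
import hashlib
import re

# Constructed sample message, shaped like the one quoted in the thread
SAMPLE_HEADERS = {
    "From": '"Bruce  Lee" <blee@example.com>',   # double space: collapsed by relaxed canon
    "To": "<check-auth@verifier.port25.com>",
    "Date": "Mon,  20 Aug 2018 07:19:40 -0400",
    "Message-ID": "<constructed-id@example.com>",
    "MIME-Version": "1.0",
}
SIGNED_ORDER = ["From", "To", "Date", "Message-ID", "MIME-Version"]  # the h= list
SAMPLE_BODY = (
    "This is a  multi-part message in MIME format.   \n"
    "\n"
    "------=_NextPart_constructed\n"
    "Content-Type: text/plain;\n"
    ' charset="us-ascii"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n\n"
)


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP runs, trim."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.lower()}:{collapsed}\r\n"


def canonical_headers(headers: dict, order: list) -> str:
    """Concatenate the signed headers in h= order, each in relaxed form."""
    return "".join(relaxed_header(name, headers[name]) for name in order)


def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs,
    drop trailing empty lines and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body: str) -> str:
    """bh= tag: base64(SHA-256(relaxed body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(received_body: str, expected_bh: str) -> bool:
    """What the receiving verifier does: recompute bh= over the body it got."""
    return body_hash(received_body) == expected_bh


def port25_view(text: str) -> str:
    """Show SP, CR and LF as quoted hex bytes, as the port25 report prints them."""
    return text.replace(" ", "'20'").replace("\r", "'0D'").replace("\n", "'0A'")


if __name__ == "__main__":
    bh = body_hash(SAMPLE_BODY)
    print(port25_view(canonical_headers(SAMPLE_HEADERS, SIGNED_ORDER)))
    print(port25_view(relaxed_body(SAMPLE_BODY)))
    print("bh=" + bh)
    # Whitespace-only changes downstream survive relaxed canonicalization ...
    print("extra blank lines still verify:", verify_body_hash(SAMPLE_BODY + "\n\n", bh))
    # ... but a gateway that appends content (a footer, a re-encoded part) breaks bh=.
    print("appended footer still verifies:", verify_body_hash(SAMPLE_BODY + "-- scanned --\n", bh))
```

Running the block prints the constructed message in the same '20'/'0D''0A' notation as the verifier report, followed by one bh= check that passes (blank lines appended after the body) and one that fails (a footer appended), which is the difference between a cosmetic change in transit and the content modification the port25 report is complaining about.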
JDunphy
Outstanding Member
Posts: 282
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: DKIM Configuration

Postby JDunphy » Mon Aug 20, 2018 11:10 pm

Sounds like you have it figured out. It worked as expected and the recipient was able to determine that your message was changed from the time you created and signed it. Now you know why it could be scored heavily as spam, because it was modified upstream or, from a user's perspective, possibly forged. See this thread https://forums.zimbra.org/viewtopic.php?f=15&t=61543&hilit=aol+spam to see how this can cause problems from the other admins' perspective.
