Zimbra Tips : How To Enable DKIM/DomainKeys Checking/Verify for Incoming Email

In the previous article, you configured and validated DKIM records on Zimbra, which helps your email reputation. That configuration only signs outgoing email. But how do you enable DKIM/DomainKeys checking for incoming connections?

By enabling DKIM/DomainKeys checking, you can reject every incoming email that carries no DKIM/DomainKeys signature. Be aware that this is a blunt policy: many legitimate senders still do not sign their mail, so rejecting on a missing signature will bounce their messages too. By default, Zimbra configures OpenDKIM as a signer only. To configure OpenDKIM as a verifier as well, follow these steps:

# Open the OpenDKIM configuration template

su - zimbra
vi /opt/zimbra/conf/opendkim.conf.in

Adjust the configuration below, then save and exit. Mode sv makes OpenDKIM both sign (s) outgoing mail and verify (v) incoming mail; Zimbra's template sets Mode s, so it only signs. On-NoSignature reject tells the verifier to reject a message that carries no DKIM-Signature header; OpenDKIM's own default for this action is accept. Edit the .in template rather than /opt/zimbra/conf/opendkim.conf itself, because zmconfigd regenerates opendkim.conf from the template. A Zimbra upgrade can replace the template, so re-check these two lines after upgrading.

On-NoSignature reject
Mode sv

# Restart OpenDKIM

zmopendkimctl restart
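As an added example (not code from the original post, and not part of Zimbra or OpenDKIM), the following Python script parses the "Key value" format of opendkim.conf, reports whether a given configuration will verify incoming mail and what it does with unsigned mail, and applies the two settings above in place without duplicating lines. SAMPLE_TEMPLATE is a constructed excerpt in the style of Zimbra's opendkim.conf.in, not a copy of the real file; the defaults table is taken from opendkim.conf(5). To script the change on a real server, feed it the contents of the template and write harden()'s result back.

```python
"""Audit and harden the verifier settings of an OpenDKIM configuration.

Added example: not from the original post, Zimbra or OpenDKIM.
"""
import re

# Values OpenDKIM applies when a key is absent from the file (opendkim.conf(5)).
# Zimbra's shipped template sets Mode to "s" explicitly, which is why it only signs.
OPENDKIM_DEFAULTS = {
    "mode": "sv",
    "on-nosignature": "accept",
    "on-badsignature": "accept",
    "on-dnserror": "tempfail",
    "on-internalerror": "tempfail",
    "on-keynotfound": "accept",
    "on-security": "tempfail",
}

# Constructed excerpt in the style of /opt/zimbra/conf/opendkim.conf.in
# (sample input for this example, not a copy of the real template).
SAMPLE_TEMPLATE = """\
UserID zimbra:zimbra
Socket %%zimbraInetMode%%:8465@[%%zimbraLocalBindAddress%%]
SigningTable @@opendkim_signingtable_uri@@
KeyTable @@opendkim_keytable_uri@@
#Canonicalization relaxed/relaxed
Canonicalization relaxed/simple
Mode s
InternalHosts file:/opt/zimbra/conf/opendkim-localnets.conf
ExternalIgnoreList file:/opt/zimbra/conf/opendkim-localnets.conf
"""

# One setting per line: a key, whitespace, then the value to end of line.
_LINE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(.*?)\s*$")


def parse_config(text):
    """Return {lowercased key: value} for every active 'Key value' line; '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def verifier_posture(text):
    """Report whether this configuration verifies incoming mail and how it reacts."""
    cfg = parse_config(text)

    def get(key):
        return cfg.get(key, OPENDKIM_DEFAULTS.get(key, ""))

    mode = get("mode").lower()
    return {
        "verifies": "v" in mode,
        "signs": "s" in mode,
        "on_nosignature": get("on-nosignature").lower(),
        "on_badsignature": get("on-badsignature").lower(),
        "on_dnserror": get("on-dnserror").lower(),
        # Mail from InternalHosts is signed rather than verified, and PeerList
        # clients bypass the filter entirely, so the On-* actions never apply to them.
        "internal_hosts": cfg.get("internalhosts"),
        "peer_list": cfg.get("peerlist"),
    }


def set_option(text, key, value):
    """Set 'key value': replace the first active line for that key, else append. Idempotent."""
    out, done = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        is_active = m is not None and not line.lstrip().startswith("#")
        if is_active and not done and m.group(1).lower() == key.lower():
            out.append(f"{key} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def harden(text):
    """Apply the two settings from the steps above: verify as well as sign, reject unsigned mail."""
    text = set_option(text, "Mode", "sv")
    return set_option(text, "On-NoSignature", "reject")


if __name__ == "__main__":
    before = verifier_posture(SAMPLE_TEMPLATE)
    after = verifier_posture(harden(SAMPLE_TEMPLATE))
    print("before: verifies=%s on_nosignature=%s" % (before["verifies"], before["on_nosignature"]))
    print("after:  verifies=%s on_nosignature=%s" % (after["verifies"], after["on_nosignature"]))
```

Look at the internal_hosts and peer_list fields of the report as well: mail from hosts listed in InternalHosts is signed instead of verified, and clients in PeerList skip the milter altogether, so neither set is affected by On-NoSignature, whatever it is set to.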

The following is an example log when receiving email from a domain that does not sign with DKIM. The milter-reject line is logged by cleanup at END-OF-MESSAGE, and the bounce shows the listener on port 10030 (the Zimbra smtpd that hands mail to OpenDKIM) answering 550 5.7.0 at the end of DATA:

Mar 18 15:10:13 mail postfix/cleanup[22424]: 64728441B96: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.0 no DKIM signature data; from=<xxxx@xxxxxx.xxx> to=<xxxx@xxxxxx.xx.xx> proto=ESMTP helo=<xxx.xxxxx.xxx>
Mar 18 15:10:13 mail postfix/smtp[23944]: 94BC4441B99: to=<xxxx@xxxxx.xx.xx>, relay=127.0.0.1[127.0.0.1]:10030, delay=42, delays=42/0.02/0.02/0.09, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.0 no DKIM signature data (in reply to end of DATA command))
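The two log lines above are what a detection rule or a daily report should key on. As an added example (not code from the original post), the Python below parses the cleanup milter-reject line and the smtp status=bounced line from a Postfix mail.log, and counts rejections per sender domain and per reason. SAMPLE_LOG is constructed in the same shape as the masked excerpt above; the addresses and the "bad DKIM signature data" reason text are invented for the sample, and the parser captures whatever reason text the milter actually sent.

```python
"""Pull OpenDKIM milter rejections out of Postfix's mail.log.

Added example, not from the original post. Sample log lines are constructed.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log excerpt above; addresses are invented.
SAMPLE_LOG = """\
Mar 18 15:10:13 mail postfix/cleanup[22424]: 64728441B96: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.0 no DKIM signature data; from=<sender@unsigned.example> to=<user@corp.example> proto=ESMTP helo=<mx.unsigned.example>
Mar 18 15:10:13 mail postfix/smtp[23944]: 94BC4441B99: to=<user@corp.example>, relay=127.0.0.1[127.0.0.1]:10030, delay=42, delays=42/0.02/0.02/0.09, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.0 no DKIM signature data (in reply to end of DATA command))
Mar 18 15:11:02 mail postfix/cleanup[22424]: 7A1F2441B9C: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.0 bad DKIM signature data; from=<news@spoofed.example> to=<user@corp.example> proto=ESMTP helo=<relay.spoofed.example>
Mar 18 15:12:40 mail postfix/cleanup[22424]: 11AA2441BA0: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.0 no DKIM signature data; from=<other@unsigned.example> to=<user@corp.example> proto=ESMTP helo=<mx.unsigned.example>
Mar 18 15:13:05 mail postfix/qmgr[5602]: 5C658F800B4: from=<ok@signed.example>, size=1105, nrcpt=1 (queue active)
"""

# cleanup's milter-reject line: queue ID, milter stage, client, DSN, reason, envelope.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"milter-reject: (?P<stage>[A-Z-]+) from (?P<client>\S+): "
    r"(?P<dsn>\d\.\d\.\d) (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# smtp's bounce line for the message that was relayed into the rejecting listener.
BOUNCE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>\S+?),"
    r".*?dsn=(?P<dsn>\d\.\d\.\d), status=bounced \((?P<detail>.*)\)$"
)


def parse_dkim_rejects(log_text):
    """Return (list of milter-reject records, dict of bounce records keyed by queue ID)."""
    rejects, bounces = [], {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rec = m.groupdict()
            # Domain of the envelope sender, lowercased; empty for a null sender.
            rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
            rejects.append(rec)
            continue
        m = BOUNCE_RE.search(line)
        if m:
            bounces[m.group("qid")] = m.groupdict()
    return rejects, bounces


def rejects_by_domain(rejects):
    """How many rejections each sender domain produced."""
    return Counter(r["sender_domain"] for r in rejects)


def rejects_by_reason(rejects):
    """How many rejections carried each milter reason text."""
    return Counter(r["reason"] for r in rejects)


if __name__ == "__main__":
    rejected, bounced = parse_dkim_rejects(SAMPLE_LOG)
    print("rejected messages:", len(rejected), " bounce records:", len(bounced))
    for domain, n in rejects_by_domain(rejected).most_common():
        print(f"  {n:3d}  {domain}")
    for reason, n in rejects_by_reason(rejected).most_common():
        print(f"  {n:3d}  {reason}")
```

Note that the two records for one message carry different queue IDs (64728441B96 on the milter-reject line, 94BC4441B99 on the bounce line in the excerpt above): the reject is logged under the ID that the 10030 listener's cleanup assigned, while the bounce is logged under the original message's ID, so the script keeps them in separate collections rather than joining on queue ID. The per-domain count is the quick check for whether a spike in rejections is one unsigned correspondent or a spoofing run against many.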

Good luck and hopefully useful 🙂

22 comments

  1. I configured zimbra 8.7 to work with DKIM.
    External messages with correct signature are verified and processed.
    Internal messages without signature are rejected
    External messages without signature are accepted.

    Here is the log of the connection from an external address without a signature
    Jul 10 15:57:15 mail postfix/postscreen[6744]: CONNECT from [79.52.221.58]:34580 to [10.55.0.40]:25
    Jul 10 15:57:15 mail postfix/postscreen[6744]: PASS OLD [79.52.221.58]:34580
    Jul 10 15:57:15 mail postfix/smtpd[29516]: connect from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]
    Jul 10 15:57:51 mail postfix/smtpd[29516]: NOQUEUE: filter: RCPT from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=SMTP helo=
    Jul 10 15:57:51 mail postfix/smtpd[29516]: NOQUEUE: filter: RCPT from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from= to= proto=SMTP helo=
    Jul 10 15:57:52 mail postfix/smtpd[29516]: 456DFF8006A: client=host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]
    Jul 10 15:57:59 mail postfix/postscreen[6744]: CONNECT from [10.55.0.31]:59973 to [10.55.0.40]:25
    Jul 10 15:57:59 mail postfix/postscreen[6744]: WHITELISTED [10.55.0.31]:59973
    Jul 10 15:57:59 mail postfix/smtpd[18048]: connect from prtg.systeamus.com[10.55.0.31]
    Jul 10 15:57:59 mail postfix/smtpd[18048]: disconnect from prtg.systeamus.com[10.55.0.31] ehlo=1 quit=1 commands=2
    Jul 10 15:58:11 mail zmconfigd[2368]: Fetching All configs
    Jul 10 15:58:11 mail zmconfigd[2368]: All configs fetched in 0.05 seconds
    Jul 10 15:58:15 mail zmconfigd[2368]: Watchdog: service antivirus status is OK.
    Jul 10 15:58:15 mail zmconfigd[2368]: All rewrite threads completed in 0.03 sec
    Jul 10 15:58:15 mail zmconfigd[2368]: All restarts completed in 0.00 sec
    Jul 10 15:58:35 mail postfix/cleanup[18042]: 456DFF8006A: message-id=
    Jul 10 15:58:35 mail postfix/qmgr[5602]: 456DFF8006A: from=, size=374, nrcpt=1 (queue active)
    Jul 10 15:58:35 mail amavis[13009]: (13009-07) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20170710T115046-13009-OGOthOah: -> SIZE=374 Received: from mail.cloak.me ([127.0.0.1]) by localhost (mail.cloak.me [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Mon, 10 Jul 2017 15:58:35 -0700 (PDT)
    Jul 10 15:58:35 mail amavis[13009]: (13009-07) Checking: 73CLjTFd19Vz [79.52.221.58] ->
    Jul 10 15:58:36 mail postfix/amavisd/smtpd[18915]: connect from localhost[127.0.0.1]
    Jul 10 15:58:36 mail postfix/amavisd/smtpd[18915]: D9115F80083: client=localhost[127.0.0.1]
    Jul 10 15:58:36 mail postfix/cleanup[18042]: D9115F80083: message-id=
    Jul 10 15:58:36 mail postfix/amavisd/smtpd[18915]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Jul 10 15:58:36 mail postfix/qmgr[5602]: D9115F80083: from=, size=1105, nrcpt=1 (queue active)
    Jul 10 15:58:36 mail amavis[13009]: (13009-07) 73CLjTFd19Vz FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9115F80083
    Jul 10 15:58:36 mail amavis[13009]: (13009-07) Passed CLEAN {RelayedInbound}, [79.52.221.58]:34580 [79.52.221.58] -> , Queue-ID: 456DFF8006A, Message-ID: , mail_id: 73CLjTFd19Vz, Hits: 2.816, size: 374, queued_as: D9115F80083, 1774 ms
    Jul 10 15:58:36 mail postfix/smtp[18913]: 456DFF8006A: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=57, delays=55/0.02/0.01/1.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9115F80083)
    Jul 10 15:58:36 mail postfix/qmgr[5602]: 456DFF8006A: removed
    Jul 10 15:58:37 mail postfix/lmtp[18916]: D9115F80083: to=, relay=mail.cloak.me[10.55.0.40]:7025, delay=0.2, delays=0.01/0.02/0.11/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jul 10 15:58:37 mail postfix/qmgr[5602]: D9115F80083: removed
    Jul 10 15:58:37 mail postfix/smtpd[29516]: disconnect from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58] helo=1 mail=1 rcpt=1 data=1 quit=1 unknown=0/2 commands=5/7

    Here is the opendkim config
    UserID zimbra:zimbra
    UMask 022
    Socket %%zimbraInetMode%%:8465@[%%zimbraLocalBindAddress%%]
    PidFile /opt/zimbra/log/opendkim.pid

    LDAPBindUser uid=zmpostfix,cn=appaccts,cn=zimbra
    LDAPBindPassword @@ldap_postfix_password@@
    LDAPUseTLS @@ldap_starttls_supported@@
    LDAPTimeout 30
    LDAPKeepaliveIdle 240
    LDAPKeepaliveProbes 10
    LDAPKeepaliveInterval 30
    SigningTable @@opendkim_signingtable_uri@@
    KeyTable @@opendkim_keytable_uri@@
    #Canonicalization relaxed/relaxed
    Canonicalization relaxed/simple
    ReportAddress @@av_notify_user@@
    SignHeaders message-id,date,from,mime-version,to

    On-BadSignature quarantine
    On-DNSError tempfail
    On-InternalError tempfail
    On-NoSignature reject
    On-Security tempfail

    AllowSHA1Only no
    AlwaysAddARHeader no
    AuthservIDWithJobId yes
    AutoRestart yes
    AutoRestartCount 20
    AutoRestartRate 10/1h
    Background Yes
    ClockDrift 300
    DisableCryptoInit yes
    DNSTimeout 10
    DomainKeysCompat no
    EnableCoredumps yes
    FixCRLF no
    MaximumHeaders 65536
    Minimum 0
    Mode sv
    MultipleSignatures no
    NoHeaderB no
    RequireSafeKeys Yes
    SignatureAlgorithm rsa-sha256
    SignatureTTL 0
    StrictHeaders no
    StrictTestMode no
    SubDomains no
    InternalHosts file:/opt/zimbra/conf/opendkim-localnets.conf
    ExternalIgnoreList file:/opt/zimbra/conf/opendkim-localnets.conf
    PeerList file:/opt/zimbra/conf/opendkim-localnets.conf

    SendReports yes
    Diagnostics yes
    LogWhy yes
    Quarantine yes
    ResolverTracing no
    Syslog yes
    SyslogFacility LOCAL0
    SyslogSuccess no
    SoftwareHeader yes
    TemporaryDirectory /opt/zimbra/data/tmp
    KeepTemporaryFiles no
    MilterDebug 0

      1. Hi,
        this is the problem: on the public IP (external)
        the email that is not signed passes without any problem

        Here is the segment; note the source IP address is 79.52.221.58

        Jul 10 15:32:13 mail postfix/cleanup[31026]: 23736F800B4: message-id=
        Jul 10 15:32:13 mail postfix/qmgr[5602]: 23736F800B4: from=, size=395, nrcpt=1 (queue active)
        Jul 10 15:32:13 mail amavis[29181]: (29181-10) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20170710T125611-29181-aNnefojn: -> SIZE=395 Received: from mail.cloak.me ([127.0.0.1]) by localhost (mail.cloak.me [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Mon, 10 Jul 2017 15:32:13 -0700 (PDT)
        Jul 10 15:32:13 mail amavis[29181]: (29181-10) Checking: oAeU9-jXutqQ [79.52.221.58] ->
        Jul 10 15:32:14 mail postfix/amavisd/smtpd[26286]: connect from localhost[127.0.0.1]
        Jul 10 15:32:14 mail postfix/amavisd/smtpd[26286]: 0EB75F804AF: client=localhost[127.0.0.1]
        Jul 10 15:32:14 mail postfix/cleanup[31608]: 0EB75F804AF: message-id=
        Jul 10 15:32:14 mail postfix/qmgr[5602]: 0EB75F804AF: from=, size=1154, nrcpt=1 (queue active)
        Jul 10 15:32:14 mail postfix/amavisd/smtpd[26286]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
        Jul 10 15:32:14 mail amavis[29181]: (29181-10) oAeU9-jXutqQ FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0EB75F804AF
        Jul 10 15:32:14 mail amavis[29181]: (29181-10) Passed CLEAN {RelayedInbound}, [79.52.221.58]:34326 [79.52.221.58] -> , Queue-ID: 23736F800B4, Message-ID: , mail_id: oAeU9-jXutqQ, Hits: 4.224, size: 395, queued_as: 0EB75F804AF, 301 ms
        Jul 10 15:32:14 mail postfix/smtp[31029]: 23736F800B4: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=104, delays=104/0/0.01/0.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0EB75F804AF)
        Jul 10 15:32:14 mail postfix/qmgr[5602]: 23736F800B4: removed
        Jul 10 15:32:14 mail postfix/lmtp[31084]: 0EB75F804AF: to=, relay=mail.cloak.me[10.55.0.40]:7025, delay=0.16, delays=0.01/0/0.11/0.05, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
        Jul 10 15:32:14 mail postfix/qmgr[5602]: 0EB75F804AF: removed
        Jul 10 15:32:15 mail postfix/smtpd[21644]: disconnect from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58] helo=1 mail=1 rcpt=1/2 data=1 quit=1 commands=5/6

  2. Here instead is the rejection before I added PeerList to the config file. IP address 10.50.50.6 is internal (it was already in the Zimbra file opendkim-localnets.conf)

    Jul 10 15:01:01 mail amavis[31728]: (31728-08) ESMTP [127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20170710T103155-31728-k5JD6sVy: -> Received: from mail.cloak.me ([127.0.0.1]) by localhost (mail.cloak.me [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for ; Mon, 10 Jul 2017 15:01:01 -0700 (PDT)
    Jul 10 15:01:01 mail amavis[31728]: (31728-08) Checking: n41o61fbF9K8 ORIGINATING/MYNETS [10.50.50.6] ->
    Jul 10 15:01:01 mail postfix/dkimmilter/smtpd[5776]: connect from localhost[127.0.0.1]
    Jul 10 15:01:01 mail postfix/dkimmilter/smtpd[5776]: A2650F804AF: client=localhost[127.0.0.1]
    Jul 10 15:01:01 mail postfix/cleanup[6914]: A2650F804AF: message-id=
    Jul 10 15:01:01 mail opendkim[5801]: A2650F804AF: no signing table match for ‘luigi@luigi.com’
    Jul 10 15:01:01 mail opendkim[5801]: A2650F804AF: no signature data
    Jul 10 15:01:01 mail postfix/cleanup[6914]: A2650F804AF: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.0 no DKIM signature data; from= to= proto=ESMTP helo=
    Jul 10 15:01:01 mail postfix/dkimmilter/smtpd[5776]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
    Jul 10 15:01:01 mail amavis[31728]: (31728-08) Negative SMTP response to data-dot (): 550 5.7.0 no DKIM signature data, dt: 86.9 ms
    Jul 10 15:01:01 mail amavis[31728]: (31728-08) (!)n41o61fbF9K8 FWD from -> , BODY=7BIT 550 5.7.0 from MTA(smtp:[127.0.0.1]:10030): 550 5.7.0 no DKIM signature data
    Jul 10 15:01:01 mail amavis[31728]: (31728-08) Blocked MTA-BLOCKED {RejectedInternal}, ORIGINATING/MYNETS LOCAL [10.50.50.6]:44648 -> , Queue-ID: 5C658F800B4, Message-ID: , mail_id: n41o61fbF9K8, Hits: -, size: 342, 173 ms
    Jul 10 15:01:01 mail postfix/smtp[5749]: 5C658F800B4: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10026, delay=19, delays=19/0/0/0.17, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.0 id=31728-08 – Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10030): 550 5.7.0 no DKIM signature data (in reply to end of DATA command))

    1. Hello Luigi,

      What is your domain on Zimbra? Please mask/change your domain in the log to another domain for troubleshooting.

  3. The factor driving me crazy is that the internal IP goes through DKIM and gets rejected because there is no signature, while the external IP does not even get processed.
    Any idea?

    Thanks

      1. Hi Iman,
        Luigi@luigi.com does not have a signature and gets rejected, BUT it is coming from a trusted internal IP address which was supposedly not to be checked.
        At the same time, if I do the same (pluto@www.pluto.com with no signature) from a public IP address, opendkim will not even attempt to check the signature and will accept the message.

        Jul 10 13:53:29 mail postfix/smtpd[25414]: NOQUEUE: filter: RCPT from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=SMTP helo=
        Jul 10 13:53:29 mail postfix/smtpd[25414]: NOQUEUE: filter: RCPT from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from= to= proto=SMTP helo=
        Jul 10 13:53:30 mail postfix/smtpd[25414]: 24730F8006A: client=host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58]
        Jul 10 13:53:42 mail postfix/anvil[1715]: statistics: max connection rate 1/60s for (smtpd:79.52.221.58) at Jul 10 13:51:58
        Jul 10 13:53:42 mail postfix/anvil[1715]: statistics: max connection count 1 for (smtpd:79.52.221.58) at Jul 10 13:51:58
        Jul 10 13:53:42 mail postfix/anvil[1715]: statistics: max cache size 1 at Jul 10 13:51:58
        Jul 10 13:53:59 mail postfix/postscreen[6744]: CONNECT from [10.55.0.31]:62362 to [10.55.0.40]:25
        Jul 10 13:53:59 mail postfix/postscreen[6744]: WHITELISTED [10.55.0.31]:62362
        Jul 10 13:53:59 mail postfix/smtpd[15486]: connect from prtg.systeamus.com[10.55.0.31]
        Jul 10 13:53:59 mail postfix/smtpd[15486]: disconnect from prtg.systeamus.com[10.55.0.31] ehlo=1 quit=1 commands=2
        Jul 10 13:54:04 mail postfix/cleanup[16864]: 24730F8006A: message-id=
        Jul 10 13:54:04 mail postfix/qmgr[5602]: 24730F8006A: from=, size=363, nrcpt=1 (queue active)
        Jul 10 13:54:04 mail amavis[29175]: (29175-03) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20170710T125610-29175-CP4Gyf71: -> SIZE=363 Received: from mail.cloak.me ([127.0.0.1]) by localhost (mail.cloak.me [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Mon, 10 Jul 2017 13:54:04 -0700 (PDT)
        Jul 10 13:54:05 mail amavis[29175]: (29175-03) Checking: fR3hT8awOTMI [79.52.221.58] ->
        Jul 10 13:54:05 mail postfix/amavisd/smtpd[17179]: connect from localhost[127.0.0.1]
        Jul 10 13:54:05 mail postfix/amavisd/smtpd[17179]: 7F402F80083: client=localhost[127.0.0.1]
        Jul 10 13:54:05 mail postfix/cleanup[16864]: 7F402F80083: message-id=
        Jul 10 13:54:05 mail postfix/qmgr[5602]: 7F402F80083: from=, size=1017, nrcpt=1 (queue active)
        Jul 10 13:54:05 mail postfix/amavisd/smtpd[17179]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
        Jul 10 13:54:05 mail amavis[29175]: (29175-03) fR3hT8awOTMI FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7F402F80083
        Jul 10 13:54:05 mail amavis[29175]: (29175-03) Passed CLEAN {RelayedInbound}, [79.52.221.58]:54517 [79.52.221.58] -> , Queue-ID: 24730F8006A, Message-ID: , mail_id: fR3hT8awOTMI, Hits: 0.104, size: 363, queued_as: 7F402F80083, 576 ms
        Jul 10 13:54:05 mail postfix/smtp[17173]: 24730F8006A: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=83, delays=83/0.03/0.01/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7F402F80083)
        Jul 10 13:54:05 mail postfix/qmgr[5602]: 24730F8006A: removed
        Jul 10 13:54:05 mail postfix/lmtp[17180]: 7F402F80083: to=, relay=mail.cloak.me[10.55.0.40]:7025, delay=0.2, delays=0.01/0.02/0.11/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
        Jul 10 13:54:05 mail postfix/qmgr[5602]: 7F402F80083: removed
        Jul 10 13:54:23 mail postfix/smtpd[25414]: disconnect from host58-221-dynamic.52-79-r.retail.telecomitalia.it[79.52.221.58] helo=1 mail=1 rcpt=1 data=1 quit=1 unknown=0/2 commands=5/7

        1. Try again

          Jul 10 13:54:05 mail postfix/qmgr[5602]: 7F402F80083: from=, size=1017, nrcpt=1 (queue active)
          Jul 10 13:54:05 mail postfix/amavisd/smtpd[17179]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
          Jul 10 13:54:05 mail amavis[29175]: (29175-03) fR3hT8awOTMI FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7F402F80083
          Jul 10 13:54:05 mail amavis[29175]: (29175-03) Passed CLEAN {RelayedInbound}, [79.52.221.58]:54517 [79.52.221.58] -> , Queue-ID: 24730F8006A, Message-ID: , mail_id: fR3hT8awOTMI, Hits: 0.104, size: 363, queued_as: 7F402F80083, 576 ms
          Jul 10 13:54:05 mail postfix/smtp[17173]: 24730F8006A: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=83, delays=83/0.03/0.01/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7F402F80083)
          Jul 10 13:54:05 mail postfix/qmgr[5602]: 24730F8006A: removed
          Jul 10 13:54:05 mail postfix/lmtp[17180]: 7F402F80083: to=, relay=mail.cloak.me[10.55.0.40]:7025, delay=0.2, delays=0.01/0.02/0.11/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

  4. I configured zimbra 8.0.7 to work with DKIM.

    Internal messages are rejected when forwarding is set by the user or admin.
    “host 127.0.0.1[127.0.0.1] said: 550 5.7.0
    id=30989-05 – Rejected by next-hop MTA on relaying, from
    MTA(smtp:[127.0.0.1]:10030): 550 5.7.0 no DKIM signature data (in reply to end of DATA command)”

  5. Hi Imanudin,

    Can we block only the domains that fail DKIM verification? Because we have a lot of customers who don't have a DKIM signature on their domain, so if we put reject on no signature, everything will fail.

  6. Hi Iman,

    I have a peculiar problem in Zimbra 8.8.12. All of a sudden, OpenDKIM does not start, with the error "Connection to LDAP failed". On further investigation, I found that it is asking for a TLS connection to the LDAP server, but for some reason the LDAP server does not allow TLS connections. How do I check if TLS is enabled for LDAP, and how do I allow LDAP to accept TLS connections?
