Zimbra SkillZ: Enable DANE Verification for Outgoing Email in Zimbra

Hello Zimbra Customers, Partners & Friends,

In today’s post, you will learn how to enable DANE verification for outgoing email in Zimbra. We’ll explain how to set up DANE for incoming email in another post.

DANE is a security protocol that adds additional verification of a TLS certificate. If you want to know more about DANE, please see the Further Reading section below.

First find the default settings:

/opt/zimbra/common/sbin/postconf smtp_dns_support_level
/opt/zimbra/common/sbin/postconf smtp_tls_security_level

The following will be returned:

smtp_dns_support_level = enabled
smtp_tls_security_level = may

To enable outgoing email DANE verification, these settings must be changed as:

zmprov ms `zmhostname` zimbraMtaSmtpDnsSupportLevel "dnssec"
zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel "dane"
zmmtactl restart

Make Sure Your DNS Resolver Supports DNSSEC

DANE requires DNSSEC. This means that Postfix MUST be able to use a DNS resolver that validates DNSSEC. It won’t work without it. To test if your resolver supports it, run the following commands:

dig sigok.verteiltesysteme.net
dig sigfail.verteiltesysteme.net

The first command should return an A record, and the second command should return a SERVFAIL. If you have a different result, your DNS resolver does not verify DNSSEC and you need to fix this first. One way to fix this is to install DNSMASQ as described here: https://wiki.archlinux.org/title/dnsmasq. On Ubuntu, DNSMASQ is included. Please note that CentOS 7 is shipped with a DNSMASQ that is compiled without DNSSEC support. You will have to compile it from source to use it on CentOS 7.

Do a Test DANE Verification

Now head over to https://havedane.net/. Here you see a bunch of weird looking email addresses. To do a DANE test, copy these into a new email, and watch the output on the page turn green. Also run tail -f /var/log/mail.log on your Zimbra to see the Postfix logs. If you see a red banner on havedane.net, the test failed. Look in the logs for clues.

Copy/paste the email addresses from havedane.net to your Zimbra webmail and send an email.

Example of a Successful DANE Verification

Here is a log of a successful DANE verification:

Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: from=<admin@zimbra9-dev.zimbra.tech>, size=1916, nrcpt=3 (queue active)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 3A03D13B331: removed
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: connect from localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: 8A40913B331: client=localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/cleanup[1177220]: 8A40913B331: message-id=<1820848796.80.1645524155164.JavaMail.zimbra@zimbra9-dev.zimbra.tech>
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 8A40913B331: from=<admin@zimbra9-dev.zimbra.tech>, size=2239, nrcpt=3 (queue active)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: removed
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, delays=0.01/0.02/1.5/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)

Example of a Failed DANE Verification

This log is an indication of a DNS resolver that does not verify DNSSEC.

Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: from=<admin@zimbra9-dev.zimbra.tech>, size=2233, nrcpt=3 (queue active)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: E181613B330: removed
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170820]: 0B56E13B329: to=<874c05b09e9471be@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8DC07BF537)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.01/1.4/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3)
Feb 22 09:52:09 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: removed

Further Reading

Have feedback? Please leave us a comment.

Thanks,
Your Zimbra Team

, , ,

No comments yet.

Leave a Reply

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures