Hello Zimbra Customers, Partners & Friends,
In today’s post, you will learn how to enable DANE verification for outgoing email in Zimbra. We’ll explain how to set up DANE for incoming email in another post.
DANE is a security protocol that adds additional verification of a TLS certificate. If you want to know more about DANE, please see the Further Reading section below.
First find the default settings:
/opt/zimbra/common/sbin/postconf smtp_dns_support_level /opt/zimbra/common/sbin/postconf smtp_tls_security_level
The following will be returned:
smtp_dns_support_level = enabled smtp_tls_security_level = may
To enable outgoing email DANE verification, these settings must be changed as:
zmprov ms `zmhostname` zimbraMtaSmtpDnsSupportLevel "dnssec" zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel "dane" zmmtactl restart
Make Sure Your DNS Resolver Supports DNSSEC
DANE requires DNSSEC. This means that Postfix MUST be able to use a DNS resolver that validates DNSSEC. It won’t work without it. To test if your resolver supports it, run the following commands:
dig sigok.verteiltesysteme.net dig sigfail.verteiltesysteme.net
The first command should return an A record, and the second command should return a SERVFAIL. If you have a different result, your DNS resolver does not verify DNSSEC and you need to fix this first. One way to fix this is to install DNSMASQ as described here: https://wiki.archlinux.org/title/dnsmasq. On Ubuntu, DNSMASQ is included. Please note that CentOS 7 is shipped with a DNSMASQ that is compiled without DNSSEC support. You will have to compile it from source to use it on CentOS 7.
Do a Test DANE Verification
Now head over to https://havedane.net/. Here you see a bunch of weird looking email addresses. To do a DANE test, copy these into a new email, and watch the output on the page turn green. Also run tail -f /var/log/mail.log on your Zimbra to see the Postfix logs. If you see a red banner on havedane.net, the test failed. Look in the logs for clues.
Copy/paste the email addresses from havedane.net to your Zimbra webmail and send an email.
Example of a Successful DANE Verification
Here is a log of a successful DANE verification:
Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: from=<admin@zimbra9-dev.zimbra.tech>, size=1916, nrcpt=3 (queue active) Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332) Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332) Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332) Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 3A03D13B331: removed Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: connect from localhost[127.0.0.1] Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: 8A40913B331: client=localhost[127.0.0.1] Feb 22 10:02:36 zimbra9-dev postfix/cleanup[1177220]: 8A40913B331: message-id=<1820848796.80.1645524155164.JavaMail.zimbra@zimbra9-dev.zimbra.tech> Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 8A40913B331: from=<admin@zimbra9-dev.zimbra.tech>, size=2239, nrcpt=3 (queue active) Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331) Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331) Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331) Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: removed Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, delays=0.01/0.02/1.5/0, dsn=4.7.5, status=deferred (Server certificate not verified) Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529) Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)
Example of a Failed DANE Verification
This log is an indication of a DNS resolver that does not verify DNSSEC.
Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: from=<admin@zimbra9-dev.zimbra.tech>, size=2233, nrcpt=3 (queue active) Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329) Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329) Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329) Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: E181613B330: removed Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: DNSSEC validation may be unavailable Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: DNSSEC validation may be unavailable Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529) Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170820]: 0B56E13B329: to=<874c05b09e9471be@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8DC07BF537) Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.01/1.4/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3) Feb 22 09:52:09 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: removed
Further Reading
- https://www.networking4all.com/en/support/faq/what-is-dane-and-dnssec
- https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix
- https://havedane.net/
- https://dnssec.vs.uni-due.de/
- https://internet.nl/
Have feedback? Please leave us a comment.
Thanks,
Your Zimbra Team
Comments are closed.