DANE verification for outgoing email
DANE (DNS-Based Authentication of Named Entities, RFC 6698; its application to SMTP is RFC 7672) adds a second check on the TLS certificate a receiving mail server presents: the owner of the destination domain publishes TLSA records in DNSSEC-signed DNS that pin the certificate or issuing CA the MX must use, so a sending MTA can tell a genuine STARTTLS session from a spoofed or downgraded one. If you want to know more about DANE please refer to the Further reading section below.
In this article you will learn how to enable DANE verification for outgoing email in Zimbra. In a different article we will explain how to set up DANE for incoming email.
First check the current Postfix settings:
/opt/zimbra/common/sbin/postconf smtp_dns_support_level
/opt/zimbra/common/sbin/postconf smtp_tls_security_level
The following will be returned
smtp_dns_support_level = enabled
smtp_tls_security_level = may
To enable DANE verification for outgoing email, change both settings through zmprov (which writes the corresponding Postfix parameters for you; do not edit main.cf directly, Zimbra overwrites it) and restart the MTA:
zmprov ms `zmhostname` zimbraMtaSmtpDnsSupportLevel "dnssec"
zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel "dane"
zmmtactl restart
Make sure your DNS resolver supports DNSSEC
DANE requires DNSSEC. This means that Postfix MUST be able to use a DNS resolver that validates DNSSEC; without one it cannot trust the TLSA records and silently falls back to ordinary opportunistic TLS. To test whether your resolver validates, run the following two commands on the Zimbra server:
dig sigok.verteiltesysteme.net
dig sigfail.verteiltesysteme.net
The first command should return an A record (with the ad flag set in the response header) and the second should return a SERVFAIL, because sigfail.verteiltesysteme.net is deliberately signed with a broken signature. If you get a different result, your DNS resolver does not validate DNSSEC and you need to fix this first. One way is to run a validating dnsmasq on the Zimbra host as described here: https://wiki.archlinux.org/title/dnsmasq. On Ubuntu dnsmasq is included. Please note that CentOS 7 ships a dnsmasq that is compiled without DNSSEC support, so on CentOS 7 you will have to build it from source. Whichever resolver you use, it must be reachable over a path you trust (ideally 127.0.0.1): Postfix relies on the AD bit in the resolver's answers, and that bit is not itself protected on the wire, so a validating resolver across an untrusted network gives no security.
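A small Python checker for the resolver test above, added here as an example (it is not part of the original article or of Zimbra). It runs the same two dig queries and classifies the resolver from the answer status and the ad flag; the classification is kept in a separate function so it can be exercised on captured dig output without network access. The sample outputs embedded in the block are constructed, not captured from a real resolver.

```python
"""Check whether the resolver Postfix will use validates DNSSEC.

Added example, not part of the Zimbra wiki article. Runs the two dig
queries from the article (sigok / sigfail.verteiltesysteme.net) and decides
from dig's text output whether the resolver validates. A validating
resolver answers sigok with NOERROR and the AD (authenticated data) flag,
and answers sigfail with SERVFAIL; a non-validating one hands back the
bogus sigfail answer as if it were fine.
"""
import re
import subprocess
import sys
from typing import Optional

SIGOK = "sigok.verteiltesysteme.net"
SIGFAIL = "sigfail.verteiltesysteme.net"

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)


def dig_status(output: str) -> str:
    """Return the rcode ('NOERROR', 'SERVFAIL', ...) or 'NONE' if dig got no answer."""
    m = STATUS_RE.search(output)
    return m.group(1) if m else "NONE"


def dig_flags(output: str) -> set:
    """Return the header flags (qr, rd, ra, ad, ...) as a set."""
    m = FLAGS_RE.search(output)
    return set(m.group(1).split()) if m else set()


def classify_resolver(ok_output: str, fail_output: str) -> str:
    """Classify a resolver from its answers to the good and the bad signature.

    'validating'     -> sigok answered NOERROR with the AD bit, sigfail SERVFAIL
    'not-validating' -> sigfail answered NOERROR (the bogus data was accepted)
    'unknown'        -> anything else (timeouts, NOERROR without AD, ...)
    """
    ok_status = dig_status(ok_output)
    fail_status = dig_status(fail_output)
    if ok_status == "NOERROR" and "ad" in dig_flags(ok_output) and fail_status == "SERVFAIL":
        return "validating"
    if fail_status == "NOERROR":
        return "not-validating"
    return "unknown"


def run_dig(name: str, server: Optional[str] = None) -> str:
    """Run dig for an A record, optionally against a specific server (dig @server)."""
    cmd = ["dig"]
    if server:
        cmd.append(f"@{server}")
    cmd += [name, "A"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_resolver(server: Optional[str] = None) -> str:
    """Live check: query both test names and classify the resolver."""
    return classify_resolver(run_dig(SIGOK, server), run_dig(SIGFAIL, server))


# Constructed dig output (header lines only), not captured from a real resolver.
VALIDATING_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NONVALIDATING_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    # Usage: python3 check_dnssec.py [resolver-ip]; without an argument it
    # uses the system resolver, which is the one Postfix on this host uses.
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it on the Zimbra host itself, because what matters is the resolver in that host's /etc/resolv.conf, not the one on your workstation. A result of "unknown" where sigok comes back NOERROR without the ad flag usually means a forwarder that is not validating but is also not passing the broken answer through unchanged; treat it like "not-validating".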
Do a test DANE verification
Now head over to https://havedane.net/. The page shows a set of randomly generated test addresses at do.havedane.net, dont.havedane.net and wrong.havedane.net; copy all of them into a new email, send it from your Zimbra server and watch the indicators on the page turn green as each delivery is checked. In the meantime also run tail -f /var/log/mail.log
on your Zimbra server to follow the Postfix logs. A red banner on havedane.net means a test has failed and you need to look in the logs for clues.
Example of a successful DANE verification
Here is a log of a successful DANE verification. The first lines are Zimbra's internal hops over 127.0.0.1 (the content filters); the lines that matter are the final deliveries to the remote MX: do.havedane.net and dont.havedane.net are delivered (dont.havedane.net has no TLSA record, so Postfix falls back to opportunistic TLS there), while wrong.havedane.net is deferred with "Server certificate not verified" (dsn 4.7.5) because its certificate does not match the published TLSA record. That deferral is the expected result and the message to wrong.havedane.net will keep retrying until it expires:
Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: from=<admin@zimbra9-dev.zimbra.tech>, size=1916, nrcpt=3 (queue active)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 3A03D13B331: removed
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: connect from localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: 8A40913B331: client=localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/cleanup[1177220]: 8A40913B331: message-id=<1820848796.80.1645524155164.JavaMail.zimbra@zimbra9-dev.zimbra.tech>
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 8A40913B331: from=<admin@zimbra9-dev.zimbra.tech>, size=2239, nrcpt=3 (queue active)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: removed
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, delays=0.01/0.02/1.5/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)
The following log is what you get when the DNS resolver does not validate DNSSEC. The telltale lines are the warnings "DNSSEC validation may be unavailable" with reason "dnssec_probe 'ns:.' received a response that is not DNSSEC validated": Postfix probes the resolver before using DANE and, finding no validated answers, falls back to opportunistic TLS. Mail still flows, but nothing is verified, which is why wrong.havedane.net is delivered (status=sent) here instead of being deferred.
Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: from=<admin@zimbra9-dev.zimbra.tech>, size=2233, nrcpt=3 (queue active)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: E181613B330: removed
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170820]: 0B56E13B329: to=<874c05b09e9471be@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8DC07BF537)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.01/1.4/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3)
Feb 22 09:52:09 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: removed
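An added Python triage script for the two logs above (example code, not part of the article or of Zimbra). It reads the mail.log lines from a havedane.net test run and reports whether each of the three test domains ended up where DANE should put it, and whether Postfix complained about the resolver. The two embedded samples are excerpts of the logs shown above: the successful run and the run with the non-validating resolver.

```python
"""Triage Postfix mail.log output from a havedane.net test run.

Added example, not part of the Zimbra wiki article. For each of the three
havedane.net test domains it picks the delivery to the remote MX (the hops
through Zimbra's content filters on 127.0.0.1 are ignored) and compares the
final status with what a working DANE setup must produce:
  do.havedane.net    sent      (TLSA record matches the certificate)
  dont.havedane.net  sent      (no TLSA record, opportunistic TLS fallback)
  wrong.havedane.net deferred  (TLSA record does not match, delivery refused)
It also flags the "DNSSEC validation may be unavailable" warning, which means
Postfix never saw validated answers and fell back to plain opportunistic TLS.
"""
import re
import sys

EXPECTED = {
    "do.havedane.net": "sent",
    "dont.havedane.net": "sent",
    "wrong.havedane.net": "deferred",
}

DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>\S+), .*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
CERT_FAIL_RE = re.compile(r"server certificate verification failed for (?P<host>[^\[\s]+)\[")
DNSSEC_WARN_RE = re.compile(r"warning: DNSSEC validation may be unavailable")


def triage(log_text: str) -> dict:
    """Return a verdict dict for one test run's log lines."""
    results = {}        # domain -> status of the delivery to the remote MX
    cert_failures = []  # hosts whose certificate failed verification
    dnssec_warning = False
    for line in log_text.splitlines():
        if DNSSEC_WARN_RE.search(line):
            dnssec_warning = True
            continue
        m = CERT_FAIL_RE.search(line)
        if m:
            cert_failures.append(m.group("host"))
            continue
        m = DELIVERY_RE.search(line)
        if not m or m.group("relay").startswith("127.0.0.1"):
            continue  # not a delivery line, or an internal Zimbra hop
        results[m.group("domain")] = m.group("status")

    problems = []
    if dnssec_warning:
        problems.append("Postfix got no DNSSEC-validated answers; fix the resolver first")
    for domain, want in EXPECTED.items():
        got = results.get(domain, "missing")
        if got != want:
            problems.append(f"{domain}: expected status={want}, got status={got}")
    return {
        "verdict": "pass" if not problems else "fail",
        "problems": problems,
        "results": results,
        "cert_failures": cert_failures,
        "dnssec_warning": dnssec_warning,
    }


# Excerpt of the successful run shown in the article (internal hop kept on purpose).
SUCCESS_LOG = """\
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, delays=0.01/0.02/1.5/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)
"""

# Excerpt of the run with a non-validating resolver shown in the article.
BROKEN_LOG = """\
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170820]: 0B56E13B329: to=<874c05b09e9471be@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8DC07BF537)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.01/1.4/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3)
"""

if __name__ == "__main__":
    # Usage: grep havedane /var/log/mail.log | python3 dane_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SUCCESS_LOG
    report = triage(text)
    print(report["verdict"])
    for p in report["problems"]:
        print(" -", p)
```

Feed it only the lines for one test message (grep on the queue ID or on "havedane"), otherwise an earlier, failed run can mask a later successful one because the last status seen per domain wins.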