DANE verification for outgoing email


Revision as of 10:38, 22 February 2022

How to enable DANE verification for outgoing email in Zimbra

DANE (DNS-based Authentication of Named Entities) lets a domain publish TLSA records in DNSSEC-signed DNS that pin the certificate, or the CA, its mail server must present. A sending MTA that verifies DANE therefore no longer has to trust the public CA system, and it refuses to deliver to a server whose certificate does not match the published TLSA record. If you want to know more about DANE please refer to the Further reading section below.

In this article you will learn how to enable DANE verification for outgoing email in Zimbra. In a different article we will explain how to set up DANE for incoming email.

First check the current settings:

/opt/zimbra/common/sbin/postconf smtp_dns_support_level
/opt/zimbra/common/sbin/postconf smtp_tls_security_level

On a default installation this returns:

smtp_dns_support_level = enabled
smtp_tls_security_level = may

To enable DANE verification for outgoing email, change these two settings as follows. zmprov stores them as server attributes in LDAP, and the MTA restart regenerates the Postfix configuration from them:

zmprov ms `zmhostname` zimbraMtaSmtpDnsSupportLevel "dnssec"
zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel "dane"
zmmtactl restart

Make sure your DNS resolver supports DNSSEC

DANE requires DNSSEC. Postfix does not validate DNSSEC itself: it sends its queries with the DO bit set and trusts the AD (authenticated data) bit in the answers. This means that Postfix MUST use a DNS resolver that validates DNSSEC, and that resolver must be reached over a path an attacker cannot tamper with, normally 127.0.0.1 in /etc/resolv.conf. Without a validating resolver DANE will not work: Postfix logs a warning and silently falls back to opportunistic TLS, so the mismatching certificate is accepted. To test whether your resolver validates DNSSEC, run the following commands.

dig sigok.verteiltesysteme.net
dig sigfail.verteiltesysteme.net

The first command should return an A record and the second command should return a SERVFAIL. If you get a different result, your DNS resolver does not validate DNSSEC and you need to fix this first. One way is to install dnsmasq as a local validating resolver, as described here: https://wiki.archlinux.org/title/dnsmasq. On Ubuntu dnsmasq is available from the standard repositories; note that systemd-resolved may already be listening on port 53 (127.0.0.53), in which case its stub listener has to be disabled or moved so that dnsmasq can bind the port, and /etc/resolv.conf must then point at 127.0.0.1. Please note that CentOS 7 ships a dnsmasq that is compiled without DNSSEC support, so on CentOS 7 you will have to compile it from source.
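The resolver check above, automated as an added example (this script is not part of the original page or of Zimbra): it classifies the sigok/sigfail results the way Postfix's own probe does, additionally checking for the AD flag, verifies that /etc/resolv.conf points at loopback, and prints a dnsmasq fragment that enables validation. It assumes dig is installed; the dnsmasq upstream address 192.0.2.53 and the file name /etc/dnsmasq.d/dnssec.conf are placeholders, and the trust anchor is the root KSK with key tag 20326.

```shell
#!/bin/sh
# Added example, not part of the Zimbra page or of Zimbra itself: check that
# the resolver Postfix will use validates DNSSEC and is reached over a trusted
# path. Assumes `dig` is installed. The sigok/sigfail zones are the ones named
# in the article; the dnsmasq fragment is an assumed example configuration.

# rcode NAME -> prints the RCODE (NOERROR, SERVFAIL, ...) from dig's header line
rcode() {
    dig +dnssec +time=5 +tries=1 "$1" \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_ad NAME -> prints yes/no: did the answer carry the AD flag? Postfix's
# dnssec_probe decides "DNSSEC validation may be unavailable" on exactly this.
has_ad() {
    if dig +dnssec +time=5 +tries=1 "$1" | grep -q '^;; flags:.* ad[; ]'; then
        echo yes
    else
        echo no
    fi
}

# dnssec_verdict OK_RCODE OK_AD FAIL_RCODE -> one word:
#   validating      sigok answered with AD set, sigfail SERVFAILed: usable for DANE
#   no-ad-bit       sigfail SERVFAILed but AD is missing (validating upstream behind
#                   a non-validating forwarder): Postfix still cannot trust it
#   not-validating  sigfail resolved: signatures are ignored, DANE silently degrades
#   broken          anything else (both SERVFAIL, timeouts, typos)
dnssec_verdict() {
    ok="$1"; ad="$2"; fail="$3"
    if [ "$ok" = NOERROR ] && [ "$fail" = SERVFAIL ]; then
        if [ "$ad" = yes ]; then echo validating; else echo no-ad-bit; fi
    elif [ "$ok" = NOERROR ] && [ "$fail" = NOERROR ]; then
        echo not-validating
    else
        echo broken
    fi
}

# resolver_is_local RESOLV_CONF -> success if every nameserver is a loopback
# address (no nameserver line at all also counts: libc then defaults to
# 127.0.0.1). Postfix trusts the AD bit as-is, so a resolver reached over an
# untrusted network lets an on-path attacker fake "validated" answers.
resolver_is_local() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# dnsmasq_dnssec_conf -> prints a dnsmasq fragment (e.g. /etc/dnsmasq.d/dnssec.conf)
# that validates against the root KSK (key tag 20326) and forwards to an
# upstream of your choice; 192.0.2.53 is only a placeholder address.
dnsmasq_dnssec_conf() {
    cat <<'EOF'
dnssec
dnssec-check-unsigned
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
listen-address=127.0.0.1
server=192.0.2.53
EOF
}

# check_resolver -> runs the live test against the system resolver
check_resolver() {
    ok=$(rcode sigok.verteiltesysteme.net)
    ad=$(has_ad sigok.verteiltesysteme.net)
    fail=$(rcode sigfail.verteiltesysteme.net)
    echo "sigok=$ok ad=$ad sigfail=$fail -> $(dnssec_verdict "$ok" "$ad" "$fail")"
    if resolver_is_local /etc/resolv.conf; then
        echo "resolv.conf: nameserver is on loopback (ok)"
    else
        echo "resolv.conf: nameserver is not on loopback; Postfix cannot trust its AD bit"
    fi
}

# Usage: sh check_dnssec_resolver.sh --live
# The live check only runs when asked, so the functions can be sourced and tested.
case "${1-}" in --live) check_resolver ;; esac
```

Only "validating" is good enough for DANE: "no-ad-bit" looks fine in a plain dig (sigfail does SERVFAIL) but still produces the "DNSSEC validation may be unavailable" warning, because Postfix looks at the AD bit, not at whether bogus names fail.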

Do a test DANE verification

Now go to https://havedane.net/. The page shows a set of randomly generated test addresses, one each at do.havedane.net, dont.havedane.net and wrong.havedane.net. Copy them into a new email, send it, and watch the indicators on the page turn green. In the meantime run tail -f /var/log/mail.log on your Zimbra server to follow the Postfix logs. A red banner on havedane.net means a test has failed and you need to look in the logs for clues.

(Screenshot: copy/paste the email addresses from havedane.net into your Zimbra webmail and send an email.)

Example of a successful DANE verification


Here is a log of a successful DANE verification. The three recipients produce three different outcomes: the message to do.havedane.net (valid TLSA record) is sent, the message to dont.havedane.net (no TLSA record, so Postfix falls back to opportunistic TLS, as the dane security level allows) is also sent, and the message to wrong.havedane.net (a TLSA record that does not match the server's certificate) is deferred with dsn=4.7.5 "Server certificate not verified". The deferral is the proof that DANE is actually being enforced:

Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: from=<admin@zimbra9-dev.zimbra.tech>, size=1916, nrcpt=3 (queue active)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/smtp[1177223]: 3A03D13B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 5589513B332)
Feb 22 10:02:35 zimbra9-dev postfix/qmgr[1169927]: 3A03D13B331: removed
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: connect from localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/amavisd/smtpd[1177230]: 8A40913B331: client=localhost[127.0.0.1]
Feb 22 10:02:36 zimbra9-dev postfix/cleanup[1177220]: 8A40913B331: message-id=<1820848796.80.1645524155164.JavaMail.zimbra@zimbra9-dev.zimbra.tech>
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 8A40913B331: from=<admin@zimbra9-dev.zimbra.tech>, size=2239, nrcpt=3 (queue active)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, delays=0.01/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:36 zimbra9-dev postfix/qmgr[1169927]: 5589513B332: removed
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, delays=0.01/0.02/1.5/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, delays=0.01/0.01/1.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)

Example of a DANE verification failure

This log is an indication of a DNS resolver that does not validate DNSSEC. Postfix's probe of the root name servers ("dnssec_probe 'ns:.'") came back without the AD bit, so it logs "DNSSEC validation may be unavailable" and treats every domain as unsigned. The dangerous consequence is in the last lines: the message to wrong.havedane.net, whose certificate does not match its TLSA record, is delivered with status=sent, because without validated TLSA records the dane security level silently degrades to opportunistic TLS.

Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: from=<admin@zimbra9-dev.zimbra.tech>, size=2233, nrcpt=3 (queue active)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@dont.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170813]: E181613B330: to=<874c05b09e9471be@wrong.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.1, delays=0.01/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0B56E13B329)
Feb 22 09:52:08 zimbra9-dev postfix/qmgr[1169927]: E181613B330: removed
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170819]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170820]: 0B56E13B329: to=<874c05b09e9471be@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.02/1.4/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8DC07BF537)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, delays=0.01/0.01/1.4/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3)
Feb 22 09:52:09 zimbra9-dev postfix/qmgr[1169927]: 0B56E13B329: removed
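The two signals shown in the logs above, the "DNSSEC validation may be unavailable" warning and the "Server certificate not verified" deferral, are what you want to watch for after enabling DANE. The following audit script is an added example, not part of the original page or of Zimbra; it parses a Postfix mail log with awk, reports every delivery attempt to a remote MX, and gives a one-word verdict. The two sample logs embedded in it are constructed from shortened copies of the page's own excerpts.

```shell
#!/bin/sh
# Added example, not from the Zimbra page: audit a Postfix mail log for the
# two DANE signals discussed in the article. The sample logs below are
# constructed (shortened copies of the page's excerpts); point the functions
# at your real log, e.g. /var/log/mail.log.

# dnssec_warnings LOG -> number of "DNSSEC validation may be unavailable" lines
dnssec_warnings() {
    grep -c 'warning: DNSSEC validation may be unavailable' "$1" || :
}

# external_deliveries LOG -> one "STATUS RELAYHOST" line per delivery attempt
# to a remote MX; hops via relay=127.0.0.1 are Zimbra's internal content-filter
# path and carry no DANE information, so they are skipped.
external_deliveries() {
    awk '/postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=</ && /relay=/ && !/relay=127\.0\.0\.1/ {
            relay = ""; st = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^relay=/) { relay = $i; sub(/^relay=/, "", relay); sub(/\[.*$/, "", relay) }
                if ($i ~ /^status=/) { st = $i; sub(/^status=/, "", st) }
            }
            print st, relay
        }' "$1"
}

# dane_verdict LOG -> one word:
#   resolver-not-validating  Postfix got no validated answers; every delivery
#                            fell back to opportunistic TLS (mismatches accepted)
#   enforced                 a mismatching certificate was actually refused
#   no-evidence              neither signal present (no DANE-protected peer seen)
dane_verdict() {
    if [ "$(dnssec_warnings "$1")" -gt 0 ]; then
        echo resolver-not-validating
    elif grep -q 'status=deferred (Server certificate not verified)' "$1"; then
        echo enforced
    else
        echo no-evidence
    fi
}

# Constructed sample: validating resolver, TLSA mismatch refused.
sample_verified_log() {
    cat <<'EOF'
Feb 22 10:02:36 zimbra9-dev postfix/smtp[1177227]: 5589513B332: to=<21e483cb0892f86f@do.havedane.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8A40913B331)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: server certificate verification failed for wrong.havedane.net[5.79.70.105]:25: num=62:Hostname mismatch
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177233]: 8A40913B331: to=<21e483cb0892f86f@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.5, dsn=4.7.5, status=deferred (Server certificate not verified)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177231]: 8A40913B331: to=<21e483cb0892f86f@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 33C59BF529)
Feb 22 10:02:38 zimbra9-dev postfix/smtp[1177232]: 8A40913B331: to=<21e483cb0892f86f@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 36A36BF537)
EOF
}

# Constructed sample: non-validating resolver, mismatch silently accepted.
sample_unverified_log() {
    cat <<'EOF'
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170821]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: DNSSEC validation may be unavailable
Feb 22 09:52:08 zimbra9-dev postfix/smtp[1170820]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170821]: 0B56E13B329: to=<874c05b09e9471be@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8B9B0BF529)
Feb 22 09:52:09 zimbra9-dev postfix/smtp[1170819]: 0B56E13B329: to=<874c05b09e9471be@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9159DBF5A3)
EOF
}

# Usage: sh dane_audit.sh /var/log/mail.log
if [ -n "${1-}" ]; then
    echo "verdict: $(dane_verdict "$1")"
    echo "dnssec warnings: $(dnssec_warnings "$1")"
    external_deliveries "$1"
fi
```

On the first sample the verdict is "enforced" and wrong.havedane.net shows up as deferred; on the second it is "resolver-not-validating" and wrong.havedane.net shows up as sent, which is exactly the silent downgrade you must catch. Note that a deferred delivery is only evidence of enforcement when its reason is the certificate; the verdict therefore keys on the "Server certificate not verified" text, not on status=deferred alone.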

Further reading
