Adding DKIM record (1024 bit) in Zimbra

Email security is very important nowadays. We usually focus on inbound email security. However, it is just as important to strengthen security for outbound email so that messages are delivered successfully to the recipient's inbox.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The reputation of the sending server affects whether email is delivered successfully. DKIM lets the recipient check that the message was not altered between sending and delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

In some cases we have to generate a 1024-bit DKIM key, either because of an old Zimbra version or because the DNS server does not support 2048-bit keys. Follow the steps below to publish a 1024-bit DKIM key.

Generate DKIM Key:

DKIM signing is done at the domain level, including alias domains. Setting up signing consists of two parts:

1. Generate DKIM data.

2. Update the DNS server with the public DNS entry.

DKIM data needs to be generated per domain on the MTA server, and the resulting record needs to be published in the public DNS of each domain.

DKIM Record Work Methodology
 


Part I: (Generate DKIM Data)

 

Step 1: Modify DKIM generator

a. Edit (as root) the script file /opt/zimbra/libexec/zmdkimkeyutil and replace all '2048' occurrences with '1024'.

This allows the script to create a DKIM key of length 1024 and makes that length the default.

cp /opt/zimbra/libexec/zmdkimkeyutil /srv/zmdkimkeyutil.backup

vim /opt/zimbra/libexec/zmdkimkeyutil

Replace all 6 "2048" occurrences with "1024", then save and exit.

 

Step 2: Generate a new DKIM key, replacing example.com with your domain. Note that you need to generate a DKIM key for each domain.

Switch to the zimbra user: su - zimbra

/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

 

Sample output:

DKIM Data added to LDAP for domain example.com with selector 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934

Public signature to enter into DNS:

3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey IN      TXT     ( "v=DKIM1; k=rsa;"

         "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB" )  ; ----- DKIM key 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934 for example.com

 

Step 3: Retrieve the stored DKIM data for your domain, replacing example.com with your domain.

As the zimbra user, run the command below:

/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

 

Sample Output:

DKIM Domain:

example.com

DKIM Selector:

3DEFB3BC-2CF7-11E7-B322-6C0B1889F934

DKIM Private Key:


 

DKIM Public signature:

3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey IN      TXT     ( "v=DKIM1; k=rsa;"

          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB" )  ; ----- DKIM key 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934 for example.com

 

DKIM Identity:

example.com

Step 4:

Highlight and copy: 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey

Highlight and copy: v=DKIM1; k=rsa;

Highlight and copy: p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB

 

Part II: (Add record to public DNS server)

For cPanel:

- Log in to your DNS web portal and open the zone file

- Create a new TXT entry

 

Name: 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey.example.com.

TTL: 3600

Type: TXT

TXT Data: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB

For BIND DNS servers:

3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey IN      TXT     ( "v=DKIM1; k=rsa;"

          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB" )  ; ----- DKIM key 3DEFB3BC-2CF7-11E7-B322-6C0B1889F934 for example.com

 

Verify DKIM Record:

Finally, verify the DKIM record at https://mxtoolbox.com/dkim.aspx

To verify, provide the selector information as shown below.

3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey.example.com
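
The record can also be sanity-checked offline before it is pasted into DNS. The following is an added example, not part of the original post or of Zimbra: it joins the quoted chunks of the record shown above, splits the DKIM tags, and reads the RSA modulus length out of the p= value, so a truncated paste or an unexpected key size is caught early. The function names are assumptions made for this illustration.

```python
import base64
import re

# Record from the sample output above (BIND form); helper names are illustrative.
PAGE_RECORD = ('3DEFB3BC-2CF7-11E7-B322-6C0B1889F934._domainkey IN TXT ( "v=DKIM1; k=rsa;" '
               '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbKFdF6L7f4Ir+4tXGsMrz7HwHYsp7S14rmrl64oyltuLU30xMPU+nII+FZZ6OL7zQabncD2uUnb3+vttQbeaW+HtSrgnZ7JTjd4PAqC4DmX8Ec6Xpe59qCB3TsQH9thDnN4kA/BtkG4GR0jizDjFmXPHYl+vcFDv/ZlFnsvf6nQIDAQAB" )')

def dkim_tags(record: str) -> dict:
    """Join the quoted chunks of a BIND TXT record (or take a bare value) into tags."""
    chunks = re.findall(r'"([^"]*)"', record)
    parts = ("".join(chunks) if chunks else record).split(";")
    return {k.strip(): "".join(v.split())
            for k, _, v in (p.partition("=") for p in parts) if k.strip()}

def _tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64: str) -> int:
    """Bit length of the RSA modulus in the SubjectPublicKeyInfo carried by p=."""
    der = base64.b64decode(p_b64, validate=True)
    _, body, end = _tlv(der, 0)                 # outer SEQUENCE
    if end != len(der):
        raise ValueError("p= is truncated or has trailing data")
    _, _, alg_end = _tlv(der, body)             # AlgorithmIdentifier (skipped)
    _, bits_start, _ = _tlv(der, alg_end)       # BIT STRING wrapping RSAPublicKey
    _, key_body, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits octet
    tag, n_start, n_end = _tlv(der, key_body)   # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("p= does not contain an RSA public key")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(record: str, min_bits: int = 1024) -> list:
    """Return a list of problems found in a DKIM TXT record (empty means OK)."""
    tags, problems = dkim_tags(record), []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    try:
        bits = rsa_modulus_bits(tags.get("p", ""))
        if bits < min_bits:
            problems.append(f"RSA key is {bits} bits, below {min_bits}")
    except (ValueError, IndexError) as exc:
        problems.append(f"unusable p= value: {exc}")
    return problems
```

Calling check_record(PAGE_RECORD) returns an empty list for the record above; calling it with min_bits=2048 reports the key as too short, which is the check to run once the Zimbra version and DNS host allow a 2048-bit key.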
