Installing DKIM for Zimbra on CentOS or Red Hat

DKIM stands for DomainKeys Identified Mail. It helps reduce the probability that your mail will be tagged as spam. DKIM is currently used by many email providers like Google and Yahoo. See www.dkim.org for more information.

DKIM is not included with Zimbra. But since Zimbra uses Postfix, it’s rather simple to enable it.

Here is how I have done it :

First, install the RPM (replace i386 with x86_64 if you are running on a 64-bit OS) :

#rpm -ivh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.i386.rpm

Generate our key :

#cd /etc/dkim-filter

#dkim-genkey -b 1024 -d example.com -s default

Make sure that we have the right permissions :

#chown dkim-milt *

#chmod 600 *

Add the following lines at the end of /etc/dkim-filter.conf :

Selector default
Domain example.com
KeyFile                 /etc/dkim-filter/default.private

In the same file, make sure the following line is commented out (that line could be used if you have multiple domains):

#KeyList                        /etc/mail/dkim/keylist

Add the following line in /etc/mail/dkim/trusted-hosts (this will make sure that outgoing mail is tagged with DKIM headers):

127.0.0.1/32

Start DKIM and make sure it will be started on next reboot :

#/etc/init.d/dkim-milter start

#chkconfig dkim-milter on

In the previously generated file /etc/dkim-filter/default.txt, you have the entry that you have to add to your DNS server :

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY7Lgaeyh6uoRGTOlZI0+5psR2GXB8pUUhsy8M94miy8qnk1nZHvQd+vfo+rfRxdgD4muBDMPOo5yPlcnIRb1uI4g+r0Ztz07KSKvw6PpEyCTqB97n69UFvnnDNcnoJlmhLSivxGGS7qPU1KgD3OCsKYiB4ONuTuWShfueiZPDdQIDAQAB" ; ----- DKIM default for example.com

Depending on where your DNS is hosted, you can simply add that line in your DNS config files or see this document on how to do that with different providers.

The final step is to tell Postfix to use DKIM :

Add or replace the following lines in /opt/zimbra/postfix/conf/master.cf.in

-o smtpd_milters=inet:localhost:20209
-o milter_default_action=accept
-o disable_mime_output_conversion=yes
-o non_smtpd_milters=inet:localhost:20209

Finally, restart the Zimbra MTA so that the change takes effect :

# su - zimbra

$zmmtactl restart

If you want to test that everything is correctly set up, send an email to "autorespond+dkim-relaxed@dk.elandsys.com"; you should get an email within a few minutes with the following line :

DKIM Signature validation: pass (1024-bit key)

Once you get that, everything is working as expected!

This setup has been tested on CentOS 5.4 and Zimbra 5.0.16 but it should also work with Zimbra 6.x.

Update (July 24 2010) :

Here are a few more tips to troubleshoot your DKIM installation :

Make sure your outgoing mail is being tagged. Every time a mail is sent there should be a line like this in your /var/log/zimbra.log :

Jul 24 20:11:13 mail dkim-filter[5351]: 2875014C024 "DKIM-Signature" header added

Make sure your TXT entry is correct; you should be able to test it with the host command. The syntax would be : $host -t txt <name of your key>._domainkey.<domain name>

In my example, that would be : $host -t txt default._domainkey.example.com

Or for gmail.com :  $host -t txt gamma._domainkey.gmail.com
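To check a record before or after publishing it, the following added example (not part of the original article) parses a TXT value as printed by dkim-genkey or host, checks the v= and k= tags, and reads the RSA modulus size from p=, which is the figure the autoresponder reports as "1024-bit key". The function names and the min_bits parameter are assumptions of this example; SAMPLE is the example.com record shown above.

```python
import base64
import re

# Record from the article's default.txt (example.com), written with straight quotes.
SAMPLE = 'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY7Lgaeyh6uoRGTOlZI0+5psR2GXB8pUUhsy8M94miy8qnk1nZHvQd+vfo+rfRxdgD4muBDMPOo5yPlcnIRb1uI4g+r0Ztz07KSKvw6PpEyCTqB97n69UFvnnDNcnoJlmhLSivxGGS7qPU1KgD3OCsKYiB4ONuTuWShfueiZPDdQIDAQAB" ; ----- DKIM default for example.com'

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    _, seq, _ = _tlv(der, 0)                # outer SEQUENCE
    _, _, alg_end = _tlv(der, seq)          # AlgorithmIdentifier, skipped
    tag_b, bits, _ = _tlv(der, alg_end)     # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(der, bits + 1)         # +1 skips the unused-bits byte
    tag_i, start, end = _tlv(der, rsa)      # INTEGER modulus
    if (tag_b, tag_i) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(txt, min_bits=1024):
    """Return (tags, problems) for a DKIM TXT record from host or dkim-genkey."""
    txt = "".join(re.findall(r'"([^"]*)"', txt)) or txt   # join quoted TXT chunks
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())   # drop folding whitespace
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    try:
        tags["bits"] = rsa_bits(base64.b64decode(tags.get("p", ""), validate=True))
        if tags["bits"] < min_bits:
            problems.append(f"RSA key is {tags['bits']} bits, below {min_bits}")
    except (ValueError, IndexError):
        problems.append("p= is missing or not a valid RSA public key")
    return tags, problems
```

Calling check_dkim_record(SAMPLE) returns an empty problem list; passing min_bits=2048 flags the 1024-bit key that the dkim-genkey command above produces.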


30 Responses to “Installing DKIM for Zimbra on CentOS or Red Hat”

  1. Ronald Says:

    Hi, I am just wondering if this setup also applies to this version, dkim-milter-2.8.3-1.x86_64.rpm. I tried to follow your guide but it seems different. Also, I have a two-domain mail server; how can I set it up?

  2. Ronald Says:

    I followed your guide and already configured multiple domains… but it was not successful…

    DKIM Signature validation: not available
    DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.mydomain.com

    I have correct reverse DNS and SPF….

  3. Ronald Says:

    I’m back again. I just observed this when I try to restart zmmtactl:

    -o smtpd_milters=inet:localhost:20209
    -o milter_default_action=accept
    -o disable_mime_output_conversion=yes
    -o non_smtpd_milters=inet:localhost:20209

    none of these is saved in master.cf

  4. Étienne Pouliot Says:

    It should work with x64 with no problem, but I haven’t tested.

    You should set it in master.cf.in, that’s my mistake. master.cf gets overwritten every time Zimbra restarts.

    You could also try to put the following lines in main.cf :
    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209
    milter_default_action = accept

    You don’t need both, just one.

    If it works, you should see the following entry in zimbra.log every time a mail is sent :
    "DKIM-Signature" header added

  5. Ronald Says:

    Thanks for the reply… how can I set up 2 domains like domain1.com domain2.com? Also, once I edit master.cf I don’t need to restart with $zmmtactl restart?

  6. Étienne Pouliot Says:

    For multiple domains, instead of using the Keyfile parameter, you will have to use the Keylist parameter and specify the keyfile for each domain.

  7. Ronald Says:

    Thanks for the reply again… just wondering I have 4 main.cf

    /opt/zimbra/postfix-2.4.7.5z/conf/main.cf
    /opt/zimbra/postfix-2.6.5.2z/conf/main.cf
    /opt/zimbra/postfix-2.6.5.2z/conf/main.cf.default
    /opt/zimbra/postfix-2.6.5.2z/libexec/main.cf

    Do I need to edit them all and append

    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209
    milter_default_action = accept

    Also, after applying this do I need to restart the Zimbra server or just $zmmtactl restart?

    Thanks

  8. Étienne Pouliot Says:

    Just the one in /opt/zimbra/postfix/conf/main.cf

    /opt/zimbra/postfix/ should be a symlink to your current postfix version.

    $zmmtactl restart should be enough.

  9. Ronald Says:

    Thanks… now I have to try… I will let you know if it works….

  10. Ronald Says:

    Hi, I’m back after restart and tail zimbra logs… I have this error.

    warning: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success

  11. Ronald Says:

    Error logs…

    May 27 10:23:09 ns2 postfix/smtpd[22218]: warning: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success
    May 27 10:23:09 ns2 dkim-filter[3835]: terminated with signal 8, restarting
    May 27 10:23:09 ns2 postfix/cleanup[22222]: CC62E21E89FC: message-id=
    May 27 10:23:09 ns2 dkim-filter[22223]: Sendmail DKIM Filter v2.8.3 starting (args: -x /etc/dkim-filter.conf)

  12. Ronald Says:

    Ok after some research I found this…

    [Incompat 20090428] The default milter_protocol setting is increased
    from 2 to 6; this enables all available features up to and including
    Sendmail 8.14.0. The new milter_protocol setting may break
    compatibility with older Milter libraries or applications, and may
    cause Postfix to log warning messages such as:

    warning: milter inet:host:port: can’t read packet header: Unknown error : 0

    warning: milter inet:host:port: can’t read packet header: Success

    warning: milter inet:host:port: can’t read SMFIC_DATA reply
    packet header: No such file or directory

    To restore compatibility, specify "milter_protocol = 2" in main.cf.

    Now I did change milter_protocol = 2

    Now this is the error I have now….
    May 27 10:53:22 ns2 dkim-filter[22864]: D1B8121E8A5B: no signature data

  13. Ronald Says:

    I found an error: if milter_protocol = 2 is set in main.cf, all incoming mail is rejected… I’m still stuck with this error: warning: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success

  14. Ronald Says:

    "DKIM-Signature" header: after many rounds of trial and error I get this in my Zimbra log… if I add milter_protocol = 2 to main.cf… but the problem is that Zimbra mail can no longer receive any email…. If I remove milter_protocol I’m back to this problem: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success

    please help…

  15. Ronald Says:

    How to fix this error: can’t read SMFIC_DATA reply packet header: Success

  16. Étienne Pouliot Says:

    I really have no idea how to fix this error sorry.

  17. Edgar Tellez Says:

    Hi,

    I have done all the things in this tutorial, and everything seems to be fine, but every time I send an email to the DKIM test account: "autorespond+dkim-relaxed@dk.elandsys.com"

    I got this:

    DKIM Signature validation: not available
    DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.metatron.com

    So I use EasyDNS, and I have created a TXT record like this:

    v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBzDGZz/TUNjKQgbInsM8cJGABwTqIrXSMsouHETkeZAZqE0XAVXEAIsqdY8MGkP24Xhy8HykgZIHeDzn G3jPlADiaHjQcmoqW7lcM+fCFrtSlOQRqK0dVLPmwXBxxUla9LNxKjo0Gj5CNGPThlWzhH53mw6itRqKeIiVo5KQmzwIDAQAB

    Is that right??? What else do I need to do??

    Regards

  18. Étienne Pouliot Says:

    Hello,

    There is something wrong with your DNS entry. I think the "TXT name" is missing.

    The following command should return your DKIM signature : host -t txt _adsp._domainkey.metatron.com

    But it does not.

  19. Étienne Pouliot Says:

    I updated the article by adding a few tips at the bottom of the article to help people troubleshoot their DKIM issue.

  20. Edgar Tellez Says:

    Well, I made a mistake; my full default.txt is the following:

    default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
    CBiQKBgQDmGqJ5XDG50kq73j+QbDtmQXWzZAyTg9i3YIYQyiX3+xw8+Nj3D1KMQRx4do0ubFU+e0JsNS
    9Zilo5VyQHSPoc9z1HiUEJHBloiy0K8uWT8YqYSYpTp5kQLegVtWWgHwer7zFGZNwdoW8LXTYalGC3ii
    1Kiqy8HYhp+rDTNEz4dQIDAQAB" ; ----- DKIM default for metatron.com

    And EasyDNS (my DNS provider) only allows me to set 2 fields:

    "hostname" & TXT record, so what I did was this:

    hostname: smtp.metatron.com

    TXT: v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
    CBiQKBgQDmGqJ5XDG50kq73j+QbDtmQXWzZAyTg9i3YIYQyiX3+xw8+Nj3D1KMQRx4do0ubFU+e0JsNS
    9Zilo5VyQHSPoc9z1HiUEJHBloiy0K8uWT8YqYSYpTp5kQLegVtWWgHwer7zFGZNwdoW8LXTYalGC3ii
    1Kiqy8HYhp+rDTNEz4dQIDAQAB

    Which part of the default.txt file do I have to put in the TXT record??

    **** And second, I was seeing in my Zimbra logs the same problem reported by Ronald:

    "can’t read SMFIC_DATA reply packet header: Success"

    What I am going to do is try to upgrade my sendmail version to 8.14. I am using CentOS 5.5 and the sendmail version is: "sendmail-8.13.8-8.el5"
    Has anybody found how to solve the can’t read SMFIC_DATA issue??

    Best Regards

    Edgar T.

  21. Étienne Pouliot Says:

    I’m not really familiar with easydns, but try to fill the hostname field with the following : default._domainkey.metatron.com

    If it does not work, try to fill it with default._domainkey

    What you put in the TXT field is correct.

    What version of Zimbra are you using ? I’m guessing that people that are getting the SMFIC_DATA error are using Zimbra 6 ?

  22. pnyet Says:

    Hello, can you tell me where I should put the DKIM configuration in master.cf? Give your master.cf ;)

  23. Étienne Pouliot Says:

    I can’t. Simply because I no longer set it in master.cf.in, so I don’t have any working example.

    I find it to be easier to set it up in main.cf.

    You just need to add those 3 lines at the end of main.cf :

    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209
    milter_default_action = accept

  24. david Says:

    Hello, can you tell me where I should put the DKIM configuration in master.cf? Give your master.cf ;)

  25. Johnny Says:

    Edit /etc/default/dkim-filter in the Socket line to work:
    SOCKET="inet:20209"
    That’s the problem and not the main.cf: you just need to add the three commands at the end of the file (no secrets here).

  26. Steve Jenkins Says:

    Salut, Étienne. I was able to successfully set up DKIM on CentOS using OpenDKIM (based on dkim-milter). I wrote a HowTo on my blog here. Hopefully it can help some others trying to do this same setup. Ciao!

  27. Edgar Tellez Says:

    Hi,

    First of all, thanks for this great document; my Zimbra server is working properly with DKIM.

    Now I have an issue with milter (milter-reject). I have been receiving this message:

    milter-reject: END-OF-MESSAGE from mail-qw0-f52.google.com[209.85.216.52]: 4.7.1 Service unavailable – try again later; from= to= proto=ESMTP helo=<mail-qw0-f52.google.com.

    I know that this is because of the spam scores that I have defined. My question is: is there some way to permit the email that I am sending from Gmail to arrive in the Inbox and not be discarded?

    I have tested many whitelists in Zimbra, but with no success.

    Regards.

    Edgar T.

  28. Subhranshu Dwivedi Says:

    Hi Étienne,

    Installed DKIM, and configured as suggested

    But it’s the same issue which others are facing:

    Nov 30 19:54:23 mail postfix/smtpd[12232]: warning: milter inet:localhost:20209: can’t read SMFIC_DATA reply packet header: Success

    With no "DKIM-Signature" header added

    Could you suggest anything?

    I am on zcs-6.0.8_GA_2661.RHEL5.20100820051652

    Please help

    Thanks

    Subhranshu Dwivedi

  29. kirtan Says:

    Hi

    This is very helpful for domainkeys configuration, but
    when I try to download and install the dkim package

    it shows 404 Not Found. Please give any other link for this package download.

    I am waiting for your positive response

    Thanks
    Kirtan Patel

  30. Murray S. Kucherawy Says:

    dkim-milter v2.8.3 was released in May 2009 and is no longer supported. As Steve Jenkins pointed out, its twin, which is still under active development and support, can be found at http://www.opendkim.org. See the RELEASE_NOTES in the latest release for a list of what’s changed since dkim-milter.

