(How-To) Kopano UCS 4.4 Latest install - DKIM support

Hi everyone, I’m migrating a Zimbra server to the newest K4UCS server available.
Now, I m dealing with a problem, that’s how can I implement the DKIN & DMARC support on the server?

Are there any how-tos? On a quick search on google, I couldn’t find any useful for Kopano UCS …

Is this implemented manually ?? via CLI?

Sorry for the quick message, but I m trying to find the info on searches, but decided to ask for help in here too.

Thanks in advance.

I have never setup dkim or dmarc on an ucs system personally, but searching in this forum gives some results. Kopano is just using the default mail stack of ucs so any ucs based tutorial should work.


Hi everyone, this is a quick How-to about how I’ve set up this on my test server.

Info here was gathered from several ones available, either on posts on this forum or from searching the Net, it’s not my credits.

links / credits:




I did this using the ‘root’ user and running UCS version 4.4.

Set the repository to be able to download the packages needed:

ucr set repository/online/unmaintained='yes'

Install the packages needed:

univention-install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre

Make a copy of the original file:

cp /etc/opendkim.conf /etc/opendkim.conf.original

Open file /etc/default/opendkim and change:


The socket number may be different, use one not in use.

Sample of my own:

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

open postfix template ::

vi /etc/univention/templates/files/etc/postfix/main.cf.d/10_general

add this end of file:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Save the file and run:

univention-config-registry commit /etc/postfix/main.cf

Create the relevant files:
vi /etc/opendkim/TrustedHosts

Create a key table:
vi /etc/opendkim/KeyTable

mail._domainkey.domain.com domain.com:mail:/etc/opendkim/keys/domain.com/mail.private

Create a signing table:
vi /etc/opendkim/SigningTable

*@domain.com mail._domainkey.domain.com

Generate the public and private keys:

cd /etc/opendkim/keys
mkdir domain.com
cd domain.com

Generate the keys:

opendkim-genkey -s mail -d domain.com

Change the owner of the private key to opendkim:

chown opendkim:opendkim mail.private

Add the public key to the domain’s DNS records
This part can be tricky to someone not used to do this, since you need to copy the text ‘as is’ to the TXT record.

Sample key:

nano -$ mail.txt
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxddfBL9/0ZgCHpwXv92xxvpasPXUaIeXXosDCiypxUIY1CtCRLJ8Ti03FZrJGVQvYmYaiI1Wa8omMVF11b+0U6Cl5t2BlH6VzBYxuNHk1w91xkVJz59MTYuwNTT87JuMGM/y0IQV8UfykZ7TWZxvr79mWYxSLkYC5CDTrPj7iph2MWn/8fqsUMcJbNd4oLszY5nyqfmmhMug0avPQ/vEmmUjb9MwUU15Og4GvcjQ5XK/u5o9Z4wktM8v+v+4JM19xX6L/wR7HgW4d0mq/UtAWSqlnqgQcsztcjt

Copy the key to your TXT record on the DNS server serving your domain.

Sample of mine, on Cloudflare DNS record:

TXT    mail._domainkey	v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkq

Restart services:

service postfix restart
service opendkim restart

Hope this can help someone too.


First: thanks for providing this How-To

I did a comparable setup a while ago and it appears that we nearly have done the same.
Some additional remarks:

It is not necessary to change the postffix template anymore. All changes can be done in /etc/postfix/main.cf.local. This eliminates the need of reviewing the changed template after an update.

I dont see where the installed packages postfix-policyd-spf-python and postfix-pcre are needed but maybe I am missing something.

Once https://forge.univention.org/bugzilla/show_bug.cgi?id=50777 is resolved it is not needed to activate the unmaintained repository anymore. It looks like this will happen in a couple of days.

Best Regards,


Hello @mag007 and thank you very much for the howto.

As small addition:
Under certain circumstances (e.g. if Spamassassin has been configured in UCS) it can happen that when using “DomainKeys Identified Mail” (DKIM) the entry is duplicated or even tripled.

With standard settings, every mail sent is checked by Amavis and then run through postfix again, which adds an additional DKIM header. However, this can be prevented with the appropriate configuration.

A german tutorial with detailed background information is available here (newsportal.koeln):
Unfortunately, with UCS, at the moment a template file has to be changed as shown below.

root@mail:~# diff -u /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir_ORIGINAL /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir
--- /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir_ORIGINAL	2020-02-18 23:42:35.041259401 +0100
+++ /etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir	2020-02-18 23:44:06.876020444 +0100
@@ -21,5 +21,5 @@
 	-o smtpd_error_sleep_time=0
 	-o smtpd_soft_error_limit=1001
 	-o smtpd_hard_error_limit=1000
-	-o receive_override_options=no_address_mappings''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}
+	-o receive_override_options=no_address_mappings,no_milters''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}

root@mail:~# ucr commit /etc/postfix/master.cf
Multifile: /etc/postfix/master.cf

root@mail:~# systemctl restart postfix.service

The easiest way to check the result is to use a mail reply service, for example the service of Port25. Just send an (empty) mail to check-auth@verifier.port25.com and check the result sent back to you.

hth, Greetings Lutz

Thanks for the efforts @mag007 @ahrnke @lutz.willek ! May I ask what is the situation a year later? Is the advice in this thread still valid?

I am implementing mail server on UCS. Hopefully some day DKIM can be configured via UMC/UCR, but meanwhile, update of any kind of the current workarounds would be highly appreciated.

This bug https://forge.univention.org/bugzilla/show_bug.cgi?id=31993 has been open for a while and seems I am not alone with the interest to a supported DKIM setup on Univention UCS. :slight_smile: