299a2315c1
* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry.
81 lines
2.9 KiB
Bash
Executable file
81 lines
2.9 KiB
Bash
Executable file
#!/bin/bash
|
|
# OpenDKIM
|
|
# --------
|
|
#
|
|
# OpenDKIM provides a service that puts a DKIM signature on outbound mail.
|
|
#
|
|
# The DNS configuration for DKIM is done in the management daemon.
|
|
|
|
source setup/functions.sh # load our functions
|
|
source /etc/mailinabox.conf # load global vars
|
|
|
|
# Install DKIM...
|
|
apt_install opendkim opendkim-tools opendmarc
|
|
|
|
# Make sure configuration directories exist.
|
|
mkdir -p /etc/opendkim;
|
|
mkdir -p $STORAGE_ROOT/mail/dkim
|
|
|
|
# Used in InternalHosts and ExternalIgnoreList configuration directives.
|
|
# Not quite sure why.
|
|
echo "127.0.0.1" > /etc/opendkim/TrustedHosts
|
|
|
|
if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
|
|
true # already done #NODOC
|
|
else
|
|
# Add various configuration options to the end of `opendkim.conf`.
|
|
cat >> /etc/opendkim.conf << EOF;
|
|
MinimumKeyBits 1024
|
|
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
|
|
InternalHosts refile:/etc/opendkim/TrustedHosts
|
|
KeyTable refile:/etc/opendkim/KeyTable
|
|
SigningTable refile:/etc/opendkim/SigningTable
|
|
Socket inet:8891@localhost
|
|
RequireSafeKeys false
|
|
EOF
|
|
fi
|
|
|
|
# Create a new DKIM key. This creates mail.private and mail.txt
|
|
# in $STORAGE_ROOT/mail/dkim. The former is the private key and
|
|
# the latter is the suggested DNS TXT entry which we'll include
|
|
# in our DNS setup. Note tha the files are named after the
|
|
# 'selector' of the key, which we can change later on to support
|
|
# key rotation.
|
|
#
|
|
# A 1024-bit key is seen as a minimum standard by several providers
|
|
# such as Google. But they and others use a 2048 bit key, so we'll
|
|
# do the same. Keys beyond 2048 bits may exceed DNS record limits.
|
|
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
|
|
opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
|
|
fi
|
|
|
|
# Ensure files are owned by the opendkim user and are private otherwise.
|
|
chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
|
|
chmod go-rwx $STORAGE_ROOT/mail/dkim
|
|
|
|
tools/editconf.py /etc/opendmarc.conf -s \
|
|
"Syslog=true" \
|
|
"Socket=inet:8893@[127.0.0.1]"
|
|
|
|
# Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM
|
|
# intercepts outgoing mail to perform the signing (by adding a mail header)
|
|
# and how they both intercept incoming mail to add Authentication-Results
|
|
# headers. The order possibly/probably matters: OpenDMARC relies on the
|
|
# OpenDKIM Authentication-Results header already being present.
|
|
#
|
|
# Be careful. If we add other milters later, this needs to be concatenated
|
|
# on the smtpd_milters line.
|
|
#
|
|
# The OpenDMARC milter is skipped in the SMTP submission listener by
|
|
# configuring smtpd_milters there to only list the OpenDKIM milter
|
|
# (see mail-postfix.sh).
|
|
tools/editconf.py /etc/postfix/main.cf \
|
|
"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
|
|
non_smtpd_milters=\$smtpd_milters \
|
|
milter_default_action=accept
|
|
|
|
# Restart services.
|
|
restart_service opendkim
|
|
restart_service opendmarc
|
|
restart_service postfix
|
|
|