2013-09-01 14:13:51 +00:00
|
|
|
# OpenDKIM: Sign outgoing mail with DKIM
|
|
|
|
########################################
|
|
|
|
|
|
|
|
# After this, you'll still need to run dns_update.sh to get the DKIM
|
2013-08-21 20:53:22 +00:00
|
|
|
# signature in the DNS zones.
|
|
|
|
|
2014-06-03 11:12:38 +00:00
|
|
|
source setup/functions.sh # load our functions
|
2014-05-01 19:13:00 +00:00
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Install DKIM
|
2014-05-01 19:13:00 +00:00
|
|
|
apt_install opendkim opendkim-tools
|
2013-08-21 20:53:22 +00:00
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Make sure configuration directories exist.
|
2013-08-21 20:53:22 +00:00
|
|
|
mkdir -p /etc/opendkim;
|
|
|
|
mkdir -p $STORAGE_ROOT/mail/dkim
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Used in InternalHosts and ExternalIgnoreList configuration directives.
|
|
|
|
# Not quite sure why.
|
2013-08-21 20:53:22 +00:00
|
|
|
echo "127.0.0.1" > /etc/opendkim/TrustedHosts
|
|
|
|
|
|
|
|
if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
|
|
|
|
true; # already done
|
|
|
|
else
|
2013-09-01 14:13:51 +00:00
|
|
|
# Add various configuration options to the end.
|
2013-08-21 20:53:22 +00:00
|
|
|
cat >> /etc/opendkim.conf << EOF;
|
|
|
|
MinimumKeyBits 1024
|
|
|
|
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
|
|
|
|
InternalHosts refile:/etc/opendkim/TrustedHosts
|
|
|
|
KeyTable refile:/etc/opendkim/KeyTable
|
|
|
|
SigningTable refile:/etc/opendkim/SigningTable
|
|
|
|
Socket inet:8891@localhost
|
|
|
|
RequireSafeKeys false
|
|
|
|
EOF
|
|
|
|
fi
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Create a new DKIM key if we don't have one already. This creates
|
|
|
|
# mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former
|
|
|
|
# is the actual private key and the latter is the suggested DNS TXT
|
|
|
|
# entry which we'll want to include in our DNS setup.
|
2014-06-03 21:42:33 +00:00
|
|
|
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
|
2013-08-21 20:53:22 +00:00
|
|
|
# Should we specify -h rsa-sha256?
|
|
|
|
opendkim-genkey -r -s mail -D $STORAGE_ROOT/mail/dkim
|
|
|
|
fi
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Ensure files are owned by the opendkim user and are private otherwise.
|
2013-08-21 20:53:22 +00:00
|
|
|
chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
|
|
|
|
chmod go-rwx $STORAGE_ROOT/mail/dkim
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Add OpenDKIM as a milter to postfix, which is how it intercepts outgoing
|
|
|
|
# mail to perform the signing (by adding a mail header).
|
|
|
|
# Be careful. If we add other milters later, it needs to be concatenated on the smtpd_milters line.
|
2013-08-21 20:53:22 +00:00
|
|
|
tools/editconf.py /etc/postfix/main.cf \
|
|
|
|
smtpd_milters=inet:127.0.0.1:8891 \
|
|
|
|
non_smtpd_milters=\$smtpd_milters \
|
|
|
|
milter_default_action=accept
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Restart services.
|
2014-07-16 13:06:45 +00:00
|
|
|
restart_service opendkim
|
|
|
|
restart_service postfix
|
2013-08-21 20:53:22 +00:00
|
|
|
|