mailinabox/setup/dkim.sh

#!/bin/bash
# OpenDKIM
# --------
#
# OpenDKIM provides a service that puts a DKIM signature on outbound mail.
#
# The DNS configuration for DKIM is done in the management daemon.

source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars

# Install DKIM...
echo Installing OpenDKIM/OpenDMARC...
apt_install opendkim opendkim-tools opendmarc

# Make sure configuration directories exist.
mkdir -p /etc/opendkim;
mkdir -p $STORAGE_ROOT/mail/dkim

# Used in InternalHosts and ExternalIgnoreList configuration directives.
# Not quite sure why.
echo "127.0.0.1" > /etc/opendkim/TrustedHosts

# We need to at least create these files, since we reference them later.
# Otherwise, opendkim startup will fail
touch /etc/opendkim/KeyTable
touch /etc/opendkim/SigningTable

if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then
	true # already done #NODOC
else
	# Add various configuration options to the end of `opendkim.conf`.
	cat >> /etc/opendkim.conf << EOF;
MinimumKeyBits          1024
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@127.0.0.1
RequireSafeKeys         false
EOF
fi

# Create a new DKIM key. This creates mail.private and mail.txt
# in $STORAGE_ROOT/mail/dkim. The former is the private key and
# the latter is the suggested DNS TXT entry which we'll include
# in our DNS setup. Note that the files are named after the
# 'selector' of the key, which we can change later on to support
# key rotation.
#
# A 1024-bit key is seen as a minimum standard by several providers
# such as Google. But they and others use a 2048 bit key, so we'll
# do the same. Keys beyond 2048 bits may exceed DNS record limits.
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
	opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
fi

# Ensure files are owned by the opendkim user and are private otherwise.
chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
chmod go-rwx $STORAGE_ROOT/mail/dkim

tools/editconf.py /etc/opendmarc.conf -s \
	"Syslog=true" \
	"Socket=inet:8893@[127.0.0.1]"

# Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM
# intercepts outgoing mail to perform the signing (by adding a mail header)
# and how they both intercept incoming mail to add Authentication-Results
# headers. The order possibly/probably matters: OpenDMARC relies on the
# OpenDKIM Authentication-Results header already being present.
#
# Be careful. If we add other milters later, this needs to be concatenated
# on the smtpd_milters line.
#
# The OpenDMARC milter is skipped in the SMTP submission listener by
# configuring smtpd_milters there to only list the OpenDKIM milter
# (see mail-postfix.sh).
tools/editconf.py /etc/postfix/main.cf \
	"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
	non_smtpd_milters=\$smtpd_milters \
	milter_default_action=accept

# We need to explicitly enable the opendmarc service, or it will not start
hide_output systemctl enable opendmarc

# Restart services.
restart_service opendkim
restart_service opendmarc
restart_service postfix
Add shebangs to enable running dkim and webmail scripts separately 2014-10-20 20:20:24 +00:00			`#!/bin/bash`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`# OpenDKIM`
various improvements in bash comments 2014-10-13 14:00:26 +00:00			`# --------`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`#`
			`# OpenDKIM provides a service that puts a DKIM signature on outbound mail.`
			`#`
			`# The DNS configuration for DKIM is done in the management daemon.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
rename the scripts directory to setup 2014-06-03 11:12:38 +00:00			`source setup/functions.sh # load our functions`
Add source line so dkim should actually work when run separately 2014-10-20 20:33:20 +00:00			`source /etc/mailinabox.conf # load global vars`
make a bash function to use everywhere we apt-get-install (`DEBIAN_FRONTEND=noninteractive apt-get -qq -y `) ensures the output is quiet 2014-05-01 19:13:00 +00:00
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`# Install DKIM...`
silence all of the installing/already installed package messages on installation Querying dpkg for each package is slow, and we have way too much output on installation because of it. 2015-08-19 19:58:35 +00:00			`echo Installing OpenDKIM/OpenDMARC...`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`apt_install opendkim opendkim-tools opendmarc`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Make sure configuration directories exist.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`mkdir -p /etc/opendkim;`
			`mkdir -p $STORAGE_ROOT/mail/dkim`

improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Used in InternalHosts and ExternalIgnoreList configuration directives.`
			`# Not quite sure why.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`echo "127.0.0.1" > /etc/opendkim/TrustedHosts`

minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. 2018-07-07 18:41:41 +00:00			`# We need to at least create these files, since we reference them later.`
			`# Otherwise, opendkim startup will fail`
			`touch /etc/opendkim/KeyTable`
			`touch /etc/opendkim/SigningTable`

DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`true # already done #NODOC`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`else`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			# Add various configuration options to the end of `opendkim.conf`.
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`cat >> /etc/opendkim.conf << EOF;`
			`MinimumKeyBits 1024`
			`ExternalIgnoreList refile:/etc/opendkim/TrustedHosts`
			`InternalHosts refile:/etc/opendkim/TrustedHosts`
			`KeyTable refile:/etc/opendkim/KeyTable`
			`SigningTable refile:/etc/opendkim/SigningTable`
use "127.0.0.1" throughout rather than mixing use of an IP address and "localhost" On some machines localhost is defined as something other than 127.0.0.1, and if we mix "127.0.0.1" and "localhost" then some connections won't be to to the address a service is actually running on. This was the case with DKIM: It was running on "localhost" but Postfix was connecting to it at 127.0.0.1. (https://discourse.mailinabox.email/t/opendkim-is-not-running-port-8891/1188/12.) I suppose "localhost" could be an alias to an IPv6 address? We don't really want local services binding on IPv6, so use "127.0.0.1" to be explicit and don't use "localhost" to be sure we get an IPv4 address. Fixes #797 2016-05-06 13:06:52 +00:00			`Socket inet:8891@127.0.0.1`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`RequireSafeKeys false`
			`EOF`
			`fi`

dkim 2048 bits - migration and zone file generation changes * Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry. 2015-06-25 13:02:40 +00:00			`# Create a new DKIM key. This creates mail.private and mail.txt`
			`# in $STORAGE_ROOT/mail/dkim. The former is the private key and`
			`# the latter is the suggested DNS TXT entry which we'll include`
Fix small typo in comments 2016-02-18 14:38:33 +00:00			`# in our DNS setup. Note that the files are named after the`
dkim 2048 bits - migration and zone file generation changes * Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry. 2015-06-25 13:02:40 +00:00			`# 'selector' of the key, which we can change later on to support`
			`# key rotation.`
			`#`
			`# A 1024-bit key is seen as a minimum standard by several providers`
			`# such as Google. But they and others use a 2048 bit key, so we'll`
			`# do the same. Keys beyond 2048 bits may exceed DNS record limits.`
typo in updating DKIM, dont regenerate the DKIM private key each time setup is run 2014-06-03 21:42:33 +00:00			`if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then`
Increase DKIM key length to 2048 Currently MiaB creates 1024 bit keys which is seen as a minimum standard by several providers such as Google who already uses a 2048 bit key. Increasing the keysize beyond 2048 is an issue as it often goes beyond supported DNS record sizes. 2015-06-24 22:49:19 +00:00			`opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`fi`

improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Ensure files are owned by the opendkim user and are private otherwise.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim`
			`chmod go-rwx $STORAGE_ROOT/mail/dkim`

install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`tools/editconf.py /etc/opendmarc.conf -s \`
			`"Syslog=true" \`
			`"Socket=inet:8893@[127.0.0.1]"`

			`# Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM`
			`# intercepts outgoing mail to perform the signing (by adding a mail header)`
			`# and how they both intercept incoming mail to add Authentication-Results`
			`# headers. The order possibly/probably matters: OpenDMARC relies on the`
			`# OpenDKIM Authentication-Results header already being present.`
			`#`
			`# Be careful. If we add other milters later, this needs to be concatenated`
			`# on the smtpd_milters line.`
the opendmarc miter should run on incoming mail only I added OpenDMARC's milter in fba4d4702e233fa66591ca37e6fe71225c661846. But this started setting Authentication-Results headers on outbound mail with failures. Not sure why it fails at that point, but it shouldn't be set at all. The failure might cause recipients to junk the mail. See #358. This commit removes the milter from the SMTP submission (port 587) listener. 2015-03-21 16:14:01 +00:00			`#`
			`# The OpenDMARC milter is skipped in the SMTP submission listener by`
			`# configuring smtpd_milters there to only list the OpenDKIM milter`
			`# (see mail-postfix.sh).`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`tools/editconf.py /etc/postfix/main.cf \`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`non_smtpd_milters=\$smtpd_milters \`
			`milter_default_action=accept`

minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. 2018-07-07 18:41:41 +00:00			`# We need to explicitly enable the opendmarc service, or it will not start`
			`hide_output systemctl enable opendmarc`

improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Restart services.`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`restart_service opendkim`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`restart_service opendmarc`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`restart_service postfix`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00