2014-10-20 20:20:24 +00:00
|
|
|
#!/bin/bash
|
2021-12-10 23:54:56 +00:00
|
|
|
# DKIM
|
2014-10-13 14:00:26 +00:00
|
|
|
# --------
|
2014-10-04 21:57:26 +00:00
|
|
|
#
|
2021-12-10 23:54:56 +00:00
|
|
|
# DKIMpy provides a service that puts a DKIM signature on outbound mail.
|
2014-10-04 21:57:26 +00:00
|
|
|
#
|
|
|
|
# The DNS configuration for DKIM is done in the management daemon.
|
2013-08-21 20:53:22 +00:00
|
|
|
|
2014-06-03 11:12:38 +00:00
|
|
|
source setup/functions.sh # load our functions
|
2014-10-20 20:33:20 +00:00
|
|
|
source /etc/mailinabox.conf # load global vars
|
2014-05-01 19:13:00 +00:00
|
|
|
|
2022-02-06 21:01:08 +00:00
|
|
|
# Remove openDKIM if present
|
|
|
|
apt-get purge -qq -y opendkim opendkim-tools
|
|
|
|
|
|
|
|
# Install DKIMpy-Milter
|
2021-12-10 23:54:56 +00:00
|
|
|
echo Installing DKIMpy/OpenDMARC...
|
2021-12-30 23:33:34 +00:00
|
|
|
apt_install dkimpy-milter python3-dkim opendmarc
|
2013-08-21 20:53:22 +00:00
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Make sure configuration directories exist.
|
2021-12-10 23:54:56 +00:00
|
|
|
mkdir -p /etc/dkim;
|
2013-08-21 20:53:22 +00:00
|
|
|
mkdir -p $STORAGE_ROOT/mail/dkim
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Used in InternalHosts and ExternalIgnoreList configuration directives.
|
|
|
|
# Not quite sure why.
|
2021-12-10 23:54:56 +00:00
|
|
|
echo "127.0.0.1" > /etc/dkim/TrustedHosts
|
2013-08-21 20:53:22 +00:00
|
|
|
|
2018-07-07 18:41:41 +00:00
|
|
|
# We need to at least create these files, since we reference them later.
|
2021-12-10 23:54:56 +00:00
|
|
|
touch /etc/dkim/KeyTable
|
|
|
|
touch /etc/dkim/SigningTable
|
2018-07-07 18:41:41 +00:00
|
|
|
|
2022-01-06 21:06:27 +00:00
|
|
|
tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \
|
2022-02-01 21:48:09 +00:00
|
|
|
"MacroList=daemon_name|ORIGINATING" \
|
|
|
|
"MacroListVerify=daemon_name|VERIFYING" \
|
|
|
|
"Canonicalization=relaxed/simple" \
|
|
|
|
"MinimumKeyBits=1024" \
|
|
|
|
"ExternalIgnoreList=refile:/etc/dkim/TrustedHosts" \
|
|
|
|
"InternalHosts=refile:/etc/dkim/TrustedHosts" \
|
|
|
|
"KeyTable=refile:/etc/dkim/KeyTable" \
|
|
|
|
"KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519" \
|
|
|
|
"SigningTable=refile:/etc/dkim/SigningTable" \
|
|
|
|
"Socket=inet:8892@127.0.0.1" \
|
2022-01-06 21:06:27 +00:00
|
|
|
"RequireSafeKeys=false"
|
2013-08-21 20:53:22 +00:00
|
|
|
|
2015-06-25 13:02:40 +00:00
|
|
|
# Create a new DKIM key. This creates mail.private and mail.txt
|
|
|
|
# in $STORAGE_ROOT/mail/dkim. The former is the private key and
|
|
|
|
# the latter is the suggested DNS TXT entry which we'll include
|
2016-02-18 14:38:33 +00:00
|
|
|
# in our DNS setup. Note that the files are named after the
|
2015-06-25 13:02:40 +00:00
|
|
|
# 'selector' of the key, which we can change later on to support
|
|
|
|
# key rotation.
|
2021-12-28 22:33:22 +00:00
|
|
|
if [ ! -f "$STORAGE_ROOT/mail/dkim/box-rsa.key" ]; then
|
2021-12-10 23:54:56 +00:00
|
|
|
# All defaults are supposed to be ok, default key for rsa is 2048 bit
|
2021-12-28 22:33:22 +00:00
|
|
|
dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim/box-rsa
|
|
|
|
dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim/box-ed25519
|
2021-12-10 23:54:56 +00:00
|
|
|
|
|
|
|
# Force them into the format dns_update.py expects
|
2021-12-28 22:33:22 +00:00
|
|
|
sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-rsa.dns
|
2022-02-01 22:14:26 +00:00
|
|
|
echo '" )' >> $STORAGE_ROOT/mail/dkim/box-rsa.dns
|
2021-12-28 22:33:22 +00:00
|
|
|
sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-ed25519.dns
|
2022-02-01 22:14:26 +00:00
|
|
|
echo '" )' >> $STORAGE_ROOT/mail/dkim/box-ed25519.dns
|
2013-08-21 20:53:22 +00:00
|
|
|
fi
|
|
|
|
|
2021-12-10 23:54:56 +00:00
|
|
|
# Ensure files are owned by the dkimpy-milter user and are private otherwise.
|
2021-12-28 22:33:22 +00:00
|
|
|
chown -R dkimpy-milter:dkimpy-milter $STORAGE_ROOT/mail/dkim
|
2013-08-21 20:53:22 +00:00
|
|
|
chmod go-rwx $STORAGE_ROOT/mail/dkim
|
|
|
|
|
2015-02-16 23:16:09 +00:00
|
|
|
tools/editconf.py /etc/opendmarc.conf -s \
|
|
|
|
"Syslog=true" \
|
2021-02-28 13:21:15 +00:00
|
|
|
"Socket=inet:8893@[127.0.0.1]" \
|
|
|
|
"FailureReports=true"
|
2015-02-16 23:16:09 +00:00
|
|
|
|
2020-12-25 22:22:24 +00:00
|
|
|
# SPFIgnoreResults causes the filter to ignore any SPF results in the header
|
|
|
|
# of the message. This is useful if you want the filter to perfrom SPF checks
|
|
|
|
# itself, or because you don't trust the arriving header. This added header is
|
|
|
|
# used by spamassassin to evaluate the mail for spamminess.
|
|
|
|
|
|
|
|
tools/editconf.py /etc/opendmarc.conf -s \
|
|
|
|
"SPFIgnoreResults=true"
|
|
|
|
|
|
|
|
# SPFSelfValidate causes the filter to perform a fallback SPF check itself
|
|
|
|
# when it can find no SPF results in the message header. If SPFIgnoreResults
|
|
|
|
# is also set, it never looks for SPF results in headers and always performs
|
|
|
|
# the SPF check itself when this is set. This added header is used by
|
|
|
|
# spamassassin to evaluate the mail for spamminess.
|
|
|
|
|
|
|
|
tools/editconf.py /etc/opendmarc.conf -s \
|
|
|
|
"SPFSelfValidate=true"
|
|
|
|
|
2021-02-28 13:21:15 +00:00
|
|
|
# Enables generation of failure reports for sending domains that publish a
|
|
|
|
# "none" policy.
|
|
|
|
|
|
|
|
tools/editconf.py /etc/opendmarc.conf -s \
|
|
|
|
"FailureReportsOnNone=true"
|
|
|
|
|
2020-12-25 22:22:24 +00:00
|
|
|
# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
|
|
|
|
# unsigned messages from domains with no "signs all" policy. The reported DKIM
|
|
|
|
# result will be "none" in such cases. Normally unsigned mail from non-strict
|
|
|
|
# domains does not cause the results header field to be added. This added header
|
|
|
|
# is used by spamassassin to evaluate the mail for spamminess.
|
|
|
|
|
2021-12-10 23:54:56 +00:00
|
|
|
tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \
|
2020-12-25 22:22:24 +00:00
|
|
|
"AlwaysAddARHeader=true"
|
|
|
|
|
2021-12-10 23:54:56 +00:00
|
|
|
# Add DKIMpy and OpenDMARC as milters to postfix, which is how DKIMpy
|
2015-02-16 23:16:09 +00:00
|
|
|
# intercepts outgoing mail to perform the signing (by adding a mail header)
|
|
|
|
# and how they both intercept incoming mail to add Authentication-Results
|
|
|
|
# headers. The order possibly/probably matters: OpenDMARC relies on the
|
2021-12-10 23:54:56 +00:00
|
|
|
# DKIM Authentication-Results header already being present.
|
2015-02-16 23:16:09 +00:00
|
|
|
#
|
|
|
|
# Be careful. If we add other milters later, this needs to be concatenated
|
|
|
|
# on the smtpd_milters line.
|
2015-03-21 16:14:01 +00:00
|
|
|
#
|
|
|
|
# The OpenDMARC milter is skipped in the SMTP submission listener by
|
2021-12-10 23:54:56 +00:00
|
|
|
# configuring smtpd_milters there to only list the DKIMpy milter
|
2015-03-21 16:14:01 +00:00
|
|
|
# (see mail-postfix.sh).
|
2013-08-21 20:53:22 +00:00
|
|
|
tools/editconf.py /etc/postfix/main.cf \
|
2021-12-10 23:54:56 +00:00
|
|
|
"smtpd_milters=inet:127.0.0.1:8892 inet:127.0.0.1:8893"\
|
2013-08-21 20:53:22 +00:00
|
|
|
non_smtpd_milters=\$smtpd_milters \
|
|
|
|
milter_default_action=accept
|
|
|
|
|
2018-07-07 18:41:41 +00:00
|
|
|
# We need to explicitly enable the opendmarc service, or it will not start
|
|
|
|
hide_output systemctl enable opendmarc
|
|
|
|
|
2013-09-01 14:13:51 +00:00
|
|
|
# Restart services.
|
2021-12-10 23:54:56 +00:00
|
|
|
restart_service dkimpy-milter
|
2015-02-16 23:16:09 +00:00
|
|
|
restart_service opendmarc
|
2014-07-16 13:06:45 +00:00
|
|
|
restart_service postfix
|
2013-08-21 20:53:22 +00:00
|
|
|
|