mailinabox/setup/dkim.sh

#!/bin/bash
# DKIM
# --------
#
# DKIMpy provides a service that puts a DKIM signature on outbound mail.
#
# The DNS configuration for DKIM is done in the management daemon.

source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars

# Install DKIM...
echo Installing DKIMpy/OpenDMARC...
apt_install dkimpy-milter python3-dkim opendmarc

# Make sure configuration directories exist.
mkdir -p /etc/dkim;
mkdir -p $STORAGE_ROOT/mail/dkim2

# Used in InternalHosts and ExternalIgnoreList configuration directives.
# Not quite sure why.
echo "127.0.0.1" > /etc/dkim/TrustedHosts

# We need to at least create these files, since we reference them later.
touch /etc/dkim/KeyTable
touch /etc/dkim/SigningTable

tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \
    "MacroList=daemon_name|ORIGINATING"
    "MacroListVerify=daemon_name|VERIFYING"
    "Canonicalization=relaxed/simple"
    "MinimumKeyBits=1024"
    "ExternalIgnoreList=refile:/etc/dkim/TrustedHosts"
    "InternalHosts=refile:/etc/dkim/TrustedHosts"
    "KeyTable=refile:/etc/dkim/KeyTable"
    "KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519"
    "SigningTable=refile:/etc/dkim/SigningTable"
    "Socket=inet:8892@127.0.0.1"
    "RequireSafeKeys=false"

# Create a new DKIM key. This creates mail.private and mail.txt
# in $STORAGE_ROOT/mail/dkim. The former is the private key and
# the latter is the suggested DNS TXT entry which we'll include
# in our DNS setup. Note that the files are named after the
# 'selector' of the key, which we can change later on to support
# key rotation.
if [ ! -f "$STORAGE_ROOT/mail/dkim2/box-rsa.key" ]; then
	# All defaults are supposed to be ok, default key for rsa is 2048 bit
	dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim2/box-rsa
	dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim2/box-ed25519
	
	# Force them into the format dns_update.py expects
	sed -i 's/v=DKIM1;/box-rsa._domainkey IN      TXT      ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-rsa.dns
	echo '" )' >> box-rsa.dns
	sed -i 's/v=DKIM1;/box-ed25519._domainkey IN      TXT      ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-ed25519.dns
	echo '" )' >> box-ed25519.dns
fi

# Ensure files are owned by the dkimpy-milter user and are private otherwise.
chown -R dkimpy-milter:dkimpy-milter $STORAGE_ROOT/mail/dkim2
chmod go-rwx $STORAGE_ROOT/mail/dkim2

tools/editconf.py /etc/opendmarc.conf -s \
	"Syslog=true" \
	"Socket=inet:8893@[127.0.0.1]" \
	"FailureReports=true"

# SPFIgnoreResults causes the filter to ignore any SPF results in the header
# of the message. This is useful if you want the filter to perfrom SPF checks
# itself, or because you don't trust the arriving header. This added header is
# used by spamassassin to evaluate the mail for spamminess.

tools/editconf.py /etc/opendmarc.conf -s \
        "SPFIgnoreResults=true"

# SPFSelfValidate causes the filter to perform a fallback SPF check itself
# when it can find no SPF results in the message header. If SPFIgnoreResults
# is also set, it never looks for SPF results in headers and always performs
# the SPF check itself when this is set. This added header is used by
# spamassassin to evaluate the mail for spamminess.

tools/editconf.py /etc/opendmarc.conf -s \
        "SPFSelfValidate=true"

# Enables generation of failure reports for sending domains that publish a
# "none" policy.

tools/editconf.py /etc/opendmarc.conf -s \
        "FailureReportsOnNone=true"

# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
# unsigned messages from domains with no "signs all" policy. The reported DKIM
# result will be  "none" in such cases. Normally unsigned mail from non-strict
# domains does not cause the results header field to be added. This added header
# is used by spamassassin to evaluate the mail for spamminess.

tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \
        "AlwaysAddARHeader=true"

# Add DKIMpy and OpenDMARC as milters to postfix, which is how DKIMpy
# intercepts outgoing mail to perform the signing (by adding a mail header)
# and how they both intercept incoming mail to add Authentication-Results
# headers. The order possibly/probably matters: OpenDMARC relies on the
# DKIM Authentication-Results header already being present.
#
# Be careful. If we add other milters later, this needs to be concatenated
# on the smtpd_milters line.
#
# The OpenDMARC milter is skipped in the SMTP submission listener by
# configuring smtpd_milters there to only list the DKIMpy milter
# (see mail-postfix.sh).
tools/editconf.py /etc/postfix/main.cf \
	"smtpd_milters=inet:127.0.0.1:8892 inet:127.0.0.1:8893"\
	non_smtpd_milters=\$smtpd_milters \
	milter_default_action=accept

# We need to explicitly enable the opendmarc service, or it will not start
hide_output systemctl enable opendmarc

# There is a fault in the dkim code for Ubuntu 20.04, let's fix it. Not necessary for Ubuntu 21.04 or newer
sed -i 's/return b""\.join(r\.items\[0\]\.strings)/return b""\.join(list(r\.items)\[0\]\.strings)/' /usr/lib/python3/dist-packages/dkim/dnsplug.py

# Restart services.
restart_service dkimpy-milter
restart_service opendmarc
restart_service postfix
Add shebangs to enable running dkim and webmail scripts separately 2014-10-20 20:20:24 +00:00			`#!/bin/bash`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# DKIM`
various improvements in bash comments 2014-10-13 14:00:26 +00:00			`# --------`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`#`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# DKIMpy provides a service that puts a DKIM signature on outbound mail.`
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`#`
			`# The DNS configuration for DKIM is done in the management daemon.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
rename the scripts directory to setup 2014-06-03 11:12:38 +00:00			`source setup/functions.sh # load our functions`
Add source line so dkim should actually work when run separately 2014-10-20 20:33:20 +00:00			`source /etc/mailinabox.conf # load global vars`
make a bash function to use everywhere we apt-get-install (`DEBIAN_FRONTEND=noninteractive apt-get -qq -y `) ensures the output is quiet 2014-05-01 19:13:00 +00:00
more work on making the bash scripts readable 2014-10-04 21:57:26 +00:00			`# Install DKIM...`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`echo Installing DKIMpy/OpenDMARC...`
backport fix for dns resolver in python3-dkim 2021-12-30 23:33:34 +00:00			`apt_install dkimpy-milter python3-dkim opendmarc`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Make sure configuration directories exist.`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`mkdir -p /etc/dkim;`
			`mkdir -p $STORAGE_ROOT/mail/dkim2`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Used in InternalHosts and ExternalIgnoreList configuration directives.`
			`# Not quite sure why.`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`echo "127.0.0.1" > /etc/dkim/TrustedHosts`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. 2018-07-07 18:41:41 +00:00			`# We need to at least create these files, since we reference them later.`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`touch /etc/dkim/KeyTable`
			`touch /etc/dkim/SigningTable`
minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. 2018-07-07 18:41:41 +00:00
dkimpy dev and nextcloud installation details 2022-01-06 21:06:27 +00:00			`tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \`
			`"MacroList=daemon_name\|ORIGINATING"`
			`"MacroListVerify=daemon_name\|VERIFYING"`
			`"Canonicalization=relaxed/simple"`
			`"MinimumKeyBits=1024"`
			`"ExternalIgnoreList=refile:/etc/dkim/TrustedHosts"`
			`"InternalHosts=refile:/etc/dkim/TrustedHosts"`
			`"KeyTable=refile:/etc/dkim/KeyTable"`
			`"KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519"`
			`"SigningTable=refile:/etc/dkim/SigningTable"`
			`"Socket=inet:8892@127.0.0.1"`
			`"RequireSafeKeys=false"`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
dkim 2048 bits - migration and zone file generation changes * Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry. 2015-06-25 13:02:40 +00:00			`# Create a new DKIM key. This creates mail.private and mail.txt`
			`# in $STORAGE_ROOT/mail/dkim. The former is the private key and`
			`# the latter is the suggested DNS TXT entry which we'll include`
Fix small typo in comments 2016-02-18 14:38:33 +00:00			`# in our DNS setup. Note that the files are named after the`
dkim 2048 bits - migration and zone file generation changes * Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry. 2015-06-25 13:02:40 +00:00			`# 'selector' of the key, which we can change later on to support`
			`# key rotation.`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`if [ ! -f "$STORAGE_ROOT/mail/dkim2/box-rsa.key" ]; then`
			`# All defaults are supposed to be ok, default key for rsa is 2048 bit`
			`dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim2/box-rsa`
			`dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim2/box-ed25519`

			`# Force them into the format dns_update.py expects`
correct dns tag for DKIM key 2021-12-11 00:00:02 +00:00			`sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-rsa.dns`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`echo '" )' >> box-rsa.dns`
correct dns tag for DKIM key 2021-12-11 00:00:02 +00:00			`sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-ed25519.dns`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`echo '" )' >> box-ed25519.dns`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`fi`

First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# Ensure files are owned by the dkimpy-milter user and are private otherwise.`
			`chown -R dkimpy-milter:dkimpy-milter $STORAGE_ROOT/mail/dkim2`
			`chmod go-rwx $STORAGE_ROOT/mail/dkim2`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`tools/editconf.py /etc/opendmarc.conf -s \`
			`"Syslog=true" \`
Enable sending DMARC failure reports (#1929) Configures opendmarc to send failure reports for domains that request them, including when p=none. The emails are sent as the package default of package name and user@hostname: OpenDMARC Filter <opendmarc@box.example.com> Note I have been running this for several months with a configuration I did not include in the PR to have reports BCC'd to me (FailureReportsBcc postmaster@example.com). Very low load for my personal server of rarely more than a dozen emails sent out per day. I am not familiar with editing scripts, so apologies in advance and please feel free to correct me. 2021-02-28 13:21:15 +00:00			`"Socket=inet:8893@[127.0.0.1]" \`
			`"FailureReports=true"`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00
Implement SPF/DMARC checks, add spam weight to those mails (#1836) 2020-12-25 22:22:24 +00:00			`# SPFIgnoreResults causes the filter to ignore any SPF results in the header`
			`# of the message. This is useful if you want the filter to perfrom SPF checks`
			`# itself, or because you don't trust the arriving header. This added header is`
			`# used by spamassassin to evaluate the mail for spamminess.`

			`tools/editconf.py /etc/opendmarc.conf -s \`
			`"SPFIgnoreResults=true"`

			`# SPFSelfValidate causes the filter to perform a fallback SPF check itself`
			`# when it can find no SPF results in the message header. If SPFIgnoreResults`
			`# is also set, it never looks for SPF results in headers and always performs`
			`# the SPF check itself when this is set. This added header is used by`
			`# spamassassin to evaluate the mail for spamminess.`

			`tools/editconf.py /etc/opendmarc.conf -s \`
			`"SPFSelfValidate=true"`

Enable sending DMARC failure reports (#1929) Configures opendmarc to send failure reports for domains that request them, including when p=none. The emails are sent as the package default of package name and user@hostname: OpenDMARC Filter <opendmarc@box.example.com> Note I have been running this for several months with a configuration I did not include in the PR to have reports BCC'd to me (FailureReportsBcc postmaster@example.com). Very low load for my personal server of rarely more than a dozen emails sent out per day. I am not familiar with editing scripts, so apologies in advance and please feel free to correct me. 2021-02-28 13:21:15 +00:00			`# Enables generation of failure reports for sending domains that publish a`
			`# "none" policy.`

			`tools/editconf.py /etc/opendmarc.conf -s \`
			`"FailureReportsOnNone=true"`

Implement SPF/DMARC checks, add spam weight to those mails (#1836) 2020-12-25 22:22:24 +00:00			`# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to`
			`# unsigned messages from domains with no "signs all" policy. The reported DKIM`
			`# result will be "none" in such cases. Normally unsigned mail from non-strict`
			`# domains does not cause the results header field to be added. This added header`
			`# is used by spamassassin to evaluate the mail for spamminess.`

First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \`
Implement SPF/DMARC checks, add spam weight to those mails (#1836) 2020-12-25 22:22:24 +00:00			`"AlwaysAddARHeader=true"`

First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# Add DKIMpy and OpenDMARC as milters to postfix, which is how DKIMpy`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`# intercepts outgoing mail to perform the signing (by adding a mail header)`
			`# and how they both intercept incoming mail to add Authentication-Results`
			`# headers. The order possibly/probably matters: OpenDMARC relies on the`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# DKIM Authentication-Results header already being present.`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`#`
			`# Be careful. If we add other milters later, this needs to be concatenated`
			`# on the smtpd_milters line.`
the opendmarc miter should run on incoming mail only I added OpenDMARC's milter in fba4d4702e233fa66591ca37e6fe71225c661846. But this started setting Authentication-Results headers on outbound mail with failures. Not sure why it fails at that point, but it shouldn't be set at all. The failure might cause recipients to junk the mail. See #358. This commit removes the milter from the SMTP submission (port 587) listener. 2015-03-21 16:14:01 +00:00			`#`
			`# The OpenDMARC milter is skipped in the SMTP submission listener by`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`# configuring smtpd_milters there to only list the DKIMpy milter`
the opendmarc miter should run on incoming mail only I added OpenDMARC's milter in fba4d4702e233fa66591ca37e6fe71225c661846. But this started setting Authentication-Results headers on outbound mail with failures. Not sure why it fails at that point, but it shouldn't be set at all. The failure might cause recipients to junk the mail. See #358. This commit removes the milter from the SMTP submission (port 587) listener. 2015-03-21 16:14:01 +00:00			`# (see mail-postfix.sh).`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`tools/editconf.py /etc/postfix/main.cf \`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`"smtpd_milters=inet:127.0.0.1:8892 inet:127.0.0.1:8893"\`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00			`non_smtpd_milters=\$smtpd_milters \`
			`milter_default_action=accept`

minimal changeset to get things working on 18.04 @joshdata squashed pull request #1398, removed some comments, and added these notes: * The old init.d script for the management daemon is replaced with a systemd service. * A systemd service configuration is added to configure permissions for munin on startup. * nginx SSL settings are updated because nginx's options and defaults have changed, and we now enable http2. * Automatic SSHFP record generation is updated to know that 22 is the default SSH daemon port, since it is no longer explicit in sshd_config. * The dovecot-lucene package is dropped because the Mail-in-a-Box PPA where we built the package has not been updated for Ubuntu 18.04. * The stock postgrey package is installed instead of the one from our PPA (which we no longer support), which loses the automatic whitelisting of DNSWL.org-whitelisted senders. * Drop memcached and the status check for memcached, which we used to use with ownCloud long ago but are no longer installing. * Other minor changes. 2018-07-07 18:41:41 +00:00			`# We need to explicitly enable the opendmarc service, or it will not start`
			`hide_output systemctl enable opendmarc`

backport fix for dns resolver in python3-dkim 2021-12-30 23:33:34 +00:00			`# There is a fault in the dkim code for Ubuntu 20.04, let's fix it. Not necessary for Ubuntu 21.04 or newer`
			`sed -i 's/return b""\.join(r\.items\[0\]\.strings)/return b""\.join(list(r\.items)\[0\]\.strings)/' /usr/lib/python3/dist-packages/dkim/dnsplug.py`

improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Restart services.`
First steps in migrating to dkimpy-milter 2021-12-10 23:54:56 +00:00			`restart_service dkimpy-milter`
install opendmarc to add Authentication-Results headers for DMARC too 2015-02-16 23:16:09 +00:00			`restart_service opendmarc`
hide lots of unnecessary and scary output during setup 2014-07-16 13:06:45 +00:00			`restart_service postfix`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00