From: Christian Heller
Date: Fri, 9 Oct 2015 03:53:03 +0000 (+0200)
Subject: To server config, add opendkim / opendkim key installation.
X-Git-Url: https://plomlompom.com/repos/%7B%7B%20web_path%20%7D%7D/decks/%7B%7Bdb.prefix%7D%7D/static/%27%29;%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20chunks.push%28escapeHTML%28span%5B2%5D%29%29;%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20chunks.push%28%27?a=commitdiff_plain;h=2df2a310bead167e85198376ef9fa501f5bd5406;p=config
To server config, add opendkim / opendkim key installation.
---
diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index fbc167b..92131b4 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -7,3 +7,7 @@ perform the following tasks:
 config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
 - ensure the following DNS TXT record for @: v=spf1 mx -all
+
+- run (as root) config/setup_opendkim.sh $selector to set up system for DKIM key
+ signing, with a second parameter $keyfile if a key already exists; without
+ second parameter, this will generate a new key and print the DNS record to add
diff --git a/setup_opendkim.sh b/setup_opendkim.sh
new file mode 100755
index 0000000..6d9749b
--- /dev/null
+++ b/setup_opendkim.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -x
+set -e
+selector=$1
+file=$2
+
+if [ "$(id -u)" -eq "0" ]; then
+ echo "Must be run as root."
+ exit
+fi
+
+apt-get -y install opendkim opendkim-tools
+cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+
+if [ -f /etc/opendkim/dkim.key ]; then
+ cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
+fi
+
+sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
+
+if [ ! -f $file ]; then
+ opendkim-genkey -d plomlompom.com -s $selector
+ mv "$selector".private /etc/opendkim/dkim.key
+else
+ cp $file /etc/opendkim/dkim.key
+fi
+
+cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
+echo >> /etc/postfix/main.cf << EOF
+
+# Use opendkim at given port as mail filter.
+non_smtpd_milters = inet:localhost:12301
+smtpd_milters = inet:localhost:12301
+EOF
+service postfix restart
+service opendkim restart
+
+echo 'TAKE NOTE:'
+if [ -f $selector.txt ]; then
+ echo 'Apply the content of '$selector'.txt to your DNS record!'
+ cat $selector.txt
+else
+ echo 'Make sure the DKIM TXT entry in your DNS record matches!'
+fi
diff --git a/systemfiles/main.cf b/systemfiles/main.cf
index 4bc9749..bcb733c 100644
--- a/systemfiles/main.cf
+++ b/systemfiles/main.cf
@@ -14,7 +14,3 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 # Paranoid maximum error notification.
 notify_classes=2bounce, bounce, data, delay, policy, protocol, resource, software
-
-# Use opendkim at given port as mail filter.
-#non_smtpd_milters = inet:localhost:12301
-#smtpd_milters = inet:localhost:12301
diff --git a/systemfiles/opendkim.conf b/systemfiles/opendkim.conf
new file mode 100644
index 0000000..2bd3c19
--- /dev/null
+++ b/systemfiles/opendkim.conf
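Review bot: The root check near the top of setup_opendkim.sh is inverted: `if [ "$(id -u)" -eq "0" ]` prints "Must be run as root." and stops exactly when the script is run as root, while a non-root run sails on into apt-get and /etc writes (and the bare `exit` returns 0, so a caller sees success); it should test `-ne 0` and `exit 1`. Further down, `echo >> /etc/postfix/main.cf << EOF` throws the here-document away because echo never reads stdin, so only an empty line is appended and the two milter settings never reach main.cf — and since this commit also deletes the commented-out milter lines from systemfiles/main.cf, Postfix would keep sending unsigned mail with no error at all; `cat` is the command wanted there. The script also leaves the owner and mode of /etc/opendkim/dkim.key untouched (the `cp $file` branch inherits whatever permissions the supplied key file had) while the shipped opendkim.conf drops to `UserID opendkim:opendkim`; as far as I recall opendkim's default RequireSafeKeys refuses a key readable by group or others, so the key should be chowned to opendkim and chmodded 600 before the daemon is restarted. The rewritten lines follow; the `$file` and `$selector` expansions elsewhere in the hunk are unquoted as well and would be worth quoting while here.
```shell
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be run as root." >&2
  exit 1
fi
# … unchanged: package install, opendkim.conf copy, key backup, Selector sed, key generation or copy …
chown opendkim:opendkim /etc/opendkim/dkim.key
chmod 600 /etc/opendkim/dkim.key
cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF
# … unchanged: here-document body through EOF, service restarts, DNS-record notice …
```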
@@ -0,0 +1,22 @@
+# The domain for which mails are signed.
+Domain plomlompom.com
+
+# Location of the private key to sign mails with.
+KeyFile /etc/opendkim/dkim.key
+
+# Identifies the signing key; useful when replacing it.
+#Selector keyname
+
+# Canonicalize the body strictly for signing, but the header (more legitimately
+# subject to reformatting by forwarding servers) less so.
+Canonicalization relaxed/simple
+
+# Invalidate the signature of mails to which additional From fields were added
+# after the signing. (See RFC for details on how this works.)
+OversignHeaders From
+
+# Where to communicate with the MTA.
+Socket inet:12301@localhost
+
+# Don't act as root.
+UserID opendkim:opendkim
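Review bot: The new opendkim.conf never enables logging, so a failure to open `KeyFile /etc/opendkim/dkim.key` once the daemon has dropped to `UserID opendkim:opendkim`, or any later signing error, would go unreported; unless this build defaults Syslog on, add `Syslog yes` next to the `UserID` line. The comment above `OversignHeaders From` says "(See RFC for details on how this works.)" without naming one — it should read `# after the signing. (See RFC 6376, section 8.15, on attacks that add header fields.)`, if I have the section number right. The domain is also hard-coded here and again as `-d plomlompom.com` in the opendkim-genkey call of setup_opendkim.sh, so a comment such as `# Must match the -d argument setup_opendkim.sh passes to opendkim-genkey.` above `Domain` would save the next person a silent mismatch.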