From 2df2a310bead167e85198376ef9fa501f5bd5406 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Fri, 9 Oct 2015 05:53:03 +0200
Subject: [PATCH] To server config, add opendkim / opendkim key installation.

---
 mails/server_postinstall_finished |  4 +++
 setup_opendkim.sh                 | 44 +++++++++++++++++++++++++++++++
 systemfiles/main.cf               |  4 ---
 systemfiles/opendkim.conf         | 22 ++++++++++++++++
 4 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100755 setup_opendkim.sh
 create mode 100644 systemfiles/opendkim.conf

diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index fbc167b..92131b4 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -7,3 +7,7 @@ perform the following tasks:
   config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
 
 - ensure the following DNS TXT record for @: v=spf1 mx -all
+
+- run (as root) config/setup_opendkim.sh $selector to set up system for DKIM key
+  signing, with a second parameter $keyfile if a key already exists; without
+  second parameter, this will generate a new key and print the DNS record to add
diff --git a/setup_opendkim.sh b/setup_opendkim.sh
new file mode 100755
index 0000000..6d9749b
--- /dev/null
+++ b/setup_opendkim.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -x
+set -e
+selector=$1
+file=$2
+
+if [ "$(id -u)" -eq "0" ]; then
+    echo "Must be run as root."
+    exit
+fi
+
+apt-get -y install opendkim opendkim-tools
+cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+
+if [ -f /etc/opendkim/dkim.key ]; then
+    cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
+fi
+
+sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
+
+if [ ! -f $file ]; then
+    opendkim-genkey -d plomlompom.com -s $selector
+    mv "$selector".private /etc/opendkim/dkim.key
+else
+    cp $file /etc/opendkim/dkim.key
+fi
+
+cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
+echo >> /etc/postfix/main.cf << EOF
+
+# Use opendkim at given port as mail filter.
+non_smtpd_milters = inet:localhost:12301
+smtpd_milters = inet:localhost:12301
+EOF
+service postfix restart
+service opendkim restart
+
+echo 'TAKE NOTE:'
+if [ -f $selector.txt ]; then
+    echo 'Apply the content of '$selector'.txt to your DNS record!'
+    cat $selector.txt 
+else
+    echo 'Make sure the DKIM TXT entry in your DNS record matches!'
+fi
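Review bot: The root check at the top of setup_opendkim.sh is inverted — `[ "$(id -u)" -eq "0" ]` exits (and with status 0) precisely when the script is run as root, which is the only way the postinstall mail says to run it; it needs `-ne 0` and `exit 1`. Further down the heredoc is fed to `echo`, which does not read stdin, so only an empty line is appended to /etc/postfix/main.cf and the milter lines this commit removes from systemfiles/main.cf are never written back — that should be `cat`. `[ ! -f $file ]` with no second argument collapses to `[ ! -f ]`, which is false, so the "generate a new key" path is skipped and the `cp` branch aborts under `set -e`; quoting `"$file"` (and `$selector`) fixes that. The private key is also left with whatever mode the source had while opendkim.conf runs the daemon as opendkim:opendkim, so ownership and mode should be set explicitly after either branch. The whole script is within the hunk; the rewritten lines are below.
```sh
if [ "$(id -u)" -ne 0 ]; then
    echo "Must be run as root." >&2
    exit 1
fi

# … unchanged: apt-get install, opendkim.conf copy, key backup, sed …

if [ ! -f "$file" ]; then
    opendkim-genkey -d plomlompom.com -s "$selector"
    mv "$selector".private /etc/opendkim/dkim.key
else
    cp "$file" /etc/opendkim/dkim.key
fi
# The daemon runs as opendkim:opendkim (UserID in opendkim.conf); keep the key private to it.
chown opendkim:opendkim /etc/opendkim/dkim.key
chmod 600 /etc/opendkim/dkim.key

cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF

# Use opendkim at given port as mail filter.
non_smtpd_milters = inet:localhost:12301
smtpd_milters = inet:localhost:12301
EOF

# … unchanged: service restarts and DNS record notice …
```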
diff --git a/systemfiles/main.cf b/systemfiles/main.cf
index 4bc9749..bcb733c 100644
--- a/systemfiles/main.cf
+++ b/systemfiles/main.cf
@@ -14,7 +14,3 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 
 # Paranoid maximum error notification.
 notify_classes=2bounce, bounce, data, delay, policy, protocol, resource, software
-
-# Use opendkim at given port as mail filter.
-#non_smtpd_milters = inet:localhost:12301
-#smtpd_milters = inet:localhost:12301
diff --git a/systemfiles/opendkim.conf b/systemfiles/opendkim.conf
new file mode 100644
index 0000000..2bd3c19
--- /dev/null
+++ b/systemfiles/opendkim.conf
@@ -0,0 +1,22 @@
+# The domain for which mails are signed.
+Domain plomlompom.com
+
+# Location of the private key to sign mails with.
+KeyFile /etc/opendkim/dkim.key
+
+# Identifies the signing key; useful when replacing it.
+#Selector keyname
+
+# Canonicalize the body strictly for signing, but the header (more legitimately
+# subject to reformatting by forwarding servers) less so.
+Canonicalization relaxed/simple
+
+# Invalidate the signature of mails to which additional From fields were added
+# after the signing. (See RFC for details on how this works.)
+OversignHeaders From
+
+# Where to communicate with the MTA.
+Socket inet:12301@localhost
+
+# Don't act as root.
+UserID opendkim:opendkim
-- 
2.30.2