From 6d6eb420342c2962063f92f8fc5e8b23e5cb1dbf Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Tue, 27 Nov 2018 03:25:29 +0100
Subject: [PATCH] WIP.

---
 .../etc/dovecot/conf.d/99-master.conf         |  0
 .../etc/dovecot/conf.d/99-ssl.conf            |  0
 .../linkable_etc_files/mail/etc/opendkim.conf | 86 +++++++++++++++++++
 .../{server => mail}/etc/postfix/main.cf      |  4 +
 .../{server => mail}/etc/postfix/master.cf    |  0
 all_new_2018/setup_mail.sh                    | 47 ++++++++--
 6 files changed, 132 insertions(+), 5 deletions(-)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/dovecot/conf.d/99-master.conf (100%)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/dovecot/conf.d/99-ssl.conf (100%)
 create mode 100644 all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/postfix/main.cf (94%)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/postfix/master.cf (100%)

diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf
rename to all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf
rename to all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
diff --git a/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
new file mode 100644
index 0000000..c7691ea
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
@@ -0,0 +1,86 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog			yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			002
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain			example.com
+#KeyFile		/etc/dkimkeys/dkim.key
+#Selector		2007
+Domain		REPLACE_Domain_ECALPER
+KeyFile		/etc/dkimkeys/REPLACE_Selector_ECALPER.private
+Selector	REPLACE_Selector_ECALPER
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization	simple
+#Mode			sv
+#SubDomains		no
+#SubDomains	yes
+Canonicalization relaxed/simple
+
+# Socket smtp://localhost
+#
+# ##  Socket socketspec
+# ##
+# ##  Names the socket where this filter should listen for milter connections
+# ##  from the MTA.  Required.  Should be in one of these forms:
+# ##
+# ##  inet:port@address           to listen on a specific interface
+# ##  inet:port                   to listen on all interfaces
+# ##  local:/path/to/socket       to listen on a UNIX domain socket
+#
+#Socket                  inet:8892@localhost
+#Socket			local:/var/run/opendkim/opendkim.sock
+Socket	inet:12301@localhost
+
+##  PidFile filename
+###      default (none)
+###
+###  Name of the file where the filter should write its pid before beginning
+###  normal operations.
+#
+PidFile               /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		From
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
similarity index 94%
rename from all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
rename to all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
index 7e38957..dbb2b5d 100644
--- a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
+++ b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
@@ -47,3 +47,7 @@ smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
+
+# connect to opendkim
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
\ No newline at end of file
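Review bot: The two new milter lines do not set `milter_default_action`, so Postfix falls back to its built-in default of `tempfail` whenever the opendkim socket on 12301 is unreachable; since setup_mail.sh links this file before `apt install ... opendkim` runs, that window exists on every fresh install. tempfail is the right choice for outbound signing (mail is deferred rather than sent unsigned), but it should be stated rather than inherited, e.g. `milter_default_action = tempfail` under the `# connect to opendkim` comment, so a later reader does not "fix" a stuck queue by switching to `accept`.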
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/master.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/postfix/master.cf
rename to all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
diff --git a/all_new_2018/setup_mail.sh b/all_new_2018/setup_mail.sh
index a3045e6..285ecb6 100755
--- a/all_new_2018/setup_mail.sh
+++ b/all_new_2018/setup_mail.sh
@@ -1,11 +1,48 @@
 #/bin/sh
 set -e
 
+selector=$1
+if [ ! -n "${selector}" ]; then
+    echo "Give DKIM selector argument."
+    false
+fi
+
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+add_dkim_record=0
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+    add_dkim_record=1
+    dpkg -s opendkim-tools &> /dev/null
+    preinstalled="$?"
+    if [ ! "${preinstalled}" -eq "0" ]; then
+        apt install -y opendkim-tools
+    fi
+    opendkim-genkey -s "${dkim_selector}"
+    if [ ! "${preinstalled}" -eq "0" ]; then
+        apt --purge autoremove opendkim-tools
+    fi
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_Domain_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+
+# Some useful debconf selections.
 echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
-mkdir -p /etc/dovecot/conf.d/
 echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
 echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
-apt install -y dovecot-imapd
+
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+
+# Everything should now be ready for installations.
+apt install -y postfix dovecot-imapd opendkim
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration."
+if [ "${add_dkim_record}" -eq "1" ]; then
+    echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+    cat "${dkim_selector}.txt"
+fi
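Review bot: The script assigns `selector=$1` but every later use reads `${dkim_selector}`, which is never set, so the `-f /etc/dkimkeys/.private` test is always true, `opendkim-genkey -s ""` runs with an empty selector, and the sed on /etc/opendkim.conf substitutes an empty string into the `KeyFile`/`Selector` placeholders that the new opendkim.conf in this patch expects to become `/etc/dkimkeys/<selector>.private`. The `preinstalled="$?"` check is dead under `set -e`: a non-zero `dpkg -s` aborts the script before `$?` is read, and `&>` is a bashism under the `#/bin/sh` first line, so the test belongs inside an `if`. `opendkim-genkey` writes into the current directory unless given `-D`, so the key never lands at the path the config and the re-run check use; pass `-D /etc/dkimkeys` (and `-b 2048`, the tool's own default being 1024 bits) and read the DNS record from there instead of `cat "${dkim_selector}.txt"`. The key is created by root before `apt install ... opendkim` creates the daemon user, so presumably after that install it has to be handed over with `chown opendkim: "/etc/dkimkeys/${selector}.private"` or the milter cannot read it under `UserID opendkim`. Lastly, `apt --purge autoremove opendkim-tools` lacks `-y` and will prompt on an unattended run.
```shell
selector=$1
if [ -z "${selector}" ]; then
    echo "Give DKIM selector argument." >&2
    exit 1
fi

# Set up DKIM key if necessary.
mkdir -p /etc/dkimkeys/
add_dkim_record=0
if [ ! -f "/etc/dkimkeys/${selector}.private" ]; then
    add_dkim_record=1
    # Test in a condition: under "set -e" a failing dpkg -s would abort the
    # script before its status could be stored.
    if dpkg -s opendkim-tools > /dev/null 2>&1; then
        preinstalled=0
    else
        preinstalled=1
        apt install -y opendkim-tools
    fi
    opendkim-genkey -b 2048 -D /etc/dkimkeys -s "${selector}"
    if [ "${preinstalled}" -eq 1 ]; then
        apt --purge autoremove -y opendkim-tools
    fi
fi
# … unchanged: hardlink_etc.sh, sed substitutions (using ${selector}), debconf, apt install …
# The opendkim user exists only after the install above; the daemon runs as it.
chown opendkim: "/etc/dkimkeys/${selector}.private"
echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration."
if [ "${add_dkim_record}" -eq "1" ]; then
    echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
    cat "/etc/dkimkeys/${selector}.txt"
fi
```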
-- 
2.30.2