From 6d6eb420342c2962063f92f8fc5e8b23e5cb1dbf Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Tue, 27 Nov 2018 03:25:29 +0100
Subject: [PATCH] WIP.
---
 .../etc/dovecot/conf.d/99-master.conf | 0
 .../etc/dovecot/conf.d/99-ssl.conf | 0
 .../linkable_etc_files/mail/etc/opendkim.conf | 86 +++++++++++++++++++
 .../{server => mail}/etc/postfix/main.cf | 4 +
 .../{server => mail}/etc/postfix/master.cf | 0
 all_new_2018/setup_mail.sh | 47 ++++++++--
 6 files changed, 132 insertions(+), 5 deletions(-)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/dovecot/conf.d/99-master.conf (100%)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/dovecot/conf.d/99-ssl.conf (100%)
 create mode 100644 all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/postfix/main.cf (94%)
 rename all_new_2018/linkable_etc_files/{server => mail}/etc/postfix/master.cf (100%)
diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf
rename to all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf
rename to all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
diff --git a/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
new file mode 100644
index 0000000..c7691ea
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
@@ -0,0 +1,86 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+Domain REPLACE_Domain_ECALPER
+KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private
+Selector REPLACE_Selector_ECALPER
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#SubDomains yes
+Canonicalization relaxed/simple
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+#Socket local:/var/run/opendkim/opendkim.sock
+Socket inet:12301@localhost
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
similarity index 94%
rename from all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
rename to all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
index 7e38957..dbb2b5d 100644
--- a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
+++ b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
@@ -47,3 +47,7 @@ smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
+
+# connect to opendkim
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
\ No newline at end of file
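Review bot: `KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private` together with `UserID opendkim` means the private key must exist at that path and be readable by the opendkim user (and, being a signing key, by nobody else), yet nothing in this file or in the setup_mail.sh hunk of this commit puts it there: `opendkim-genkey -s "${dkim_selector}"` writes `<selector>.private` and `<selector>.txt` into the current working directory, which is also where the script later `cat`s the `.txt` file. Unless something outside this commit moves the key, the check `[ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]` stays true on every run and a fresh key is generated each time. The script should generate straight into the key directory, `opendkim-genkey -D /etc/dkimkeys -s "${dkim_selector}"`, and once the opendkim account exists (presumably created by the opendkim package installed later in the script) make the `.private` file owned by and readable only by that user, e.g. `chmod 600` plus `chown opendkim:opendkim`. Separately, the `UMask 002` comment justifies the setting with a local socket, while this file uses `Socket inet:12301@localhost`; reword it to say what the umask is still for (e.g. the PidFile) or drop the comment.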
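Review bot: The two milter lines carry no `milter_default_action`, so Postfix's default `tempfail` applies: whenever nothing listens on `inet:localhost:12301` — before opendkim has been started, or if it fails to start because `/etc/opendkim.conf` is left incomplete by the setup script — inbound SMTP and local submissions are held back with a temporary failure. For a signing milter that is the safer failure mode, but it should be explicit and documented rather than implied; since main.cf does not allow trailing comments, add on separate lines `# defer rather than send unsigned mail while opendkim is down` and `milter_default_action = tempfail`. The added `non_smtpd_milters` line also ends without a newline (`\ No newline at end of file`), which will show up as noise in the next diff touching this file.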
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/master.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
similarity index 100%
rename from all_new_2018/linkable_etc_files/server/etc/postfix/master.cf
rename to all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
diff --git a/all_new_2018/setup_mail.sh b/all_new_2018/setup_mail.sh
index a3045e6..285ecb6 100755
--- a/all_new_2018/setup_mail.sh
+++ b/all_new_2018/setup_mail.sh
@@ -1,11 +1,48 @@
 #/bin/sh
 set -e
+selector=$1
+if [ ! -n "${selector}" ]; then
+ echo "Give DKIM selector argument."
+ false
+fi
+
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+add_dkim_record=0
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+ add_dkim_record=1
+ dpkg -s opendkim-tools &> /dev/null
+ preinstalled="$?"
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt install -y opendkim-tools
+ fi
+ opendkim-genkey -s "${dkim_selector}"
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt --purge autoremove opendkim-tools
+ fi
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_Domain_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+
+# Some useful debconf selections.
 echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
-mkdir -p /etc/dovecot/conf.d/
 echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf
 echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf
-apt install -y dovecot-imapd
+
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+
+# Everything should now be ready for installations.
+apt install -y postfix dovecot-imapd opendkim
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration."
+if [ "${add_dkim_record}" -eq "1" ]; then
+ echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+ cat "${dkim_selector}.txt"
+fi
-- 
2.30.2
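Review bot: The argument is stored as `selector=$1`, but every later use reads `${dkim_selector}`, which is never assigned; with `set -e` but no `set -u` that expands to an empty string, so the key-existence check, `opendkim-genkey -s ""` and the `sed` on `REPLACE_Selector_ECALPER` all run with nothing and leave `KeyFile /etc/dkimkeys/.private` and an empty `Selector` in /etc/opendkim.conf, which opendkim cannot start from. Rename the assignment to `dkim_selector=$1` and use `set -eu` so an unset variable like this fails loudly instead of silently producing a broken config. In the same block, `dpkg -s opendkim-tools &> /dev/null` is bash syntax — under dash it backgrounds dpkg and `$?` is then always 0, so opendkim-tools is never installed — and the first line reads `#/bin/sh` without `!` (unless the `!` was lost in extraction), so which shell runs the script depends on how it is invoked; use `#!/bin/sh` with `dpkg -s opendkim-tools >/dev/null 2>&1`, or `#!/bin/bash`. `apt --purge autoremove opendkim-tools` lacks `-y` and will prompt in an otherwise unattended run, and `$(hostname -f)` fills `Domain` with the host's FQDN, which the script's own DNS TODO text admits may differ from the mail domain — worth a comment at that `sed` line.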