[DOCKER][MAIL] Cleanup opendkim.conf
Also improved consistency in other files
This commit is contained in:
parent
67483e415c
commit
d291a8dae5
@ -26,11 +26,13 @@ RUN \
|
|||||||
groupadd -g 2222 vmail \
|
groupadd -g 2222 vmail \
|
||||||
&& mkdir -p -m 751 "/var/mail/" \
|
&& mkdir -p -m 751 "/var/mail/" \
|
||||||
&& mkdir -p -m 755 "/etc/mail/" \
|
&& mkdir -p -m 755 "/etc/mail/" \
|
||||||
|
&& mkdir -p "/var/opendkim/keys/" \
|
||||||
&& useradd -d "/var/mail" -M -s "/usr/sbin/nologin" -u 2222 -g 2222 vmail \
|
&& useradd -d "/var/mail" -M -s "/usr/sbin/nologin" -u 2222 -g 2222 vmail \
|
||||||
&& usermod -aG vmail postfix \
|
&& usermod -aG vmail postfix \
|
||||||
&& usermod -aG vmail dovecot \
|
&& usermod -aG vmail dovecot \
|
||||||
&& usermod -aG vmail opendkim\
|
&& usermod -aG vmail opendkim \
|
||||||
&& chown vmail:vmail "/var/mail"
|
&& chown vmail:vmail "/var/mail" \
|
||||||
|
&& chown opendkim:opendkim "/var/opendkim/keys/"
|
||||||
|
|
||||||
# Copy config files
|
# Copy config files
|
||||||
COPY rootfs/ /
|
COPY rootfs/ /
|
||||||
@ -42,7 +44,8 @@ RUN \
|
|||||||
&& chmod +x "/etc/service/rsyslog/run"
|
&& chmod +x "/etc/service/rsyslog/run"
|
||||||
|
|
||||||
# Prepare user
|
# Prepare user
|
||||||
RUN mkdir -p "/var/mail/${DOMAINNAME}" \
|
RUN \
|
||||||
|
mkdir -p "/var/mail/${DOMAINNAME}" \
|
||||||
&& mkdir -p "/var/mail/${DOMAINPART}/${USER%@*}" \
|
&& mkdir -p "/var/mail/${DOMAINPART}/${USER%@*}" \
|
||||||
&& chown vmail:vmail "/var/mail/${DOMAINNAME}" \
|
&& chown vmail:vmail "/var/mail/${DOMAINNAME}" \
|
||||||
&& chown vmail:vmail "/var/mail/${DOMAINPART}/${USER%@*}"
|
&& chown vmail:vmail "/var/mail/${DOMAINPART}/${USER%@*}"
|
||||||
|
@ -1,128 +1,30 @@
|
|||||||
## BASIC OPENDKIM CONFIGURATION FILE
|
# General
|
||||||
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
|
Syslog yes
|
||||||
|
SyslogSuccess yes
|
||||||
|
UMask 007
|
||||||
|
LogWhy yes
|
||||||
|
SoftwareHeader yes
|
||||||
|
Socket inet:8891@localhost
|
||||||
|
PidFile /var/run/opendkim/opendkim.pid
|
||||||
|
OversignHeaders From
|
||||||
|
TrustAnchorFile /usr/share/dns/root.key
|
||||||
|
UserID opendkim:opendkim
|
||||||
|
|
||||||
## BEFORE running OpenDKIM you must:
|
# Signing options
|
||||||
|
Canonicalization relaxed/simple
|
||||||
|
Mode sv
|
||||||
|
Domain refile:/etc/mail/domains
|
||||||
|
SubDomains no
|
||||||
|
AutoRestart yes
|
||||||
|
Background yes
|
||||||
|
DNSTimeout 5
|
||||||
|
SignatureAlgorithm rsa-sha256
|
||||||
|
|
||||||
## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
|
# Key file
|
||||||
## - generate keys for your domain (if signing)
|
Selector default
|
||||||
## - edit your DNS records to publish your public keys (if signing)
|
MinimumKeyBits 1024
|
||||||
|
KeyFile /var/opendkim/keys/default.private
|
||||||
|
|
||||||
## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
|
# Hosts
|
||||||
|
ExternalIgnoreList refile:/etc/mail/opendkim/TrustedHosts
|
||||||
## DEPRECATED CONFIGURATION OPTIONS
|
InternalHosts refile:/etc/mail/opendkim/TrustedHosts
|
||||||
##
|
|
||||||
## The following configuration options are no longer valid. They should be
|
|
||||||
## removed from your existing configuration file to prevent potential issues.
|
|
||||||
## Failure to do so may result in opendkim being unable to start.
|
|
||||||
##
|
|
||||||
## Removed in 2.10.0:
|
|
||||||
## AddAllSignatureResults
|
|
||||||
## ADSPAction
|
|
||||||
## ADSPNoSuchDomain
|
|
||||||
## BogusPolicy
|
|
||||||
## DisableADSP
|
|
||||||
## LDAPSoftStart
|
|
||||||
## LocalADSP
|
|
||||||
## NoDiscardableMailTo
|
|
||||||
## On-PolicyError
|
|
||||||
## SendADSPReports
|
|
||||||
## UnprotectedPolicy
|
|
||||||
|
|
||||||
## CONFIGURATION OPTIONS
|
|
||||||
|
|
||||||
## Specifies the path to the process ID file.
|
|
||||||
PidFile /var/run/opendkim/opendkim.pid
|
|
||||||
|
|
||||||
## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
|
|
||||||
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
|
|
||||||
## messages.
|
|
||||||
Mode s
|
|
||||||
|
|
||||||
## Log activity to the system log.
|
|
||||||
Syslog yes
|
|
||||||
|
|
||||||
## Log additional entries indicating successful signing or verification of messages.
|
|
||||||
SyslogSuccess yes
|
|
||||||
|
|
||||||
## If logging is enabled, include detailed logging about why or why not a message was
|
|
||||||
## signed or verified. This causes an increase in the amount of log data generated
|
|
||||||
## for each message, so set this to No (or comment it out) if it gets too noisy.
|
|
||||||
LogWhy yes
|
|
||||||
|
|
||||||
## Attempt to become the specified user before starting operations.
|
|
||||||
UserID opendkim:opendkim
|
|
||||||
|
|
||||||
## Create a socket through which your MTA can communicate.
|
|
||||||
Socket inet:8891@localhost
|
|
||||||
|
|
||||||
## Required to use local socket with MTAs that access the socket as a non-
|
|
||||||
## privileged user (e.g. Postfix)
|
|
||||||
Umask 002
|
|
||||||
|
|
||||||
## This specifies a text file in which to store DKIM transaction statistics.
|
|
||||||
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
|
|
||||||
# Statistics /var/spool/opendkim/stats.dat
|
|
||||||
|
|
||||||
## Specifies whether or not the filter should generate report mail back
|
|
||||||
## to senders when verification fails and an address for such a purpose
|
|
||||||
## is provided. See opendkim.conf(5) for details.
|
|
||||||
# SendReports yes
|
|
||||||
|
|
||||||
## Specifies the sending address to be used on From: headers of outgoing
|
|
||||||
## failure reports. By default, the e-mail address of the user executing
|
|
||||||
## the filter is used (executing_user@hostname).
|
|
||||||
# ReportAddress "Example.com Postmaster" <postmaster@example.com>
|
|
||||||
|
|
||||||
## Add a DKIM-Filter header field to messages passing through this filter
|
|
||||||
## to identify messages it has processed.
|
|
||||||
SoftwareHeader yes
|
|
||||||
|
|
||||||
## SIGNING OPTIONS
|
|
||||||
|
|
||||||
## Selects the canonicalization method(s) to be used when signing messages.
|
|
||||||
Canonicalization relaxed/simple
|
|
||||||
|
|
||||||
## Domain(s) whose mail should be signed by this filter. Mail from other domains will
|
|
||||||
## be verified rather than being signed. Uncomment and use your domain name.
|
|
||||||
## This parameter is not required if a SigningTable is in use.
|
|
||||||
Domain file:/etc/mail/domains
|
|
||||||
|
|
||||||
|
|
||||||
## Defines the name of the selector to be used when signing messages.
|
|
||||||
Selector default
|
|
||||||
|
|
||||||
## Specifies the minimum number of key bits for acceptable keys and signatures.
|
|
||||||
MinimumKeyBits 1024
|
|
||||||
|
|
||||||
## Gives the location of a private key to be used for signing ALL messages. This
|
|
||||||
## directive is ignored if KeyTable is enabled.
|
|
||||||
KeyFile /var/opendkim/keys/default.private
|
|
||||||
|
|
||||||
## Gives the location of a file mapping key names to signing keys. In simple terms,
|
|
||||||
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
|
|
||||||
## directive in the configuration file. Requires SigningTable be enabled.
|
|
||||||
# KeyTable /etc/mail/opendkim/KeyTable
|
|
||||||
|
|
||||||
## Defines a table used to select one or more signatures to apply to a message based
|
|
||||||
## on the address found in the From: header field. In simple terms, this tells
|
|
||||||
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
|
|
||||||
# SigningTable refile:/etc/mail/opendkim/SigningTable
|
|
||||||
|
|
||||||
## Identifies a set of "external" hosts that may send mail through the server as one
|
|
||||||
## of the signing domains without credentials as such.
|
|
||||||
# ExternalIgnoreList refile:/etc/mail/opendkim/TrustedHosts
|
|
||||||
|
|
||||||
## Identifies a set "internal" hosts whose mail should be signed rather than verified.
|
|
||||||
InternalHosts refile:/etc/mail/opendkim/TrustedHosts
|
|
||||||
|
|
||||||
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
|
|
||||||
## whose mail should be neither signed nor verified by this filter. See man
|
|
||||||
## page for file format.
|
|
||||||
# PeerList X.X.X.X
|
|
||||||
|
|
||||||
## Always oversign From (sign using actual From and a null From to prevent
|
|
||||||
## malicious signatures header fields (From and/or others) between the signer
|
|
||||||
## and the verifier. From is oversigned by default in the Fedora package
|
|
||||||
## because it is often the identity key used by reputation systems and thus
|
|
||||||
## somewhat security sensitive.
|
|
||||||
OversignHeaders From
|
|
||||||
|
@ -1,17 +1,16 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
# Run openssl
|
# Run openssl
|
||||||
if [ ! -e "$SSL_CERT" ]
|
if [ ! -e "${SSL_CERT}" ]
|
||||||
then
|
then
|
||||||
mkdir -p "$(dirname $SSL_CERT)" "$(dirname $SSL_KEY)"
|
mkdir -p "$(dirname ${SSL_CERT})" "$(dirname $SSL_KEY)"
|
||||||
openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "$SSL_CERT" -out "$SSL_KEY"
|
openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "${SSL_CERT}" -out "${SSL_KEY}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Run opendkim
|
# Run opendkim
|
||||||
if [ ! -e "/var/opendkim/keys/default.private" ]
|
if [ ! -e "/var/opendkim/keys/default.private" ]
|
||||||
then
|
then
|
||||||
mkdir -p /var/opendkim/keys
|
opendkim-genkey -d "${DOMAINNAME}" -D "/var/opendkim/keys/"
|
||||||
opendkim-genkey -d "$DOMAINNAME" -D "/var/opendkim/keys"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
|
postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
|
||||||
|
Loading…
Reference in New Issue
Block a user