[DOCKER][MAIL] Cleanup opendkim.conf

Also improved consistency in other files
2020-11-23 14:55:33 +00:00 · 2020-11-23 14:55:33 +00:00 · d291a8dae5
parent 67483e415c
commit d291a8dae5
3 changed files with 37 additions and 133 deletions
--- a/docker/mail/Dockerfile
+++ b/docker/mail/Dockerfile
@ -26,11 +26,13 @@ RUN \
 	groupadd -g 2222 vmail \
 	&& mkdir -p -m 751 "/var/mail/" \
 	&& mkdir -p -m 755 "/etc/mail/" \
+	&& mkdir -p "/var/opendkim/keys/" \
 	&& useradd -d "/var/mail" -M -s "/usr/sbin/nologin" -u 2222 -g 2222 vmail \
 	&& usermod -aG vmail postfix \
 	&& usermod -aG vmail dovecot \
-	&& usermod -aG vmail opendkim\
-	&& chown vmail:vmail "/var/mail"
+	&& usermod -aG vmail opendkim \
+	&& chown vmail:vmail "/var/mail" \
+	&& chown opendkim:opendkim "/var/opendkim/keys/"

 # Copy config files
 COPY rootfs/ /
@ -42,7 +44,8 @@ RUN \
 	&& chmod +x "/etc/service/rsyslog/run"

 # Prepare user
-RUN mkdir -p "/var/mail/${DOMAINNAME}" \
+RUN \
+	mkdir -p "/var/mail/${DOMAINNAME}" \
 	&& mkdir -p "/var/mail/${DOMAINPART}/${USER%@*}" \
 	&& chown vmail:vmail "/var/mail/${DOMAINNAME}" \
 	&& chown vmail:vmail "/var/mail/${DOMAINPART}/${USER%@*}"
--- a/docker/mail/config/opendkim/opendkim.conf
+++ b/docker/mail/config/opendkim/opendkim.conf
@ -1,128 +1,30 @@
-## BASIC OPENDKIM CONFIGURATION FILE
-## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+# General
+Syslog                  yes
+SyslogSuccess	        yes
+UMask                   007
+LogWhy	                yes
+SoftwareHeader	        yes
+Socket                  inet:8891@localhost
+PidFile                 /var/run/opendkim/opendkim.pid
+OversignHeaders         From
+TrustAnchorFile         /usr/share/dns/root.key
+UserID                  opendkim:opendkim

-## BEFORE running OpenDKIM you must:
+# Signing options
+Canonicalization        relaxed/simple
+Mode                    sv
+Domain	                refile:/etc/mail/domains
+SubDomains              no
+AutoRestart             yes
+Background              yes
+DNSTimeout              5
+SignatureAlgorithm      rsa-sha256

-## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
-## - generate keys for your domain (if signing)
-## - edit your DNS records to publish your public keys (if signing)
+# Key file
+Selector	            default
+MinimumKeyBits	        1024
+KeyFile	                /var/opendkim/keys/default.private

-## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
-
-## DEPRECATED CONFIGURATION OPTIONS
-## 
-## The following configuration options are no longer valid.  They should be
-## removed from your existing configuration file to prevent potential issues.
-## Failure to do so may result in opendkim being unable to start.
-## 
-## Removed in 2.10.0:
-##   AddAllSignatureResults
-##   ADSPAction
-##   ADSPNoSuchDomain
-##   BogusPolicy
-##   DisableADSP
-##   LDAPSoftStart
-##   LocalADSP
-##   NoDiscardableMailTo
-##   On-PolicyError
-##   SendADSPReports
-##   UnprotectedPolicy
-
-## CONFIGURATION OPTIONS
-
-##  Specifies the path to the process ID file.
-PidFile	/var/run/opendkim/opendkim.pid
-
-##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
-##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
-##  messages.
-Mode	s
-
-##  Log activity to the system log.
-Syslog	yes
-
-##  Log additional entries indicating successful signing or verification of messages.
-SyslogSuccess	yes
-
-##  If logging is enabled, include detailed logging about why or why not a message was
-##  signed or verified. This causes an increase in the amount of log data generated
-##  for each message, so set this to No (or comment it out) if it gets too noisy.
-LogWhy	yes
-
-##  Attempt to become the specified user before starting operations.
-UserID	opendkim:opendkim
-
-##  Create a socket through which your MTA can communicate.
-Socket	inet:8891@localhost
-
-##  Required to use local socket with MTAs that access the socket as a non-
-##  privileged user (e.g. Postfix)
-Umask	002
-
-##  This specifies a text file in which to store DKIM transaction statistics.
-##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
-# Statistics	/var/spool/opendkim/stats.dat
-
-##  Specifies whether or not the filter should generate report mail back
-##  to senders when verification fails and an address for such a purpose
-##  is provided. See opendkim.conf(5) for details.
-# SendReports	yes
-
-##  Specifies the sending address to be used on From: headers of outgoing
-##  failure reports.  By default, the e-mail address of the user executing
-##  the filter is used (executing_user@hostname).
-# ReportAddress	"Example.com Postmaster" <postmaster@example.com>
-
-##  Add a DKIM-Filter header field to messages passing through this filter
-##  to identify messages it has processed.
-SoftwareHeader	yes
-
-## SIGNING OPTIONS
-
-##  Selects the canonicalization method(s) to be used when signing messages.
-Canonicalization	relaxed/simple
-
-##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
-##  be verified rather than being signed. Uncomment and use your domain name.
-##  This parameter is not required if a SigningTable is in use.
-Domain	file:/etc/mail/domains
-
-
-##  Defines the name of the selector to be used when signing messages.
-Selector	default
-
-##  Specifies the minimum number of key bits for acceptable keys and signatures.
-MinimumKeyBits	1024
-
-##  Gives the location of a private key to be used for signing ALL messages. This
-##  directive is ignored if KeyTable is enabled.
-KeyFile	/var/opendkim/keys/default.private
-
-##  Gives the location of a file mapping key names to signing keys. In simple terms,
-##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
-##  directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable	/etc/mail/opendkim/KeyTable
-
-##  Defines a table used to select one or more signatures to apply to a message based
-##  on the address found in the From: header field. In simple terms, this tells
-##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
-# SigningTable	refile:/etc/mail/opendkim/SigningTable
-
-##  Identifies a set of "external" hosts that may send mail through the server as one
-##  of the signing domains without credentials as such.
-# ExternalIgnoreList	refile:/etc/mail/opendkim/TrustedHosts
-
-##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
-InternalHosts	refile:/etc/mail/opendkim/TrustedHosts
-
-##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
-##  whose mail should be neither signed nor verified by this filter.  See man
-##  page for file format.
-# PeerList	X.X.X.X
-
-##  Always oversign From (sign using actual From and a null From to prevent
-##  malicious signatures header fields (From and/or others) between the signer
-##  and the verifier.  From is oversigned by default in the Fedora package
-##  because it is often the identity key used by reputation systems and thus
-##  somewhat security sensitive.
-OversignHeaders	From
+# Hosts
+ExternalIgnoreList      refile:/etc/mail/opendkim/TrustedHosts
+InternalHosts           refile:/etc/mail/opendkim/TrustedHosts
--- a/docker/mail/rootfs/usr/bin/start.sh
+++ b/docker/mail/rootfs/usr/bin/start.sh
@ -1,17 +1,16 @@
 #!/bin/sh

 # Run openssl
-if [ ! -e "$SSL_CERT" ]
+if [ ! -e "${SSL_CERT}" ]
 then
-	mkdir -p "$(dirname $SSL_CERT)" "$(dirname $SSL_KEY)"
-	openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "$SSL_CERT" -out "$SSL_KEY"
+	mkdir -p "$(dirname ${SSL_CERT})" "$(dirname $SSL_KEY)"
+	openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "${SSL_CERT}" -out "${SSL_KEY}"
 fi

 # Run opendkim
 if [ ! -e "/var/opendkim/keys/default.private" ]
 then
-	mkdir -p /var/opendkim/keys
-	opendkim-genkey -d "$DOMAINNAME" -D "/var/opendkim/keys"
+	opendkim-genkey -d "${DOMAINNAME}" -D "/var/opendkim/keys/"
 fi

 postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd