From d291a8dae5bca0cfcb1e66041950321b7f74e0c9 Mon Sep 17 00:00:00 2001
From: Pastilhas
Date: Mon, 23 Nov 2020 14:55:33 +0000
Subject: [PATCH] [DOCKER][MAIL] Cleanup opendkim.conf

Also improved consistency in other files
---
 docker/mail/Dockerfile | 9 +-
 docker/mail/config/opendkim/opendkim.conf | 152 ++++------------------
 docker/mail/rootfs/usr/bin/start.sh | 9 +-
 3 files changed, 37 insertions(+), 133 deletions(-)

diff --git a/docker/mail/Dockerfile b/docker/mail/Dockerfile
index 131d1da301..8dd1707ffb 100644
--- a/docker/mail/Dockerfile
+++ b/docker/mail/Dockerfile
@@ -26,11 +26,13 @@ RUN \
 groupadd -g 2222 vmail \
 && mkdir -p -m 751 "/var/mail/" \
 && mkdir -p -m 755 "/etc/mail/" \
+ && mkdir -p "/var/opendkim/keys/" \
 && useradd -d "/var/mail" -M -s "/usr/sbin/nologin" -u 2222 -g 2222 vmail \
 && usermod -aG vmail postfix \
 && usermod -aG vmail dovecot \
- && usermod -aG vmail opendkim\
- && chown vmail:vmail "/var/mail"
+ && usermod -aG vmail opendkim \
+ && chown vmail:vmail "/var/mail" \
+ && chown opendkim:opendkim "/var/opendkim/keys/"
 
 # Copy config files
 COPY rootfs/ /
@@ -42,7 +44,8 @@ RUN \
 && chmod +x "/etc/service/rsyslog/run"
 
 # Prepare user
-RUN mkdir -p "/var/mail/${DOMAINNAME}" \
+RUN \
+ mkdir -p "/var/mail/${DOMAINNAME}" \
 && mkdir -p "/var/mail/${DOMAINPART}/${USER%@*}" \
 && chown vmail:vmail "/var/mail/${DOMAINNAME}" \
 && chown vmail:vmail "/var/mail/${DOMAINPART}/${USER%@*}"
diff --git a/docker/mail/config/opendkim/opendkim.conf b/docker/mail/config/opendkim/opendkim.conf
index 979bec49a4..c021ac8d4e 100644
--- a/docker/mail/config/opendkim/opendkim.conf
+++ b/docker/mail/config/opendkim/opendkim.conf
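Review bot: The new `mkdir -p "/var/opendkim/keys/"` creates the DKIM private-key directory with the build's default umask (typically 0755), whereas the neighbouring `mkdir` calls set an explicit mode; because `default.private` will live here, create it restrictively, e.g. `&& mkdir -p -m 700 "/var/opendkim/keys/" \`, so other users in the container cannot list or read the key (OpenDKIM's default `RequireSafeKeys` also rejects keys whose permissions are too open). The following `chown opendkim:opendkim` only covers the directory itself: a key file generated later by another user inside it keeps that user's ownership and still needs its own chown. The reflowed `usermod -aG vmail opendkim` line grants the milter group access to the mail store, which a sign/verify filter talking to Postfix over an inet socket does not obviously need; worth confirming whether it can be dropped for least privilege.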
@@ -1,128 +1,30 @@
-## BASIC OPENDKIM CONFIGURATION FILE
-## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+# General
+Syslog yes
+SyslogSuccess yes
+UMask 007
+LogWhy yes
+SoftwareHeader yes
+Socket inet:8891@localhost
+PidFile /var/run/opendkim/opendkim.pid
+OversignHeaders From
+TrustAnchorFile /usr/share/dns/root.key
+UserID opendkim:opendkim
 
-## BEFORE running OpenDKIM you must:
+# Signing options
+Canonicalization relaxed/simple
+Mode sv
+Domain refile:/etc/mail/domains
+SubDomains no
+AutoRestart yes
+Background yes
+DNSTimeout 5
+SignatureAlgorithm rsa-sha256
 
-## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
-## - generate keys for your domain (if signing)
-## - edit your DNS records to publish your public keys (if signing)
+# Key file
+Selector default
+MinimumKeyBits 1024
+KeyFile /var/opendkim/keys/default.private
 
-## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
-
-## DEPRECATED CONFIGURATION OPTIONS
-##
-## The following configuration options are no longer valid. They should be
-## removed from your existing configuration file to prevent potential issues.
-## Failure to do so may result in opendkim being unable to start.
-##
-## Removed in 2.10.0:
-## AddAllSignatureResults
-## ADSPAction
-## ADSPNoSuchDomain
-## BogusPolicy
-## DisableADSP
-## LDAPSoftStart
-## LocalADSP
-## NoDiscardableMailTo
-## On-PolicyError
-## SendADSPReports
-## UnprotectedPolicy
-
-## CONFIGURATION OPTIONS
-
-## Specifies the path to the process ID file.
-PidFile /var/run/opendkim/opendkim.pid
-
-## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
-## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
-## messages.
-Mode s
-
-## Log activity to the system log.
-Syslog yes
-
-## Log additional entries indicating successful signing or verification of messages.
-SyslogSuccess yes
-
-## If logging is enabled, include detailed logging about why or why not a message was
-## signed or verified. This causes an increase in the amount of log data generated
-## for each message, so set this to No (or comment it out) if it gets too noisy.
-LogWhy yes
-
-## Attempt to become the specified user before starting operations.
-UserID opendkim:opendkim
-
-## Create a socket through which your MTA can communicate.
-Socket inet:8891@localhost
-
-## Required to use local socket with MTAs that access the socket as a non-
-## privileged user (e.g. Postfix)
-Umask 002
-
-## This specifies a text file in which to store DKIM transaction statistics.
-## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
-# Statistics /var/spool/opendkim/stats.dat
-
-## Specifies whether or not the filter should generate report mail back
-## to senders when verification fails and an address for such a purpose
-## is provided. See opendkim.conf(5) for details.
-# SendReports yes
-
-## Specifies the sending address to be used on From: headers of outgoing
-## failure reports. By default, the e-mail address of the user executing
-## the filter is used (executing_user@hostname).
-# ReportAddress "Example.com Postmaster"
-
-## Add a DKIM-Filter header field to messages passing through this filter
-## to identify messages it has processed.
-SoftwareHeader yes
-
-## SIGNING OPTIONS
-
-## Selects the canonicalization method(s) to be used when signing messages.
-Canonicalization relaxed/simple
-
-## Domain(s) whose mail should be signed by this filter. Mail from other domains will
-## be verified rather than being signed. Uncomment and use your domain name.
-## This parameter is not required if a SigningTable is in use.
-Domain file:/etc/mail/domains
-
-
-## Defines the name of the selector to be used when signing messages.
-Selector default
-
-## Specifies the minimum number of key bits for acceptable keys and signatures.
-MinimumKeyBits 1024
-
-## Gives the location of a private key to be used for signing ALL messages. This
-## directive is ignored if KeyTable is enabled.
-KeyFile /var/opendkim/keys/default.private
-
-## Gives the location of a file mapping key names to signing keys. In simple terms,
-## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
-## directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable /etc/mail/opendkim/KeyTable
-
-## Defines a table used to select one or more signatures to apply to a message based
-## on the address found in the From: header field. In simple terms, this tells
-## OpenDKIM how to use your keys. Requires KeyTable be enabled.
-# SigningTable refile:/etc/mail/opendkim/SigningTable
-
-## Identifies a set of "external" hosts that may send mail through the server as one
-## of the signing domains without credentials as such.
-# ExternalIgnoreList refile:/etc/mail/opendkim/TrustedHosts
-
-## Identifies a set "internal" hosts whose mail should be signed rather than verified.
-InternalHosts refile:/etc/mail/opendkim/TrustedHosts
-
-## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
-## whose mail should be neither signed nor verified by this filter. See man
-## page for file format.
-# PeerList X.X.X.X
-
-## Always oversign From (sign using actual From and a null From to prevent
-## malicious signatures header fields (From and/or others) between the signer
-## and the verifier. From is oversigned by default in the Fedora package
-## because it is often the identity key used by reputation systems and thus
-## somewhat security sensitive.
-OversignHeaders From
+# Hosts
+ExternalIgnoreList refile:/etc/mail/opendkim/TrustedHosts
+InternalHosts refile:/etc/mail/opendkim/TrustedHosts
diff --git a/docker/mail/rootfs/usr/bin/start.sh b/docker/mail/rootfs/usr/bin/start.sh
index 4eea3cc5e9..0ca9e6e0b2 100644
--- a/docker/mail/rootfs/usr/bin/start.sh
+++ b/docker/mail/rootfs/usr/bin/start.sh
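Review bot: `AutoRestart yes` is set without an `AutoRestartRate`, so a filter that dies on startup (for example because `KeyFile` is not readable by the `opendkim` user it drops to) is restarted in a tight loop; pair it with a limit such as `AutoRestartRate 10/1h`. `Background yes` makes opendkim fork and detach; if it is run under the runit `/etc/service` tree visible in the Dockerfile, the supervisor loses track of the daemon and `Background no` is the right setting — worth confirming how the process is started. `Domain` moved from `file:` to `refile:`, which matches entries as wildcard patterns rather than literal names, while the same file is fed to `postmap` in start.sh; confirm that its key/value map format still yields the intended signing domains. The hunk also strips every explanatory comment from the file; keep at least a one-line note on the security-relevant choices, e.g. `# oversign From so a second From: header cannot be smuggled past the signature` above `OversignHeaders From` and `# DNSSEC root trust anchor used to validate key lookups` above `TrustAnchorFile`.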
@@ -1,17 +1,16 @@
 #!/bin/sh
 
 # Run openssl
-if [ ! -e "$SSL_CERT" ]
+if [ ! -e "${SSL_CERT}" ]
 then
- mkdir -p "$(dirname $SSL_CERT)" "$(dirname $SSL_KEY)"
- openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "$SSL_CERT" -out "$SSL_KEY"
+ mkdir -p "$(dirname ${SSL_CERT})" "$(dirname $SSL_KEY)"
+ openssl req -x509 -nodes -newkey rsa:2018 -days 365 -keyout "${SSL_CERT}" -out "${SSL_KEY}"
 fi
 
 # Run opendkim
 if [ ! -e "/var/opendkim/keys/default.private" ]
 then
- mkdir -p /var/opendkim/keys
- opendkim-genkey -d "$DOMAINNAME" -D "/var/opendkim/keys"
+ opendkim-genkey -d "${DOMAINNAME}" -D "/var/opendkim/keys/"
 fi
 
 postmap /etc/mail/aliases /etc/mail/domains /etc/mail/mailboxes /etc/mail/passwd
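Review bot: The rewritten openssl line writes the private key to the certificate path and the certificate to the key path — `-keyout` names the key file and `-out` the certificate — so it should read `openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=${DOMAINNAME}" -keyout "${SSL_KEY}" -out "${SSL_CERT}"` (`rsa:2018` also looks like a typo for 2048, and without `-subj` or `-batch` the command prompts for subject fields, which has no sane answer on a non-interactive container start). In the opendkim branch, `opendkim-genkey` runs as whoever executes start.sh, presumably root, and the resulting `default.private` keeps that owner, while opendkim.conf drops to `UserID opendkim:opendkim`; add `chown opendkim:opendkim /var/opendkim/keys/default.private` after the genkey call so the filter can open its key. The genkey call also relies on the tool's default key length; RFC 8301 recommends 2048-bit signing keys, so pass `-b 2048` explicitly. Removing the `mkdir -p` here makes the script depend on the Dockerfile having created `/var/opendkim/keys/`, which a volume mounted over that path at runtime would still satisfy but with the mount's permissions rather than the image's.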