From cb673885ca03cef1b81d055ee957f8e80c7ee1d1 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 17:49:28 +0100 Subject: [PATCH 01/18] generating a DKIM key for all virtualDomains --- entrypoint.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0443c54..85cd9ef 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -19,6 +19,7 @@ Environment Variables: SMF_CONFIG - mail forward addresses mapping list. SMF_MYNETWORKS - configure relaying from trusted IPs, see http://www.postfix.org/postconf.5.html#mynetworks SMF_RELAYHOST - configure a relayhost + SMF_DKIM_ALL - If defined, generate a DKIM key for all domains found in SMF_CONFIG, in addition to the one in SMF_DOMAIN this creates a new smtp server which listens on port 25, forward all email from @@ -190,8 +191,7 @@ function start_postfix { postfix start - - # DKIM + # DKIM only for $HOSTNAME if [ ! -f /var/db/dkim/default.private ]; then mkdir -p /var/db/dkim echo "OpenDKIM: Keys not found, generating..." @@ -203,8 +203,25 @@ function start_postfix { echo "OpenDKIM: Add TXT record to DNS:" cat /var/db/dkim/default.txt fi + sed -n -e '/^Domain\s/!p' -e '$aDomain '$HOSTNAME -i /etc/opendkim/opendkim.conf + # DKIM for all virtual + if [ "$SMF_DKIM_ALL" != "" ]; then + + for virtualDomain in $virtualDomains; do + mkdir -p /var/db/dkim/${virtualDomain} + echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." + opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v + + chmod 400 /var/db/dkim/${virtualDomain}/default.private + chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private + + echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + cat /var/db/dkim/${virtualDomain}/default.txt + done + fi + } # From 5bbc7bbfa7e37411d40c8fe7d7b495ce84f1f119 Mon Sep 17 00:00:00 2001 
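Review bot: Every use of `${virtualDomain}` in the new loop (the `mkdir`, `opendkim-genkey`, `chmod`, `chown` and `cat` lines) and of `$HOSTNAME` in the new `sed -e '$aDomain '$HOSTNAME` line is unquoted, so a value containing whitespace or glob characters is split or expanded before it reaches the command; quote each use, e.g. `opendkim-genkey -b 2048 -d "${virtualDomain}" -D "/var/db/dkim/${virtualDomain}" -s default -v`. Where `virtualDomains` is assigned is outside the hunk, so whether its values are validated first cannot be seen here; if they are taken verbatim from `SMF_CONFIG`, a value containing `/` or `..` would also place the key directory outside `/var/db/dkim`, so a shape check on each domain before the `mkdir` is worth adding. start_postfix's body begins before this hunk.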
From: Daniel Graziotin Date: Tue, 9 Feb 2021 17:52:52 +0100 Subject: [PATCH 02/18] including HOSTNAME in folder of domains for DKIM --- entrypoint.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 85cd9ef..a1c8f9f 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -206,9 +206,10 @@ function start_postfix { sed -n -e '/^Domain\s/!p' -e '$aDomain '$HOSTNAME -i /etc/opendkim/opendkim.conf - # DKIM for all virtual + # DKIM for all virtual domains and $HOSTNAME if [ "$SMF_DKIM_ALL" != "" ]; then - + mkdir -p /var/db/dkim/$HOSTNAME + cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME for virtualDomain in $virtualDomains; do mkdir -p /var/db/dkim/${virtualDomain} echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." From c1d9c5fb6116f352e2a29deb4591992fd9e98095 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 18:10:22 +0100 Subject: [PATCH 03/18] KeyTable, SigningTable, TrustedHosts for HOSTNAME and all virtualDomain --- entrypoint.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index a1c8f9f..1cbf3dd 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -210,6 +210,14 @@ function start_postfix { if [ "$SMF_DKIM_ALL" != "" ]; then mkdir -p /var/db/dkim/$HOSTNAME cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME + + echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private +" >> /etc/opendkim/KeyTable + + echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + + echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts + for virtualDomain in $virtualDomains; do mkdir -p /var/db/dkim/${virtualDomain} echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." 
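Review bot: The copy of `default.private` produced by `cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME` is owned by the user running the entrypoint, and nothing in this hunk applies the `chmod 400`/`chown opendkim:opendkim` that the single-domain branch above applies to the original, so the file OpenDKIM will be pointed at under `/var/db/dkim/$HOSTNAME/` is likely unreadable by the opendkim user. Add `chmod 400 /var/db/dkim/$HOSTNAME/default.private` and `chown opendkim:opendkim /var/db/dkim/$HOSTNAME/default.private` right after the copy. The original `default.*` files are also left in place, so the private key now exists twice on disk; a `mv` would keep a single copy. start_postfix continues outside the hunk.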
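Review bot: The KeyTable `echo` in this hunk has a literal line break inside its double-quoted string, so each call writes the entry followed by an empty line to `/etc/opendkim/KeyTable`; closing the quote on the same line, `echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable`, avoids that. The three appends also run on every start, so a restarted container accumulates duplicate KeyTable, SigningTable and TrustedHosts lines; check with `grep -qF` (or rewrite the tables from scratch) before appending. The second hunk of this patch has the same two problems for `${virtualDomain}`.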
@@ -218,6 +226,13 @@ function start_postfix { chmod 400 /var/db/dkim/${virtualDomain}/default.private chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private +" >> /etc/opendkim/KeyTable + + echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable + + echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts + echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" cat /var/db/dkim/${virtualDomain}/default.txt done From f87d804c7daf99fa651d392a32596b375e473c4d Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 18:14:36 +0100 Subject: [PATCH 04/18] Generate new DKIM data only if keys do not exist yet --- entrypoint.sh | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 1cbf3dd..e86a3be 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -207,34 +207,37 @@ function start_postfix { sed -n -e '/^Domain\s/!p' -e '$aDomain '$HOSTNAME -i /etc/opendkim/opendkim.conf # DKIM for all virtual domains and $HOSTNAME - if [ "$SMF_DKIM_ALL" != "" ]; then - mkdir -p /var/db/dkim/$HOSTNAME - cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME - - echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private -" >> /etc/opendkim/KeyTable + if [ "$SMF_DKIM_ALL" != "" ]; then + if [ ! -f /var/db/dkim/$HOSTNAME/default.private ]; then + mkdir -p /var/db/dkim/$HOSTNAME + cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME - echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private + " >> /etc/opendkim/KeyTable - echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts + echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts + fi for virtualDomain in $virtualDomains; do - mkdir -p /var/db/dkim/${virtualDomain} - echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." - opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v + if [ ! -f /var/db/dkim/${virtualDomain}/default.private ]; then + mkdir -p /var/db/dkim/${virtualDomain} + echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." 
+ opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v - chmod 400 /var/db/dkim/${virtualDomain}/default.private - chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private + chmod 400 /var/db/dkim/${virtualDomain}/default.private + chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private - echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private -" >> /etc/opendkim/KeyTable + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private + " >> /etc/opendkim/KeyTable - echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable + echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable - echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts + echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" - cat /var/db/dkim/${virtualDomain}/default.txt + echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + cat /var/db/dkim/${virtualDomain}/default.txt + fi done fi From 2231fb7e2acf1e34cf5573922559a038e2dee2d3 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 18:28:51 +0100 Subject: [PATCH 05/18] disabled opendkim.conf settings for single domain, added KeyTable,SigningTable,ExternalIgnoreList,InternalHosts --- entrypoint.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index e86a3be..68ee5d7 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
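Review bot: The KeyTable/SigningTable/TrustedHosts appends now sit inside the `if [ ! -f .../default.private ]` guards, so on a container whose `/var/db/dkim` volume already holds keys (the README recommends mounting it from the host) the guards are false, `/etc/opendkim/KeyTable` and `SigningTable` — which live in the image, not in the volume — stay empty, and nothing is signed. Keep only `mkdir` and `opendkim-genkey` inside each guard and move the `chmod`/`chown` and the table appends after its `fi`. The continuation lines of the two KeyTable `echo` strings are now indented inside the quotes, so each entry is followed by a line of spaces in the table. start_postfix continues outside the hunk.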
@@ -239,6 +239,13 @@ function start_postfix { cat /var/db/dkim/${virtualDomain}/default.txt fi done + sed -e '/KeyFile/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf + echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf + echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf + echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf fi } From d6e52a90df840279169397863e2f2f6983cc6a8f Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 19:12:50 +0100 Subject: [PATCH 06/18] Correct permissions of DKIM files regardless of prior creation --- entrypoint.sh | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 68ee5d7..77644ac 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
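Review bot: The three `sed` edits use unanchored patterns (`/KeyFile/`, `/Selector/`, `/Domain/`), so they comment out any line whose text contains those words, not only the directives; `/Domain/` would also hit a `SubDomains` directive if the shipped `opendkim.conf` sets one. The earlier `sed` in this function already anchors with `/^Domain\s/`, so the same form, `sed -e '/^Domain\s/ s/^#*/#/' -i /etc/opendkim/opendkim.conf`, keeps the three consistent. The four `echo ... >> /etc/opendkim/opendkim.conf` lines run on every start and stack duplicate directives across restarts; a `grep -q '^KeyTable[[:space:]]' /etc/opendkim/opendkim.conf ||` guard in front of each append avoids that.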
@@ -209,36 +209,41 @@ function start_postfix { # DKIM for all virtual domains and $HOSTNAME if [ "$SMF_DKIM_ALL" != "" ]; then if [ ! -f /var/db/dkim/$HOSTNAME/default.private ]; then + echo "Moving ${HOSTNAME} keys to /var/db/dkim/$HOSTNAME/" mkdir -p /var/db/dkim/$HOSTNAME cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME - + fi + chmod 400 /var/db/dkim/default.private + chown opendkim:opendkim /var/db/dkim/default.private + echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private " >> /etc/opendkim/KeyTable echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts - fi + for virtualDomain in $virtualDomains; do if [ ! -f /var/db/dkim/${virtualDomain}/default.private ]; then mkdir -p /var/db/dkim/${virtualDomain} echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v + fi + chmod 400 /var/db/dkim/${virtualDomain}/default.private + chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private + echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private + " >> /etc/opendkim/KeyTable - chmod 400 /var/db/dkim/${virtualDomain}/default.private - chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private - - echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private - " >> /etc/opendkim/KeyTable - - echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable + echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable - echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts + echo 
"${virtualDomain}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" - cat /var/db/dkim/${virtualDomain}/default.txt - fi + echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + cat /var/db/dkim/${virtualDomain}/default.txt + done + echo "Moving from single DKIM key settings to multiple DKIM key settings." sed -e '/KeyFile/ s/^#*/#/' -i /etc/opendkim/opendkim.conf sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf From 36aa8b80a926ea6a68a24d4e7de2bacac3a785b1 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 21:12:29 +0100 Subject: [PATCH 07/18] Added test for multiple domains and DKIM. Ready for #88 --- test/simple-mail-forwarder.bats | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/test/simple-mail-forwarder.bats b/test/simple-mail-forwarder.bats index a4a56f4..ca63ba7 100644 --- a/test/simple-mail-forwarder.bats +++ b/test/simple-mail-forwarder.bats @@ -177,7 +177,13 @@ if [[ "$SKIP_TEST" == *"DKIM"* ]]; then skip "This test will fail on docker build workflow" fi + echo "Validating DKIM for $SMF_DOMAIN" opendkim-testkey -d $SMF_DOMAIN -s default -vvv - + if [ "$SMF_DKIM_ALL" != "" ]; then + cd /var/db/dkim/ && for domain in */ ; do + echo "Validating DKIM for ${domain::-1}" + opendkim-testkey -d ${domain::-1} -s default -vvv + done + fi [ $? -eq 0 ] } From cb56c39e4218164f410c212d8b1b8e7657570a9c Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Tue, 9 Feb 2021 21:40:05 +0100 Subject: [PATCH 08/18] Updated README on DKIM for multiple domains --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 4d204ae..ab2f08e 100644 --- a/README.md +++ b/README.md 
@@ -237,6 +237,15 @@ It is highly advised to mount `/var/db/dkim/` folder to host, so generated keypa docker run -e SMF_CONFIG="$SMF_CONFIG" -p 25:25 -v $(pwd)/dkim:/var/db/dkim/ zixia/simple-mail-forwarder ``` +DKIM and multiple domains +========================= + +If `$SMF_DKIM_ALL` is defined (any value will do, including `1`), SMF will generate private/public keypairs for `$SMF_DOMAIN` and for all source domains contained in `SMF_CONFIG`. All keys will be stored in `/var/db/dkim//`. + +This will enable DKIM for multiple domains and test for their validity on SMF startup. + +If a DKIM key was already present for `$SMF_DOMAIN` under `/var/db/dkim/`, it will be copied under `/var/db/dkim/{$SMF_DOMAIN}`. + Helper Scripts -------------------- From 333476b721ed86329125a3128c05220059297781 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Wed, 10 Feb 2021 10:49:55 +0100 Subject: [PATCH 09/18] Fixed indentation on entrypoint --- entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 77644ac..e88ee88 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -216,8 +216,7 @@ function start_postfix { chmod 400 /var/db/dkim/default.private chown opendkim:opendkim /var/db/dkim/default.private echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private - " >> /etc/opendkim/KeyTable + echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable From 7e4ba430f005c302c5da4417a24f13f801c60273 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Wed, 10 Feb 2021 13:18:26 +0100 Subject: [PATCH 10/18] Fixed wrong indentation (style) --- entrypoint.sh | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) 
diff --git a/entrypoint.sh b/entrypoint.sh
index e88ee88..1d71a22 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -209,36 +209,34 @@ function start_postfix { # DKIM for all virtual domains and $HOSTNAME if [ "$SMF_DKIM_ALL" != "" ]; then if [ ! -f /var/db/dkim/$HOSTNAME/default.private ]; then - echo "Moving ${HOSTNAME} keys to /var/db/dkim/$HOSTNAME/" + echo "Copying ${HOSTNAME} keys to /var/db/dkim/$HOSTNAME/" mkdir -p /var/db/dkim/$HOSTNAME cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME fi - chmod 400 /var/db/dkim/default.private - chown opendkim:opendkim /var/db/dkim/default.private - echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable - echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + chmod 400 /var/db/dkim/default.private + chown opendkim:opendkim /var/db/dkim/default.private - echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts - + echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable + echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts for virtualDomain in $virtualDomains; do if [ ! -f /var/db/dkim/${virtualDomain}/default.private ]; then mkdir -p /var/db/dkim/${virtualDomain} echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." 
opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v fi + chmod 400 /var/db/dkim/${virtualDomain}/default.private chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private - echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private - " >> /etc/opendkim/KeyTable + echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable - echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + cat /var/db/dkim/${virtualDomain}/default.txt done From fb14166c7cb482fff4153c8cb40306ae96cdddb5 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Wed, 10 Feb 2021 17:52:53 +0100 Subject: [PATCH 11/18] Cleaner handling of multiple DKIM keys. No settings required. Renders #83 redundant --- README.md | 17 +++--- entrypoint.sh | 95 +++++++++++++++------------------ test/simple-mail-forwarder.bats | 12 ++--- 3 files changed, 53 insertions(+), 71 deletions(-) diff --git a/README.md b/README.md index ab2f08e..3b1088d 100644 --- a/README.md +++ b/README.md 
@@ -229,23 +229,18 @@ If you do not have a certificate and don't have the budget to afford one, you ca DKIM -------------------- -SMF generates private/public keypair for `$SMF_DOMAIN` and stores them in `/var/db/dkim/`. Public key must be set as TXT record in DNS under `default._domainkey` name. -`default._domainkey` can be found in `/var/db/dkim/default.txt`. +SMF will generate private/public keypairs for `$SMF_DOMAIN` and for all source domains contained in `SMF_CONFIG`. All keys will be stored in `/var/db/dkim//`. + +This will enable DKIM for multiple domains and test for their validity on SMF startup. + +Public key must be set as TXT record in DNS under `default._domainkey` name. `default._domainkey` can be found in `/var/db/dkim//default.txt`. It is highly advised to mount `/var/db/dkim/` folder to host, so generated keypair would not get lost/regenerated: + ``` docker run -e SMF_CONFIG="$SMF_CONFIG" -p 25:25 -v $(pwd)/dkim:/var/db/dkim/ zixia/simple-mail-forwarder ``` -DKIM and multiple domains -========================= - -If `$SMF_DKIM_ALL` is defined (any value will do, including `1`), SMF will generate private/public keypairs for `$SMF_DOMAIN` and for all source domains contained in `SMF_CONFIG`. All keys will be stored in `/var/db/dkim//`. - -This will enable DKIM for multiple domains and test for their validity on SMF startup. - -If a DKIM key was already present for `$SMF_DOMAIN` under `/var/db/dkim/`, it will be copied under `/var/db/dkim/{$SMF_DOMAIN}`. - Helper Scripts -------------------- diff --git a/entrypoint.sh b/entrypoint.sh index 1d71a22..9eb4a68 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -191,64 +191,55 @@ function start_postfix { postfix start - # DKIM only for $HOSTNAME - if [ ! -f /var/db/dkim/default.private ]; then - mkdir -p /var/db/dkim - echo "OpenDKIM: Keys not found, generating..." - opendkim-genkey -b 2048 -d $HOSTNAME -D /var/db/dkim/ -s default -v + # migrating older single-domain DKIM (/var/db/dkim/default.*) to /var/db/dkim/$HOSTNAME/default.* + if [ -f /var/db/dkim/default.private ]; then + echo "Migrating ${HOSTNAME} keys to /var/db/dkim/$HOSTNAME/" + mkdir -p /var/db/dkim/$HOSTNAME + mv /var/db/dkim/default.* /var/db/dkim/$HOSTNAME + chmod 400 /var/db/dkim/$HOSTNAME/default.private + chown opendkim:opendkim /var/db/dkim/$HOSTNAME/default.private + fi - chmod 400 /var/db/dkim/default.private - chown opendkim:opendkim /var/db/dkim/default.private + echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable + echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable + echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS:" - cat /var/db/dkim/default.txt - fi + for virtualDomain in $virtualDomains; do + # skip generating keys for $HOSTNAME twice in case it is also used as forwarded domain. + if [ "$virtualDomain" = "$HOSTNAME" ]; then + continue + fi - - sed -n -e '/^Domain\s/!p' -e '$aDomain '$HOSTNAME -i /etc/opendkim/opendkim.conf - # DKIM for all virtual domains and $HOSTNAME - if [ "$SMF_DKIM_ALL" != "" ]; then - if [ ! -f /var/db/dkim/$HOSTNAME/default.private ]; then - echo "Copying ${HOSTNAME} keys to /var/db/dkim/$HOSTNAME/" - mkdir -p /var/db/dkim/$HOSTNAME - cp /var/db/dkim/default.* /var/db/dkim/$HOSTNAME + # generates new keys only if they are not already present + if [ ! 
-f /var/db/dkim/${virtualDomain}/default.private ]; then + mkdir -p /var/db/dkim/${virtualDomain} + echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." + opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v fi - chmod 400 /var/db/dkim/default.private - chown opendkim:opendkim /var/db/dkim/default.private - - echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable - echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable - echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts - for virtualDomain in $virtualDomains; do - if [ ! -f /var/db/dkim/${virtualDomain}/default.private ]; then - mkdir -p /var/db/dkim/${virtualDomain} - echo "OpenDKIM: Keys for ${virtualDomain} not found, generating..." - opendkim-genkey -b 2048 -d ${virtualDomain} -D /var/db/dkim/${virtualDomain} -s default -v - fi + chmod 400 /var/db/dkim/${virtualDomain}/default.private + chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private - chmod 400 /var/db/dkim/${virtualDomain}/default.private - chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private - - echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable - echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable - echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" - - cat /var/db/dkim/${virtualDomain}/default.txt - - done - echo "Moving from single DKIM key settings to multiple DKIM key settings." 
- sed -e '/KeyFile/ s/^#*/#/' -i /etc/opendkim/opendkim.conf - sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf - sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf - echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf - echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf - echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf - echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf - fi + echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable + echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable + echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts + echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + + cat /var/db/dkim/${virtualDomain}/default.txt + + done + + echo "Configuring DKIM key settings in /etc/opendkim/opendkim.conf" + sed -e '/KeyFile/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf + + echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf + echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf + echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf + echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf } diff --git a/test/simple-mail-forwarder.bats b/test/simple-mail-forwarder.bats index ca63ba7..28f4d12 100644 --- a/test/simple-mail-forwarder.bats +++ b/test/simple-mail-forwarder.bats 
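Review bot: `opendkim-genkey`'s exit status is not checked in the per-domain loop, so if generation fails the following `chmod`/`chown` only print errors (no `set -e` is visible in this file) and the KeyTable/SigningTable entries are still appended, leaving OpenDKIM configured to sign `${virtualDomain}` with a key file that does not exist; `opendkim-genkey -b 2048 -d "${virtualDomain}" -D "/var/db/dkim/${virtualDomain}" -s default -v || { echo "OpenDKIM: key generation failed for ${virtualDomain}" >&2; continue; }` would skip the table entries for that domain. The table and `opendkim.conf` appends still run unconditionally on every start, so restarts of the same container accumulate duplicate lines. The migrated key's ownership is now fixed after the `mv`, which is good, but the `$HOSTNAME` paths in that block remain unquoted. start_postfix begins before the hunk.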
@@ -177,13 +177,9 @@ if [[ "$SKIP_TEST" == *"DKIM"* ]]; then skip "This test will fail on docker build workflow" fi - echo "Validating DKIM for $SMF_DOMAIN" - opendkim-testkey -d $SMF_DOMAIN -s default -vvv - if [ "$SMF_DKIM_ALL" != "" ]; then - cd /var/db/dkim/ && for domain in */ ; do - echo "Validating DKIM for ${domain::-1}" - opendkim-testkey -d ${domain::-1} -s default -vvv - done - fi + cd /var/db/dkim/ && for domain in */ ; do + echo "Validating DKIM for ${domain::-1}" + opendkim-testkey -d ${domain::-1} -s default -vvv + done [ $? -eq 0 ] } From e18d099416ca9a20d4f5311d450a9a845d4372ff Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Wed, 10 Feb 2021 18:19:40 +0100 Subject: [PATCH 12/18] Making sure we never insert the same config twice #89 --- entrypoint.sh | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9eb4a68..1ade374 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -222,12 +222,18 @@ function start_postfix { chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable - echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable - echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts - echo "OpenDKIM: Add TXT record to DNS for ${virtualDomain}:" + if ! grep -q "default._domainkey.${virtualDomain}" /etc/opendkim/KeyTable; then + echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable + fi + if ! grep -q "default._domainkey.${virtualDomain}" /etc/opendkim/SigningTable; then + echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable + fi + if ! grep -q "${virtualDomain}" /etc/opendkim/TrustedHosts; then + echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts + fi - cat /var/db/dkim/${virtualDomain}/default.txt + echo "OpenDKIM: this TXT record for ${virtualDomain} should be present:" + cat /var/db/dkim/${virtualDomain}/default.txt done 
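Review bot: The new `grep -q` guards are unanchored regex matches, so the TrustedHosts check `grep -q "${virtualDomain}"` is satisfied by any existing line that merely contains the domain (`sub.example.com` or `myexample.com` when the domain is `example.com`), the unescaped dots match any character, and the entry for such a domain is then never written. Use fixed-string, whole-line matches: `grep -qxF -- "${virtualDomain}" /etc/opendkim/TrustedHosts`, `grep -qF -- "default._domainkey.${virtualDomain} " /etc/opendkim/KeyTable` and `grep -qxF -- "${virtualDomain} default._domainkey.${virtualDomain}" /etc/opendkim/SigningTable`. The second hunk of this patch has the mirror problem: `grep -q "KeyTable" /etc/opendkim/opendkim.conf` also matches a commented-out `#KeyTable` line, so if the shipped config carries one the live directive is never appended; anchor those four checks as `grep -q '^KeyTable[[:space:]]'` and so on.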
@@ -236,10 +242,18 @@ function start_postfix { sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf - echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf - echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf - echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf - echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf + if ! grep -q "KeyTable" /etc/opendkim/opendkim.conf; then + echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf; + fi + if ! grep -q "SigningTable" /etc/opendkim/opendkim.conf; then + echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf; + fi + if ! grep -q "ExternalIgnoreList" /etc/opendkim/opendkim.conf; then + echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf; + fi + if ! grep -q "InternalHosts" /etc/opendkim/opendkim.conf; then + echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf + fi } From 02f5f302274dc4436ae6ca34b2d48855766a5b8a Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Wed, 10 Feb 2021 18:22:26 +0100 Subject: [PATCH 13/18] Forgot one last mention of SMF_DKIM_ALL --- entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 1ade374..86d351e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -19,7 +19,6 @@ Environment Variables: SMF_CONFIG - mail forward addresses mapping list. SMF_MYNETWORKS - configure relaying from trusted IPs, see http://www.postfix.org/postconf.5.html#mynetworks SMF_RELAYHOST - configure a relayhost - SMF_DKIM_ALL - If defined, generate a DKIM key for all domains found in SMF_CONFIG, in addition to the one in SMF_DOMAIN this creates a new smtp server which listens on port 25, forward all email from From b7c3eff26f3ca9695af9ba0e0782f0995691f09d Mon Sep 17 00:00:00 2001 
From: Daniel Graziotin Date: Thu, 11 Feb 2021 10:01:56 +0100 Subject: [PATCH 14/18] Better tld naming for DKIM in README Co-authored-by: Peeter N --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3b1088d..cff0580 100644 --- a/README.md +++ b/README.md @@ -229,11 +229,11 @@ If you do not have a certificate and don't have the budget to afford one, you ca DKIM -------------------- -SMF will generate private/public keypairs for `$SMF_DOMAIN` and for all source domains contained in `SMF_CONFIG`. All keys will be stored in `/var/db/dkim//`. +SMF will generate private/public keypairs for `$SMF_DOMAIN` and for all source domains contained in `SMF_CONFIG`. All keys will be stored in `/var/db/dkim//`. This will enable DKIM for multiple domains and test for their validity on SMF startup. -Public key must be set as TXT record in DNS under `default._domainkey` name. `default._domainkey` can be found in `/var/db/dkim//default.txt`. +Public key must be set as TXT record in DNS under `default._domainkey` name. `default._domainkey` can be found in `/var/db/dkim//default.txt`. It is highly advised to mount `/var/db/dkim/` folder to host, so generated keypair would not get lost/regenerated: From 7e3e41f8e56347e1690e4eccdc01c7a6fa0e25b6 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Thu, 11 Feb 2021 10:58:39 +0100 Subject: [PATCH 15/18] DKIM test no longer changes working directory Co-authored-by: Peeter N --- test/simple-mail-forwarder.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/simple-mail-forwarder.bats b/test/simple-mail-forwarder.bats index 28f4d12..015658b 100644 --- a/test/simple-mail-forwarder.bats +++ b/test/simple-mail-forwarder.bats 
@@ -177,9 +177,9 @@ if [[ "$SKIP_TEST" == *"DKIM"* ]]; then skip "This test will fail on docker build workflow" fi - cd /var/db/dkim/ && for domain in */ ; do - echo "Validating DKIM for ${domain::-1}" - opendkim-testkey -d ${domain::-1} -s default -vvv + for domain in /var/db/dkim/*/ ; do + echo "Validating DKIM for ${domain:13:-1}" + opendkim-testkey -d ${domain:13:-1} -s default -vvv done [ $? -eq 0 ] } From 432b82cc8bacd4db0c56537dad18452c9aaa4a94 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Thu, 11 Feb 2021 11:22:03 +0100 Subject: [PATCH 16/18] More elegant generation of DKIM entries for HOSTNAME and virtual domains --- entrypoint.sh | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 86d351e..071c0c1 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -199,17 +199,12 @@ function start_postfix { chown opendkim:opendkim /var/db/dkim/$HOSTNAME/default.private fi - echo "Inserting ${HOSTNAME} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "default._domainkey.${HOSTNAME} ${HOSTNAME}:default:/var/db/dkim/${HOSTNAME}/default.private" >> /etc/opendkim/KeyTable - echo "${HOSTNAME} default._domainkey.${HOSTNAME}" >> /etc/opendkim/SigningTable - echo "${HOSTNAME}" >> /etc/opendkim/TrustedHosts - - for virtualDomain in $virtualDomains; do - # skip generating keys for $HOSTNAME twice in case it is also used as forwarded domain. - if [ "$virtualDomain" = "$HOSTNAME" ]; then - continue - fi + allDomains="$virtualDomains" + [[ $allDomains =~ $HOSTNAME ]] || { + allDomains="$allDomains $HOSTNAME" + } + for virtualDomain in $allDomains; do # generates new keys only if they are not already present if [ ! -f /var/db/dkim/${virtualDomain}/default.private ]; then mkdir -p /var/db/dkim/${virtualDomain} 
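Review bot: `${domain:13:-1}` hard-codes 13 as the length of `/var/db/dkim/`, so the extracted name is silently wrong if that prefix ever changes, and the negative length form needs bash 4.2+; deriving the name from the path is clearer and quote-safe: `name=${domain%/}; name=${name##*/}` followed by `opendkim-testkey -d "$name" -s default -vvv`. The closing `[ $? -eq 0 ]` still reflects only the last loop iteration, so an invalid key for any domain but the last does not fail the test. The `@test` header is outside the hunk.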
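Review bot: `[[ $allDomains =~ $HOSTNAME ]]` is an unanchored regex substring test, so when `$HOSTNAME` is `example.com` and `$virtualDomains` contains `sub.example.com` or `example.com.au` (the unescaped dots also match any character) the host is deemed present, `$HOSTNAME` is never appended, and no key or KeyTable/SigningTable entry is created for it; mail from the host itself then goes out unsigned. A whole-word check avoids this: `[[ " $allDomains " == *" $HOSTNAME "* ]] || allDomains="$allDomains $HOSTNAME"`. This relies on the list being whitespace-separated, which the unquoted `for virtualDomain in $allDomains` below already assumes. The rest of start_postfix is outside the hunk.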
@@ -221,6 +216,8 @@ function start_postfix { chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" + echo "'No such file or directory' messages might be displayed here. This is normal." + if ! grep -q "default._domainkey.${virtualDomain}" /etc/opendkim/KeyTable; then echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable fi From 78ca349c8c5bacf4833a8b7c9834ce01816c67f6 Mon Sep 17 00:00:00 2001 From: Daniel Graziotin Date: Fri, 12 Feb 2021 17:01:14 +0100 Subject: [PATCH 17/18] Correct switch to suppress grep complains when files miss --- entrypoint.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 071c0c1..17cd512 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
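Review bot: `[[ $allDomains =~ $HOSTNAME ]]` is an unanchored regex match rather than a membership test: the dots in the hostname match any character and the hostname only has to occur as a substring, so with `HOSTNAME=example.com` and a virtual domain `mail.example.com` the test succeeds and `$HOSTNAME` is never appended to `allDomains`. Because this commit also removes the dedicated KeyTable/SigningTable/TrustedHosts lines for `$HOSTNAME`, the host's own domain would then have a key on disk but no SigningTable entry, and mail from it would go out unsigned; a hostname containing regex metacharacters would misbehave in the same way. Compare whole words instead: `[[ " $allDomains " == *" $HOSTNAME "* ]] || allDomains="$allDomains $HOSTNAME"`. `start_postfix` begins and ends outside this hunk, and `virtualDomains` is set elsewhere, so a space-separated list is assumed here as the `for` loop implies.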
@@ -216,15 +216,14 @@ function start_postfix { chown opendkim:opendkim /var/db/dkim/${virtualDomain}/default.private echo "Inserting ${virtualDomain} data to /etc/opendkim/{KeyTable, SigningTable, TrustedHosts}" - echo "'No such file or directory' messages might be displayed here. This is normal." - if ! grep -q "default._domainkey.${virtualDomain}" /etc/opendkim/KeyTable; then + if ! grep -q -s "default._domainkey.${virtualDomain}" /etc/opendkim/KeyTable; then echo "default._domainkey.${virtualDomain} ${virtualDomain}:default:/var/db/dkim/${virtualDomain}/default.private" >> /etc/opendkim/KeyTable fi - if ! grep -q "default._domainkey.${virtualDomain}" /etc/opendkim/SigningTable; then + if ! grep -q -s "default._domainkey.${virtualDomain}" /etc/opendkim/SigningTable; then echo "${virtualDomain} default._domainkey.${virtualDomain}" >> /etc/opendkim/SigningTable fi - if ! grep -q "${virtualDomain}" /etc/opendkim/TrustedHosts; then + if ! grep -q -s "${virtualDomain}" /etc/opendkim/TrustedHosts; then echo "${virtualDomain}" >> /etc/opendkim/TrustedHosts fi 
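Review bot: Adding `-s` only hides the missing-file error; the patterns are still unanchored basic regexes, so `grep -q -s "default._domainkey.${virtualDomain}"` with `example.com` matches an existing `default._domainkey.example.com.au` entry, and `grep -q -s "${virtualDomain}"` against TrustedHosts matches `mail.example.com`. A domain that is a prefix of one already in KeyTable/SigningTable, or a substring of one in TrustedHosts, is then silently skipped and never gets its signing entry, so its mail leaves unsigned while the log reports the data as inserted. Match fixed strings on whole lines (or the whole key plus its trailing space for KeyTable): `grep -q -s -F -- "default._domainkey.${virtualDomain} " /etc/opendkim/KeyTable`, `grep -q -s -x -F -- "${virtualDomain} default._domainkey.${virtualDomain}" /etc/opendkim/SigningTable`, `grep -q -s -x -F -- "${virtualDomain}" /etc/opendkim/TrustedHosts`. `start_postfix` starts and ends outside this hunk.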
@@ -238,16 +237,16 @@ function start_postfix { sed -e '/Selector/ s/^#*/#/' -i /etc/opendkim/opendkim.conf sed -e '/Domain/ s/^#*/#/' -i /etc/opendkim/opendkim.conf - if ! grep -q "KeyTable" /etc/opendkim/opendkim.conf; then + if ! grep -q -s "KeyTable" /etc/opendkim/opendkim.conf; then echo "KeyTable /etc/opendkim/KeyTable" >> /etc/opendkim/opendkim.conf; fi - if ! grep -q "SigningTable" /etc/opendkim/opendkim.conf; then + if ! grep -q -s "SigningTable" /etc/opendkim/opendkim.conf; then echo "SigningTable /etc/opendkim/SigningTable" >> /etc/opendkim/opendkim.conf; fi - if ! grep -q "ExternalIgnoreList" /etc/opendkim/opendkim.conf; then + if ! grep -q -s "ExternalIgnoreList" /etc/opendkim/opendkim.conf; then echo "ExternalIgnoreList /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf; fi - if ! grep -q "InternalHosts" /etc/opendkim/opendkim.conf; then + if ! grep -q -s "InternalHosts" /etc/opendkim/opendkim.conf; then echo "InternalHosts /etc/opendkim/TrustedHosts" >> /etc/opendkim/opendkim.conf fi From 4d96a5fcca5ed40340fc798d9cb94a7e45c628b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Huan=20=28=E6=9D=8E=E5=8D=93=E6=A1=93=29?= Date: Sat, 13 Feb 2021 10:48:20 +0800 Subject: [PATCH 18/18] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 1892b92..88c5fb8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.3.2 +1.4.0
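Review bot: `grep -q -s "KeyTable"` and its siblings are substring matches over the whole file, so a commented example such as `# KeyTable /etc/opendkim/KeyTable`, or the word inside another directive's comment, counts as present and the live directive is never appended; OpenDKIM would then start without a KeyTable or SigningTable and sign nothing, with no error surfacing at this point (what the image's stock opendkim.conf contains is not visible here, so treat this as a risk to confirm rather than a reproduced failure). Anchor each check on an uncommented directive at line start: `grep -q -s -E '^[[:space:]]*KeyTable[[:space:]]' /etc/opendkim/opendkim.conf`, and likewise for `SigningTable`, `ExternalIgnoreList` and `InternalHosts`. Note also that the file pointed to by `InternalHosts`/`ExternalIgnoreList` is populated with mail domain names in the preceding hunk; OpenDKIM treats matching hosts as internal senders whose mail is signed rather than verified, so a comment explaining why domain names rather than relay hosts/networks belong there would help the next maintainer. `start_postfix` starts outside this hunk and its remainder is not visible.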