From 42c04538d84dd63af85f16ddef2875c01e40ea79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Mon, 4 Dec 2023 13:40:37 +0100
Subject: [PATCH] Set up DKIM signing and verification

---
 .../kosmos_email/recipes/default.rb | 1 +
 .../kosmos_email/recipes/opendkim.rb | 74 +++++++++++++++++++
 .../kosmos_email/recipes/postfix.rb | 5 +-
 .../kosmos_email/templates/opendkim.conf.erb | 59 +++++++++++++++
 .../templates/opendkim_default.erb | 31 ++++++++
 .../templates/opendkim_keytable.erb | 1 +
 .../templates/opendkim_signingtable.erb | 1 +
 7 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 site-cookbooks/kosmos_email/recipes/opendkim.rb
 create mode 100644 site-cookbooks/kosmos_email/templates/opendkim.conf.erb
 create mode 100644 site-cookbooks/kosmos_email/templates/opendkim_default.erb
 create mode 100644 site-cookbooks/kosmos_email/templates/opendkim_keytable.erb
 create mode 100644 site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb

diff --git a/site-cookbooks/kosmos_email/recipes/default.rb b/site-cookbooks/kosmos_email/recipes/default.rb
index c431328..d775dfa 100644
--- a/site-cookbooks/kosmos_email/recipes/default.rb
+++ b/site-cookbooks/kosmos_email/recipes/default.rb
@@ -21,5 +21,6 @@ firewall_rule "private network access" do
   source "10.1.1.0/24"
 end
 
+include_recipe 'kosmos_email::opendkim'
 include_recipe 'kosmos_email::postfix'
 include_recipe 'kosmos_email::dovecot'
diff --git a/site-cookbooks/kosmos_email/recipes/opendkim.rb b/site-cookbooks/kosmos_email/recipes/opendkim.rb
new file mode 100644
index 0000000..1447895
--- /dev/null
+++ b/site-cookbooks/kosmos_email/recipes/opendkim.rb
@@ -0,0 +1,74 @@
+#
+# Cookbook:: kosmos_email
+# Recipe:: opendkim
+#
+
+%w[
+  opendkim
+  opendkim-tools
+].each do |pkg|
+  apt_package pkg
+end
+
+domain = node["email"]["domain"]
+selector = "mail"
+socket = "inet:12301@localhost"
+
+template "/etc/opendkim.conf" do
+  source "opendkim.conf.erb"
+  mode 0644
+  variables domain: domain,
+            selector: selector,
+            socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/default/opendkim" do
+  source "opendkim_default.erb"
+  mode 0644
+  variables socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/run/opendkim" do
+  owner "opendkim"
+  group "opendkim"
+  action :create
+end
+
+directory "/etc/opendkim"
+
+template "/etc/opendkim/keytable" do
+  source "opendkim_keytable.erb"
+  mode 0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/opendkim/signingtable" do
+  source "opendkim_signingtable.erb"
+  mode 0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/etc/opendkim/keys/#{domain}" do
+  recursive true
+end
+
+execute "Create DKIM keys" do
+  cwd "/etc/opendkim/keys/#{domain}"
+  command "opendkim-genkey -s #{selector} -d #{domain}"
+  creates "/etc/opendkim/keys/#{domain}/#{selector}.private"
+end
+
+file "/etc/opendkim/keys/#{domain}/#{selector}.private" do
+  owner "opendkim"
+  group "opendkim"
+end
+
+service "opendkim" do
+  action [:enable, :start]
+end
diff --git a/site-cookbooks/kosmos_email/recipes/postfix.rb b/site-cookbooks/kosmos_email/recipes/postfix.rb
index 7c61475..1e9475c 100644
--- a/site-cookbooks/kosmos_email/recipes/postfix.rb
+++ b/site-cookbooks/kosmos_email/recipes/postfix.rb
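Review bot: The `file` resource for `#{selector}.private` sets owner and group but no `mode`, so the private signing key keeps whatever permissions `opendkim-genkey` (run as root by the `execute` resource) or a later manual edit left on it; the recipe never enforces them. Add `mode 0600` to that resource so an over-permissive key is corrected on every run, and consider giving `directory "/etc/opendkim/keys/#{domain}"` an explicit `owner "opendkim"` and `mode 0700` for the same reason. `/run` is normally a tmpfs on Debian, so the `directory "/run/opendkim"` resource only helps until the next reboot; the packaged unit or a tmpfiles entry presumably recreates it, but since `PidFile` in the template points there it is worth confirming rather than assuming.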
@@ -36,7 +36,10 @@ node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot
 node.normal['postfix']['main']['smtputf8_enable'] = "no"
 node.normal['postfix']['main']['recipient_delimiter'] = "+"
 node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
-# node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual-mailboxes.cf"
+node.normal['postfix']['main']['milter_protocol'] = "2"
+node.normal['postfix']['main']['milter_default_action'] = "accept"
+node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301"
+node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"
 
 node.normal['postfix']['master'] = {
   "#{ip_addr}:2525": {
diff --git a/site-cookbooks/kosmos_email/templates/opendkim.conf.erb b/site-cookbooks/kosmos_email/templates/opendkim.conf.erb
new file mode 100644
index 0000000..9616128
--- /dev/null
+++ b/site-cookbooks/kosmos_email/templates/opendkim.conf.erb
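Review bot: `milter_default_action = "accept"` means that whenever opendkim is down or unreachable, Postfix silently accepts inbound mail without verification and sends outbound mail unsigned; that is a defensible availability trade-off, but it deserves a comment such as `# fail open: mail flows unsigned/unverified if opendkim is unavailable`, or `"tempfail"` if outbound mail should fail closed instead. The milter address is hard-coded as `inet:localhost:12301` here and again as `inet:12301@localhost` in opendkim.rb, in two different syntaxes; a single node attribute rendered in both places would stop them drifting apart. `milter_protocol = "2"` is the pre-2.6 Postfix value; on current releases the default (6) works with OpenDKIM and the line can probably be dropped — confirm against the Postfix version actually deployed. The `node.normal['postfix']['master']` hash continues outside this hunk.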
@@ -0,0 +1,59 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
+
+AutoRestart yes
+AutoRestartRate 10/1h
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain <%= @domain %>
+Selector <%= @selector %>
+#KeyFile /etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+#Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+KeyTable refile:/etc/opendkim/keytable
+SigningTable refile:/etc/opendkim/signingtable
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
+
+Socket <%= @socket %>
diff --git a/site-cookbooks/kosmos_email/templates/opendkim_default.erb b/site-cookbooks/kosmos_email/templates/opendkim_default.erb
new file mode 100644
index 0000000..08e9032
--- /dev/null
+++ b/site-cookbooks/kosmos_email/templates/opendkim_default.erb
@@ -0,0 +1,31 @@
+# NOTE: This is a legacy configuration file. It is not used by the opendkim
+# systemd service. Please use the corresponding configuration parameters in
+# /etc/opendkim.conf instead.
+#
+# Previously, one would edit the default settings here, and then execute
+# /lib/opendkim/opendkim.service.generate to generate systemd override files at
+# /etc/systemd/system/opendkim.service.d/override.conf and
+# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
+# recommended to adjust the settings directly in /etc/opendkim.conf.
+#
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/run/opendkim
+RUNDIR=/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+#SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+SOCKET=<%= @socket %>
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
diff --git a/site-cookbooks/kosmos_email/templates/opendkim_keytable.erb b/site-cookbooks/kosmos_email/templates/opendkim_keytable.erb
new file mode 100644
index 0000000..9935194
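Review bot: The template declares `Socket` twice — `Socket local:/run/opendkim/opendkim.sock` carried over from the Debian sample, and `Socket <%= @socket %>` appended at the end — so the effective listener depends on opendkim's last-wins handling of a repeated key, and the surrounding comment about Unix sockets and the Postfix chroot no longer describes what is configured. Replace the `local:` line with `Socket <%= @socket %>` and delete the trailing duplicate so there is one source of truth. With `Mode sv` and `InternalHosts` left at its default of 127.0.0.1, only mail that reaches Postfix over loopback is signed; anything arriving on the `#{ip_addr}:2525` listener from another host falls outside InternalHosts and would be verified rather than signed — confirm whether submissions take that path. `TrustAnchorFile /usr/share/dns/root.key` is shipped by the `dns-root-data` package, which the recipe does not list; check that it is pulled in as a dependency of `opendkim` or add it explicitly so DNSSEC validation of the key records is not silently disabled.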
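Review bot: The template's own header states that `/etc/default/opendkim` is a legacy file not read by the systemd unit, so the rendered `RUNDIR` and `SOCKET` values have no effect unless someone runs `/lib/opendkim/opendkim.service.generate`, and the inline comment "setting this will override any Socket value in opendkim.conf" then describes a path this recipe does not take. Either drop the template and its restart notification, since the recipe already manages `Socket` in `/etc/opendkim.conf`, or add a line such as `# Managed by Chef; kept only for the legacy init script, the systemd unit reads /etc/opendkim.conf` so the next maintainer does not expect edits here to change the daemon. `PIDFILE=$RUNDIR/$NAME.pid` also relies on `$NAME` being set by whatever sources this file; that holds for the Debian init script but nothing in the template defines it.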
--- /dev/null
+++ b/site-cookbooks/kosmos_email/templates/opendkim_keytable.erb
@@ -0,0 +1 @@
+<%= @selector %>._domainkey.<%= @domain %> <%= @domain %>:<%= @selector %>:/etc/opendkim/keys/<%= @domain %>/mail.private
diff --git a/site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb b/site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb
new file mode 100644
index 0000000..5f21353
--- /dev/null
+++ b/site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb
@@ -0,0 +1 @@
+*@<%= @domain %> <%= @selector %>._domainkey.<%= @domain %>
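Review bot: The key path ends in a hard-coded `mail.private` while the rest of the entry, and the recipe's `creates` and `file` resources, derive the filename from `@selector`; changing the selector (the normal way to rotate a DKIM key) would leave the KeyTable pointing at a file the recipe no longer creates, and signing would fail until someone notices. Derive the last path component from the selector too: `<%= @selector %>._domainkey.<%= @domain %> <%= @domain %>:<%= @selector %>:/etc/opendkim/keys/<%= @domain %>/<%= @selector %>.private`.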