docker-mailserver.docker-ma.../target/scripts/startup/setup.d/dmarc_dkim_spf.sh

#!/bin/bash

# Set up OpenDKIM
#
# ## Attention
#
# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's
# `smtpd_milters` milters options.
function _setup_opendkim() {
  if [[ ${ENABLE_OPENDKIM} -eq 1 ]]; then
    _log 'debug' 'Configuring DKIM'

    mkdir -p /etc/opendkim/keys/
    touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}

    _log 'trace' "Adding OpenDKIM to Postfix's milters"
    postconf 'dkim_milter = inet:localhost:8891'
    # shellcheck disable=SC2016
    _add_to_or_update_postfix_main 'smtpd_milters' '$dkim_milter'
    # shellcheck disable=SC2016
    _add_to_or_update_postfix_main 'non_smtpd_milters' '$dkim_milter'

    # check if any keys are available
    if [[ -e /tmp/docker-mailserver/opendkim/KeyTable ]]; then
      cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/

      local DKIM_DOMAINS
      DKIM_DOMAINS=$(find /etc/opendkim/keys/ -maxdepth 1 -type f -printf '%f ')
      _log 'trace' "DKIM keys added for: ${DKIM_DOMAINS}"

      chown -R opendkim:opendkim /etc/opendkim/
      chmod -R 0700 /etc/opendkim/keys/
    else
      _log 'debug' 'OpenDKIM enabled but no DKIM key(s) provided'
    fi

    # setup nameservers parameter from /etc/resolv.conf if not defined
    if ! grep -q '^Nameservers' /etc/opendkim.conf; then
      local NAMESERVER_IPS
      NAMESERVER_IPS=$(grep '^nameserver' /etc/resolv.conf | awk -F " " '{print $2}' | paste -sd ',' -)
      echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf
      _log 'trace' "Nameservers added to '/etc/opendkim.conf'"
    fi
  else
    # Even though we do nothing here and the message suggests we perform some action, the
    # message is due to the default value being `1`, i.e. enabled. If the default were `0`,
    # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
    # other functions.
    _log 'debug' 'Disabling OpenDKIM'
  fi
}

# Set up OpenDMARC
#
# ## Attention
#
# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's
# `smtpd_milters` milters options.
function _setup_opendmarc() {
  if [[ ${ENABLE_OPENDMARC} -eq 1 ]]; then
    # TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled
    #      for DMARC to work, you should have at least one enabled
    #      (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)
    _log 'debug' 'Configuring OpenDMARC'

    _log 'trace' "Adding OpenDMARC to Postfix's milters"
    postconf 'dmarc_milter = inet:localhost:8893'
    # Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!
    # shellcheck disable=SC2016
    _add_to_or_update_postfix_main 'smtpd_milters' '$dmarc_milter'

    sed -i \
      -e "s|^AuthservID.*$|AuthservID          ${HOSTNAME}|g" \
      -e "s|^TrustedAuthservIDs.*$|TrustedAuthservIDs  ${HOSTNAME}|g" \
      /etc/opendmarc.conf
  else
    # Even though we do nothing here and the message suggests we perform some action, the
    # message is due to the default value being `1`, i.e. enabled. If the default were `0`,
    # we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
    # other functions.
    _log 'debug' 'Disabling OpenDMARC'
  fi
}

# Configures the SPF check inside Postfix's configuration via policyd-spf. When
# using Rspamd, you will likely want to turn that off.
function _setup_policyd_spf() {
  if [[ ${ENABLE_POLICYD_SPF} -eq 1 ]]; then
    _log 'debug' 'Configuring policyd-spf'
    cat >>/etc/postfix/master.cf <<EOF

policyd-spf    unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
EOF

    # SPF policy settings
    postconf 'policyd-spf_time_limit = 3600'
    sedfile -i -E \
      's|^(smtpd_recipient_restrictions.*reject_unauth_destination)(.*)|\1, check_policy_service unix:private/policyd-spf\2|' \
      /etc/postfix/main.cf
  else
    _log 'debug' 'Disabling policyd-spf'
  fi
}
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`#!/bin/bash`

scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`# Set up OpenDKIM`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`#`
			`# ## Attention`
			`#`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`# The OpenDKIM milter must come before the OpenDMARC milter in Postfix's`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			# `smtpd_milters` milters options.
Change 'function' style (#3364) 2023-05-26 01:01:41 +02:00			`function _setup_opendkim() {`
change if style (#3361) 2023-05-24 09:06:59 +02:00			`if [[ ${ENABLE_OPENDKIM} -eq 1 ]]; then`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`_log 'debug' 'Configuring DKIM'`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00
			`mkdir -p /etc/opendkim/keys/`
			`touch /etc/opendkim/{SigningTable,TrustedHosts,KeyTable}`

			`_log 'trace' "Adding OpenDKIM to Postfix's milters"`
			`postconf 'dkim_milter = inet:localhost:8891'`
			`# shellcheck disable=SC2016`
scripts: add wrapper to update Postfix configuration safely (#3484) The new function can 1. update/append 2. update/prepend 3. initialize if non-existent options in `/etc/postfix/main.cf` in a safe and secure manner. When the container is improperly restarted, the option is not applied twice. --- Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> 2023-08-22 10:03:41 +02:00			`_add_to_or_update_postfix_main 'smtpd_milters' '$dkim_milter'`
			`# shellcheck disable=SC2016`
			`_add_to_or_update_postfix_main 'non_smtpd_milters' '$dkim_milter'`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00
			`# check if any keys are available`
change if style (#3361) 2023-05-24 09:06:59 +02:00			`if [[ -e /tmp/docker-mailserver/opendkim/KeyTable ]]; then`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`cp -a /tmp/docker-mailserver/opendkim/* /etc/opendkim/`
refactor: setup CLI `open-dkim` (#4375) Refactoring this `setup` CLI command as part of the effort to unify our DKIM feature support between OpenDKIM + Rspamd: - Adds a `main()` method similar to other setup CLI commands. - Help text more aligned with equivalent rspamd DKIM setup CLI command. - DRY some repetition such as hard-coded paths to use variables. - OpenDKIM config files are created / initialized early on now with `_create_opendkim_configs()`. `while` loop only needs to append entries, so is easier to grok. - `_create_dkim_key()` to scope just the logic (_and additional notes_) to key generation via `opendkim-genkey` - Now overall logic with the `while` loop of the script occurs in `_generate_dkim_keys()`: - Ownership fixes are now applied after the `while` loop as that seems more appropriate than per iteration. - Temporary VHOST config is now removed since it's no longer useful after running. - Tests adjusted for one new log for adding of default trusted hosts content. Overall this should be nicer to grok/maintain. Some of this logic will be reused for the unified DKIM generation command in future, which is more likely to shift towards all domains using the same keypair by default with rspamd/opendkim config generated at runtime rather than reliant upon DMS config volume to provide that (_still expected for private key_). --------- Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> 2025-03-31 22:27:28 +13:00
			`local DKIM_DOMAINS`
			`DKIM_DOMAINS=$(find /etc/opendkim/keys/ -maxdepth 1 -type f -printf '%f ')`
			`_log 'trace' "DKIM keys added for: ${DKIM_DOMAINS}"`

scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`chown -R opendkim:opendkim /etc/opendkim/`
			`chmod -R 0700 /etc/opendkim/keys/`
			`else`
			`_log 'debug' 'OpenDKIM enabled but no DKIM key(s) provided'`
			`fi`

			`# setup nameservers parameter from /etc/resolv.conf if not defined`
change if style (#3361) 2023-05-24 09:06:59 +02:00			`if ! grep -q '^Nameservers' /etc/opendkim.conf; then`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`local NAMESERVER_IPS`
			`NAMESERVER_IPS=$(grep '^nameserver' /etc/resolv.conf \| awk -F " " '{print $2}' \| paste -sd ',' -)`
			`echo "Nameservers ${NAMESERVER_IPS}" >>/etc/opendkim.conf`
			`_log 'trace' "Nameservers added to '/etc/opendkim.conf'"`
			`fi`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`else`
			`# Even though we do nothing here and the message suggests we perform some action, the`
			# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
			# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
			`# other functions.`
			`_log 'debug' 'Disabling OpenDKIM'`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`fi`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`}`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00
fix: typo about OpenDMARC (#3330) Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> 2023-05-11 17:10:51 +01:00			`# Set up OpenDMARC`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`#`
			`# ## Attention`
			`#`
			`# The OpenDMARC milter must come after the OpenDKIM milter in Postfix's`
			# `smtpd_milters` milters options.
Change 'function' style (#3364) 2023-05-26 01:01:41 +02:00			`function _setup_opendmarc() {`
change if style (#3361) 2023-05-24 09:06:59 +02:00			`if [[ ${ENABLE_OPENDMARC} -eq 1 ]]; then`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`# TODO When disabling SPF is possible, add a check whether DKIM and SPF is disabled`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`# for DMARC to work, you should have at least one enabled`
			`# (see RFC 7489 https://www.rfc-editor.org/rfc/rfc7489#page-24)`
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`_log 'debug' 'Configuring OpenDMARC'`

scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`_log 'trace' "Adding OpenDMARC to Postfix's milters"`
			`postconf 'dmarc_milter = inet:localhost:8893'`
			`# Make sure to append the OpenDMARC milter _after_ the OpenDKIM milter!`
			`# shellcheck disable=SC2016`
scripts: add wrapper to update Postfix configuration safely (#3484) The new function can 1. update/append 2. update/prepend 3. initialize if non-existent options in `/etc/postfix/main.cf` in a safe and secure manner. When the container is improperly restarted, the option is not applied twice. --- Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> 2023-08-22 10:03:41 +02:00			`_add_to_or_update_postfix_main 'smtpd_milters' '$dmarc_milter'`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00
scripts: housekeeping & cleanup setup (1/2) (#3121) 2023-02-27 20:21:45 +01:00			`sed -i \`
			`-e "s\|^AuthservID.*$\|AuthservID ${HOSTNAME}\|g" \`
			`-e "s\|^TrustedAuthservIDs.*$\|TrustedAuthservIDs ${HOSTNAME}\|g" \`
			`/etc/opendmarc.conf`
			`else`
			`# Even though we do nothing here and the message suggests we perform some action, the`
			# message is due to the default value being `1`, i.e. enabled. If the default were `0`,
			# we could have said `OpenDKIM is disabled`, but we need to make it uniform with all
			`# other functions.`
			`_log 'debug' 'Disabling OpenDMARC'`
			`fi`
scripts: split `setup-stack.sh` (#3115) 2023-02-26 11:42:14 +01:00			`}`
scripts: make `policyd-spf` configurable (#3246) 2023-04-11 08:52:43 +02:00
			`# Configures the SPF check inside Postfix's configuration via policyd-spf. When`
			`# using Rspamd, you will likely want to turn that off.`
Change 'function' style (#3364) 2023-05-26 01:01:41 +02:00			`function _setup_policyd_spf() {`
change if style (#3361) 2023-05-24 09:06:59 +02:00			`if [[ ${ENABLE_POLICYD_SPF} -eq 1 ]]; then`
scripts: make `policyd-spf` configurable (#3246) 2023-04-11 08:52:43 +02:00			`_log 'debug' 'Configuring policyd-spf'`
			`cat >>/etc/postfix/master.cf <<EOF`

			`policyd-spf unix - n n - 0 spawn`
			`user=policyd-spf argv=/usr/bin/policyd-spf`
			`EOF`
scripts: get all `policyd-spf` setup in one place (#3263) 2023-04-15 00:40:42 +02:00
scripts: misc improvements (#3281) * corrected typo * corrected indentation 2023-04-23 12:16:53 +02:00			`# SPF policy settings`
			`postconf 'policyd-spf_time_limit = 3600'`
			`sedfile -i -E \`
			`'s\|^(smtpd_recipient_restrictions.reject_unauth_destination)(.)\|\1, check_policy_service unix:private/policyd-spf\2\|' \`
			`/etc/postfix/main.cf`
scripts: make `policyd-spf` configurable (#3246) 2023-04-11 08:52:43 +02:00			`else`
			`_log 'debug' 'Disabling policyd-spf'`
			`fi`
			`}`