From 9a4ac18ebd26d6537e0509aec7ecaeaf15d7d5f2 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Wed, 5 Apr 2017 15:15:25 +0200 Subject: [PATCH] After fixing Amavis and testing opendkim --- .etckeeper | 6 + amavis/conf.d/50-user | 46 +- default/opendkim | 2 + opendkim.conf | 16 +- opendkim.conf.sample | 802 +++++++++++++++++++++++++++++ opendkim/keytable.txt | 10 + opendkim/signingtable.txt | 10 + postfix/main.cf | 4 + postfix/master.cf | 4 +- rc2.d/{S02opendkim => K01opendkim} | 0 rc3.d/{S02opendkim => K01opendkim} | 0 rc4.d/{S02opendkim => K01opendkim} | 0 rc5.d/{S02opendkim => K01opendkim} | 0 13 files changed, 885 insertions(+), 15 deletions(-) create mode 100644 opendkim.conf.sample create mode 100644 opendkim/keytable.txt create mode 100644 opendkim/signingtable.txt rename rc2.d/{S02opendkim => K01opendkim} (100%) rename rc3.d/{S02opendkim => K01opendkim} (100%) rename rc4.d/{S02opendkim => K01opendkim} (100%) rename rc5.d/{S02opendkim => K01opendkim} (100%) diff --git a/.etckeeper b/.etckeeper index 7826b37..baf6dc6 100755 --- a/.etckeeper +++ b/.etckeeper @@ -10,6 +10,7 @@ mkdir -p './clamav/onupdateexecute.d' mkdir -p './clamav/virusevent.d' mkdir -p './console' mkdir -p './dbus-1/session.d' +mkdir -p './dkimkeys' mkdir -p './dovecot/private' mkdir -p './dpkg/dpkg.cfg.d' mkdir -p './fail2ban/fail2ban.d' @@ -280,6 +281,7 @@ maybe chmod 0755 'dictionaries-common' maybe chmod 0644 'discover-modprobe.conf' maybe chmod 0755 'discover.conf.d' maybe chmod 0644 'discover.conf.d/00discover' +maybe chmod 0700 'dkimkeys' maybe chmod 0755 'dovecot' maybe chmod 0644 'dovecot/README' maybe chmod 0755 'dovecot/conf.d' 
@@ -815,7 +817,11 @@ maybe chmod 0644 'nginx/templates/sogo.tmpl' maybe chmod 0644 'nginx/uwsgi_params' maybe chmod 0644 'nginx/win-utf' maybe chmod 0644 'nsswitch.conf' +maybe chmod 0755 'opendkim' maybe chmod 0644 'opendkim.conf' +maybe chmod 0644 'opendkim.conf.sample' +maybe chmod 0644 'opendkim/keytable.txt' +maybe chmod 0644 'opendkim/signingtable.txt' maybe chmod 0755 'opt' maybe chmod 0644 'pam.conf' maybe chmod 0755 'pam.d' diff --git a/amavis/conf.d/50-user b/amavis/conf.d/50-user index 34c29db..f970870 100644 --- a/amavis/conf.d/50-user +++ b/amavis/conf.d/50-user @@ -14,7 +14,20 @@ use strict; chomp($mydomain = "sarah.uhu-banane.de"); -@local_domains_maps = 1; +#@local_domains_maps = 1; +@local_domains_maps = ( [ + ".$mydomain", + ".brehm-berlin.de", + ".brehm-online.com", + ".brehm-online.eu", + ".frankepedia.eu", + ".hennig-berlin.org", + ".uhu-banane.com", + ".uhu-banane.de", + ".uhu-banane.eu", + ".uhu-banane.net", + ".uhu-banane.org", +] ); @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); 
@@ -232,7 +245,16 @@ $signed_header_fields{'received'} = 0; $signed_header_fields{'to'} = 1; # Add dkim_key here. +dkim_key("brehm-berlin.de", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("brehm-online.com", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("brehm-online.eu", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("frankepedia.eu", "mail-2017-04-05", "/var/lib/dkim/frankepedia.eu.2017-04-05.pem"); +dkim_key("hennig-berlin.org", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("uhu-banane.com", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("uhu-banane.de", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("uhu-banane.eu", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); dkim_key("uhu-banane.net", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); +dkim_key("uhu-banane.org", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); # Note that signing mail for subdomains with a key of a parent # domain is treated by recipients as a third-party key, which 
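Review bot: The nine dkim_key() calls added here all bind a different d= domain to the single private key /var/lib/dkim/uhu-banane.net.pem under selector `dkim`, and the companion hunk at `@@ -262,16 +284,16 @@` comments out the `d => "uhu-banane.net"` mapping, so these domains now sign first-party. That only verifies if each of the nine zones publishes the public half of that key at `dkim._domainkey.<domain>`; where the record is missing, mail that was previously unsigned becomes dkim=fail. Sharing one key across nine domains also means one compromise or rotation touches all nine zones at once; the frankepedia.eu entry with its own key and dated selector `mail-2017-04-05` is the pattern worth extending. A comment above the block, e.g. `# all domains except frankepedia.eu share uhu-banane.net.pem: dkim._domainkey in every zone must publish the same public key`, would make the DNS dependency visible.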
@@ -262,16 +284,16 @@ dkim_key("uhu-banane.net", "dkim", "/var/lib/dkim/uhu-banane.net.pem"); #"spam-reporter@uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 7*24*3600 }, # explicit 'd' forces a third-party signature on foreign (hosted) domains - "brehm-berlin.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "brehm-online.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "brehm-online.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "frankepedia.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "hennig-berlin.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "uhu-banane.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "uhu-banane.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "uhu-banane.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, - "uhu-banane.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "brehm-berlin.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "brehm-online.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "brehm-online.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "frankepedia.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "hennig-berlin.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "uhu-banane.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "uhu-banane.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "uhu-banane.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, + # "uhu-banane.org" => { d => "uhu-banane.net", a 
=> 'rsa-sha256', ttl => 10*24*3600 }, #"host1.uhu-banane.net" => { d => "host1.uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, #"host2.uhu-banane.net" => { d => "host2.uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 }, # ---- End domain: uhu-banane.net ---- @@ -326,7 +348,7 @@ $max_servers = 2; # Enable DKIM signing/verification $enable_dkim_verification = 1; -#$enable_dkim_signing = 1; # we have dkim signing enabled in policy banks. +$enable_dkim_signing = 1; # we have dkim signing enabled in policy banks. # Amavisd log level. Verbosity: 0, 1, 2, 3, 4, 5, -d. $log_level = 0; diff --git a/default/opendkim b/default/opendkim index 7ab3d24..a89c368 100644 --- a/default/opendkim +++ b/default/opendkim @@ -8,3 +8,5 @@ #SOCKET="inet:54321" # listen on all interfaces on port 54321 #SOCKET="inet:12345@localhost" # listen on loopback on port 12345 #SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345 +USER=amavis +GROUP=amavis diff --git a/opendkim.conf b/opendkim.conf index 46cff22..38704cd 100644 --- a/opendkim.conf +++ b/opendkim.conf @@ -4,6 +4,7 @@ # Log to syslog Syslog yes +SyslogSuccess yes # Required to use local socket with MTAs that access the socket as a non- # privileged user (e.g. Postfix) UMask 002 
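Review bot: Enabling `$enable_dkim_signing = 1` makes amavis a signer for the same ten domains that opendkim.conf, opendkim/keytable.txt and opendkim/signingtable.txt in this commit also set up for signing, and nothing records which path is meant to be the live one. As far as the diff shows, opendkim stays out of the mail flow (rc*.d links renamed to K01, smtpd_milters left commented in postfix/main.cf), so only amavis signs for now; if the milter is enabled later, outbound mail could end up with two DKIM-Signature headers unless one signer is switched off. The retained trailing comment `# we have dkim signing enabled in policy banks.` no longer describes a global enable; `# global enable -- amavis is the only active DKIM signer, opendkim is disabled` would match what the commit does.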
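Review bot: `USER=amavis` and `GROUP=amavis` run the opendkim daemon under the amavis identity, presumably so it can read the same /var/lib/dkim/*.pem files that amavis/conf.d/50-user references. That grants the milter everything the amavis account can read and write, not just the keys, and removes any permission boundary between the two services. A dedicated opendkim user plus a group that owns only the .pem files is the narrower setup; note that opendkim's RequireSafeKeys (default yes, per the opendkim.conf.sample added in this commit) refuses key files it considers too permissive, so group-readable keys need to be checked against that. At minimum a comment `# runs as amavis to share /var/lib/dkim/*.pem -- TODO: dedicated user + key-only group` records why the default user was dropped.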
@@ -11,13 +12,24 @@ UMask 002
 # Sign for example.com with key in /etc/mail/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
 #Domain example.com
+Domain frankepedia.eu
 #KeyFile /etc/mail/dkim.key
-#Selector 2007
+KeyFile /var/lib/dkim/frankepedia.eu.2017-04-05.pem
+Selector mail-2017-04-05
+
+KeyTable /etc/opendkim/keytable.txt
+SigningTable refile:/etc/opendkim/signingtable.txt
+
+Canonicalization relaxed/simple
+OmitHeaders Return-Path,Received,Comments,Keywords,Bcc,Resent-Bcc
+
+Socket inet:8891@127.0.0.1
+Background yes
 
 # Commonly-used options; the commented-out versions show the defaults.
 #Canonicalization simple
 #Mode sv
-#SubDomains no
+SubDomains yes
 #ADSPAction continue
 
 # Always oversign From (sign using actual From and a null From to prevent
diff --git a/opendkim.conf.sample b/opendkim.conf.sample
new file mode 100644
index 0000000..b83037f
--- /dev/null
+++ b/opendkim.conf.sample
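Review bot: `Domain frankepedia.eu`, `KeyFile /var/lib/dkim/frankepedia.eu.2017-04-05.pem` and `Selector mail-2017-04-05` are dead settings once `KeyTable`/`SigningTable` are configured a few lines below: the opendkim.conf.sample added in this commit says of KeyFile that it is "Ignored if SigningTable and KeyTable are used", and frankepedia.eu is already served by frankepedia_key in opendkim/keytable.txt. Keeping both leaves a second copy of the selector and key path that can silently diverge; drop the three lines or mark them `# superseded by KeyTable/SigningTable below`. `Socket inet:8891@127.0.0.1` binds the milter to loopback only, which matches the (commented) `inet:localhost:8891` milter lines in postfix/main.cf and is the right scope. Whether `SubDomains yes` has any effect when signing decisions come from the SigningTable is worth confirming against opendkim.conf(5) before relying on it.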
@@ -0,0 +1,802 @@ +## +## opendkim.conf -- configuration file for OpenDKIM filter +## +## Copyright (c) 2010-2014, The Trusted Domain Project. All rights reserved. +## + +## +## For settings that refer to a "dataset", see the opendkim(8) man page. +## + +## AddAllSignatureResults { yes | no } +## default "no" +## +## If enabled, results for all signatures will be reported by an added +## Authentication-Results header field. Otherwise, only one signature will +## be reported, and which one depends on the TrustSignaturesFrom +## setting or, in its absence, which one(s) passed first or, if none passed, +## which one was found first during message processing. + +# AddAllSignatureResults no + +## ADSPAction { continue | discard | reject } +## default "continue" +## +## Defines the action to be taken when a message is passed through the +## ADSP algorithm and found to be discardable. By default, no action is +## taken, though the failure will be noted by the addition of an +## Authentication-Results report. + +# ADSPAction continue + +## ADSPNoSuchDomain { yes | no } +## default "no" +## +## Reject messages which are determined to be from nonexistent domains during +## the Author Domain Signing Practises (ADSP) check. + +# ADSPNoSuchDomain No + +## AllowSHA1Only { yes | no } +## default "no" +## +## By default, the filter will refuse to start if support for SHA256 is +## not available since this violates the strong recommendations of +## RFC6376 Section 3.3, which says: +## +## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST +## implement and SHOULD sign using rsa-sha256." +## +## This forces that violation to be explicitly selected by the administrator. + +# AllowSHA1Only no + +## AlwaysAddARHeader { yes | no } +## default "no" +## +## Add an "Authentication-Results:" header even to unsigned messages +## from domains with no "signs all" policy. The reported DKIM result +## will be "none" in such cases. 
Normally unsigned mail from non-strict +## domains does not cause the results header to be added. + +# AlwaysAddARHeader no + +## AuthservID string +## default (local host name) +## +## Defines the "authserv-id" token to be used when generating +## Authentication-Results headers after message verification. + +# AuthservID example.com + +## AuthservIDWithJobID +## default "no" +## +## Appends a "/" followed by the MTA's job ID to the "authserv-id" token +## when generating Authentication-Results headers after message verification. + +# AuthservIDWithJobId no + +## AutoRestart { yes | no } +## default "no" +## +## Indicate whether or not the filter should arrange to restart automatically +## if it crashes. + +# AutoRestart No + +## AutoRestartCount n +## default 0 +## +## Sets the maximum automatic restart count. After this number of +## automatic restarts, the filter will give up and terminate. A value of 0 +## implies no limit. + +# AutoRestartCount 0 + +## AutoRestartRate n/t[u] +## default (none) +## +## Sets the maximum automatic restart rate. See the opendkim.conf(5) +## man page for the format of this parameter. + +# AutoRestartRate n/tu + +## Background { yes | no } +## default "yes" +## +## Indicate whether or not the filter should run in the background. + +# Background Yes + +## BaseDirectory path +## default (none) +## +## Causes the filter to change to the named directory before beginning +## operation. Thus, cores will be dumped here and configuration files +## are read relative to this location. + +# BaseDirectory /var/run/opendkim + +## BodyLengthDB dataset +## default (none) +## +## A data set that is checked against envelope recipients to see if a +## body length tag should be included in the generated signature. +## This has security implications; see opendkim.conf(5) for details. + +# BodyLengthDB dataset + +## Canonicalization hdrcanon[/bodycanon] +## default "simple/simple" +## +## Select canonicalizations to use when signing. 
If the "bodycanon" is +## omitted, "simple" is used. Valid values for each are "simple" and +## "relaxed". + +# Canonicalization simple/simple + +## ClockDrift n +## default 300 +## +## Specify the tolerance range for expired signatures or signatures +## which appear to have timestamps in the future, allowing for clock +## drift. + +# ClockDrift 300 + +## Diagnostics { yes | no } +## default "no" +## +## Specifies whether or not signatures with header diagnostic tags should +## be generated. + +# Diagnostics No + +## DisableADSP { yes | no } +## default "no" +## +## Suppresses Author Domain Signing Practices (ADSP) checks, which conduct +## additional DNS queries. + +# DisableADSP No + +## DNSTimeout n +## default 10 +## +## Specify the time in seconds to wait for replies from the nameserver when +## requesting keys or signing policies. + +# DNSTimeout 10 + +## Domain dataset +## default (none) +## +## Specify for which domain(s) signing should be done. No default; must +## be specified for signing. + +Domain example.com + +## DomainKeysCompat { yes | no } +## default "no" +## +## When enabled, backward compatibility with DomainKeys (RFC4870) key +## records is enabled. Otherwise, such key records are considered to be +## syntactically invalid. + +# DomainKeysCompat no + +## DontSignMailTo dataset +## default (none) +## +## Gives a list of recipient addresses or address patterns whose mail should +## not be signed. + +# DontSignMailTo addr1,addr2,... + +## EnableCoredumps { yes | no } +## default "no" +## +## On systems which have support for such, requests that the kernel dump +## core even though the process may change user ID during its execution. + +# EnableCoredumps no + +## ExemptDomains dataset +## default (none) +## +## A data set of domain names that are checked against the message sender's +## domain. If a match is found, the message is ignored by the filter. + +# ExemptDomains domain1,domain2,... 
+ +## ExternalIgnoreList filename +## +## Names a file from which a list of externally-trusted hosts is read. +## These are hosts which are allowed to send mail through you for signing. +## Automatically contains 127.0.0.1. See man page for file format. + +# ExternalIgnoreList filename + +## FixCRLF { yes | no } +## +## Requests that the library convert "naked" CR and LF characters to +## CRLFs during canonicalization. The default is "no". + +# FixCRLF no + +## InternalHosts dataset +## default "127.0.0.1" +## +## Names a file from which a list of internal hosts is read. These are +## hosts from which mail should be signed rather than verified. +## Automatically contains 127.0.0.1. + +# InternalHosts dataset + +## KeepTemporaryFiles { yes | no } +## default "no" +## +## If set, causes temporary files generated during message signing or +## verifying to be left behind for debugging use. Not for normal operation; +## can fill your disks quite fast on busy systems. + +# KeepTemporaryFiles no + +## KeyFile filename +## default (none) +## +## Specifies the path to the private key to use when signing. Ignored if +## SigningTable and KeyTable are used. No default; must be specified for +## signing if SigningTable/KeyTable are not in use. + +KeyFile /var/db/dkim/example.private + +## KeyTable dataset +## default (none) +## +## Defines a table that will be queried to convert key names to +## sets of data of the form (signing domain, signing selector, private key). +## The private key can either contain a PEM-formatted private key, +## a base64-encoded DER format private key, or a path to a file containing +## one of those. + +# KeyTable dataset + +## LocalADSP dataset +## default (none) +## +## Allows specification of local ADSP overrides for domains. This should be +## a path to a file containing entries, one per line, with comments and +## blank lines allowed. An entry is of the form "domain:policy" where +## "domain" is either a fully-qualified domain name (e.g. 
"foo.example.com") +## or a subdomain name preceded by a period (e.g. ".example.com"), and +## "policy" is either "unknown", "all", or "discardable", as per the current +## ADSP draft specification. This allows local overrides of policies to +## enforce for domains which either don't publish ADSP or publish weaker +## policies than the verifier would like to enforce. + +# LocalADSP /etc/mail/local-adsp-rules + +## LogWhy { yes | no } +## default "no" +## +## If logging is enabled (see Syslog below), issues very detailed logging +## about the logic behind the filter's decision to either sign a message +## or verify it. The logic behind the decision is non-trivial and can be +## confusing to administrators not familiar with its operation. A +## description of how the decision is made can be found in the OPERATIONS +## section of the opendkim(8) man page. This causes a large increase +## in the amount of log data generated for each message, so it should be +## limited to debugging use and not enabled for general operation. + +# LogWhy no + +## MacroList macro[=value][,...] +## +## Gives a set of MTA-provided macros which should be checked to see +## if the sender has been determined to be a local user and therefore +## whether or not signing should be done. See opendkim.conf(5) for +## more information. + +# MacroList foo=bar,baz=blivit + +## MaximumHeaders n +## +## Disallow messages whose header blocks are bigger than "n" bytes. +## Intended to detect and block a denial-of-service attack. The default +## is 65536. A value of 0 disables this test. + +# MaximumHeaders n + +## MaximumSignaturesToVerify n +## (default 3) +## +## Verify no more than "n" signatures on an arriving message. +## A value of 0 means "no limit". + +# MaximumSignaturesToVerify n + +## MaximumSignedBytes n +## +## Don't sign more than "n" bytes of the message. The default is to +## sign the entire message. Setting this implies "BodyLengths". 
+ +# MaximumSignedBytes n + +## MilterDebug n +## +## Request a debug level of "n" from the milter library. The default is 0. + +# MilterDebug 0 + +## Minimum n[% | +] +## default 0 +## +## Sets a minimum signing volume; one of the following formats: +## n at least n bytes (or the whole message, whichever is less) +## must be signed +## n% at least n% of the message must be signed +## n+ if a length limit was presented in the signature, no more than +## n bytes may have been added + +# Minimum n + +## MinimumKeyBits n +## default 1024 +## +## Causes the library not to accept signatures matching keys made of fewer +## than the specified number of bits, even if they would otherwise pass +## DKIM signing. + +# MinimumKeyBits 1024 + +## Mode [sv] +## default sv +## +## Indicates which mode(s) of operation should be provided. "s" means +## "sign", "v" means "verify". + +# Mode sv + +## MTA dataset +## default (none) +## +## Specifies a list of MTAs whos mail should always be signed rather than +## verified. The "mtaname" is extracted from the DaemonPortOptions line +## in effect. + +# MTA name + +## MultipleSignatures { yes | no } +## default no +## +## Allows multiple signatures to be added. If set to "true" and a SigningTable +## is in use, all SigningTable entries that match the candidate message will +## cause a signature to be added. Otherwise, only the first matching +## SigningTable entry will be added, or only the key defined by Domain, +## Selector and KeyFile will be added. + +# MultipleSignatures no + +## MustBeSigned dataset +## default (none) +## +## Defines a list of headers which, if present on a message, must be +## signed for the signature to be considered acceptable. + +# MustBeSigned header1,header2,... + +## Nameservers addr1[,addr2[,...]] +## default (none) +## +## Provides a comma-separated list of IP addresses that are to be used when +## doing DNS queries to retrieve DKIM keys, ADSP policies, VBR records, etc. 
+## These override any local defaults built in to the resolver in use, which +## may be defined in /etc/resolv.conf or hard-coded into the software. + +# Nameservers addr1,addr2,... + +## NoHeaderB { yes | no } +## default "no" +## +## Suppresses addition of "header.b" tags on Authentication-Results +## header fields. + +# NoHeaderB no + +## OmitHeaders dataset +## default (none) +## +## Specifies a list of headers that should always be omitted when signing. +## Header names should be separated by commas. + +# OmitHeaders header1,header2,... + +## On-... +## +## Specifies what to do when certain error conditions are encountered. +## +## See opendkim.conf(5) for more information. + +# On-Default +# On-BadSignature +# On-DNSError +# On-InternalError +# On-NoSignature +# On-Security +# On-SignatureError + +## OversignHeaders dataset +## default (none) +## +## Specifies a set of header fields that should be included in all signature +## header lists (the "h=" tag) once more than the number of times they were +## actually present in the signed message. See opendkim.conf(5) for more +## information. + +# OverSignHeaders header1,header2,... + +## PeerList dataset +## default (none) +## +## Contains a list of IP addresses, CIDR blocks, hostnames or domain names +## whose mail should be neither signed nor verified by this filter. See man +## page for file format. + +# PeerList filename + +## PidFile filename +## default (none) +## +## Name of the file where the filter should write its pid before beginning +## normal operations. + +# PidFile filename + +## POPDBFile dataset +## default (none) +## +## Names a database which should be checked for "POP before SMTP" records +## as a form of authentication of users who may be sending mail through +## the MTA for signing. Requires special compilation of the filter. +## See opendkim.conf(5) for more information. 
+ +# POPDBFile filename + +## Quarantine { yes | no } +## default "no" +## +## Indicates whether or not the filter should arrange to quarantine mail +## which fails verification. Intended for diagnostic use only. + +# Quarantine No + +## QueryCache { yes | no } +## default "no" +## +## Instructs the DKIM library to maintain its own local cache of keys and +## policies retrieved from DNS, rather than relying on the nameserver for +## caching service. Useful if the nameserver being used by the filter is +## not local. The filter must be compiled with the QUERY_CACHE flag to enable +## this feature, since it adds a library dependency. + +# QueryCache No + +## RedirectFailuresTo address +## default (none) +## +## Redirects signed messages to the specified address if none of the +## signatures present failed to verify. + +# RedirectFailuresTo postmaster@example.com + +## RemoveARAll { yes | no } +## default "no" +## +## Remove all Authentication-Results: headers on all arriving mail. + +# RemoveARAll No + +## RemoveARFrom dataset +## default (none) +## +## Remove all Authentication-Results: headers on all arriving mail that +## claim to have been added by hosts listed in this parameter. The list +## should be comma-separated. Entire domains may be specified by preceding +## the dopmain name by a single dot (".") character. + +# RemoveARFrom host1,host2,.domain1,.domain2,... + +## RemoveOldSignatures { yes | no } +## default "no" +## +## Remove old signatures on messages, if any, when generating a signature. + +# RemoveOldSignatures No + +## ReportAddress addr +## default (executing user)@(hostname) +## +## Specifies the sending address to be used on 
From: headers of outgoing +## failure reports. By default, the e-mail address of the user executing +## the filter is used. + +# ReportAddress "DKIM Error Postmaster" + +## ReportBccAddress addr +## default (none) +## +## Specifies additional recipient address(es) to receive outgoing failure +## reports. + +# ReportBccAddress postmaster@example.com, john@example.com + +## RequiredHeaders { yes | no } +## default no +## +## Rejects messages which don't conform to RFC5322 header count requirements. + +# RequiredHeaders No + +## RequireSafeKeys { yes | no } +## default yes +## +## Refuses to use key files that appear to have unsafe permissions. + +# RequireSafeKeys Yes + +## ResignAll { yes | no } +## default no +## +## Where ResignMailTo triggers a re-signing action, this flag indicates +## whether or not all mail should be signed (if set) versus only verified +## mail being signed (if not set). + +# ResignAll No + +## ResignMailTo dataset +## default (none) +## +## Checks each message recipient against the specified dataset for a +## matching record. The full address is checked in each case, then the +## hostname, then each domain preceded by ".". If there is a match, the +## value returned is presumed to be the name of a key in the KeyTable +## (if defined) to be used to re-sign the message in addition to +## verifying it. If there is a match without a KeyTable, the default key +## is applied. + +# ResignMailTo dataset + +## ResolverConfiguration string +## +## Passes arbitrary configuration data to the resolver. For the stock UNIX +## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style +## file that should be read for configuration information. + +# ResolverConfiguration string + +## ResolverTracing { yes | no } +## +## Requests enabling of resolver trace features, if available. The effect +## of setting this flag depends on how trace features, if any, are implemented +## in the resolver in use. 
Currently only effective when used with the +## OpenDKIM asynchronous resolver. + +# ResolverTracing no + +## Selector name +## +## The name of the selector to use when signing. No default; must be +## specified for signing. + +Selector my-selector-name + +## SendADSPReports { yes | no } +## default "no" +## +## Specifies whether or not the filter should generate report mail back +## to senders when the ADSP (Author Domain Signing Practises) check fails for +## a message. See opendkim.conf(5) for details. + +# SendADSPReports No + +## SenderHeaders dataset +## default (none) +## +## Overrides the default list of headers that will be used to determine +## the sending domain for use when evaluating ADSP. See opendkim.conf(5) +## for details. + +# SenderHeaders From + +## SendReports { yes | no } +## default "no" +## +## Specifies whether or not the filter should generate report mail back +## to senders when verification fails and an address for such a purpose +## is provided. See opendkim.conf(5) for details. + +# SendReports No + +## SignatureAlgorithm signalg +## default "rsa-sha256" +## +## Signature algorithm to use when generating signatures. Must be either +## "rsa-sha1" or "rsa-sha256". + +# SignatureAlgorithm rsa-sha256 + +## SignatureTTL seconds +## default "0" +## +## Specifies the lifetime in seconds of signatures generated by the +## filter. A value of 0 means no expiration time is included in the +## signature. + +# SignatureTTL 0 + +## SignHeaders dataset +## default (none) +## +## Specifies the list of headers which should be included when generating +## signatures. The string should be a comma-separated list of header names. +## See the opendkim.conf(5) man page for more information. + +# SignHeaders header1,header2,... + +## SigningTable dataset +## default (none) +## +## Defines a dataset that will be queried for the message sender's address +## to determine which private key(s) (if any) should be used to sign the +## message. 
The sender is determined from the value of the sender +## header fields as described with SenderHeaders above. The key for this +## lookup should be an address or address pattern that matches senders; +## see the opendkim.conf(5) man page for more information. The value +## of the lookup should return the name of a key found in the KeyTable +## that should be used to sign the message. If MultipleSignatures +## is set, all possible lookup keys will be attempted which may result +## in multiple signatures being applied. + +# SigningTable filename + +## SingleAuthResult { yes | no} +## default "no" +## +## When DomainKeys verification is enabled, multiple Authentication-Results +## will be added, one for DK and one for DKIM. With this enabled, only +## a DKIM result will be reported unless DKIM failed but DK passed, in which +## case only a DK result will be reported. + +# SingleAuthResult no + +## SMTPURI uri +## +## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent +## via SMTP when notifications are generated. + +# Socket smtp://localhost + +## Socket socketspec +## +## Names the socket where this filter should listen for milter connections +## from the MTA. Required. Should be in one of these forms: +## +## inet:port@address to listen on a specific interface +## inet:port to listen on all interfaces +## local:/path/to/socket to listen on a UNIX domain socket + +Socket inet:port@localhost + +## SoftwareHeader { yes | no } +## default "no" +## +## Add a DKIM-Filter header field to messages passing through this filter +## to identify messages it has processed. + +# SoftwareHeader no + +## StrictHeaders { yes | no } +## default "no" +## +## Requests that the DKIM library refuse to process a message whose +## header fields do not conform to the standards, in particular Section 3.6 +## of RFC5322. 
+ +# StrictHeaders no + +## StrictTestMode { yes | no } +## default "no" +## +## Selects strict CRLF mode during testing (see the "-t" command line +## flag in the opendkim(8) man page). Messages for which all header +## fields and body lines are not CRLF-terminated are considered malformed +## and will produce an error. + +# StrictTestMode no + +## SubDomains { yes | no } +## default "no" +## +## Sign for subdomains as well? + +# SubDomains No + +## Syslog { yes | no } +## default "yes" +## +## Log informational and error activity to syslog? + +Syslog Yes + +## SyslogFacility facility +## default "mail" +## +## Valid values are : +## auth cron daemon kern lpr mail news security syslog user uucp +## local0 local1 local2 local3 local4 local5 local6 local7 +## +## syslog facility to be used + +# SyslogFacility mail + +## SyslogSuccess { yes | no } +## default "no" +## +## Log success activity to syslog? + +# SyslogSuccess No + +## TemporaryDirectory path +## default /tmp +## +## Specifies which directory will be used for creating temporary files +## during message processing. + +# TemporaryDirectory /tmp + +## TestPublicKeys filename +## default (none) +## +## Names a file from which public keys should be read. Intended for use +## only during automated testing. + +# TestPublicKeys /tmp/testkeys + +## TrustAnchorFile filename +## default (none) +## +## Specifies a file from which trust anchor data should be read when doing +## DNS queries and applying the DNSSEC protocol. See the Unbound documentation +## at http://unbound.net for the expected format of this file. + +# TrustAnchorFile /var/named/trustanchor + +## UMask mask +## default (none) +## +## Change the process umask for file creation to the specified value. +## The system has its own default which will be used (usually 022). +## See the umask(2) man page for more information. 
+
+# UMask 022
+
+## UnboundConfigFile filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+
+# UnboundConfigFile /var/named/unbound.conf
+
+## Userid userid
+## default (none)
+##
+## Change to user "userid" before starting normal operation? May include
+## a group ID as well, separated from the userid by a colon.
+
+# UserID userid
diff --git a/opendkim/keytable.txt b/opendkim/keytable.txt
new file mode 100644
index 0000000..3dfb66a
--- /dev/null
+++ b/opendkim/keytable.txt
@@ -0,0 +1,10 @@
+bbde_key brehm-berlin.de:dkim:/var/lib/dkim/uhu-banane.net.pem
+bocom_key brehm-online.com:dkim:/var/lib/dkim/uhu-banane.net.pem
+boeu_key brehm-online.eu:dkim:/var/lib/dkim/uhu-banane.net.pem
+frankepedia_key frankepedia.eu:mail-2017-04-05:/var/lib/dkim/frankepedia.eu.2017-04-05.pem
+hborg_key hennig-berlin.org:dkim:/var/lib/dkim/uhu-banane.net.pem
+ubcom_key uhu-banane.com:dkim:/var/lib/dkim/uhu-banane.net.pem
+ubde_key uhu-banane.de:dkim:/var/lib/dkim/uhu-banane.net.pem
+ubeu_key uhu-banane.eu:dkim:/var/lib/dkim/uhu-banane.net.pem
+ubnet_key uhu-banane.net:dkim:/var/lib/dkim/uhu-banane.net.pem
+uborg_key uhu-banane.org:dkim:/var/lib/dkim/uhu-banane.net.pem
diff --git a/opendkim/signingtable.txt b/opendkim/signingtable.txt
new file mode 100644
index 0000000..062b92a
--- /dev/null
+++ b/opendkim/signingtable.txt
@@ -0,0 +1,10 @@
+*@brehm-berlin.de bbde_key
+*@brehm-online.com bocom_key
+*@brehm-online.eu boeu_key
+*@frankepedia.eu frankepedia_key
+*@hennig-berlin.org hborg_key
+*@uhu-banane.com ubcom_key
+*@uhu-banane.de ubde_key
+*@uhu-banane.eu ubeu_key
+*@uhu-banane.net ubnet_key
+*@uhu-banane.org uborg_key
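Review bot: Nine of the ten entries in keytable.txt map to the same private key /var/lib/dkim/uhu-banane.net.pem under selector `dkim`, so those nine zones must all publish that key's public half at `dkim._domainkey` and will all have to change together on rotation or compromise. Only frankepedia_key has its own key and a dated selector (`mail-2017-04-05`); applying that per-domain, dated-selector scheme to the others confines a compromise or rotation to one zone. The same key-to-domain mapping is duplicated in amavis/conf.d/50-user in this commit, so later changes have to be made in two places; a header line `# keyname domain:selector:keyfile -- keep in sync with amavis/conf.d/50-user` would flag that.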
diff --git a/postfix/main.cf b/postfix/main.cf
index 881fcf9..319d0d5 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -303,3 +303,7 @@ content_filter = smtp-amavis:[127.0.0.1]:10024
 smtp-amavis_destination_recipient_limit = 1
 mailbox_size_limit = 524288000
 smtpd_tls_received_header = yes
+
+# smtpd_milters = inet:localhost:8891
+# non_smtpd_milters = inet:localhost:8891
+
diff --git a/postfix/master.cf b/postfix/master.cf
index 6872e7b..895d40d 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -38,6 +38,7 @@ tlsproxy unix - - - - 0 tlsproxy
 # -o milter_macro_daemon_name=ORIGINATING
 #628 inet n - - - - qmqpd
 pickup unix n - - 60 1 pickup
+ -o content_filter=smtp-amavis:[127.0.0.1]:10026
 cleanup unix n - - - 0 cleanup
 qmgr unix n - n 300 1 qmgr
 #qmgr unix n - n 300 1 oqmgr
@@ -162,4 +163,5 @@ smtp-amavis unix - - n - 2 smtp
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
- -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+ -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings,no_milters
+
diff --git a/rc2.d/S02opendkim b/rc2.d/K01opendkim
similarity index 100%
rename from rc2.d/S02opendkim
rename to rc2.d/K01opendkim
diff --git a/rc3.d/S02opendkim b/rc3.d/K01opendkim
similarity index 100%
rename from rc3.d/S02opendkim
rename to rc3.d/K01opendkim
diff --git a/rc4.d/S02opendkim b/rc4.d/K01opendkim
similarity index 100%
rename from rc4.d/S02opendkim
rename to rc4.d/K01opendkim
diff --git a/rc5.d/S02opendkim b/rc5.d/K01opendkim
similarity index 100%
rename from rc5.d/S02opendkim
rename to rc5.d/K01opendkim
-- 
2.39.5
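Review bot: The new `-o content_filter=smtp-amavis:[127.0.0.1]:10026` on `pickup` sends locally submitted mail to a second amavis listener, while the global content_filter in postfix/main.cf (visible as context in that file's hunk) keeps SMTP-received mail on 10024; nothing in this commit shows amavis listening on 10026 or which policy bank it selects, so confirm that in the amavis config, otherwise pickup mail is deferred. The `no_milters` added to smtp-amavis's receive_override_options in the following hunk is the right guard against running a milter again on reinjected mail, even though smtpd_milters stays commented out in main.cf. Because the port number carries the whole meaning of the line, a comment such as `# local submissions -> amavis listener on 10026 (presumably the signing policy bank; confirm)` above the -o line would make the intent explicit.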