-rw-r--r--README.md2
-rw-r--r--opendkim/opendkim.conf51
-rw-r--r--postfix/main.cf12
3 files changed, 64 insertions, 1 deletions
diff --git a/README.md b/README.md
index adb4860..cacb751 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,8 @@ postfix
|- protected_destinations destionations only reachable by insiders
|- insiders insider addresses
|- update_aliases.sh script to compile aliases, insiders and protected_destinations, load them and reload postfix
+opendkim
+|- opendkim.conf opendkim config
dovecot
|- dovecot.conf dovecot config
gnu-mailutils
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
new file mode 100644
index 0000000..07108f8
--- /dev/null
+++ b/opendkim/opendkim.conf
@@ -0,0 +1,51 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain arf20.com
+Selector selector
+KeyFile /etc/opendkim/keys/arf20.com/selector.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+#Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
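Review bot: `Selector selector` is a fixed, non-descriptive selector and the KeyFile path repeats it, so rotating the signing key means changing both lines and the DNS record in lockstep with nothing in the name that tells which key generation is live; a date-based selector (the file's own comment uses "2020") makes rotation and stale-DNS cleanup traceable. The key at /etc/opendkim/keys/arf20.com/selector.private must be readable only by the `opendkim` user named in UserID, since with `UMask 007` the daemon itself creates group-accessible files; confirm the mode and ownership on the host. With `InternalHosts` left commented, only 127.0.0.1 is treated as internal, so whether SASL-authenticated submissions relayed over the Unix socket are signed rather than merely verified depends on how opendkim treats the authentication state the MTA reports — worth checking with a test message before relying on it. The comment block above Domain still describes the example.com/2020 sample rather than the values set below it; `# Signing domain, selector and key for this host; the public key is published at selector._domainkey.arf20.com` would match what follows.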
diff --git a/postfix/main.cf b/postfix/main.cf
index 7b71024..d73d523 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -19,7 +19,12 @@ smtpd_tls_cert_file=/etc/letsencrypt/live/mail.arf20.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.arf20.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_protocols = >=TLSv1.2
+smtpd_tls_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, MD5
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_relay_before_recipient_restrictions=no
# restriction options
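Review bot: `smtpd_tls_protocols = >=TLSv1.2` and `smtpd_tls_mandatory_protocols = >=TLSv1.2` use the `>=` range syntax, which Postfix accepts only from 3.6 onward; on an older release the value is an unknown protocol name and the intended floor may not be applied, so check `postconf mail_version` or use the exclusion form `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1`. Because `smtpd_tls_security_level=may` is kept, the three `smtpd_tls_mandatory_*` lines added here appear to be dormant for inbound SMTP — per the Postfix documentation they apply at `encrypt` or stricter — so the effective inbound policy comes only from `smtpd_tls_protocols`, `smtpd_tls_ciphers` and `smtpd_tls_exclude_ciphers`. Raising the opportunistic grade to `high` trades interoperability with legacy senders for strength, and since the fallback under `may` is cleartext, the mail log should be watched for peers that stop negotiating TLS after this change. The new lines also use `key = value` spacing while the surrounding lines use `key=value`; one style for the file would be easier to grep.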
@@ -37,6 +42,11 @@ insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
smtpd_sasl_auth_enable=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
+# milter options
+# chrooted to /var/spool/postfix/
+smtpd_milters=unix:/opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
# common smtp (outgoing) options
# tls options
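Review bot: `milter_default_action = accept` means that whenever opendkim is unreachable (daemon down, socket missing after a spool cleanup) outbound mail leaves unsigned and inbound mail is accepted unverified, with nothing but a warning in the log; that is a defensible availability choice for an MX, but it should be stated and monitored, e.g. `# accept: if opendkim is down mail flows unsigned/unverified — alert on milter connect warnings in the mail log`. The path in `smtpd_milters=unix:/opendkim/opendkim.sock` is resolved inside the Postfix chroot, so it lines up with an opendkim Socket of local:/var/spool/postfix/opendkim/opendkim.sock only if that directory exists and is group-accessible to both the `opendkim` and `postfix` users; the comment `# chrooted to /var/spool/postfix/` would say this more directly as `# path is relative to the Postfix chroot (/var/spool/postfix)`. `smtpd_milters=` without spaces beside `non_smtpd_milters = ` with them continues the file's mixed spacing.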