From 291156ae4a7ef65fae14e7f5ea1fd465e9d3d018 Mon Sep 17 00:00:00 2001
From: arf20
Date: Fri, 23 Feb 2024 18:05:25 +0000
Subject: Actually use opendkim milter in postfix
---
 README.md | 2 ++
 opendkim/opendkim.conf | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
 postfix/main.cf | 12 +++++++++++-
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 opendkim/opendkim.conf
diff --git a/README.md b/README.md
index adb4860..cacb751 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,8 @@ postfix
 |- protected_destinations destionations only reachable by insiders
 |- insiders insider addresses
 |- update_aliases.sh script to compile aliases, insiders and protected_destinations, load them and reload postfix
+opendkim
+|- opendkim.conf opendkim config
 dovecot
 |- dovecot.conf dovecot config
 gnu-mailutils
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
new file mode 100644
index 0000000..07108f8
--- /dev/null
+++ b/opendkim/opendkim.conf
@@ -0,0 +1,51 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain arf20.com
+Selector selector
+KeyFile /etc/opendkim/keys/arf20.com/selector.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+#Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
diff --git a/postfix/main.cf b/postfix/main.cf
index 7b71024..d73d523 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -19,7 +19,12 @@ smtpd_tls_cert_file=/etc/letsencrypt/live/mail.arf20.com/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/mail.arf20.com/privkey.pem
 smtpd_use_tls=yes
 smtpd_tls_security_level=may
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_protocols = >=TLSv1.2
+smtpd_tls_ciphers = high
+smtpd_tls_exclude_ciphers = aNULL, MD5
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_relay_before_recipient_restrictions=no
 # restriction options
@@ -37,6 +42,11 @@ insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
 smtpd_sasl_auth_enable=yes
 smtpd_sasl_type=dovecot
 smtpd_sasl_path=private/auth
+# milter options
+# chrooted to /var/spool/postfix/
+smtpd_milters=unix:/opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters
+milter_default_action = accept
 # common smtp (outgoing) options
 # tls options
-- 
cgit v1.2.3
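Review bot: With `InternalHosts` left commented out (the line just before the DNSSEC block), opendkim falls back to its default of 127.0.0.1 as the only host to sign for, so under `Mode sv` whether mail submitted by remote SASL-authenticated clients is signed rather than merely verified depends on opendkim treating authenticated sessions as internal — worth confirming with a test submission before relying on it. The commented example range list should stay commented unless those networks are genuinely trusted, since every host listed there gets its mail signed with the arf20.com key. `KeyFile /etc/opendkim/keys/arf20.com/selector.private` is read as the user given by `UserID opendkim`; a comment such as `# KeyFile must be owned by opendkim and not group/world readable (0600)` would record a requirement the config itself cannot enforce. As a point of style, a selector literally named `selector` works but makes a later rotation to a second key harder to read in DNS; a date-based selector is the common convention.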
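Review bot: The `>=TLSv1.2` form used in `smtpd_tls_mandatory_protocols` and `smtpd_tls_protocols` is only understood by Postfix 3.6 and later; on an older release it is not a valid protocol name and the exclusion-list form `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` is needed, so the target Postfix version should be checked (the page does not state it). Raising the opportunistic grade with `smtpd_tls_ciphers = high` under `smtpd_tls_security_level=may` means a legacy sender that cannot negotiate a high-grade cipher falls back to cleartext rather than to a weaker cipher, which is why the Postfix documentation keeps the opportunistic grade at `medium` and reserves `high` for the `mandatory` settings; either dropping the `smtpd_tls_ciphers` and `smtpd_tls_exclude_ciphers` lines or adding a comment recording that this trade-off is intentional would make the choice explicit. The matching client-side `smtp_tls_*` settings live outside this hunk and are not visible here.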
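Review bot: `milter_default_action = accept` means that when the opendkim socket is unavailable (service down, or the socket directory under the chroot missing) Postfix logs the milter failure and accepts the message anyway, so outbound mail leaves unsigned and inbound mail is neither verified nor flagged — a silent degradation that is easy to miss. `tempfail` would queue instead of bypassing the filter; if `accept` is kept deliberately, a comment such as `# accept: mail flows unsigned/unverified if opendkim is down` plus alerting on the Postfix milter connection warnings would make that explicit. The socket path `unix:/opendkim/opendkim.sock` is relative to the chroot and matches `Socket local:/var/spool/postfix/opendkim/opendkim.sock` in opendkim.conf, but that directory must exist inside the chroot with group access for the `postfix` user (as the opendkim `UMask 007` comment describes), and nothing on this page shows it being created. Minor style point: `smtpd_milters=unix:...` uses no spaces around `=` while the two lines below it do; the file mixes both forms already, so picking one for the new block would help.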