author | Malfurious <m@lfurio.us> | 2024-07-09 15:53:34 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2024-07-09 15:53:34 -0400 |
commit | c8b6d74765064d6205f4d03b2051ee37b8943434 (patch) | |
tree | 9a673efd6e5d9cea95d40c98d5ff33eaba628731 | |
parent | 02da95230612c5ae7a31587b31eca7a8c9a05ce0 (diff) | |
parent | 5d6a5e19976923daccf0464f797b44b6266e6941 (diff) | |
Merge branch 'dkim'
Install and configure OpenDKIM according to the instructions found in
the OpenDKIM readme: http://www.opendkim.org/opendkim-README
* dkim:
opendkim: Start milter service
opendkim: Disable syslog
opendkim: Configure postfix milter socket
opendkim: Generate keys / TXT record
opendkim: Configure signing parameters
opendkim: Add default config file
opendkim: Setup package and data volume
-rw-r--r-- | Dockerfile | 24 | ||||
-rw-r--r-- | docker-compose.yml | 13 | ||||
-rw-r--r-- | opendkim/opendkim.conf | 47 | ||||
-rw-r--r-- | postfix/main.cf | 4 |
4 files changed, 86 insertions, 2 deletions
@@ -25,6 +25,14 @@ RUN useradd \ --skel /dev/null --create-home \ mlmmj +RUN useradd \ + --uid 2003 \ + --shell /usr/sbin/nologin \ + --home-dir /run/opendkim \ + opendkim + +RUN usermod -aG opendkim postfix + # Install packages RUN apt update \ && apt full-upgrade --yes \ @@ -32,17 +40,31 @@ RUN apt update \ dovecot-core \ dovecot-imapd \ mlmmj \ + opendkim \ postfix \ postfix-pcre \ sudo \ && apt clean +# Generate OpenDKIM keypair +# Do this here so we can print the pubkey/dns record to logs during build +# process. After initial run, a volume should preserve the keys for later +# runs. +RUN mkdir -p /opendkim \ + && chown opendkim:opendkim /opendkim \ + && opendkim-genkey \ + --bits=1024 \ + --directory=/opendkim \ + --selector=default \ + && cat /opendkim/default.txt + # Install files COPY dovecot /etc/dovecot/ +COPY opendkim /etc/ COPY postfix /etc/postfix/ COPY userconfig /etc/userconfig/ -RUN find /etc/dovecot /etc/postfix -type f | xargs sed -i \ +RUN find /etc/dovecot /etc/opendkim.conf /etc/postfix -type f | xargs sed -i \ "s/ENV_HOSTNAME/${HOSTNAME}/g; s/ENV_VIRTUAL_DOMAINS/${VIRTUAL_DOMAINS}/g" EXPOSE 25 diff --git a/docker-compose.yml b/docker-compose.yml index 0aeda27..0efa133 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,7 +9,7 @@ services: # CONFIGURE ME! # The FQDN this mail server identifies itself as HOSTNAME: "YOUR-DOMAIN.example" - # All domain names this server accepts mail for (space separated) + # All domain names this server accepts mail for (comma separated) VIRTUAL_DOMAINS: "YOUR-DOMAIN.example" restart: "always" @@ -18,6 +18,7 @@ services: - "mail:/var/mail" - "postfix:/var/spool/postfix" - "mlmmj:/var/spool/mlmmj" + - "dkim:/opendkim" ports: - "25:25" - "465:465" 
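Review bot: `RUN usermod -aG opendkim postfix` may not be what lets Postfix reach the 0660 milter socket: as far as I recall, Postfix's set_ugid() deliberately drops supplementary groups (setgroups(1, &gid)) before smtpd/cleanup are started, so group membership alone would not grant access — this should be verified with a test submission rather than assumed, and the mechanism that is actually relied on recorded in a comment next to the usermod line. Separately, `--home-dir /run/opendkim` is given without `--create-home`, so /run/opendkim does not exist in the image; the PidFile that the new opendkim.conf points into that directory will then be unwritable at start-up, and with syslog disabled the error will never surface. Add `RUN install -d -o opendkim -g opendkim -m 0755 /run/opendkim` after the useradd, or drop the PidFile setting.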
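Review bot: The DKIM private key is generated by `RUN opendkim-genkey` at image build time, so default.private ends up in an image layer and travels with every copy of the image (docker save, registry push, anyone who can read the layer); a signing key should be created at first container start into the volume, with the build step only installing the tooling — roughly, an entrypoint that runs opendkim-genkey when /opendkim/default.private is missing and prints default.txt to the container log. `--bits=1024` is also at the RFC 8301 floor; signers are expected to use 2048-bit keys today and some receivers already score 1024-bit signatures as weak, so use `--bits=2048`. Note too that `chown opendkim:opendkim /opendkim` runs before genkey, so default.private is created root-owned with mode 0600; whether the daemon, which drops to UserID opendkim, can still load it should be checked, or the chown moved after genkey as `&& chown -R opendkim:opendkim /opendkim`.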
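Review bot: Mounting the whole `dkim` volume into the mail service hands the Postfix container the DKIM private key (/opendkim/default.private) when all it needs is the milter socket; keep the key and the socket in separate directories so that only a socket-only volume is shared with the MTA container and the key stays in the opendkim container alone. Also bear in mind that a named volume is seeded from the image only when it is first created: a later image rebuild regenerates the key and prints a new default.txt in the build log, but an existing deployment keeps the old key in the volume, so the TXT record shown at build time will not match what is signing. Document next to the volume entry that the record to publish is the one in the volume, e.g. `# DNS record: docker compose exec opendkim cat /opendkim/default.txt`.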
@@ -55,6 +56,15 @@ services: - "mlmmj:/var/spool/mlmmj" command: ["bash", "-c", "/usr/bin/mlmmj-maintd -d /var/spool/mlmmj && sleep infinity"] + opendkim: + image: "mailnode" + pull_policy: "never" + + restart: "always" + volumes: + - "dkim:/opendkim" + command: ["/usr/sbin/opendkim", "-f"] + volumes: certs: external: true @@ -62,6 +72,7 @@ volumes: mail: postfix: mlmmj: + dkim: networks: nginx-proxy-network: diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf new file mode 100644 index 0000000..11e1ec6 --- /dev/null +++ b/opendkim/opendkim.conf 
@@ -0,0 +1,47 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog no
+SyslogSuccess no
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+#Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain ENV_VIRTUAL_DOMAINS
+Selector default
+KeyFile /opendkim/default.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket local:/opendkim/opendkim.sock
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key +#Nameservers 127.0.0.1 diff --git a/postfix/main.cf b/postfix/main.cf index 7f701a8..6eb5ad2 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -53,6 +53,10 @@ virtual_uid_maps = static:2000 virtual_gid_maps = static:2000 virtual_mailbox_limit = 0 +# opendkim parameters +smtpd_milters = local:/opendkim/opendkim.sock +non_smtpd_milters = local:/opendkim/opendkim.sock + # Mlmmj mailing list parameters mlmmj_destination_recipient_limit = 1 transport_maps = hash:/etc/postfix/mltransport |
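Review bot: `Syslog no` combined with running the daemon as `/usr/sbin/opendkim -f` leaves OpenDKIM with no log sink at all — it reports only through syslog(3) — so key-load failures, signing errors and verification results are silently discarded, and outbound mail going out unsigned would not be noticed. Keep `Syslog yes` and give the container a /dev/log (a minimal syslogd forwarding to stdout, or a mounted log socket), or at least record in the file header why logging is intentionally off. A second thing to confirm: with `#InternalHosts` left commented the default is 127.0.0.1, and OpenDKIM decides sign-versus-verify from the client address Postfix reports, so messages submitted by authenticated users from remote addresses on port 465 may be verified rather than signed; test that case, and if it fails add a `MacroList` entry for `auth_type` (see opendkim.conf(5) for the syntax) so SASL-authenticated clients are treated as signing candidates.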
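Review bot: `local:/opendkim/opendkim.sock` will not be reachable if smtpd and cleanup run chrooted, which is Debian's master.cf default: a `local:` milter path is resolved inside the chroot (/var/spool/postfix), where /opendkim does not exist — the opendkim.conf added in this same commit still carries the Debian comment warning about exactly this. master.cf is not in this diff, so either its chroot flags need to be turned off for those services or the socket has to live under /var/spool/postfix with the volume mounted there. Also decide explicitly what happens while the opendkim container is down: Postfix's default `milter_default_action = tempfail` answers every inbound and submitted message with a 4xx until the milter is back, which is the right fail-closed choice for a signer but should be stated, on its own line since main.cf does not allow trailing comments: `# fail closed: never accept or emit mail unsigned/unverified` followed by `milter_default_action = tempfail`.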