From 9652257a80f65965fb1adb5857ccfe764cc46fc7 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Wed, 19 Jun 2024 02:53:59 -0400
Subject: opendkim: Setup package and data volume
The postfix user is added to the opendkim group so that the MTA can eventually interact with the filter over its socket file.
Signed-off-by: Malfurious
---
 Dockerfile | 9 +++++++++
 docker-compose.yml | 2 ++
 2 files changed, 11 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index f79830a..e7ca4b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,14 @@ RUN useradd \
 --skel /dev/null --create-home \
 mlmmj
+RUN useradd \
+ --uid 2003 \
+ --shell /usr/sbin/nologin \
+ --home-dir /run/opendkim \
+ opendkim
+
+RUN usermod -aG opendkim postfix
+
 # Install packages
 RUN apt update \
 && apt full-upgrade --yes \
@@ -32,6 +40,7 @@ RUN apt update \
 dovecot-core \
 dovecot-imapd \
 mlmmj \
+ opendkim \
 postfix \
 postfix-pcre \
 sudo \
diff --git a/docker-compose.yml b/docker-compose.yml
index 0aeda27..0c741b6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,7 @@ services:
 - "mail:/var/mail"
 - "postfix:/var/spool/postfix"
 - "mlmmj:/var/spool/mlmmj"
+ - "dkim:/opendkim"
 ports:
 - "25:25"
 - "465:465"
@@ -62,6 +63,7 @@ volumes:
 mail:
 postfix:
 mlmmj:
+ dkim:
 networks:
 nginx-proxy-network:
-- cgit v1.2.3
From 067a9c14c41022f5a93846a5b4c8dba4d5030ec1 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 30 Jun 2024 07:53:42 -0400
Subject: opendkim: Add default config file
Signed-off-by: Malfurious
---
 Dockerfile | 3 ++-
 opendkim/opendkim.conf | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 opendkim/opendkim.conf
diff --git a/Dockerfile b/Dockerfile
index e7ca4b9..aa35a8f 100644
--- a/Dockerfile
+++ b/Dockerfile
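Review bot: `RUN usermod -aG opendkim postfix` runs before the `apt` step that installs the postfix package, so the build fails at this line unless the postfix account is created by a useradd earlier in the Dockerfile (outside this hunk); if it is not, move the usermod after the package install or create the account explicitly as is done for opendkim here. `useradd --home-dir /run/opendkim` without `--create-home` also means nothing in this series creates that directory, which the Debian default opendkim.conf uses for its socket and pid file; add `--create-home` or create it where the daemon is started. The fixed `--uid 2003` deserves a one-line comment, e.g. `# fixed uid so ownership of the dkim volume survives image rebuilds`, since the shared volume added below appears to depend on stable numeric ids across containers.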
@@ -48,10 +48,11 @@ RUN apt update \
 # Install files
 COPY dovecot /etc/dovecot/
+COPY opendkim /etc/
 COPY postfix /etc/postfix/
 COPY userconfig /etc/userconfig/
-RUN find /etc/dovecot /etc/postfix -type f | xargs sed -i \
+RUN find /etc/dovecot /etc/opendkim.conf /etc/postfix -type f | xargs sed -i \
 "s/ENV_HOSTNAME/${HOSTNAME}/g; s/ENV_VIRTUAL_DOMAINS/${VIRTUAL_DOMAINS}/g"
 EXPOSE 25
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
new file mode 100644
index 0000000..50fc09a
--- /dev/null
+++ b/opendkim/opendkim.conf
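Review bot: `COPY opendkim /etc/` copies whatever lands in the opendkim/ source directory straight into the root of /etc, so a stray file there (an editor backup, or a private key dropped next to the config) silently becomes a top-level /etc entry in the image; `COPY opendkim/opendkim.conf /etc/opendkim.conf` names the intent and keeps the target explicit. The same line then also pairs naturally with the explicit `/etc/opendkim.conf` path that the rewritten find command below already uses.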
@@ -0,0 +1,51 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+#Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+#Domain example.com
+#Selector 2020
+#KeyFile /etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+#Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. 
In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
-- cgit v1.2.3
From 335b9f49532ce012b6da7dc404aff1dee55bfa21 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 06:04:49 -0400
Subject: opendkim: Configure signing parameters
We use a hard-coded key selector of "default" and store keyfiles in the dkim volume. `Domain` indicates the mail sources for which mail should be signed rather than verified. Because we are using ENV_VIRTUAL_DOMAINS in this context, we now require the variable to be comma separated (no whitespace), as that is what this file requires. All previous usages of ENV_VIRTUAL_DOMAINS are compatible with comma separation.
Signed-off-by: Malfurious
---
 docker-compose.yml | 2 +-
 opendkim/opendkim.conf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 0c741b6..69ac500 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
 # CONFIGURE ME!
 # The FQDN this mail server identifies itself as
 HOSTNAME: "YOUR-DOMAIN.example"
- # All domain names this server accepts mail for (space separated)
+ # All domain names this server accepts mail for (comma separated)
 VIRTUAL_DOMAINS: "YOUR-DOMAIN.example"
 restart: "always"
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 50fc09a..39072d2 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
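Review bot: `Socket local:/run/opendkim/opendkim.sock` and `PidFile /run/opendkim/opendkim.pid` point into a directory that nothing in this series creates inside the image (the opendkim user gets `--home-dir /run/opendkim` without `--create-home`, and the Debian package normally provisions that directory through systemd, which the container does not run), so the daemon will presumably fail to bind its socket on first start; create the directory owned by opendkim wherever the service is launched, or move both paths. The file's own comment block warns that a chrooted Postfix cannot reach a socket outside /var/spool/postfix, and that constraint applies equally to the MTA container here, so the socket path chosen in main.cf should be checked against master.cf's chroot column. `#Mode sv` and `#InternalHosts` are left at their defaults; with the MTA in a separate container, whether a message is signed or verified depends on the client address opendkim sees rather than on the MTA being local, and I believe authenticated submissions are treated as internal, but a comment stating which is relied on, and confirming it, would save the next reader a trip through opendkim(8).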
@@ -19,9 +19,9 @@ OversignHeaders From
 # for domain "example.com" with selector "2020" (2020._domainkey.example.com),
 # using the private key stored in /etc/dkimkeys/example.private. More granular
 # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
-#Domain example.com
-#Selector 2020
-#KeyFile /etc/dkimkeys/example.private
+Domain ENV_VIRTUAL_DOMAINS
+Selector default
+KeyFile /opendkim/default.private
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
-- cgit v1.2.3
From 08b83d5142f093a60ea2dfaeb9014a5831a1480b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Wed, 19 Jun 2024 03:01:09 -0400
Subject: opendkim: Generate keys / TXT record
Keys are generated using the config from the previous commit and stored in the dkim data volume. The key length is set to 1024 bits for compatibility with nameservers. See this quote from the opendkim readme: BIND servers have a 256 byte limit on serving TXT records, so a 1024 bit RSA key is recommended if using BIND as your primary DNS server.
Signed-off-by: Malfurious
---
 Dockerfile | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index aa35a8f..aa7c1ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,6 +46,18 @@ RUN apt update \
 sudo \
 && apt clean
+# Generate OpenDKIM keypair
+# Do this here so we can print the pubkey/dns record to logs during build
+# process. After initial run, a volume should preserve the keys for later
+# runs.
+RUN mkdir -p /opendkim \
+ && chown opendkim:opendkim /opendkim \
+ && opendkim-genkey \
+ --bits=1024 \
+ --directory=/opendkim \
+ --selector=default \
+ && cat /opendkim/default.txt
+
 # Install files
 COPY dovecot /etc/dovecot/
 COPY opendkim /etc/
-- cgit v1.2.3
From 053ecfdb5110b2a0eda01dfe78c62b446fc4866b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 06:54:58 -0400
Subject: opendkim: Configure postfix milter socket
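Review bot: `Domain ENV_VIRTUAL_DOMAINS` is rewritten by the build-time sed, so a `VIRTUAL_DOMAINS` value that still uses the space-separated form the compose comment documented until this commit becomes one bogus domain and no outbound mail is signed, without any error at build time; a comment directly above the line, `# ENV_VIRTUAL_DOMAINS is substituted at image build; comma-separated, no whitespace`, keeps the constraint next to the line that imposes it. `Selector default` hard-wired to `KeyFile /opendkim/default.private` also means a key cannot be rotated without regenerating under a new name and editing this file; if rotation is planned, opendkim's `KeyTable`/`SigningTable` pair is the usual shape, but that can be a follow-up.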
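Review bot: `&& chown opendkim:opendkim /opendkim \` runs before `opendkim-genkey`, so `default.private` (and `default.txt`) are created by root and stay root-owned with the restrictive mode genkey applies, while the filter runs as `UserID opendkim`; RequireSafeKeys, on by default, is meant to reject a key file not owned by the running user, and even without it the file is unreadable once privileges drop, so signing fails silently. Move the chown after the genkey call and make it recursive, `&& chown -R opendkim:opendkim /opendkim \`. Generating the key at build time also bakes a private key into an image layer, and every rebuild produces a fresh key that no longer matches the TXT record already published, which the comment above the RUN should say; generating on first start into the volume, with the record printed to the service log, avoids both. On key size, the BIND limit quoted in the commit message is per 255-byte string and opendkim-genkey already splits longer records into several quoted strings, so the 2048-bit size that RFC 8301 recommends for signers is worth considering.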
Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 6 +-----
 postfix/main.cf | 4 ++++
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 39072d2..5a23836 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
@@ -34,11 +34,7 @@ UMask 007
 # it must be ensured that the socket is accessible. In Debian, Postfix runs in
 # a chroot in /var/spool/postfix, therefore a Unix socket would have to be
 # configured as shown on the last line below.
-Socket local:/run/opendkim/opendkim.sock
-#Socket inet:8891@localhost
-#Socket inet:8891
-#Socket local:/var/spool/postfix/opendkim/opendkim.sock
-
+Socket local:/opendkim/opendkim.sock
 PidFile /run/opendkim/opendkim.pid
 # Hosts for which to sign rather than verify, default is 127.0.0.1. See the
diff --git a/postfix/main.cf b/postfix/main.cf
index 7f701a8..6eb5ad2 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -53,6 +53,10 @@ virtual_uid_maps = static:2000
 virtual_gid_maps = static:2000
 virtual_mailbox_limit = 0
+# opendkim parameters
+smtpd_milters = local:/opendkim/opendkim.sock
+non_smtpd_milters = local:/opendkim/opendkim.sock
+
 # Mlmmj mailing list parameters
 mlmmj_destination_recipient_limit = 1
 transport_maps = hash:/etc/postfix/mltransport
-- cgit v1.2.3
From add7158e2817dbfbf4d46766dd4200061416d05b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 05:47:06 -0400
Subject: opendkim: Disable syslog
Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 5a23836..11e1ec6 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
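Review bot: `PidFile /run/opendkim/opendkim.pid` is kept while the socket moves onto the volume, so the pid file still targets a directory that nothing in the image creates; either move it next to the socket, `PidFile /opendkim/opendkim.pid`, or drop the line, since the service runs the daemon in the foreground with `-f` and nothing reads the pid. The blank line between `Socket` and `PidFile` was removed along with the commented alternatives and is worth restoring. A comment above `Socket local:/opendkim/opendkim.sock` should also say that `/opendkim` is a named volume shared with the MTA container and that the 007 umask therefore only works because both containers run from the same image with the same numeric uid/gid for opendkim and postfix.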
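Review bot: `smtpd_milters = local:/opendkim/opendkim.sock` is resolved inside the chroot for any master.cf service that runs chrooted, and Debian's stock master.cf runs smtpd chrooted under /var/spool/postfix; unless the project's master.cf (not part of this series) turns that off, Postfix looks for /var/spool/postfix/opendkim/opendkim.sock and every inbound message is deferred. Either mount the volume under the spool, as the comment block in opendkim.conf suggests, or confirm the chroot column and record it, e.g. `# opendkim milter; absolute path is valid because smtpd runs unchrooted (see master.cf)`. Deferring when the milter is unreachable is Postfix's default (`milter_default_action = tempfail`) and is the right fail-closed choice for a signer/verifier, so it is worth setting explicitly next to these two lines rather than relying on the default.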
@@ -3,8 +3,8 @@
 # /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
 # documentation of available configuration parameters.
-Syslog yes
-SyslogSuccess yes
+Syslog no
+SyslogSuccess no
 #LogWhy no
 # Common signing and verification parameters. In Debian, the "From" header is
-- cgit v1.2.3
From 5d6a5e19976923daccf0464f797b44b6266e6941 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 05:53:38 -0400
Subject: opendkim: Start milter service
Signed-off-by: Malfurious
---
 docker-compose.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 69ac500..0efa133 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -56,6 +56,15 @@ services:
 - "mlmmj:/var/spool/mlmmj"
 command: ["bash", "-c", "/usr/bin/mlmmj-maintd -d /var/spool/mlmmj && sleep infinity"]
+ opendkim:
+ image: "mailnode"
+ pull_policy: "never"
+
+ restart: "always"
+ volumes:
+ - "dkim:/opendkim"
+ command: ["/usr/sbin/opendkim", "-f"]
+
 volumes:
 certs:
 external: true
-- cgit v1.2.3
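Review bot: `Syslog no` and `SyslogSuccess no` switch off the only log channel opendkim has, so key-load errors, signing failures and verification results become invisible, which is exactly the evidence needed when a DNS record or key goes wrong or when investigating spoofed mail. Presumably this was done because the container has no syslog listener; in that case routing `/dev/log` (a bind mount of the host socket, or a small syslog relay in the compose stack) keeps the records instead of discarding them. If it has to stay off, a comment on the line, `# no syslog daemon in the container; re-enable once /dev/log is available`, records the trade-off for the next reader.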
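Review bot: the new `opendkim` service has no `user:` key and no `depends_on`, so `/usr/sbin/opendkim -f` starts as root and the mail service may come up before the socket exists; the daemon drops to `UserID opendkim` itself, but `user: "2003"` (the fixed uid from the Dockerfile) would keep even startup and a misconfiguration from running as root, provided the key and `/opendkim` are owned by that uid. Without `depends_on: [opendkim]` on the mail service a cold start leaves Postfix deferring mail until the milter is up, which is safe but worth a comment. The volume holds both the private key and the socket and is shared with the MTA container, so a comment next to `- "dkim:/opendkim"` should state that the two services must run from the same image so the numeric uid/gid of opendkim and postfix match. It is also worth confirming that a socket file left on the persistent volume by an unclean stop does not prevent the daemon from binding on restart.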