From 067a9c14c41022f5a93846a5b4c8dba4d5030ec1 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 30 Jun 2024 07:53:42 -0400
Subject: opendkim: Add default config file

Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 opendkim/opendkim.conf
(limited to 'opendkim/opendkim.conf')
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
new file mode 100644
index 0000000..50fc09a
--- /dev/null
+++ b/opendkim/opendkim.conf
@@ -0,0 +1,51 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog yes
+SyslogSuccess yes
+#LogWhy no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization relaxed/simple
+#Mode sv
+#SubDomains no
+OversignHeaders From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+#Domain example.com
+#Selector 2020
+#KeyFile /etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID opendkim
+UMask 007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket local:/run/opendkim/opendkim.sock
+#Socket inet:8891@localhost
+#Socket inet:8891
+#Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile /run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile /usr/share/dns/root.key
+#Nameservers 127.0.0.1
-- 
cgit v1.2.3
From 335b9f49532ce012b6da7dc404aff1dee55bfa21 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 06:04:49 -0400
Subject: opendkim: Configure signing parameters

We use a hard-coded key selector of "default" and store keyfiles in the dkim volume. `Domain` indicates the mail sources for which mail should be signed rather than verified. Because we are using ENV_VIRTUAL_DOMAINS in this context, we now require the variable to be comma separated (no whitespace), as that is what this file requires. All previous usages of ENV_VIRTUAL_DOMAINS are compatible with comma separation.

Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'opendkim/opendkim.conf')
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 50fc09a..39072d2 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
@@ -19,9 +19,9 @@ OversignHeaders From
 # for domain "example.com" with selector "2020" (2020._domainkey.example.com),
 # using the private key stored in /etc/dkimkeys/example.private. More granular
 # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
-#Domain example.com
-#Selector 2020
-#KeyFile /etc/dkimkeys/example.private
+Domain ENV_VIRTUAL_DOMAINS
+Selector default
+KeyFile /opendkim/default.private
 
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
-- 
cgit v1.2.3
From 053ecfdb5110b2a0eda01dfe78c62b446fc4866b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 06:54:58 -0400
Subject: opendkim: Configure postfix milter socket

Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'opendkim/opendkim.conf')
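Review bot: `TrustAnchorFile /usr/share/dns/root.key` and the `/run/opendkim/` paths used by `Socket` and `PidFile` are carried over from the Debian package layout, where the dns-root-data package and the service unit provide them, but this file is added standalone and nothing on the page shows that the trust anchor or the runtime directory exists in the target environment. If `/usr/share/dns/root.key` is absent, the DNSSEC validation this option is meant to enable will not be in effect (whether opendkim then refuses to start should be confirmed against opendkim.conf(5)), and `/run/opendkim/` has to exist and be writable by the `UserID opendkim` account before the socket and pid file can be created. A comment such as `# Requires the dns-root-data trust anchor and a /run/opendkim directory owned by opendkim` above `TrustAnchorFile` would make those prerequisites visible to whoever builds the image. Separately, `InternalHosts` stays at its default of 127.0.0.1, so only mail the MTA reports as coming from localhost is signed; any other submission source will normally be verified rather than signed unless it is listed here.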
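Review bot: The three context comment lines above the new `Domain`/`Selector`/`KeyFile` settings still describe the Debian example (`example.com`, selector `2020`, `/etc/dkimkeys/example.private`), which no longer matches the values this hunk sets, so the comment should be rewritten to say that `ENV_VIRTUAL_DOMAINS` is replaced at start-up with a comma-separated domain list (no whitespace, as the commit message notes), that the selector is fixed to `default`, and that the key is read from `/opendkim/default.private`. Pinning the selector to `default` also means a key rotation has to replace the file and the `default._domainkey` DNS record in lockstep, and mail already in transit signed with the old key fails verification once the record changes; exposing the selector through the same placeholder mechanism would allow the usual publish-new-selector-then-switch rotation. The key file is read as `UserID opendkim`, and opendkim by default refuses a private key that is readable by group or others (`RequireSafeKeys`), so the volume-mounted file's ownership and mode need to match — worth a line in the same comment, e.g. `# /opendkim/default.private must be owned by opendkim and not group/world readable`.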
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 39072d2..5a23836 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
@@ -34,11 +34,7 @@ UMask 007
 # it must be ensured that the socket is accessible. In Debian, Postfix runs in
 # a chroot in /var/spool/postfix, therefore a Unix socket would have to be
 # configured as shown on the last line below.
-Socket local:/run/opendkim/opendkim.sock
-#Socket inet:8891@localhost
-#Socket inet:8891
-#Socket local:/var/spool/postfix/opendkim/opendkim.sock
-
+Socket local:/opendkim/opendkim.sock
 PidFile /run/opendkim/opendkim.pid
 
 # Hosts for which to sign rather than verify, default is 127.0.0.1. See the
-- 
cgit v1.2.3
From add7158e2817dbfbf4d46766dd4200061416d05b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Fri, 5 Jul 2024 05:47:06 -0400
Subject: opendkim: Disable syslog

Signed-off-by: Malfurious
---
 opendkim/opendkim.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'opendkim/opendkim.conf')
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
index 5a23836..11e1ec6 100644
--- a/opendkim/opendkim.conf
+++ b/opendkim/opendkim.conf
@@ -3,8 +3,8 @@
 # /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
 # documentation of available configuration parameters.
 
-Syslog yes
-SyslogSuccess yes
+Syslog no
+SyslogSuccess no
 #LogWhy no
 
 # Common signing and verification parameters. In Debian, the "From" header is
-- 
cgit v1.2.3
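Review bot: The retained comment block above the new `Socket` line still ends with `configured as shown on the last line below`, but the commented example socket lines it refers to are removed in this hunk, so the comment now points at nothing and the Debian chroot explanation no longer describes `local:/opendkim/opendkim.sock`. Replace the chroot sentences with something like `# Milter socket for Postfix, created under /opendkim (presumably the same volume as the key);` / `# the directory must be reachable from the Postfix side (bind it into the chroot if` / `# Postfix runs chrooted) and group-accessible, which is what UMask 007 above is for.` The hunk also drops the blank line that separated `Socket` from `PidFile`, so the socket and pid-file settings now read as one group; keeping that blank line preserves the file's section layout.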
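Review bot: `Syslog no` turns off all of opendkim's logging, not only the per-message success lines that `SyslogSuccess` governs, so key-load failures, socket errors, DNS/DNSSEC lookup problems and verification failures all become invisible; that removes the main signal an operator has for noticing a broken signing setup or investigating a spoofing incident. If the aim is to cut noise, keep `Syslog yes` and change only `SyslogSuccess yes` to `SyslogSuccess no`. If the aim is that the container has no syslog daemon, the commit message or a comment on this line should say so and where errors are expected to surface instead, e.g. `# Syslog disabled: no syslog daemon in this container; rely on the MTA's milter error logging` (after confirming the MTA side actually logs milter failures).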