From 5176ac03b56e955bd680c67f81a510bc766698ae Mon Sep 17 00:00:00 2001
From: bilak
Date: Wed, 20 Jan 2016 16:41:34 +0100
Subject: [PATCH 1/2] - added DKIM support

---
 .gitignore | 1 +
 Dockerfile | 13 ++++++++-
 Makefile | 8 +++++-
 README.md | 3 ++
 postfix/TrustedHosts | 2 ++
 postfix/default-opendkim | 12 ++++++++
 postfix/main.cf | 5 ++++
 postfix/opendkim.conf | 21 ++++++++++++++
 start-mailserver.sh | 62 +++++++++++++++++++++++++++++++++++-----
 9 files changed, 118 insertions(+), 9 deletions(-)
 create mode 100644 postfix/TrustedHosts
 create mode 100644 postfix/default-opendkim
 create mode 100644 postfix/opendkim.conf

diff --git a/.gitignore b/.gitignore
index 1ad63838..b7eb58c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 docker-compose.yml
 postfix/ssl/*
 letsencrypt/
+.idea
diff --git a/Dockerfile b/Dockerfile
index 5f53147d..31394985 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,10 @@ MAINTAINER Thomas VIAL
 # Packages
 RUN apt-get update -q --fix-missing
 RUN apt-get -y upgrade
-RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \
+ courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \
+ pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \
+ opendkim opendkim-tools
 RUN apt-get autoclean && rm -rf /var/lib/apt/lists/*
 
 # Configures Saslauthd
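Review bot: The package list that now carries `opendkim opendkim-tools` is installed from an index fetched by a separate `RUN apt-get update` layer two instructions earlier, so whenever only this line changes the install runs against whatever cached index that older layer produced — possibly weeks old — and can fail or pull superseded packages; the separate `apt-get -y upgrade` layer has the same problem. The conventional fix is one layer that updates, installs and removes the lists together, and since new packages are being added this is also the moment to stop pulling in recommended extras: `RUN apt-get update -q --fix-missing && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install vim postfix … netcat opendkim opendkim-tools && rm -rf /var/lib/apt/lists/*`. No package version is pinned, so two builds of this Dockerfile can yield different opendkim versions; if reproducibility matters, pin at least the packages this patch depends on.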
@@ -30,6 +33,14 @@ RUN chmod 644 /etc/clamav/freshclam.conf
 RUN (crontab -l ; echo "0 1 * * * /usr/bin/freshclam --quiet") | sort - | uniq - | crontab -
 RUN freshclam
 
+# Configure DKIM (opendkim)
+RUN mkdir -p /etc/opendkim/keys
+ADD postfix/TrustedHosts /etc/opendkim/TrustedHosts
+# DKIM config files
+ADD postfix/opendkim.conf /etc/opendkim.conf
+ADD postfix/default-opendkim /etc/default/opendkim
+
+
 # Configures Postfix
 ADD postfix/main.cf /etc/postfix/main.cf
 ADD postfix/master.cf /etc/postfix/master.cf
diff --git a/Makefile b/Makefile
index a019057e..0d420a4e 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,13 @@ run:
 cp test/accounts.cf postfix/
 cp test/virtual postfix/
 # Run container
- docker run -d --name mail -v "`pwd`/postfix":/tmp/postfix -v "`pwd`/spamassassin":/tmp/spamassassin -v "`pwd`/test":/tmp/test -h mail.my-domain.com -t $(NAME):$(VERSION)
+ docker run -d --name mail \
+ -v "`pwd`/postfix":/tmp/postfix \
+ -v "`pwd`/spamassassin":/tmp/spamassassin \
+ -v "`pwd`/test":/tmp/test \
+ -h mail.my-domain.com \
+ -e domainname=my-domain.com \
+ -t $(NAME):$(VERSION)
 sleep 25
 
 prepare:
diff --git a/README.md b/README.md
index 8bc438f4..69649dae 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Includes:
 - amavis
 - spamassasin
 - clamav with automatic updates
+- opendkim
 
 Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-mail-server-with-docker/)
 
@@ -29,6 +30,7 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
 - ssl is strongly recommended, read [SSL.md](SSL.md) to use LetsEncrypt or Self-Signed Certificates
 - [includes integration tests](https://travis-ci.org/tomav/docker-mailserver)
 - [builds automated on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/)
+- dkim public key will be echoed to log. If you have your previous configuration, you cant mount volume with it `-v "$(pwd)/opendkim":/etc/opendkim"`
 
 ## installation
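Review bot: The three new configuration files are brought into the image with `ADD`, which for a local path behaves like `COPY` but additionally auto-extracts archives and accepts URLs, so a later edit to one of these source paths can change meaning silently; `COPY` is the explicit instruction for plain files. I would write `COPY postfix/TrustedHosts /etc/opendkim/TrustedHosts`, `COPY postfix/opendkim.conf /etc/opendkim.conf` and `COPY postfix/default-opendkim /etc/default/opendkim` (the `# Configures Postfix` lines below have the same issue but are not new here). The build-time `RUN mkdir -p /etc/opendkim/keys` is duplicated by the `mkdir -p` the start script performs on every boot and adds a layer for an empty directory; if it is kept, a one-line comment saying it only exists so the path is present before the volume mount would make that intent clear.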
@@ -46,6 +48,7 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
 -v "$(pwd)/letsencrypt/etc":/etc/letsencrypt \
 -p "25:25" -p "143:143" -p "587:587" -p "993:993" \
 -e DMS_SSL=letsencrypt \
+ -e domainname=domain.com \
 -h mail.domain.com \
 -t tvial/docker-mailserver
 
diff --git a/postfix/TrustedHosts b/postfix/TrustedHosts
new file mode 100644
index 00000000..0587f890
--- /dev/null
+++ b/postfix/TrustedHosts
@@ -0,0 +1,2 @@
+127.0.0.1
+localhost
\ No newline at end of file
diff --git a/postfix/default-opendkim b/postfix/default-opendkim
new file mode 100644
index 00000000..20ead7e4
--- /dev/null
+++ b/postfix/default-opendkim
@@ -0,0 +1,12 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
+#SOCKET="inet:54321" # listen on all interfaces on port 54321
+#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
+#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
+
+SOCKET="inet:12301@localhost"
\ No newline at end of file
diff --git a/postfix/main.cf b/postfix/main.cf
index 32ba810e..8c3ce2fd 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -59,3 +59,8 @@ virtual_gid_maps = static:5000
 # Additional option for filtering
 content_filter = smtp-amavis:[127.0.0.1]:10024
 
+# Milters used by DKIM
+milter_protocol = 2
+milter_default_action = accept
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
diff --git a/postfix/opendkim.conf b/postfix/opendkim.conf
new file mode 100644
index 00000000..05c9d340
--- /dev/null
+++ b/postfix/opendkim.conf
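Review bot: This file is referenced from opendkim.conf (same patch) as both `InternalHosts` and `ExternalIgnoreList` with the `refile:` prefix, which makes every line a regular expression, so `127.0.0.1` also matches addresses such as `127x0x0x1`; for literal host entries the plain `file:` prefix, or `127\.0\.0\.1`, states what is meant. More importantly, only loopback is listed, so under `Mode sv` only connections arriving from 127.0.0.1/localhost are treated as internal and signed: a message a user submits on port 587 arrives from the Docker bridge address and, unless this opendkim build treats SASL-authenticated sessions as internal (I cannot confirm that from the diff), would be verified rather than signed. Because amavis hands mail back to Postfix over loopback, signing may still happen on that second pass, but that path is not visible here — an end-to-end test with an authenticated client, and a comment in this file stating which hop is expected to sign, would settle it.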
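Review bot: `milter_default_action = accept` means that if opendkim is down, crashes, or has not bound its socket yet when Postfix starts, every message is accepted without being signed or verified and only a log line records it — outbound mail from this host silently leaves without a DKIM signature. For a server whose purpose is to sign, `milter_default_action = tempfail` is the safer default: remote senders retry and submission clients get a temporary error instead of a quietly unsigned message. `milter_protocol = 2` is older than what current Postfix negotiates on its own; it works, but I cannot tell from the diff why it was chosen, so a comment giving the reason would help the next maintainer. Since `smtpd_milters` is global, the amavis re-injection listener defined in master.cf (not in this diff) will also run the milter unless it overrides `smtpd_milters=` there; worth checking that messages are not signed or verified twice.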
@@ -0,0 +1,21 @@
+AutoRestart Yes
+AutoRestartRate 10/1h
+UMask 002
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
+
+Canonicalization relaxed/simple
+
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+
+Mode sv
+PidFile /var/run/opendkim/opendkim.pid
+SignatureAlgorithm rsa-sha256
+
+UserID opendkim:opendkim
+
+Socket inet:12301@localhost
\ No newline at end of file
diff --git a/start-mailserver.sh b/start-mailserver.sh
index 8edb783b..042bb764 100644
--- a/start-mailserver.sh
+++ b/start-mailserver.sh
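Review bot: The signing policy has no `OversignHeaders`, so a message signed here can be replayed with an extra `From:` or `Subject:` header prepended and the signature still verifies on verifiers that do not reject duplicate headers, because the `h=` list covers only the header instances present at signing time (RFC 6376 §8.15 describes this). Add `OversignHeaders From` — commonly `From,Subject,Date` — so a later addition of those headers breaks the signature. `UMask 002` makes every file opendkim creates group-writable, which nothing here needs; `UMask 007` keeps the socket and pid file usable by the opendkim group without that. `Socket inet:12301@localhost` is also set in /etc/default/opendkim by this same patch, and that file's own comment says it overrides this value; keeping the socket in one place avoids the two drifting apart.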
@@ -1,10 +1,55 @@
-#!/bin/sh
+#!/bin/bash
 
 die () {
 echo >&2 "$@"
 exit 1
 }
 
+# DKIM Setup
+mkdir -p /etc/opendkim/keys/$domainname
+if [ ! -f "/etc/opendkim/keys/$domainname/mail.private" ]; then
+ echo "Creating DKIM private key /etc/opendkim/keys/$domainname/mail.private"
+ pushd /etc/opendkim/keys/$domainname
+ opendkim-genkey --subdomains --domain=$domainname --selector=mail
+ popd
+ echo ""
+ echo "DKIM PUBLIC KEY ################################################################"
+ cat /etc/opendkim/keys/$domainname/mail.txt
+ echo "################################################################################"
+fi
+# Write to KeyTable if necessary
+if [ ! -f "/etc/opendkim/KeyTable" ]; then
+ echo "Creating DKIM KeyTable"
+ echo "mail._domainkey.$domainname $domainname:mail:/etc/opendkim/keys/$domainname/mail.private" > /etc/opendkim/KeyTable
+fi
+# Write to SigningTable if necessary
+if [ ! -f "/etc/opendkim/SigningTable" ]; then
+ echo "Creating DKIM SigningTable"
+ echo "*@$domainname mail._domainkey.$domainname" > /etc/opendkim/SigningTable
+fi
+echo "Changing permissions on /etc/opendkim"
+# chown entire directory
+chown -R opendkim:opendkim /etc/opendkim/
+# And make sure permissions are right
+chmod -R 0700 /etc/opendkim/keys/
+
+# Opendkim:
+echo ""
+echo "opendkim.conf"
+cat /etc/opendkim.conf
+echo ""
+echo "TrustedHosts"
+cat /etc/opendkim/TrustedHosts
+echo ""
+echo "SigningTable"
+cat /etc/opendkim/SigningTable
+echo ""
+echo "KeyTable"
+cat /etc/opendkim/KeyTable
+echo ""
+
+
+
 if [ -f /tmp/postfix/accounts.cf ]; then
 echo "Regenerating postfix 'vmailbox' and 'virtual' for given users"
 echo "# WARNING: this file is auto-generated. Modify accounts.cf in postfix directory on host" > /etc/postfix/vmailbox
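Review bot: `$domainname` is read from the environment but never checked, so when the variable is unset (the Makefile and README are updated to pass it, nothing enforces it) `mkdir -p /etc/opendkim/keys/` succeeds, `opendkim-genkey --domain=` is run for an empty domain, and KeyTable/SigningTable receive entries like `mail._domainkey. :mail:/etc/opendkim/keys//mail.private` that opendkim will load without complaint and never match; the `die` helper defined just above is the natural guard: `[ -n "$domainname" ] || die "domainname environment variable is not set"`. Every expansion of `$domainname` in this block is also unquoted, so a value with whitespace splits the `mkdir`, `pushd` and `--domain=` arguments differently; quoting them (`"/etc/opendkim/keys/$domainname"`) is cheap. Dumping `/etc/opendkim.conf` and the tables to stdout on every start is noisy rather than harmful, but a short comment saying it is intentional debugging output would stop someone from treating it as a leak.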
@@ -66,7 +111,7 @@ case $DMS_SSL in
 sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf
 
 # Courier configuration
- cat /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/letsencrypt/live/$(hostname)/cert.pem > /etc/letsencrypt/live/$(hostname)/combined.pem
+ cat "/etc/letsencrypt/live/$(hostname)/privkey.pem" "/etc/letsencrypt/live/$(hostname)/cert.pem" > "/etc/letsencrypt/live/$(hostname)/combined.pem"
 sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/'$(hostname)'\/combined.pem/g' /etc/courier/imapd-ssl
 
 echo "SSL configured with letsencrypt certificates"
@@ -75,15 +120,15 @@ case $DMS_SSL in
 
 "self-signed" )
 # Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
- if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
+ if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
 && [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \
 && [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
 && [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
 echo "Adding $(hostname) SSL certificate"
 mkdir -p /etc/postfix/ssl
- cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
- cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl
- cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl
+ cp "/tmp/postfix/ssl/$(hostname)-cert.pem" /etc/postfix/ssl
+ cp "/tmp/postfix/ssl/$(hostname)-key.pem" /etc/postfix/ssl
+ cp "/tmp/postfix/ssl/$(hostname)-combined.pem" /etc/postfix/ssl
 cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
 
 # Postfix configuration
@@ -91,10 +136,12 @@ case $DMS_SSL in
 sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
 sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
 sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
- ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
+ ln -s /etc/postfix/ssl/cacert.pem "/etc/ssl/certs/cacert-$(hostname).pem"
 
 # Courier configuration
 sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
+
+ echo "SSL configured with self-signed/custom certificates"
 fi
 ;;
 
@@ -126,6 +173,7 @@ cron
 /etc/init.d/spamassassin start
 /etc/init.d/clamav-daemon start
 /etc/init.d/amavis start
+/etc/init.d/opendkim start
 /etc/init.d/postfix start
 
 echo "Listing SASL users"
From 426f87d916c0c95747d603270984d40fc468a1f4 Mon Sep 17 00:00:00 2001
From: bilak
Date: Sat, 23 Jan 2016 18:38:21 +0100
Subject: [PATCH 2/2] - reworked dkim (configuring for all domains based on postfix/vhost)

---
 Makefile | 1 -
 README.md | 3 +-
 start-mailserver.sh | 87 ++++++++++++++++++++++-----------------
 3 files changed, 43 insertions(+), 48 deletions(-)

diff --git a/Makefile b/Makefile
index 0d420a4e..521d87e9 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,6 @@ run:
 -v "`pwd`/spamassassin":/tmp/spamassassin \
 -v "`pwd`/test":/tmp/test \
 -h mail.my-domain.com \
- -e domainname=my-domain.com \
 -t $(NAME):$(VERSION)
 sleep 25
 
diff --git a/README.md b/README.md
index 69649dae..9e969aa0 100644
--- a/README.md
+++ b/README.md
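Review bot: The exit status of the new `/etc/init.d/opendkim start` is ignored, and because main.cf in this same patch sets `milter_default_action = accept`, an opendkim that fails to start (bad key permissions, a table it cannot parse) does not stop Postfix from starting and accepting mail unsigned — the failure shows up only as missing signatures at the receiving end. Starting it before postfix is the right order; I would just fail loudly with the helper the script already has: `/etc/init.d/opendkim start || die "opendkim failed to start"`. The same pattern would suit the other daemons in this list, but that is outside the change.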
@@ -30,7 +30,7 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
 - ssl is strongly recommended, read [SSL.md](SSL.md) to use LetsEncrypt or Self-Signed Certificates
 - [includes integration tests](https://travis-ci.org/tomav/docker-mailserver)
 - [builds automated on docker hub](https://hub.docker.com/r/tvial/docker-mailserver/)
-- dkim public key will be echoed to log. If you have your previous configuration, you cant mount volume with it `-v "$(pwd)/opendkim":/etc/opendkim"`
+- dkim public key will be echoed to log. If you have your previous configuration, you can mount volume with it `-v "$(pwd)/opendkim":/etc/opendkim"`
 
 ## installation
 
@@ -48,7 +48,6 @@ Why I created this image: [Simple mail server with Docker](http://tvi.al/simple-
 -v "$(pwd)/letsencrypt/etc":/etc/letsencrypt \
 -p "25:25" -p "143:143" -p "587:587" -p "993:993" \
 -e DMS_SSL=letsencrypt \
- -e domainname=domain.com \
 -h mail.domain.com \
 -t tvial/docker-mailserver
 
diff --git a/start-mailserver.sh b/start-mailserver.sh
index 042bb764..e470141b 100644
--- a/start-mailserver.sh
+++ b/start-mailserver.sh
@@ -5,51 +5,6 @@ die () {
 exit 1
 }
 
-# DKIM Setup
-mkdir -p /etc/opendkim/keys/$domainname
-if [ ! -f "/etc/opendkim/keys/$domainname/mail.private" ]; then
- echo "Creating DKIM private key /etc/opendkim/keys/$domainname/mail.private"
- pushd /etc/opendkim/keys/$domainname
- opendkim-genkey --subdomains --domain=$domainname --selector=mail
- popd
- echo ""
- echo "DKIM PUBLIC KEY ################################################################"
- cat /etc/opendkim/keys/$domainname/mail.txt
- echo "################################################################################"
-fi
-# Write to KeyTable if necessary
-if [ ! -f "/etc/opendkim/KeyTable" ]; then
- echo "Creating DKIM KeyTable"
- echo "mail._domainkey.$domainname $domainname:mail:/etc/opendkim/keys/$domainname/mail.private" > /etc/opendkim/KeyTable
-fi
-# Write to SigningTable if necessary
-if [ ! -f "/etc/opendkim/SigningTable" ]; then
- echo "Creating DKIM SigningTable"
- echo "*@$domainname mail._domainkey.$domainname" > /etc/opendkim/SigningTable
-fi
-echo "Changing permissions on /etc/opendkim"
-# chown entire directory
-chown -R opendkim:opendkim /etc/opendkim/
-# And make sure permissions are right
-chmod -R 0700 /etc/opendkim/keys/
-
-# Opendkim:
-echo ""
-echo "opendkim.conf"
-cat /etc/opendkim.conf
-echo ""
-echo "TrustedHosts"
-cat /etc/opendkim/TrustedHosts
-echo ""
-echo "SigningTable"
-cat /etc/opendkim/SigningTable
-echo ""
-echo "KeyTable"
-cat /etc/opendkim/KeyTable
-echo ""
-
-
-
 if [ -f /tmp/postfix/accounts.cf ]; then
 echo "Regenerating postfix 'vmailbox' and 'virtual' for given users"
 echo "# WARNING: this file is auto-generated. Modify accounts.cf in postfix directory on host" > /etc/postfix/vmailbox
@@ -101,6 +56,48 @@ echo "Postfix configurations"
 touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
 touch /etc/postfix/virtual && postmap /etc/postfix/virtual
 
+# DKIM
+grep -vE '^(\s*$|#)' /etc/postfix/vhost | while read domainname; do
+ mkdir -p /etc/opendkim/keys/$domainname
+ if [ ! -f "/etc/opendkim/keys/$domainname/mail.private" ]; then
+ echo "Creating DKIM private key /etc/opendkim/keys/$domainname/mail.private"
+ pushd /etc/opendkim/keys/$domainname
+ opendkim-genkey --subdomains --domain=$domainname --selector=mail
+ popd
+ echo ""
+ echo "DKIM PUBLIC KEY ################################################################"
+ cat /etc/opendkim/keys/$domainname/mail.txt
+ echo "################################################################################"
+ fi
+ # Write to KeyTable if necessary
+ keytableentry="mail._domainkey.$domainname $domainname:mail:/etc/opendkim/keys/$domainname/mail.private"
+ if [ ! -f "/etc/opendkim/KeyTable" ]; then
+ echo "Creating DKIM KeyTable"
+ echo "mail._domainkey.$domainname $domainname:mail:/etc/opendkim/keys/$domainname/mail.private" > /etc/opendkim/KeyTable
+ else
+ if ! grep -q "$keytableentry" "/etc/opendkim/KeyTable" ; then
+ echo $keytableentry >> /etc/opendkim/KeyTable
+ fi
+ fi
+ # Write to SigningTable if necessary
+ signingtableentry="*@$domainname mail._domainkey.$domainname"
+ if [ ! -f "/etc/opendkim/SigningTable" ]; then
+ echo "Creating DKIM SigningTable"
+ echo "*@$domainname mail._domainkey.$domainname" > /etc/opendkim/SigningTable
+ else
+ if ! grep -q "$signingtableentry" "/etc/opendkim/SigningTable" ; then
+ echo $signingtableentry >> /etc/opendkim/SigningTable
+ fi
+ fi
+done
+
+echo "Changing permissions on /etc/opendkim"
+# chown entire directory
+chown -R opendkim:opendkim /etc/opendkim/
+# And make sure permissions are right
+chmod -R 0700 /etc/opendkim/keys/
+
+
 # SSL Configuration
 case $DMS_SSL in
 "letsencrypt" )
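Review bot: `opendkim-genkey` is called without `-b`, so each domain's signing key gets the tool's default length — 1024 bits for the opendkim-tools of this era, which is worth confirming with `opendkim-genkey -h` in the built image — whereas 2048 bits is the current recommendation (RFC 8301 makes 1024 the floor and requires verifiers to handle 2048): `opendkim-genkey -b 2048 --subdomains --domain="$domainname" --selector=mail`. The duplicate checks `grep -q "$keytableentry"` and `grep -q "$signingtableentry"` treat the entry as an unanchored regular expression in which every `.` matches any character, so they can report a near-miss entry as present and skip writing the correct one; a fixed-string whole-line match is what is meant: `if ! grep -qxF -- "$keytableentry" /etc/opendkim/KeyTable; then`. Every `$domainname` read from /etc/postfix/vhost (generated earlier in the script, outside this hunk) is expanded unquoted, so a line with trailing whitespace or a CR produces paths that differ from the table entries; quoting the expansions avoids that. Finally, the private keys generated here live in the container's own filesystem, so unless `/etc/opendkim` is mounted as a volume (the README mentions it) a recreated container silently mints new keys and the DNS record published from the earlier `mail.txt` stops matching — a comment above the loop, or a warning printed when the directory is not a mount point, would save someone a confusing outage.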