From e4274ef113931d7241cec6534494b7fc17de2a6d Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Thu, 11 May 2023 18:08:54 +0200 Subject: [PATCH] docs: improve Rspamd docs about DKIM signing of multiple domains (#3329) * improve Rspamd docs See #3326 & #3328 * improve warning message See #3328 --- .../config/best-practices/dkim_dmarc_spf.md | 20 ++++++++----------- .../startup/setup.d/security/rspamd.sh | 4 ++-- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/docs/content/config/best-practices/dkim_dmarc_spf.md b/docs/content/config/best-practices/dkim_dmarc_spf.md index 0db4150a..3fece48b 100644 --- a/docs/content/config/best-practices/dkim_dmarc_spf.md +++ b/docs/content/config/best-practices/dkim_dmarc_spf.md @@ -109,6 +109,10 @@ DKIM is currently supported by either OpenDKIM or Rspamd: will execute the helper script with default parameters. + ??? warning "Using Multiple Domains" + + Unlike the current script for OpenDKIM, the Rspamd script will **not** create keys for all domains DMS is managing, but only for the one it assumes to be the main domain (derived from DMS' domain name). Moreover, the default `dkim_signing.conf` configuration file that DMS ships will also only contain one domain. If you have multiple domains, you need to run the command `docker exec -ti setup config dkim domain ` multiple times to create all the keys for all domains, and then provide a custom `dkim_signing.conf` (for which an example is shown below). + !!! info "About the Helper Script" The script will persist the keys in `/tmp/docker-mailserver/rspamd/dkim/`. Hence, if you are already using the default volume mounts, the keys are persisted in a volume. The script also restarts Rspamd directly, so changes take effect without restarting DMS. 
@@ -148,24 +152,16 @@ DKIM is currently supported by either OpenDKIM or Rspamd: As shown next: - - You can add more domains into the `domain { ... }` section. - - A domain can also be configured with multiple selectors and keys within a `selectors [ ... ]` array. + - You can add more domains into the `domain { ... }` section (in the following example: `example.com` and `example.org`). + - A domain can also be configured with multiple selectors and keys within a `selectors [ ... ]` array (in the following example, this is done for `example.org`). ```cf # ... domain { example.com { - selectors [ - { - path = "/tmp/docker-mailserver/rspamd/dkim/example.com/rsa.private"; - selector = "dkim-rsa"; - }, - { - path = /tmp/docker-mailserver/rspamd/example.com/ed25519.private"; - selector = "dkim-ed25519"; - } - ] + path = /tmp/docker-mailserver/rspamd/example.com/ed25519.private"; + selector = "dkim-ed25519"; } example.org { selectors [ diff --git a/target/scripts/startup/setup.d/security/rspamd.sh b/target/scripts/startup/setup.d/security/rspamd.sh index e171736a..4ddb82ca 100644 --- a/target/scripts/startup/setup.d/security/rspamd.sh +++ b/target/scripts/startup/setup.d/security/rspamd.sh @@ -78,11 +78,11 @@ function __rspamd__run_early_setup_and_checks if [[ -d ${RSPAMD_DMS_OVERRIDE_D} ]] then __rspamd__log 'debug' "Found directory '${RSPAMD_DMS_OVERRIDE_D}' - linking it to '${RSPAMD_OVERRIDE_D}'" - if rmdir "${RSPAMD_OVERRIDE_D}" + if rmdir "${RSPAMD_OVERRIDE_D}" 2>/dev/null then ln -s "${RSPAMD_DMS_OVERRIDE_D}" "${RSPAMD_OVERRIDE_D}" else - __rspamd__log 'warn' "Could not remove '${RSPAMD_OVERRIDE_D}' (not empty?) - not linking '${RSPAMD_DMS_OVERRIDE_D}'" + __rspamd__log 'warn' "Could not remove '${RSPAMD_OVERRIDE_D}' (not empty? not a directory?; did you restart properly?) - not linking '${RSPAMD_DMS_OVERRIDE_D}'" fi fi
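Review bot: The added `2>/dev/null` on `rmdir "${RSPAMD_OVERRIDE_D}"` discards the one message that says why the removal failed, so the new warning can only guess ("not empty? not a directory?"). When this branch is taken the override directory is not linked and startup appears to continue, so Rspamd would presumably run without the operator's overrides and the log is the only place to learn the cause. Consider capturing the error instead of dropping it, e.g. `if RMDIR_ERR=$(rmdir "${RSPAMD_OVERRIDE_D}" 2>&1)` with `RMDIR_ERR` declared `local`, and appending `(${RMDIR_ERR})` to the warning text. The restart case the message hints at could also be handled explicitly by checking `[[ -L ${RSPAMD_OVERRIDE_D} ]]` before calling `rmdir`, so an existing link is not reported as a failure. The body of `__rspamd__run_early_setup_and_checks` starts outside this hunk, so whether the function already declares such locals is not visible here.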