Add DKIM support (huan#83)

* Add DKIM support * 1.2.11 Co-authored-by: Huan (李卓桓) <zixia@zixia.net>
haratosan · Jan 26, 2021 · 1b7b051 · 1b7b051
1 parent 79f8201
commit 1b7b051
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -40,10 +40,11 @@ RUN /app/install-s6-overlay.sh "$S6_VERSION"
 COPY install/main.dist.cf /etc/postfix/main.cf
 COPY install/master.dist.cf /etc/postfix/master.cf
 COPY install/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY install/opendkim.conf /etc/opendkim/opendkim.conf
 
 RUN cat /dev/null > /etc/postfix/aliases && newaliases \
     && echo simple-mail-forwarder.com > /etc/hostname \
-    \
+    && mkdir -p /run/opendkim && chown opendkim:opendkim /run/opendkim \
     && echo test | saslpasswd2 -p test@test.com \
     && chown postfix /etc/sasl2/sasldb2 \
     && saslpasswd2 -d test@test.com
@@ -61,6 +62,9 @@ RUN bash -n /etc/services.d/postfix/run && chmod +x /etc/services.d/postfix/run
 COPY install/syslog-ng.sh /etc/services.d/syslog-ng/run
 RUN bash -n /etc/services.d/syslog-ng/run && chmod +x /etc/services.d/syslog-ng/run
 
+COPY install/opendkim.sh /etc/services.d/opendkim/run
+RUN bash -n /etc/services.d/opendkim/run && chmod +x /etc/services.d/opendkim/run
+
 COPY entrypoint.sh /entrypoint.sh
 RUN bash -n /entrypoint.sh && chmod a+x /entrypoint.sh
 

diff --git a/README.md b/README.md
@@ -226,6 +226,17 @@ If you do not have a certificate and don't have the budget to afford one, you ca
 
 > This was a quick way of how to use letsencrypt. For a full tutorial based on your OS see: <a href="https://certbot.eff.org/" tareget="_blank">https://certbot.eff.org/</a>
 
+DKIM
+--------------------
+
+SMF generates private/public keypair for `$SMF_DOMAIN` and stores them in `/var/db/dkim/`. Public key must be set as TXT record in DNS under `default._domainkey` name.
+`default._domainkey` can be found in `/var/db/dkim/default.txt`.
+
+It is highly advised to mount `/var/db/dkim/` folder to host, so generated keypair would not get lost/regenerated:
+```
+docker run -e SMF_CONFIG="$SMF_CONFIG" -p 25:25 -v $(pwd)/dkim:/var/db/dkim/ zixia/simple-mail-forwarder
+```
+
 Helper Scripts
 --------------------
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.3.1
+1.3.2
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -189,6 +189,22 @@ function start_postfix {
     fi
 
     postfix start
+
+
+    # DKIM
+    if [ ! -f /var/db/dkim/default.private ]; then
+        mkdir -p /var/db/dkim
+        echo "OpenDKIM: Keys not found, generating..."
+        opendkim-genkey -b 2048 -d $HOSTNAME -D /var/db/dkim/ -s default -v
+
+        chmod 400 /var/db/dkim/default.private
+        chown opendkim:opendkim /var/db/dkim/default.private
+
+        echo "OpenDKIM: Add TXT record to DNS:"
+        cat /var/db/dkim/default.txt
+    fi
+
+    sed -n -e '/^Domain\s/!p' -e '$aDomain '$HOSTNAME -i /etc/opendkim/opendkim.conf
 }
 
 #

diff --git a/install/main.dist.cf b/install/main.dist.cf
@@ -743,3 +743,9 @@ smtpd_tls_exclude_ciphers =
 smtp_tls_security_level = may
 
 message_size_limit = 40960000
+
+#Setup DKIM
+milter_protocol = 2
+milter_default_action = accept
+smtpd_milters = unix:/run/opendkim/opendkim.sock
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock
diff --git a/install/opendkim.conf b/install/opendkim.conf
@@ -0,0 +1,17 @@
+UserID                  opendkim:opendkim
+BaseDirectory           /run/opendkim
+
+Socket local:/run/opendkim/opendkim.sock
+UMask 000
+PidFile /run/opendkim/opendkim.pid
+
+Syslog                  Yes
+SyslogSuccess           Yes
+
+Mode                    sv
+Canonicalization        relaxed/simple
+
+# Domain will be replaced at startup with $SMF_DOMAIN
+Domain			simple-mail-forwarder.com
+KeyFile			/var/db/dkim/default.private
+Selector		default
diff --git a/install/opendkim.sh b/install/opendkim.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
+export PATH
+
+# run OpenDKIM
+/usr/sbin/opendkim -f -l -x /etc/opendkim/opendkim.conf
+
+ret=$?
+sleep 1
+exit $ret
diff --git a/script/build.sh b/script/build.sh
@@ -35,7 +35,7 @@ GIT_LOG='`git log -1 --format=%s`'
 _EOF
 
 CMD1="docker build -t ${IMAGE_NAME}${TAG} ."
-CMD2="docker run --rm --name $NAME ${IMAGE_NAME}${TAG} test"
+CMD2="docker run --rm -e SKIP_TEST='DKIM' --name $NAME ${IMAGE_NAME}${TAG} test"
 
 echo ">> Run $CMD1"
 $CMD1

diff --git a/test/simple-mail-forwarder.bats b/test/simple-mail-forwarder.bats
@@ -68,7 +68,7 @@
 }
 
 @test "confirm port 25 is open" {
-    run netstat -nlt 
+    run netstat -nlt
     [ $status = 0 ]
     [[ $output =~ ":25 " ]]
 }
@@ -172,3 +172,12 @@
         )
     [[ $output =~ "535 5.7.8 Error: authentication failed: authentication failure" ]]
 }
+
+@test "test DKIM keys" {
+    if [[ "$SKIP_TEST" == *"DKIM"*  ]]; then
+        skip "This test will fail on docker build workflow"
+    fi
+    opendkim-testkey -d $SMF_DOMAIN -s default -vvv
+
+    [ $? -eq 0 ]
+}