diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 35533b8..994a363 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf @@ -12,18 +12,19 @@ namespace inbox { inbox = yes separator = . mailbox Drafts { + auto = subscribe special_use = \Drafts } mailbox Junk { + auto = create special_use = \Junk } mailbox Trash { + auto = subscribe special_use = \Trash } mailbox Sent { - special_use = \Sent - } - mailbox "Sent Messages" { + auto = subscribe special_use = \Sent } } diff --git a/bundles/dovecot/items.py b/bundles/dovecot/items.py index 5738cf0..86c1105 100644 --- a/bundles/dovecot/items.py +++ b/bundles/dovecot/items.py @@ -17,7 +17,7 @@ users['vmail'] = { 'home': '/var/vmail', 'needs': [ 'group:vmail', - ] + ], } files = { diff --git a/bundles/dovecot/metadata.py b/bundles/dovecot/metadata.py index cc921f3..feb27ef 100644 --- a/bundles/dovecot/metadata.py +++ b/bundles/dovecot/metadata.py @@ -1,5 +1,3 @@ -from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { diff --git a/bundles/mailserver/items.py b/bundles/mailserver/items.py index a898dc8..3403575 100644 --- a/bundles/mailserver/items.py +++ b/bundles/mailserver/items.py @@ -1,4 +1,5 @@ assert node.has_bundle('postfix') +assert node.has_bundle('opendkim') assert node.has_bundle('dovecot') assert node.has_bundle('letsencrypt') assert node.has_bundle('roundcube') diff --git a/bundles/opendkim/files/key_table b/bundles/opendkim/files/key_table new file mode 100644 index 0000000..d669afe --- /dev/null +++ b/bundles/opendkim/files/key_table @@ -0,0 +1,3 @@ +% for domain in domains: +mail._domainkey.${domain} ${domain}:mail:/etc/opendkim/keys/${domain}/mail.private +% endfor diff --git a/bundles/opendkim/files/opendkim.conf b/bundles/opendkim/files/opendkim.conf new file mode 100644 index 0000000..ad5d0d5 --- /dev/null +++ b/bundles/opendkim/files/opendkim.conf 
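Review bot: In the dovecot.conf hunk, `mailbox Junk` gets `auto = create` while Drafts, Trash and Sent get `auto = subscribe`; if the intent is that the Junk folder always exists as a spam-delivery target but stays out of the user's subscription list, a one-line comment above `mailbox Junk {` saying so would stop the next reader from "fixing" it to `subscribe`. Dropping the `"Sent Messages"` mailbox also removes the second `\Sent` binding; clients that previously picked that folder by name will now fall back to `Sent`, which is fine only if no existing users still have mail in the old folder — worth checking before the change is applied to the node.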
@@ -0,0 +1,14 @@
+Mode sv
+SignatureAlgorithm rsa-sha256
+Canonicalization relaxed/simple
+KeyTable refile:/etc/opendkim/key_table
+SigningTable refile:/etc/opendkim/signing_table
+
+UMask 002
+UserID opendkim:opendkim
+PidFile /var/run/opendkim/opendkim.pid
+Socket local:/var/run/opendkim/opendkim.sock
+
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
diff --git a/bundles/opendkim/files/signing_table b/bundles/opendkim/files/signing_table
new file mode 100644
index 0000000..90bf076
--- /dev/null
+++ b/bundles/opendkim/files/signing_table
@@ -0,0 +1,3 @@
+% for domain in domains:
+*@${domain} mail._domainkey.${domain}
+% endfor
diff --git a/bundles/opendkim/items.py b/bundles/opendkim/items.py
new file mode 100644
index 0000000..9d05c00
--- /dev/null
+++ b/bundles/opendkim/items.py
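Review bot: `UMask 002` is what makes the socket at `Socket local:/var/run/opendkim/opendkim.sock` group-accessible for Postfix, but nothing in this commit adds the postfix user to the opendkim group, so whether the MTA can connect depends on state outside the bundle; I would add `# group-writable socket: the postfix user must be a member of the opendkim group` above `UMask`, or manage that membership in items.py. The file also lacks `OversignHeaders From`, which (as in Debian's stock opendkim.conf, if I recall it correctly) prevents a second From header from being appended to a signed message without invalidating the signature; add it unless it was left out deliberately. `SyslogSuccess Yes` and `LogWhy Yes` are welcome, since they log the per-message signing and verification outcome you will need when checking the selector and key path.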
@@ -0,0 +1,75 @@
+file_attributes = {
+ 'owner': 'opendkim',
+ 'group': 'opendkim',
+ 'mode': '700',
+ 'triggers': [
+ 'svc_systemd:opendkim:restart',
+ ],
+}
+
+groups['opendkim'] = {}
+users['opendkim'] = {}
+
+directories = {
+ '/etc/opendkim': {
+ **file_attributes,
+ },
+ '/etc/opendkim/keys': {
+ **file_attributes,
+ },
+}
+
+files = {
+ '/etc/opendkim.conf': {
+ **file_attributes,
+ },
+ '/etc/defaults/opendkim': {
+ # https://metadata.ftp-master.debian.org/changelogs//main/o/opendkim/testing_opendkim.NEWS
+ 'delete': True,
+ },
+ '/etc/opendkim/key_table': {
+ 'content_type': 'mako',
+ 'context': {
+ 'domains': node.metadata.get('opendkim/domains'),
+ },
+ **file_attributes,
+ },
+ '/etc/opendkim/signing_table': {
+ 'content_type': 'mako',
+ 'context': {
+ 'domains': node.metadata.get('opendkim/domains'),
+ },
+ **file_attributes,
+ },
+}
+
+for domain in node.metadata.get('opendkim/domains'):
+ directories[f'/etc/opendkim/keys/{domain}'] = {
+ **file_attributes,
+ }
+
+ actions[f'generate_{domain}_dkim_key'] = {
+ 'command': (
+ 'sudo --user opendkim'
+ ' opendkim-genkey'
+ f' --directory=/etc/opendkim/keys/{domain}'
+ f' --domain={domain}'
+ ),
+ 'unless': f'test -f /etc/opendkim/keys/{domain}/default.private',
+ 'needs': [
+ 'svc_systemd:opendkim',
+ f'directory:/etc/opendkim/keys/{domain}',
+ ],
+ 'triggers': [
+ 'svc_systemd:opendkim:restart',
+ ],
+ }
+
+svc_systemd['opendkim'] = {
+ 'needs': [
+ 'pkg_apt:opendkim',
+ 'file:/etc/opendkim.conf',
+ 'file:/etc/opendkim/key_table',
+ 'file:/etc/opendkim/signing_table',
+ ],
+}
diff --git a/bundles/opendkim/metadata.py b/bundles/opendkim/metadata.py
new file mode 100644
index 0000000..ea62327
--- /dev/null
+++ b/bundles/opendkim/metadata.py
@@ -0,0 +1,11 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'opendkim': {},
+ 'opendkim-tools': {},
+ },
+ },
+ 'opendkim': {
+ 'domains': [],
+ },
+}
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 4014b85..4163172 100644
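Review bot: The `opendkim-genkey` call in `actions[f'generate_{domain}_dkim_key']` passes no selector, so it writes `default.private`, while the `key_table` and `signing_table` templates in this commit bind selector `mail` to `/etc/opendkim/keys/${domain}/mail.private`; OpenDKIM will not find that key, and with the `milter_default_action = accept` added to main.cf mail would most likely leave unsigned without anything failing visibly. Add `f' --selector=mail'` to the command and change the guard to `'unless': f'test -f /etc/opendkim/keys/{domain}/mail.private',` so generation and the tables agree. `'/etc/defaults/opendkim'` looks like a typo for Debian's `/etc/default/opendkim`, so the `'delete': True` it carries is a no-op against the real file. The shared `file_attributes` also applies `'mode': '700'` to regular files such as `/etc/opendkim.conf`; `'600'` for the file entries keeps them private without setting the execute bit.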
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -41,3 +41,9 @@ smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mu
 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = permit_sasl_authenticated, reject
 mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
+
+# opendkim
+milter_protocol = 2
+milter_default_action = accept
+smtpd_milters = local:/var/run/opendkim/opendkim.sock
+non_smtpd_milters = local:/var/run/opendkim/opendkim.sock
diff --git a/groups/applications/mailserver.py b/groups/applications/mailserver.py
index 32d1830..f9f3f6b 100644
--- a/groups/applications/mailserver.py
+++ b/groups/applications/mailserver.py
@@ -1,5 +1,6 @@
 {
 'bundles': [
+ 'opendkim',
 'dovecot',
 'letsencrypt',
 'mailserver',
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index ce8a95b..ffa950e 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -10,7 +10,19 @@
 'zfs',
 ],
 'metadata': {
- 'interfaces': {
+ 'opendkim': {
+ 'domains': [
+ "sublimity.de",
+ "freibrief.net",
+ "nadenau.net",
+ "naeder.net",
+ "rolfwerner.eu",
+ "wettengl.net",
+ "wingl.de",
+ "woodpipe.de",
+ ],
+ },
+ 'interfaces': {
 'eth0': {
 'ips': {
 '162.55.188.157',
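Review bot: `milter_default_action = accept` means that whenever the OpenDKIM socket is unreachable, outbound mail is relayed unsigned and inbound mail skips verification, with no error surfaced to anyone; if signing is meant to be guaranteed, `milter_default_action = tempfail` is the safer value, and if `accept` is the deliberate availability trade-off it deserves a comment stating that next to `# opendkim`. On Debian the smtpd service is normally chrooted, in which case a `local:` path in `smtpd_milters` is resolved under the Postfix queue directory rather than `/var/run`; since the postfix bundle's master.cf is not part of this diff, it is worth confirming on the node that smtpd actually reaches `/var/run/opendkim/opendkim.sock` and that the signing outcome shows up in the OpenDKIM syslog output.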