do DKIM signing with rspamd instead of openDKIM
@@ -370,6 +370,86 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
|
|||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
|
def remove_opendkim() -> bool:
|
||||||
|
"""Remove OpenDKIM, deprecated"""
|
||||||
|
files.file(
|
||||||
|
name="Remove legacy opendkim.conf",
|
||||||
|
path="/etc/opendkim.conf",
|
||||||
|
present=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
files.directory(
|
||||||
|
name="Remove legacy opendkim socket directory from /var/spool/postfix",
|
||||||
|
path="/var/spool/postfix/opendkim",
|
||||||
|
present=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
apt.packages(
|
||||||
|
name="Remove openDKIM",
|
||||||
|
packages="opendkim",
|
||||||
|
present=False
|
||||||
|
)
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
|
||||||
|
"""Configures rspamd for Rate Limiting."""
|
||||||
|
need_restart = False
|
||||||
|
|
||||||
|
dkim_directory = "/var/lib/rspamd/dkim/"
|
||||||
|
dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
|
||||||
|
|
||||||
|
dkim_config = files.template(
|
||||||
|
src=importlib.resources.files(__package__).joinpath("rspamd/dkim_signing.conf.j2"),
|
||||||
|
dest="/etc/rspamd/local.d/dkim_signing.conf",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
config={
|
||||||
|
"dkim_selector": str(dkim_selector),
|
||||||
|
"mail_domain": mail_domain,
|
||||||
|
"dkim_key_path": dkim_key_path,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
need_restart |= dkim_config.changed
|
||||||
|
|
||||||
|
files.directory(
|
||||||
|
name="ensure DKIM key directory exists",
|
||||||
|
path=dkim_directory,
|
||||||
|
present=True,
|
||||||
|
user="_rspamd",
|
||||||
|
group="_rspamd",
|
||||||
|
)
|
||||||
|
|
||||||
|
if not host.get_fact(File, dkim_key_path):
|
||||||
|
server.shell(
|
||||||
|
name="Generate DKIM domain keys with rspamd",
|
||||||
|
commands=[
|
||||||
|
f"rspamadm dkim_keygen -s {dkim_selector} -d {mail_domain} -k {dkim_key_path}"
|
||||||
|
],
|
||||||
|
_sudo=True,
|
||||||
|
_sudo_user="_rspamd",
|
||||||
|
)
|
||||||
|
|
||||||
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
|
def _configure_redis() -> bool:
|
||||||
|
"""Configures redis as a key-value storage for rspamd."""
|
||||||
|
need_restart = False
|
||||||
|
|
||||||
|
redis_config = files.put(
|
||||||
|
src=importlib.resources.files(__package__).joinpath("rspamd/redis.conf"),
|
||||||
|
dest="/etc/redis/redis.conf",
|
||||||
|
user="redis",
|
||||||
|
group="redis",
|
||||||
|
mode="640",
|
||||||
|
)
|
||||||
|
need_restart |= redis_config.changed
|
||||||
|
|
||||||
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
def check_config(config):
|
def check_config(config):
|
||||||
mail_domain = config.mail_domain
|
mail_domain = config.mail_domain
|
||||||
if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
|
if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
|
||||||
@@ -468,18 +548,30 @@ def deploy_chatmail(config_path: Path) -> None:
|
|||||||
debug = False
|
debug = False
|
||||||
dovecot_need_restart = _configure_dovecot(config, debug=debug)
|
dovecot_need_restart = _configure_dovecot(config, debug=debug)
|
||||||
postfix_need_restart = _configure_postfix(config, debug=debug)
|
postfix_need_restart = _configure_postfix(config, debug=debug)
|
||||||
opendkim_need_restart = _configure_opendkim(mail_domain)
|
|
||||||
mta_sts_need_restart = _install_mta_sts_daemon()
|
mta_sts_need_restart = _install_mta_sts_daemon()
|
||||||
nginx_need_restart = _configure_nginx(mail_domain)
|
nginx_need_restart = _configure_nginx(mail_domain)
|
||||||
|
|
||||||
|
remove_opendkim()
|
||||||
|
rspamd_need_restart = _configure_rspamd("dkim", mail_domain)
|
||||||
|
redis_need_restart = _configure_redis()
|
||||||
|
|
||||||
systemd.service(
|
systemd.service(
|
||||||
name="Start and enable OpenDKIM",
|
name="Start and enable redis-server",
|
||||||
service="opendkim.service",
|
service="redis-server.service",
|
||||||
running=True,
|
running=True,
|
||||||
enabled=True,
|
enabled=True,
|
||||||
restarted=opendkim_need_restart,
|
restarted=redis_need_restart,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
systemd.service(
|
||||||
|
name="Start and enable rspamd",
|
||||||
|
service="rspamd.service",
|
||||||
|
running=True,
|
||||||
|
enabled=True,
|
||||||
|
restarted=rspamd_need_restart,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
systemd.service(
|
systemd.service(
|
||||||
name="Start and enable MTA-STS daemon",
|
name="Start and enable MTA-STS daemon",
|
||||||
service="mta-sts-daemon.service",
|
service="mta-sts-daemon.service",
|
||||||
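Review bot: The DKIM private key that `rspamadm dkim_keygen -k {dkim_key_path}` writes in `_configure_rspamd` never gets an explicit mode, and the `files.directory` call for `/var/lib/rspamd/dkim/` sets owner and group but no `mode`, so both end up with whatever the default umask and rspamadm produce; a signing key should be readable only by the rspamd user, e.g. `mode="750"` on the directory plus a follow-up `files.file(path=dkim_key_path, user="_rspamd", group="_rspamd", mode="600")` after the generate step. The generate command also interpolates `dkim_selector` and `mail_domain` straight into a shell string; both come from the operator's config so the exposure is low, but wrapping them in `shlex.quote()` costs nothing. As far as I recall `rspamadm dkim_keygen` prints the public-key TXT record to stdout rather than a file, and nothing in this hunk captures or publishes it, so unless DNS publication happens elsewhere rspamd will start signing before verifiers can check the signature — doubly so if the old OpenDKIM key already used the `dkim` selector with a different key. Separately, the docstring `"""Configures rspamd for Rate Limiting."""` describes something the function does not do; `"""Configure rspamd DKIM signing: write dkim_signing.conf, create the key directory and generate the domain key if missing."""` matches the body.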
|
|||||||
@@ -46,7 +46,7 @@ inet_protocols = all
|
|||||||
virtual_transport = lmtp:unix:private/dovecot-lmtp
|
virtual_transport = lmtp:unix:private/dovecot-lmtp
|
||||||
virtual_mailbox_domains = {{ config.mail_domain }}
|
virtual_mailbox_domains = {{ config.mail_domain }}
|
||||||
|
|
||||||
smtpd_milters = unix:opendkim/opendkim.sock
|
smtpd_milters = inet:127.0.0.1:11332
|
||||||
non_smtpd_milters = $smtpd_milters
|
non_smtpd_milters = $smtpd_milters
|
||||||
|
|
||||||
header_checks = regexp:/etc/postfix/submission_header_cleanup
|
header_checks = regexp:/etc/postfix/submission_header_cleanup
|
||||||
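Review bot: `smtpd_milters = inet:127.0.0.1:11332` assumes an rspamd proxy worker is listening in milter mode on that port, which nothing in this commit configures — it appears to rely on the distribution's default `worker-proxy.inc`; a comment above the line, `# rspamd proxy worker in milter mode; relies on the Debian default bind of localhost:11332`, would record that dependency for whoever next changes the rspamd packaging. Moving from a unix socket inside the Postfix chroot to loopback TCP also means any local process can reach the milter; acceptable on a single-purpose host, but worth stating in the same comment. If `milter_default_action` is not set elsewhere in this template, Postfix's default of `tempfail` applies, so an rspamd outage defers mail instead of sending it unsigned — the safer failure mode, but it now turns an rspamd outage into a full mail stall and should be monitored.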
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
selector = {{ config.dkim_selector }}
|
||||||
|
use_esld = false # don't cut c1.testrun.org down to testrun.org
|
||||||
|
domain = {
|
||||||
|
{{ config.mail_domain }} {
|
||||||
|
selectors [
|
||||||
|
selector = {{ config.dkim_selector }}
|
||||||
|
path = {{ config.dkim_key_path }}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
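Review bot: Inside the `selectors [ … ]` array the two assignments `selector = …` and `path = …` are not wrapped in `{ }`; the rspamd documentation shows each array entry as an object, and I am not confident UCL groups two bare assignments inside an array into one object, so this may be parsed as something other than a single selector. With only one selector per domain the simpler documented form avoids the question entirely: drop the array and put `selector = {{ config.dkim_selector }}` and `path = {{ config.dkim_key_path }}` directly in the `{{ config.mail_domain }} { … }` block. The template also says nothing about who gets signed — `sign_authenticated`, `sign_local`, `sign_inbound`, `allow_hdrfrom_mismatch` and `allow_username_mismatch` are all left to rspamd defaults, so a reader cannot tell from this file whether a SASL user may send signed mail with a different From address; stating the intended values explicitly, or at least a leading comment naming the relied-upon defaults, would make the signing policy reviewable. The top-level `selector = {{ config.dkim_selector }}` duplicates the per-domain one; keep one or comment on why both are needed.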
2276
deploy-chatmail/src/deploy_chatmail/rspamd/redis.conf
Normal file
2276
deploy-chatmail/src/deploy_chatmail/rspamd/redis.conf
Normal file
File diff suppressed because it is too large