From fd679af577375cd72a792f7d3a51978ba5f6c6cd Mon Sep 17 00:00:00 2001
From: missytake
Date: Tue, 26 Dec 2023 10:27:11 +0100
Subject: [PATCH] rspamd: generate DKIM keys with rspamadm

---
 cmdeploy/src/cmdeploy/__init__.py | 33 ++++++++++++---------------
 cmdeploy/src/cmdeploy/chatmail.zone.f | 2 +-
 cmdeploy/src/cmdeploy/dns.py | 8 ++++---
 3 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index bb977097..3a361678 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -130,6 +130,19 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
 """Configures OpenDKIM"""
 need_restart = False

+ server.group(name="Create opendkim group", group="opendkim", system=True)
+ server.user(
+ name="Add postfix user to opendkim group for socket access",
+ user="postfix",
+ groups=["opendkim"],
+ system=True,
+ )
+
+ apt.packages(
+ name="apt install opendkim opendkim-tools",
+ packages=["opendkim", "opendkim-tools"],
+ )
+
 main_config = files.template(
 src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
 dest="/etc/opendkim.conf",
@@ -168,7 +181,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
 config={"domain_name": domain, "opendkim_selector": dkim_selector},
 )
 need_restart |= signing_table.changed
-
 files.directory(
 name="Add opendkim socket directory to /var/spool/postfix",
 path="/var/spool/postfix/opendkim",
@@ -459,6 +471,7 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:

 dkim_directory = "/var/lib/rspamd/dkim/"
 dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
+ dkim_dns_file = f"{dkim_directory}{mail_domain}.{dkim_selector}.zone"
 dkim_config = files.template(
 src=importlib.resources.files(__package__).joinpath(
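Review bot: The docstring `"""Configures OpenDKIM"""` at the top of the hunk no longer describes the function now that group creation, the postfix group membership and the package install have moved in from deploy_chatmail. I would replace it with `"""Install OpenDKIM, create the opendkim group (with postfix as a member for socket access), write its configuration and return True when the service needs a restart."""`; the return value follows from the `need_restart` accumulator visible in the hunk and the `-> bool` in the header. _configure_opendkim starts in the hunk header and its body continues outside the hunk.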
@@ -488,7 +501,7 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
 server.shell(
 name="Generate DKIM domain keys with rspamd",
 commands=[
- f"rspamadm dkim_keygen -s {dkim_selector} -d {mail_domain} -k {dkim_key_path}"
+ f"rspamadm dkim_keygen -b 2048 -s {dkim_selector} -d {mail_domain} -k {dkim_key_path} > {dkim_dns_file}"
 ],
 _sudo=True,
 _sudo_user="_rspamd",
@@ -545,14 +558,6 @@ def deploy_chatmail(config_path: Path) -> None:
 server.group(name="Create vmail group", group="vmail", system=True)
 server.user(name="Create vmail user", user="vmail", group="vmail", system=True)

- server.group(name="Create opendkim group", group="opendkim", system=True)
- server.user(
- name="Add postfix user to opendkim group for socket access",
- user="postfix",
- groups=["opendkim"],
- system=True,
- )
-
 # Run local DNS resolver `unbound`.
 # `resolvconf` takes care of setting up /etc/resolv.conf
 # to use 127.0.0.1 as the resolver.
@@ -587,14 +592,6 @@ def deploy_chatmail(config_path: Path) -> None:
 packages=["dovecot-imapd", "dovecot-lmtpd"],
 )

- apt.packages(
- name="Install OpenDKIM",
- packages=[
- "opendkim",
- "opendkim-tools",
- ],
- )
-
 apt.packages(
 name="Install nginx",
 packages=["nginx"],
diff --git a/cmdeploy/src/cmdeploy/chatmail.zone.f b/cmdeploy/src/cmdeploy/chatmail.zone.f
index 2fd55ad0..da58aa88 100644
--- a/cmdeploy/src/cmdeploy/chatmail.zone.f
+++ b/cmdeploy/src/cmdeploy/chatmail.zone.f
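Review bot: The new shell line interpolates `dkim_selector`, `mail_domain`, `dkim_key_path` and `dkim_dns_file` into one shell string that runs as `_rspamd` under sudo, so a stray shell metacharacter in the configured domain or selector is executed rather than rejected; wrap each value with `shlex.quote()` (stdlib) when building the f-string, or validate them before this point. The hunk also shows nothing about the mode of the private key that `rspamadm dkim_keygen -k` writes, nor of the zone file created by the `>` redirect, which inherits the shell's umask; I would follow the `server.shell` with `files.file(path=dkim_key_path, mode="600", user="_rspamd", group="_rspamd", _sudo=True)` so the signing key stays readable only by rspamd. Unless the call is guarded outside the hunk, rerunning the deploy regenerates the key and silently rotates DKIM while the published TXT record goes stale, so guarding the command with `[ -e {dkim_key_path} ] || rspamadm ...` (or a file-existence fact) would keep it idempotent. _configure_rspamd starts and ends outside the hunk.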
@@ -7,7 +7,7 @@ _imap._tcp.{chatmail_domain}. SRV 0 1 143 {chatmail_domain}.
 _imaps._tcp.{chatmail_domain}. SRV 0 1 993 {chatmail_domain}.
 {chatmail_domain}. CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
 {chatmail_domain}. TXT "v=spf1 a:{chatmail_domain} -all"
-_dmarc.{chatmail_domain}. TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
+_dmarc.{chatmail_domain}. TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=s;aspf=s"
 _mta-sts.{chatmail_domain}. TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}. CNAME {chatmail_domain}.
 www.{chatmail_domain}. CNAME {chatmail_domain}.
diff --git a/cmdeploy/src/cmdeploy/dns.py b/cmdeploy/src/cmdeploy/dns.py
index e8e740a8..5a051a62 100644
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -60,6 +60,7 @@ def show_dns(args, out):
 continue
 line = line.replace("\t", " ")
 lines.append(line)
+ lines[0] = f"dkim._domainkey.{mail_domain}. IN TXT " + lines[0].strip("dkim._domainkey IN TXT ")
 return "\n".join(lines)

 print("Checking your DKIM keys and DNS entries...")
@@ -68,7 +69,8 @@ def show_dns(args, out):
 except subprocess.CalledProcessError:
 print("Please run `cmdeploy run` first.")
 return
- dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
+ dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone"))
+
 ipv6 = dns.get_ipv6()
 reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)

@@ -142,8 +144,8 @@ def show_dns(args, out):
 domain, data = "\n".join(dkim_lines).split(" IN TXT ")
 current = dns.get("TXT", domain.strip()[:-1])
 if current:
- current = "( %s )" % (current.replace('" "', '"\n "'))
- if current.replace(";", "\\;") != data:
+ current = "( %s" % (current.replace('" "', '"\n "'))
+ if current != data:
 to_print.append(dkim_entry)
 else:
 to_print.append(dkim_entry)
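Review bot: Moving DMARC to `adkim=s;aspf=s` while keeping `p=reject` means receivers now reject any message whose DKIM `d=` or SPF MAIL FROM domain is merely a subdomain of `{chatmail_domain}`, e.g. bounces or DSNs sent from a postfix `myorigin`/`myhostname` such as `mail.{chatmail_domain}`, and the zone template gives no hint of that tightening. The rspamd signing side is consistent with it as far as the patch shows (`rspamadm dkim_keygen -d {mail_domain}`), but postfix's envelope-sender domain is not visible here and should be confirmed to equal `{chatmail_domain}` before this ships. I would add a comment above the record, `; strict alignment: DKIM d= and SPF MAIL FROM must equal {chatmail_domain} exactly (no subdomains)`, so the next editor does not relax it back without understanding why it was tightened.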
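Review bot: `lines[0].strip("dkim._domainkey IN TXT ")` treats its argument as a set of characters, not a prefix, so it strips any run of `d k i m . _ o a n e y I N T X` and space from both ends of the line; it only happens to stop at the `(` and the closing `"` of rspamadm's first output line and would eat real characters from a differently shaped line. Use a real prefix replacement instead: `lines[0] = lines[0].replace("dkim._domainkey IN TXT ", f"dkim._domainkey.{mail_domain}. IN TXT ", 1)`. The literal `dkim` selector in both strings also duplicates the `dkim_selector` parameter that `_configure_rspamd` takes, so the two can drift apart. The enclosing nested function begins before the hunk.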
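Review bot: The new `out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone")` sits after the `return` of the try/except shown above it, so on a host deployed before this change, where the zone file does not exist yet, the CalledProcessError from `cat` appears to propagate as a traceback instead of the friendly "Please run `cmdeploy run` first." message; moving the call inside that try, or catching CalledProcessError around it, keeps the behaviour consistent (the try's opening line is outside the hunk, so this is inferred). The path also hard-codes the `dkim` selector and the `/var/lib/rspamd/dkim/` directory that `_configure_rspamd` computes from `dkim_directory` and `dkim_selector`; a shared module-level constant for the zone path would stop the two drifting apart.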
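Review bot: `current = "( %s" % ...` drops the closing parenthesis so that `current` can equal `data`, which assumes the `data` half read from the zone file ends right after the last quoted string; rspamadm's DNS record output normally ends with ` ) ;`, and if read_dkim_entries (outside the hunk) does not strip that tail, `current != data` is always true and the DKIM record is reported as missing on every run even when DNS is correct. Worth checking against a deployed host, and if it fails, normalising both sides before comparing, e.g. `if current.strip(" ();\n") != data.strip(" ();\n"):`, rather than relying on an exact textual match.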