rspamd: generate DKIM keys with rspamadm

cmdeploy/src/cmdeploy/__init__.py

@@ -130,6 +130,19 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
     """Configures OpenDKIM"""
     need_restart = False
 
+    server.group(name="Create opendkim group", group="opendkim", system=True)
+    server.user(
+        name="Add postfix user to opendkim group for socket access",
+        user="postfix",
+        groups=["opendkim"],
+        system=True,
+    )
+
+    apt.packages(
+        name="apt install opendkim opendkim-tools",
+        packages=["opendkim", "opendkim-tools"],
+    )
+
     main_config = files.template(
         src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
         dest="/etc/opendkim.conf",
@@ -168,7 +181,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
         config={"domain_name": domain, "opendkim_selector": dkim_selector},
     )
     need_restart |= signing_table.changed
-
     files.directory(
         name="Add opendkim socket directory to /var/spool/postfix",
         path="/var/spool/postfix/opendkim",
@@ -459,6 +471,7 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
 
     dkim_directory = "/var/lib/rspamd/dkim/"
     dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
+    dkim_dns_file = f"{dkim_directory}{mail_domain}.{dkim_selector}.zone"
 
     dkim_config = files.template(
         src=importlib.resources.files(__package__).joinpath(
@@ -488,7 +501,7 @@ def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
         server.shell(
             name="Generate DKIM domain keys with rspamd",
             commands=[
-                f"rspamadm dkim_keygen -s {dkim_selector} -d {mail_domain} -k {dkim_key_path}"
+                f"rspamadm dkim_keygen -b 2048 -s {dkim_selector} -d {mail_domain} -k {dkim_key_path} > {dkim_dns_file}"
             ],
             _sudo=True,
             _sudo_user="_rspamd",
@@ -545,14 +558,6 @@ def deploy_chatmail(config_path: Path) -> None:
     server.group(name="Create vmail group", group="vmail", system=True)
     server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
 
-    server.group(name="Create opendkim group", group="opendkim", system=True)
-    server.user(
-        name="Add postfix user to opendkim group for socket access",
-        user="postfix",
-        groups=["opendkim"],
-        system=True,
-    )
-
     # Run local DNS resolver `unbound`.
     # `resolvconf` takes care of setting up /etc/resolv.conf
     # to use 127.0.0.1 as the resolver.
@@ -587,14 +592,6 @@ def deploy_chatmail(config_path: Path) -> None:
         packages=["dovecot-imapd", "dovecot-lmtpd"],
     )
 
-    apt.packages(
-        name="Install OpenDKIM",
-        packages=[
-            "opendkim",
-            "opendkim-tools",
-        ],
-    )
-
     apt.packages(
         name="Install nginx",
         packages=["nginx"],

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -7,7 +7,7 @@ _imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
 _imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
 {chatmail_domain}.                   CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
 {chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} -all"
-_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
+_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=s;aspf=s"
 _mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
 www.{chatmail_domain}.               CNAME {chatmail_domain}.

cmdeploy/src/cmdeploy/dns.py

@@ -60,6 +60,7 @@ def show_dns(args, out):
                 continue
             line = line.replace("\t", " ")
             lines.append(line)
+        lines[0] = f"dkim._domainkey.{mail_domain}. IN TXT " + lines[0].strip("dkim._domainkey IN TXT ")
         return "\n".join(lines)
 
     print("Checking your DKIM keys and DNS entries...")
@@ -68,7 +69,8 @@ def show_dns(args, out):
     except subprocess.CalledProcessError:
         print("Please run `cmdeploy run` first.")
         return
-    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
+    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone"))
+
 
     ipv6 = dns.get_ipv6()
     reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
@@ -142,8 +144,8 @@ def show_dns(args, out):
         domain, data = "\n".join(dkim_lines).split(" IN TXT ")
         current = dns.get("TXT", domain.strip()[:-1])
         if current:
-            current = "( %s )" % (current.replace('" "', '"\n "'))
+            current = "( %s" % (current.replace('" "', '"\n "'))
-            if current.replace(";", "\\;") != data:
+            if current != data:
                 to_print.append(dkim_entry)
         else:
             to_print.append(dkim_entry)