DKIM: only use random DKIM selector on staging.testrun.org for now

.github/workflows/test-and-deploy.yaml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
       - staging-ci
+      - generate-dkim-selector
 
 jobs:
   deploy:

chatmaild/src/chatmaild/config.py

@@ -1,4 +1,5 @@
 import iniconfig
+from datetime import datetime
 
 
 def read_config(inipath):
@@ -24,6 +25,7 @@ class Config:
         self.privacy_mail = params.get("privacy_mail")
         self.privacy_pdo = params.get("privacy_pdo")
         self.privacy_supervisor = params.get("privacy_supervisor")
+        self.dkim_selector = params.get("dkim_selector")
 
     def _getbytefile(self):
         return open(self._inipath, "rb")
@@ -33,8 +35,16 @@ def write_initial_config(inipath, mail_domain):
     from importlib.resources import files
 
     inidir = files(__package__).joinpath("ini")
+    selector = "dkim"
+    if mail_domain == "staging.testrun.org":
+        selector = datetime.now().strftime("%Y%m%d%H%M")
     content = (
-        inidir.joinpath("chatmail.ini.f").read_text().format(mail_domain=mail_domain)
+        inidir.joinpath("chatmail.ini.f")
+        .read_text()
+        .format(
+            mail_domain=mail_domain,
+            dkim_selector=selector,
+        )
     )
     if mail_domain.endswith(".testrun.org"):
         override_inipath = inidir.joinpath("override-testrun.ini")

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -35,6 +35,8 @@ passthrough_senders =
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
 
+dkim_selector = {dkim_selector}
+
 #
 # Deployment Details
 #

cmdeploy/src/cmdeploy/__init__.py

@@ -495,7 +495,7 @@ def deploy_chatmail(config_path: Path) -> None:
     nginx_need_restart = _configure_nginx(mail_domain)
 
     remove_opendkim()
-    rspamd_need_restart = _configure_rspamd("dkim", mail_domain)
+    rspamd_need_restart = _configure_rspamd(config.dkim_selector, mail_domain)
 
     systemd.service(
         name="Start and enable rspamd",

cmdeploy/src/cmdeploy/dns.py

@@ -51,6 +51,7 @@ def show_dns(args, out) -> int:
     """Check existing DNS records, optionally write them to zone file, return exit code 0 or 1."""
     template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
     mail_domain = args.config.mail_domain
+    selector = args.config.dkim_selector
     ssh = f"ssh root@{mail_domain}"
     dns = DNS(out, mail_domain)
 
@@ -61,8 +62,8 @@ def show_dns(args, out) -> int:
                 continue
             line = line.replace("\t", " ")
             lines.append(line)
-        lines[0] = f"dkim._domainkey.{mail_domain}. IN TXT " + lines[0].strip(
+        lines[0] = f"{selector}._domainkey.{mail_domain}. IN TXT " + lines[0].strip(
-            "dkim._domainkey IN TXT "
+            f"{selector}._domainkey IN TXT "
         )
         return "\n".join(lines)
 
@@ -73,7 +74,9 @@ def show_dns(args, out) -> int:
         print("Please run `cmdeploy run` first.")
         return 1
     dkim_entry = read_dkim_entries(
-        out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone")
+        out.shell_output(
+            f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.{selector}.zone"
+        )
     )
 
     ipv6 = dns.get_ipv6()

cmdeploy/src/cmdeploy/rspamd/dkim_signing.conf.j2

@@ -1,9 +1,9 @@
-selector = {{ config.dkim_selector }}
+selector = "{{ config.dkim_selector }}"
 use_esld = false  # don't cut c1.testrun.org down to testrun.org
 domain = {
     {{ config.mail_domain }} {
         selectors [
-            selector = {{ config.dkim_selector }}
+            selector = "{{ config.dkim_selector }}"
             path = {{ config.dkim_key_path }}
         ]
     }