docs: Update DKIM section in overview.rst

We are now using dkim-milter instead of OpenDKIM.

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -80,7 +80,7 @@ jobs:
 
       - name: set DNS entries
         run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
           cmdeploy dns --zonefile staging-generated.zone
           cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
           cat .github/workflows/staging-ipv4.testrun.org-default.zone

.github/workflows/test-and-deploy.yaml

@@ -82,7 +82,7 @@ jobs:
 
       - name: set DNS entries
         run: |
-          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
           cmdeploy dns --zonefile staging-generated.zone --verbose
           cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
           cat .github/workflows/staging.testrun.org-default.zone

chatmaild/src/chatmaild/config.py

@@ -56,7 +56,6 @@ class Config:
         self.privacy_mail = params.get("privacy_mail")
         self.privacy_pdo = params.get("privacy_pdo")
         self.privacy_supervisor = params.get("privacy_supervisor")
-        self.tmpfs_index = params.get("tmpfs_index", "false").lower() == "true"
 
         # deprecated option
         mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
@@ -112,10 +111,10 @@ def get_default_config_content(mail_domain, **overrides):
 
     if mail_domain.endswith(".testrun.org"):
         override_inipath = inidir.joinpath("override-testrun.ini")
-        params = iniconfig.IniConfig(override_inipath)["params"]
+        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
         lines = []
         for line in content.split("\n"):
-            for key, value in params.items():
+            for key, value in privacy.items():
                 value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
                 if not line.startswith(f"{key} =") or not value_lines:
                     continue

chatmaild/src/chatmaild/expire.py

@@ -17,14 +17,14 @@ from chatmaild.config import read_config
 FileEntry = namedtuple("FileEntry", ("path", "mtime", "size"))
 
 
-def iter_mailboxes(basedir, maxnum, tmpfs_index):
+def iter_mailboxes(basedir, maxnum):
     if not os.path.exists(basedir):
         print_info(f"no mailboxes found at: {basedir}")
         return
 
     for name in os_listdir_if_exists(basedir)[:maxnum]:
         if "@" in name:
-            yield MailboxStat(basedir + "/" + name, name, tmpfs_index)
+            yield MailboxStat(basedir + "/" + name)
 
 
 def get_file_entry(path):
@@ -49,14 +49,11 @@ def os_listdir_if_exists(path):
 class MailboxStat:
     last_login = None
 
-    def __init__(self, basedir, name, tmpfs_index):
+    def __init__(self, basedir):
         self.basedir = str(basedir)
-        self.name = name
         self.messages = []
         self.extrafiles = []
         self.scandir(self.basedir)
-        if tmpfs_index:
-            self.scandir("/dev/shm/" + name)
 
     def scandir(self, folderdir):
         for name in os_listdir_if_exists(folderdir):
@@ -93,13 +90,11 @@ class Expiry:
         self.all_files = 0
         self.start = time.time()
 
-    def remove_mailbox(self, mboxdir, name):
+    def remove_mailbox(self, mboxdir):
         if self.verbose:
             print_info(f"removing {mboxdir}")
         if not self.dry:
             shutil.rmtree(mboxdir)
-            if self.config.tmpfs_index:
-                shutil.rmtree("/dev/shm/" + name)
         self.del_mboxes += 1
 
     def remove_file(self, path, mtime=None):
@@ -126,7 +121,7 @@ class Expiry:
         self.all_mboxes += 1
         changed = False
         if mbox.last_login and mbox.last_login < cutoff_without_login:
-            self.remove_mailbox(mbox.basedir, mbox.name)
+            self.remove_mailbox(mbox.basedir)
             return
 
         mboxname = os.path.basename(mbox.basedir)
@@ -150,9 +145,6 @@ class Expiry:
             changed = True
         if changed:
             self.remove_file(f"{mbox.basedir}/maildirsize")
-        for file in mbox.extrafiles:
-            if "dovecot.index" in file.path.split("/")[-1] and file.size > 500 * 1024:
-                self.remove_file(file.path)
 
     def get_summary(self):
         return (
@@ -205,9 +197,7 @@ def main(args=None):
 
     maxnum = int(args.maxnum) if args.maxnum else None
     exp = Expiry(config, dry=not args.remove, now=now, verbose=args.verbose)
-    for mailbox in iter_mailboxes(
-        str(config.mailboxes_dir), maxnum, config.tmpfs_index
-    ):
+    for mailbox in iter_mailboxes(str(config.mailboxes_dir), maxnum=maxnum):
         exp.process_mailbox_stat(mailbox)
     print(exp.get_summary())
 

chatmaild/src/chatmaild/fsreport.py

@@ -159,7 +159,7 @@ def main(args=None):
 
     maxnum = int(args.maxnum) if args.maxnum else None
     rep = Report(now=now, min_login_age=int(args.min_login_age), mdir=args.mdir)
-    for mbox in iter_mailboxes(str(config.mailboxes_dir), maxnum, config.tmpfs_index):
+    for mbox in iter_mailboxes(str(config.mailboxes_dir), maxnum=maxnum):
         rep.process_mailbox_stat(mbox)
     rep.dump_summary()
 

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -48,9 +48,6 @@ passthrough_senders =
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
 passthrough_recipients =
 
-# store index files in tmpfs (good for disk size and I/O, bad for ram)
-tmpfs_index = false
-
 # path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
 #www_folder = www
 

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,6 +1,5 @@
-[params]
 
-tmpfs_index = true
+[privacy]
 
 passthrough_recipients = privacy@testrun.org echo@{mail_domain}
 

chatmaild/src/chatmaild/tests/test_expire.py

@@ -43,22 +43,20 @@ def create_new_messages(basedir, relpaths, size=1000, days=0):
 
 @pytest.fixture
 def mbox1(example_config):
-    addr = "mailbox1@example.org"
-    mboxdir = example_config.mailboxes_dir.joinpath(addr)
+    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
     mboxdir.mkdir()
     fill_mbox(mboxdir)
-    return MailboxStat(mboxdir, addr, False)
+    return MailboxStat(mboxdir)
 
 
 def test_deltachat_folder(example_config):
     """Test old setups that might have a .DeltaChat folder where messages also need to get removed."""
-    addr = "mailbox1@example.org"
-    mboxdir = example_config.mailboxes_dir.joinpath(addr)
+    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
     mboxdir.mkdir()
     mbox2dir = mboxdir.joinpath(".DeltaChat")
     mbox2dir.mkdir()
     fill_mbox(mbox2dir)
-    mb = MailboxStat(mboxdir, addr, False)
+    mb = MailboxStat(mboxdir)
     assert len(mb.messages) == 2
 
 
@@ -71,11 +69,7 @@ def test_filentry_ordering(tmp_path):
 
 
 def test_no_mailbxoes(tmp_path, capsys):
-    assert [] == list(
-        iter_mailboxes(
-            str(tmp_path.joinpath("notexists")), maxnum=10, tmpfs_index=False
-        )
-    )
+    assert [] == list(iter_mailboxes(str(tmp_path.joinpath("notexists")), maxnum=10))
     out, err = capsys.readouterr()
     assert "no mailboxes" in err
 
@@ -92,13 +86,13 @@ def test_stats_mailbox(mbox1):
 
     create_new_messages(mbox1.basedir, ["large-extra"], size=1000)
     create_new_messages(mbox1.basedir, ["index-something"], size=3)
-    mbox2 = MailboxStat(mbox1.basedir, mbox1.name, False)
+    mbox2 = MailboxStat(mbox1.basedir)
     assert len(mbox2.extrafiles) == 5
     assert mbox2.extrafiles[0].size == 1000
 
     # cope well with mailbox dirs that have no password (for whatever reason)
     Path(mbox1.basedir).joinpath("password").unlink()
-    mbox3 = MailboxStat(mbox1.basedir, mbox1.name, False)
+    mbox3 = MailboxStat(mbox1.basedir)
     assert mbox3.last_login is None
 
 

cmdeploy/src/cmdeploy/deployers.py

@@ -25,11 +25,11 @@ from .basedeploy import (
     configure_remote_units,
     get_resource,
 )
+from .dkim_milter.deployer import DkimMilterDeployer
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
-from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .www import build_webpages, find_merge_conflict, get_paths
 
@@ -141,10 +141,6 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
 
 
 class UnboundDeployer(Deployer):
-    def __init__(self, config):
-        self.config = config
-        self.need_restart = False
-
     def install(self):
         # Run local DNS resolver `unbound`.
         # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -181,27 +177,6 @@ class UnboundDeployer(Deployer):
                 "unbound-anchor -a /var/lib/unbound/root.key || true",
             ],
         )
-        if self.config.disable_ipv6:
-            files.directory(
-                path="/etc/unbound/unbound.conf.d",
-                present=True,
-                user="root",
-                group="root",
-                mode="755",
-            )
-            conf = files.put(
-                src=get_resource("unbound/unbound.conf.j2"),
-                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
-                user="root",
-                group="root",
-                mode="644",
-            )
-        else:
-            conf = files.file(
-                path="/etc/unbound/unbound.conf.d/chatmail.conf",
-                present=False,
-            )
-        self.need_restart |= conf.changed
 
     def activate(self):
         server.shell(
@@ -216,7 +191,6 @@ class UnboundDeployer(Deployer):
             service="unbound.service",
             running=True,
             enabled=True,
-            restarted=self.need_restart,
         )
 
 
@@ -553,8 +527,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         files.line(
             name="Add 9.9.9.9 to resolv.conf",
             path="/etc/resolv.conf",
-            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
-            line="\nnameserver 9.9.9.9",
+            line="nameserver 9.9.9.9",
         )
 
     port_services = [
@@ -592,14 +565,14 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         LegacyRemoveDeployer(),
         FiltermailDeployer(),
         JournaldDeployer(),
-        UnboundDeployer(config),
+        UnboundDeployer(),
         TurnDeployer(mail_domain),
         IrohDeployer(config.enable_iroh_relay),
         AcmetoolDeployer(config.acme_email, tls_domains),
         WebsiteDeployer(config),
         ChatmailVenvDeployer(config),
         MtastsDeployer(),
-        OpendkimDeployer(mail_domain),
+        DkimMilterDeployer(mail_domain),
         # Dovecot should be started before Postfix
         # because it creates authentication socket
         # required by Postfix.

cmdeploy/src/cmdeploy/dkim_milter/deployer.py

@@ -0,0 +1,169 @@
+"""
+Installs DKIM Milter.
+"""
+
+from pyinfra import facts, host
+from pyinfra.facts.files import File, Sha256File
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class DkimMilterDeployer(Deployer):
+    required_users = [("dkim-milter", None, ["dkim-milter"])]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+        self.need_restart = False
+
+    def install(self):
+        """Builds and installs dkim-milter"""
+
+        # openssl is required to generate the signing key
+        apt.packages(
+            name="Install openssl required by DKIM Milter",
+            packages=["openssl"],
+        )
+
+        (url, sha256sum) = {
+            "x86_64": (
+                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-x86_64",
+                "e676837b362ebef461881079e3e1151ed2db2d942d98b7103974921ac69ce5de",
+            ),
+            "aarch64": (
+                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-aarch64",
+                "b853ab85a535b7e7e548ae0e4d85a61d4c0fd44f2912c3439662c56ca8a369e6",
+            ),
+        }[host.get_fact(facts.server.Arch)]
+
+        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/sbin/dkim-milter")
+        if existing_sha256sum != sha256sum:
+            server.shell(
+                name="Download DKIM Milter",
+                commands=[
+                    f"(curl -L {url} >/usr/local/sbin/dkim-milter.new && (echo '{sha256sum} /usr/local/sbin/dkim-milter.new' | sha256sum -c) && mv /usr/local/sbin/dkim-milter.new /usr/local/sbin/dkim-milter)",
+                    "chmod 755 /usr/local/sbin/dkim-milter",
+                ],
+            )
+            self.need_restart = True
+
+    def configure(self):
+        """Configures dkim-milter"""
+
+        domain = self.mail_domain
+        # note - we are using "opendkim" for backward compatibility
+        # for relays that were set up before we migrated from OpenDKIM
+        # to DKIM Milter.
+        selector = "opendkim"
+        signing_key_name = selector
+        # for backward compatibility with opendkim-genkey
+        signing_key_filename = f"{signing_key_name}.private"
+        config_common = {
+            "domain": domain,
+            "selector": selector,
+            "signing_key_name": signing_key_name,
+            "signing_key_filename": signing_key_filename,
+        }
+        config_verify = {
+            **config_common,
+            "mode": "verify",
+            "config_file": "/etc/dkim-milter/dkim-milter-verify.conf",
+            "socket_name": "dkim-milter-verify.sock",
+        }
+        config_sign = {
+            **config_common,
+            "mode": "sign",
+            "config_file": "/etc/dkim-milter/dkim-milter-sign.conf",
+            "socket_name": "dkim-milter-sign.sock",
+        }
+
+        self.need_restart |= files.directory(
+            name="Create a directory for DKIM Milter configs",
+            path="/etc/dkim-milter",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="750",
+            present=True,
+        ).changed
+
+        for config in [config_verify, config_sign]:
+            self.need_restart |= files.template(
+                src=get_resource("dkim_milter/dkim-milter.conf.j2"),
+                dest=config["config_file"],
+                user="dkim-milter",
+                group="dkim-milter",
+                mode="644",
+                config=config,
+            ).changed
+
+        self.need_restart |= files.directory(
+            name="Create dkimkeys directory",
+            path="/etc/dkimkeys",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="750",
+            present=True,
+        ).changed
+
+        self.need_restart |= files.template(
+            src=get_resource("dkim_milter/signing-keys"),
+            dest="/etc/dkim-milter/signing-keys",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="644",
+            config=config_common,
+        ).changed
+
+        self.need_restart |= files.template(
+            src=get_resource("dkim_milter/signing-senders"),
+            dest="/etc/dkim-milter/signing-senders",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="644",
+            config=config_common,
+        ).changed
+
+        self.need_restart |= files.directory(
+            name="Create DKIM Milter unix sockets directory",
+            path="/var/spool/postfix/dkim-milter",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="770",
+        ).changed
+
+        if not host.get_fact(File, f"/etc/dkimkeys/{signing_key_filename}"):
+            server.shell(
+                name=f"Generate DKIM Milter signing key '{signing_key_name}'",
+                commands=[
+                    f"openssl genpkey -algorithm RSA -out /etc/dkimkeys/{signing_key_filename}"
+                ],
+            )
+            self.need_restart = True
+
+        # enforce restrictive permissions for the signing key
+        self.need_restart |= files.file(
+            path=f"/etc/dkimkeys/{signing_key_filename}",
+            present=True,
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="0400",
+        ).changed
+
+        self.need_restart |= files.put(
+            name="Create dkim-milter service",
+            src=get_resource("dkim_milter/dkim-milter@.service"),
+            dest=f"/etc/systemd/system/dkim-milter@.service",
+        ).changed
+
+    def activate(self):
+        """Start and enable DKIM Milter"""
+        for mode in ["sign", "verify"]:
+            systemd.service(
+                name=f"Start and enable DKIM Milter in {mode} mode",
+                service=f"dkim-milter@{mode}",
+                running=True,
+                enabled=True,
+                daemon_reload=self.need_restart,
+                restarted=self.need_restart,
+            )
+            self.need_restart = False

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.conf.j2

@@ -0,0 +1,30 @@
+mode = {{ config.mode }}
+
+{% if config.mode == "verify" %}
+# DKIM milter will skip verification for trusted sources,
+# which in our case is everything, since we run DKIM milter on a reinjection port,
+# and all connections are local.
+# We force verification for local connections by not trusting anyone.
+trusted_networks =
+{% endif %}
+
+log_destination = syslog
+log_level = info
+
+canonicalization = relaxed/simple
+
+lookup_timeout = 60s
+
+signing_keys = /etc/dkim-milter/signing-keys
+signing_senders = /etc/dkim-milter/signing-senders
+
+# Signing
+sign_headers = default; autocrypt:content-type
+oversign_headers = signed-extended
+
+# Verification
+required_signed_headers = From*
+forbid_unsigned_content = yes
+reject_failures = missing, no-pass, author-mismatch
+
+socket = unix:/var/spool/postfix/dkim-milter/{{ config.socket_name }}

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter@.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=DKIM Milter %i
+Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
+After=network-online.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=dkim-milter
+UMask=007
+ExecStart=/usr/local/sbin/dkim-milter -c /etc/dkim-milter/dkim-milter-%i.conf
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

cmdeploy/src/cmdeploy/dkim_milter/signing-keys

@@ -0,0 +1,2 @@
+# Key name                       Signing key
+{{ config.signing_key_name }}    </etc/dkimkeys/{{ config.signing_key_filename }}

cmdeploy/src/cmdeploy/dkim_milter/signing-senders

@@ -0,0 +1,2 @@
+# Sender expression    Domain                 Selector                 Key name
+.{{ config.domain }}   {{ config.domain }}    {{ config.selector }}    {{ config.signing_key_name }}

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -1,7 +1,7 @@
 ## Dovecot configuration file
 
 {% if disable_ipv6 %}
-listen = 0.0.0.0
+listen = *
 {% endif %}
 
 protocols = imap lmtp
@@ -68,11 +68,13 @@ userdb {
 ##
 
 # Mailboxes are stored in the "mail" directory of the vmail user home.
-{% if config.tmpfs_index %}
-mail_location = maildir:{{ config.mailboxes_dir }}/%u:INDEX=/dev/shm/%u
-{% else %}
 mail_location = maildir:{{ config.mailboxes_dir }}/%u
-{% endif %}
+
+# index/cache files are not very useful for chatmail relay operations 
+# but it's not clear how to disable them completely. 
+# According to https://doc.dovecot.org/2.3/settings/advanced/#core_setting-mail_cache_max_size
+# if the cache file becomes larger than the specified size, it is truncated by dovecot 
+mail_cache_max_size = 500K
 
 namespace inbox {
   inbox = yes

cmdeploy/src/cmdeploy/opendkim/KeyTable

@@ -1 +0,0 @@
-{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private

cmdeploy/src/cmdeploy/opendkim/SigningTable

@@ -1 +0,0 @@
-*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}

cmdeploy/src/cmdeploy/opendkim/deployer.py

@@ -1,123 +0,0 @@
-"""
-Installs OpenDKIM
-"""
-
-from pyinfra import host
-from pyinfra.facts.files import File
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class OpendkimDeployer(Deployer):
-    required_users = [("opendkim", None, ["opendkim"])]
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-
-    def install(self):
-        apt.packages(
-            name="apt install opendkim opendkim-tools",
-            packages=["opendkim", "opendkim-tools"],
-        )
-
-    def configure(self):
-        domain = self.mail_domain
-        dkim_selector = "opendkim"
-        """Configures OpenDKIM"""
-        need_restart = False
-
-        main_config = files.template(
-            src=get_resource("opendkim/opendkim.conf"),
-            dest="/etc/opendkim.conf",
-            user="root",
-            group="root",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= main_config.changed
-
-        screen_script = files.put(
-            src=get_resource("opendkim/screen.lua"),
-            dest="/etc/opendkim/screen.lua",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= screen_script.changed
-
-        final_script = files.put(
-            src=get_resource("opendkim/final.lua"),
-            dest="/etc/opendkim/final.lua",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= final_script.changed
-
-        files.directory(
-            name="Add opendkim directory to /etc",
-            path="/etc/opendkim",
-            user="opendkim",
-            group="opendkim",
-            mode="750",
-            present=True,
-        )
-
-        keytable = files.template(
-            src=get_resource("opendkim/KeyTable"),
-            dest="/etc/dkimkeys/KeyTable",
-            user="opendkim",
-            group="opendkim",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= keytable.changed
-
-        signing_table = files.template(
-            src=get_resource("opendkim/SigningTable"),
-            dest="/etc/dkimkeys/SigningTable",
-            user="opendkim",
-            group="opendkim",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= signing_table.changed
-        files.directory(
-            name="Add opendkim socket directory to /var/spool/postfix",
-            path="/var/spool/postfix/opendkim",
-            user="opendkim",
-            group="opendkim",
-            mode="750",
-            present=True,
-        )
-
-        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
-            server.shell(
-                name="Generate OpenDKIM domain keys",
-                commands=[
-                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
-                ],
-                _use_su_login=True,
-                _su_user="opendkim",
-            )
-
-        service_file = files.put(
-            name="Configure opendkim to restart once a day",
-            src=get_resource("opendkim/systemd.conf"),
-            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
-        )
-        need_restart |= service_file.changed
-
-        self.need_restart = need_restart
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable OpenDKIM",
-            service="opendkim.service",
-            running=True,
-            enabled=True,
-            daemon_reload=self.need_restart,
-            restarted=self.need_restart,
-        )
-        self.need_restart = False

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -1,42 +0,0 @@
-mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
-if mtaname == "ORIGINATING" then
-	-- Outgoing message will be signed,
-	-- no need to look for signatures.
-	return nil
-end
-
-nsigs = odkim.get_sigcount(ctx)
-if nsigs == nil then
-	return nil
-end
-
-local valid = false
-local error_msg = "No valid DKIM signature found."
-for i = 1, nsigs do
-	sig = odkim.get_sighandle(ctx, i - 1)
-	sigres = odkim.sig_result(sig)
-
-	-- All signatures that do not correspond to From: 
-	-- were ignored in screen.lua and return sigres -1.
-	-- 
-	-- Any valid signature that was not ignored like this
-	-- means the message is acceptable.
-	if sigres == 0 then
-		valid = true
-    else
-        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
-	end
-end
-
-if valid then
-	-- Strip all DKIM-Signature headers after successful validation
-	-- Delete in reverse order to avoid index shifting.
-	for i = nsigs, 1, -1 do
-		odkim.del_header(ctx, "DKIM-Signature", i)
-	end
-else
-	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
-	odkim.set_result(ctx, SMFIS_REJECT)
-end
-
-return nil

cmdeploy/src/cmdeploy/opendkim/opendkim.conf

@@ -1,73 +0,0 @@
-# OpenDKIM configuration.
-
-Syslog			yes
-SyslogSuccess		yes
-#LogWhy			no
-
-# Common signing and verification parameters. In Debian, the "From" header is
-# oversigned, because it is often the identity key used by reputation systems
-# and thus somewhat security sensitive.
-Canonicalization	relaxed/simple
-OversignHeaders		From
-
-On-BadSignature         reject
-On-KeyNotFound          reject
-On-NoSignature          reject
-DNSTimeout          60
-
-# Signing domain, selector, and key (required). For example, perform signing
-# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
-# using the private key stored in /etc/dkimkeys/example.private. More granular
-# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
-Domain			{{ config.domain_name }}
-Selector		{{ config.opendkim_selector }}
-KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
-KeyTable          /etc/dkimkeys/KeyTable
-SigningTable      refile:/etc/dkimkeys/SigningTable
-
-# Sign Autocrypt header in addition to the default specified in RFC 6376.
-#
-# Default list is here:
-# <https://github.com/trusteddomainproject/OpenDKIM/blob/5c539587561785a66c1f67f720f2fb741f320785/libopendkim/dkim.c#L221-L245>
-SignHeaders *,+autocrypt,+content-type
-
-# Prevent addition of second Content-Type header
-# and other important headers that should not be added
-# after signing the message.
-# See
-# <https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/>
-# and RFC 6376 (page 41) for reference.
-#
-# We don't use "l=" body length so the problem described in RFC 6376
-# is not applicable, but adding e.g. a second "From" header
-# or second "Autocrypt" header is better prevented in any case.
-#
-# Default is empty.
-OversignHeaders from,reply-to,subject,date,to,cc,resent-date,resent-from,resent-sender,resent-to,resent-cc,in-reply-to,references,list-id,list-help,list-unsubscribe,list-subscribe,list-post,list-owner,list-archive,autocrypt
-
-# Script to ignore signatures that do not correspond to the From: domain.
-ScreenPolicyScript /etc/opendkim/screen.lua
-
-# Script to reject mails without a valid DKIM signature.
-FinalPolicyScript /etc/opendkim/final.lua
-
-# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
-# using a local socket with MTAs that access the socket as a non-privileged
-# user (for example, Postfix). You may need to add user "postfix" to group
-# "opendkim" in that case.
-UserID			opendkim
-UMask			007
-
-Socket			local:/var/spool/postfix/opendkim/opendkim.sock
-
-PidFile			/run/opendkim/opendkim.pid
-
-# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
-# by the package dns-root-data.
-TrustAnchorFile		/usr/share/dns/root.key
-
-# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
-MTA ORIGINATING
-
-# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
-InternalHosts -

cmdeploy/src/cmdeploy/opendkim/screen.lua

@@ -1,21 +0,0 @@
--- Ignore signatures that do not correspond to the From: domain.
-
-from_domain = odkim.get_fromdomain(ctx)
-if from_domain == nil then
-	return nil
-end
-
-n = odkim.get_sigcount(ctx)
-if n == nil then
-	return nil
-end
-
-for i = 1, n do
-	sig = odkim.get_sighandle(ctx, i - 1)
-	sig_domain = odkim.sig_getdomain(sig)
-	if from_domain ~= sig_domain then
-		odkim.sig_ignore(sig)
-	end
-end
-
-return nil

cmdeploy/src/cmdeploy/opendkim/systemd.conf

@@ -1,3 +0,0 @@
-[Service]
-Restart=always
-RuntimeMaxSec=1d

cmdeploy/src/cmdeploy/postfix/deployer.py

@@ -4,7 +4,7 @@ from cmdeploy.basedeploy import Deployer, get_resource
 
 
 class PostfixDeployer(Deployer):
-    required_users = [("postfix", None, ["opendkim"])]
+    required_users = [("postfix", None, ["dkim-milter"])]
     daemon_reload = False
 
     def __init__(self, config, disable_mail):

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -64,11 +64,7 @@ alias_database = hash:/etc/aliases
 mydestination =
 
 relayhost = 
-{% if disable_ipv6 %}
-mynetworks = 127.0.0.0/8
-{% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-{% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -80,13 +80,13 @@ filter    unix -        n       n       -       -       lmtp
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject
   -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_milters=unix:opendkim/opendkim.sock
+  -o smtpd_milters=unix:dkim-milter/dkim-milter-sign.sock
   -o cleanup_service_name=authclean
 
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject_incoming
-  -o smtpd_milters=unix:opendkim/opendkim.sock
+  -o smtpd_milters=unix:dkim-milter/dkim-milter-verify.sock
 
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,4 +1,3 @@
-import datetime
 import smtplib
 import socket
 import subprocess
@@ -58,15 +57,6 @@ class TestSSHExecutor:
         else:
             pytest.fail("didn't raise exception")
 
-    def test_opendkim_restarted(self, sshexec):
-        """check that opendkim is not running for longer than a day."""
-        cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
-        out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
-        datestring = out.split("=")[1]
-        since_date = datetime.datetime.strptime(datestring, "%a %Y-%m-%d %H:%M:%S %Z")
-        now = datetime.datetime.now(since_date.tzinfo)
-        assert (now - since_date).total_seconds() < 60 * 60 * 51
-
 
 def test_timezone_env(remote):
     for line in remote.iter_output("env"):
@@ -146,7 +136,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
     conn.starttls()
 
     with conn as s:
-        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
+        with pytest.raises(smtplib.SMTPDataError, match="No DKIM signature found"):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 

cmdeploy/src/cmdeploy/tests/online/test_3_status.py

@@ -24,7 +24,7 @@ def test_status_cmd(chatmail_config, capsys, request):
         "filtermail",
         "lastlogin",
         "nginx",
-        "opendkim",
+        "dkim-milter",
         "postfix@-",
         "systemd-journald",
         "turnserver",

cmdeploy/src/cmdeploy/unbound/unbound.conf.j2

@@ -1,4 +0,0 @@
-# Managed by cmdeploy: disable IPv6 in unbound.
-server:
-  interface: 127.0.0.1
-  do-ip6: no

doc/source/migrate.rst

@@ -72,7 +72,7 @@ in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
 
        ssh root@$NEW_IP4
        chown root: -R /var/lib/acme
-       chown opendkim: -R /etc/dkimkeys
+       chown dkim-milter: -R /etc/dkimkeys
        chown vmail: -R /home/vmail/mail
 
 

doc/source/overview.rst

@@ -52,7 +52,7 @@ The deployed system components of a chatmail relay are:
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
    certificates for Dovecot, Postfix, and Nginx
 
--  `OpenDKIM <http://www.opendkim.org/>`_ for signing messages with
+-  `DKIM Milter <https://github.com/chatmail/dkim-milter>`_ for signing messages with
    DKIM and rejecting inbound messages without DKIM
 
 -  `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
@@ -268,12 +268,10 @@ Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
-by OpenDKIM screen policy script before validating the signatures. This
+by dkim-milter ``reject_failures = author-mismatch `` policy. This
 corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
-After validating the DKIM signature,
-the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.
 
 Note that chatmail relays