Ajout d'OpenDKIM aux trois MX publics

2015-10-01 21:56:08 +02:00 · 2015-10-01 21:56:08 +02:00 · 116e36c232
commit 116e36c232
parent 75433020b7
12 changed files with 120 additions and 0 deletions
--- a/Bundler/dkim.xml
+++ b/Bundler/dkim.xml
@ -0,0 +1,13 @@
+<Bundle name="dkim" version="2.0">
+    <Package name="opendkim"/>
+
+    <Service name="opendkim"/>
+
+    <Path name="/etc/opendkim/opendkim.conf"/>
+    <Path name="/etc/opendkim/KeyTable"/>
+    <Path name="/etc/opendkim/SigningTable"/>
+    <Path name="/etc/opendkim/TrustedHosts"/>
+
+    <Path type="directory" name="/etc/opendkim/"/>
+    <Path type="directory" name="/etc/opendkim/keys"/>
+</Bundle>
--- a/Cfg/etc/opendkim.conf/info.xml
+++ b/Cfg/etc/opendkim.conf/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='opendkim' group='opendkim' mode='0644'/>
+</FileInfo>
--- a/Cfg/etc/opendkim.conf/opendkim.conf
+++ b/Cfg/etc/opendkim.conf/opendkim.conf
@ -0,0 +1,51 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+AutoRestart             Yes
+AutoRestartRate         10/1h
+
+# Log to syslog
+Syslog          yes
+SyslogSuccess           Yes
+LogWhy                  Yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask           002
+
+# Sign for example.com with key in /etc/mail/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain         example.com
+#KeyFile        /etc/mail/dkim.key
+#Selector       2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization    relaxed/simple
+
+ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
+InternalHosts           refile:/etc/opendkim/TrustedHosts
+KeyTable                refile:/etc/opendkim/KeyTable
+SigningTable            refile:/etc/opendkim/SigningTable
+
+Mode            sv
+#SubDomains     no
+#ADSPDiscard        no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders     From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains        example.com
+
+PidFile                 /var/run/opendkim/opendkim.pid
+SignatureAlgorithm      rsa-sha256
+
+UserID                  opendkim:opendkim
+
+Socket                  inet:12301@localhost
--- a/Cfg/etc/opendkim/KeyTable/KeyTable
+++ b/Cfg/etc/opendkim/KeyTable/KeyTable
@ -0,0 +1 @@
+mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private
--- a/Cfg/etc/opendkim/KeyTable/info.xml
+++ b/Cfg/etc/opendkim/KeyTable/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='opendkim' group='opendkim' mode='0644'/>
+</FileInfo>
--- a/Cfg/etc/opendkim/SigningTable/SigningTable
+++ b/Cfg/etc/opendkim/SigningTable/SigningTable
@ -0,0 +1,2 @@
+*@crans.org mail._domainkey.crans.org
+*@crans.eu  mail._domainkey.crans.org
--- a/Cfg/etc/opendkim/SigningTable/info.xml
+++ b/Cfg/etc/opendkim/SigningTable/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='opendkim' group='opendkim' mode='0644'/>
+</FileInfo>
--- a/Cfg/etc/opendkim/TrustedHosts/TrustedHosts
+++ b/Cfg/etc/opendkim/TrustedHosts/TrustedHosts
@ -0,0 +1,11 @@
+127.0.0.1
+localhost
+
+138.231.136.0/21
+138.231.144.0/21
+10.231.136.0/24
+10.2.9.0/24
+
+*.crans.org
+*.crans.fr
+*.crans.eu
--- a/Cfg/etc/opendkim/TrustedHosts/info.xml
+++ b/Cfg/etc/opendkim/TrustedHosts/info.xml
@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='opendkim' group='opendkim' mode='0644'/>
+</FileInfo>
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@ -1131,6 +1131,11 @@
  <Group name="mail-mx-public">
    <!-- serveur MX publique (principal ou secondaire mais pas interne) -->
    <Group name="greylisting"/>
+    <Group name="dkim"/>
+  </Group>
+
+  <Group name="dkim">
+    <Bundle name="dkim"/>
  </Group>

  <!-- *** Base de donnee  *** -->
--- a/Python/etc/postfix/main.cf
+++ b/Python/etc/postfix/main.cf
@ -275,6 +275,15 @@ if mx:
    @slow_destination_recipient_limit = 20
    @slow_destination_concurrency_limit = 2

+    if has("dkim"):
+        @
+        @# Filtrage mail
+        @milter_protocol = 2
+        @milter_default_action = accept
+        @smtpd_milters = inet:localhost:12301
+        @non_smtpd_milters = inet:localhost:12301
+        @
+
    if not secondary:
        @# +----------------------+
        @# | Connexion de secours |
--- a/Rules/dkim.xml
+++ b/Rules/dkim.xml
@ -0,0 +1,16 @@
+<!-- Règles concernant postfix //-->
+<Rules priority="1">
+    <Service type="deb" name="opendkim" status="on"/>
+
+    <Path name="/etc/opendkim/opendkim.conf"/>
+    <Path name="/etc/opendkim/KeyTable"/>
+    <Path name="/etc/opendkim/SigningTable"/>
+    <Path name="/etc/opendkim/TrustedHosts"/>
+
+    <Path type="directory" name="/etc/opendkim/" owner="dkim" group="dkim" mode="0775"/>
+    <Path type="directory" name="/etc/opendkim/keys" owner="dkim" group="dkim" mode="0750"/>
+
+    <Action name="dkim-echo" timing="post"
+        when="modified" status="check"
+        command="bash -c 'echo Vous devez mettre en place la clef publique et la clef privée pour opendkim. Pensez à les chmod/chown correctement, et n'oubliez pas de vérifier que tout est bon côté DNS. Appuyez sur entree quand vous avez fini. && read'"/>
+</Rules>
				`@ -0,0 +1 @@`
				`mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private`