install_opendkim.sh: adjust konfiguration.
This commit is contained in:
@@ -206,73 +206,208 @@ else
|
||||
cat <<EOF > $opendkim_conf_file 2> $log_file
|
||||
# Datei $opendkim_conf_file
|
||||
|
||||
# AuthservID (string)
|
||||
#
|
||||
# Sets the "authserv-id" to use when generating the Authentication-Results:
|
||||
# header field after verifying a message. The default is to use the name of
|
||||
# the MTA processing the message. If the string "HOSTNAME" is provided, the
|
||||
# name of the host running the filter (as returned by the gethostname(3)
|
||||
# function) will be used.
|
||||
AuthservID "DKIM check $(hostname -f)"
|
||||
AuthservID HOSTNAME
|
||||
|
||||
# Mode (string)
|
||||
#
|
||||
# OpenDKIM agiert als Mail Filter (= Milter) in den
|
||||
# Modi signer (s) und verifier (v) und verwendet eine
|
||||
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
|
||||
Mode sv
|
||||
|
||||
# Socket (string)
|
||||
#
|
||||
# Specifies the socket that should be established by the filter to receive
|
||||
# connections from sendmail(8) in order to provide service. socketspec is
|
||||
# in one of two forms: local:path, which creates a UNIX domain socket at
|
||||
# the specified path, or inet:port[@host] or inet6:port[@host] which
|
||||
# creates a TCP socket on the specified port and in the specified protocol
|
||||
# family. If the host is not given as either a hostname or an IP address,
|
||||
# the socket will be listening on all interfaces. A literal IP address must
|
||||
# be enclosed in square brackets. This option is mandatory either in the
|
||||
# configuration file or on the command line.
|
||||
#
|
||||
# Socket local:/var/run/opendkim/opendkim.sock
|
||||
# Socket local:$opendkim_socket_file
|
||||
# Socket inet:12345@localhost
|
||||
Socket local:$opendkim_socket_file
|
||||
|
||||
# OpenDKIM verwendet diesen Benutzer bzw.
|
||||
# diese Gruppe
|
||||
# UserID (string)
|
||||
#
|
||||
# Attempts to become the specified userid before starting operations. The
|
||||
# value is of the form userid[:group]. The process will be assigned all of
|
||||
# the groups and primary group ID of the named userid unless an alternate
|
||||
# group is specified.
|
||||
UserID opendkim:opendkim
|
||||
|
||||
# UMask (integer)
|
||||
#
|
||||
#Requests a specific permissions mask to be used for file creation. This
|
||||
# only really applies to creation of the socket when Socket specifies a UNIX
|
||||
# domain socket, and to the PidFile (if any); temporary files are created by
|
||||
# the mkstemp(3) function that enforces a specific file mode on creation
|
||||
# regardless of the process umask. See umask(2) for more information.
|
||||
#
|
||||
UMask 002
|
||||
|
||||
# PidFile (string)
|
||||
#
|
||||
# Specifies the path to a file that should be created at process start
|
||||
# containing the process ID.
|
||||
PidFile /var/run/opendkim/opendkim.pid
|
||||
|
||||
# OpenDKIM bei Problemen neustarten,
|
||||
# aber max. 10 mal pro Stunde
|
||||
# AutoRestart (Boolean)
|
||||
#
|
||||
# Automatically re-start on failures. Use with caution; if the filter fails
|
||||
# instantly after it starts, this can cause a tight fork(2) loop.
|
||||
AutoRestart yes
|
||||
|
||||
# AutoRestartRate (string)
|
||||
#
|
||||
# Sets the maximum automatic restart rate. If the filter begins restarting
|
||||
# faster than the rate defined here, it will give up and terminate. This is
|
||||
# a string of the form n/t[u] where n is an integer limiting the count of
|
||||
# restarts in the given interval and t[u] defines the time interval through
|
||||
# which the rate is calculated; t is an integer and u defines the units thus
|
||||
# represented ("s" or "S" for seconds, the default; "m" or "M" for minutes;
|
||||
# "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h"
|
||||
# limits the restarts to 10 in one hour. There is no default, meaning restart
|
||||
# rate is not limited.
|
||||
AutoRestartRate 10/1h
|
||||
|
||||
# Logging (wenn alles funktioniert eventuell reduzieren)
|
||||
# Syslog (Boolean)
|
||||
#
|
||||
# Log via calls to syslog(3) any interesting activity.
|
||||
Syslog yes
|
||||
|
||||
# SyslogSuccess (Boolean)
|
||||
#
|
||||
# Log via calls to syslog(3) additional entries indicating successful signing
|
||||
# or verification of messages.
|
||||
SyslogSuccess yes
|
||||
|
||||
# LogWhy (boolean)
|
||||
#
|
||||
# If logging is enabled (see Syslog below), issues very detailed logging
|
||||
# about the logic behind the filter’s decision to either sign a message or
|
||||
# verify it. The logic behind the decision is non-trivial and can be confusing
|
||||
# to administrators not familiar with its operation. A description of how the
|
||||
# decision is made can be found in the OPERATIONS section of the opendkim(8)
|
||||
# man page. This causes a large increase in the amount of log data generated
|
||||
# for each message, so it should be limited to debugging use and not enabled
|
||||
# for general operation.
|
||||
LogWhy yes
|
||||
|
||||
# Verfahren, wie Header und Body durch
|
||||
# OpenDKIM verarbeitet werden sollen.
|
||||
Canonicalization relaxed/simple
|
||||
|
||||
# interne Mails nicht mit OpenDKIM verarbeiten
|
||||
# ExternalIgnoreList (dataset)
|
||||
#
|
||||
# Identifies a set of "external" hosts that may send mail through the server
|
||||
# as one of the signing domains without credentials as such. This has the
|
||||
# effect of suppressing the "external host (hostname) tried to send mail as
|
||||
# (domain)" log messages. Entries in the data set should be of the same form
|
||||
# as those of the PeerList option below. The set is empty by default.
|
||||
ExternalIgnoreList refile:${opendkim_base_dir}/trusted
|
||||
|
||||
# InternalHosts (dataset)
|
||||
#
|
||||
# Identifies a set internal hosts whose mail should be signed rather than
|
||||
# verified. Entries in this data set follow the same form as those of the
|
||||
# PeerList option below. If not specified, the default of "127.0.0.1" is applied.
|
||||
# Naturally, providing a value here overrides the default, so if mail from
|
||||
# 127.0.0.1 should be signed, the list provided here should include that address
|
||||
# explicitly.
|
||||
InternalHosts refile:${opendkim_base_dir}/trusted
|
||||
|
||||
# welche Verschlüsselungs-Keys sollen für welche
|
||||
# Domains verwendet werden
|
||||
# (refile: für Dateien mit regulären Ausdrücke)
|
||||
# SigningTable (dataset)
|
||||
#
|
||||
# Defines a table used to select one or more signatures to apply to a message
|
||||
# based on the address found in the From: header field. Keys in this table vary
|
||||
# depending on the type of table used; values in this data set should include
|
||||
# one field that contains a name found in the KeyTable (see above) that
|
||||
# identifies which key should be used in generating the signature, and an
|
||||
# optional second field naming the signer of the message that will be included
|
||||
# in the "i=" tag in the generated signature. Note that the "i=" value will not
|
||||
# be included in the signature if it conflicts with the signing domain
|
||||
# (the "d=" value).
|
||||
#
|
||||
# If the first field contains only a "%" character, it will be replaced by the
|
||||
# domain found in the From: header field. Similarly, within the optional second
|
||||
# field, any "%" character will be replaced by the domain found in the From:
|
||||
# header field.
|
||||
#
|
||||
# If this table specifies a regular expression file ("refile"), then the keys are
|
||||
# wildcard patterns that are matched against the address found in the From:
|
||||
# header field. Entries are checked in the order in which they appear in the file.
|
||||
#
|
||||
# For all other database types, the full user@host is checked first, then simply
|
||||
# host, then user@.domain (with all superdomains checked in sequence, so
|
||||
# "foo.example.com" would first check "user@foo.example.com", then "user@.example.com",
|
||||
# then "user@.com"), then .domain, then user@*, and finally *.
|
||||
SigningTable refile:${opendkim_base_dir}/signing.table
|
||||
|
||||
# KeyTable (dataset)
|
||||
#
|
||||
# Gives the location of a file mapping key names to signing keys. If present,
|
||||
# overrides any KeyFile setting in the configuration file. The data set named here
|
||||
# maps each key name to three values: (a) the name of the domain to use in the
|
||||
# signature's "d=" value; (b) the name of the selector to use in the signature's
|
||||
# "s=" value; and (c) either a private key or a path to a file containing a private
|
||||
# key. If the first value consists solely of a percent sign ("%") character, it
|
||||
# will be replaced by the apparent domain of the sender when generating a signature.
|
||||
# If the third value starts with a slash ("/") character, or "./" or "../", then it
|
||||
# is presumed to refer to a file from which the private key should be read, otherwise
|
||||
# it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%"
|
||||
# in the third value in this case will be replaced by the apparent domain name of
|
||||
# the sender. The SigningTable (see below) is used to select records from this table
|
||||
# to be used to add signatures based on the message sender.
|
||||
KeyTable ${opendkim_base_dir}/key.table
|
||||
|
||||
# diesen Signatur-Algorithmus verwenden
|
||||
# SignatureAlgorithm (string)
|
||||
#
|
||||
# Selects the signing algorithm to use when generating signatures. Use 'opendkim -V'
|
||||
# to see the list of supported algorithms. The default is rsa-sha256 if it is
|
||||
# available, otherwise it will be rsa-sha1.
|
||||
SignatureAlgorithm rsa-sha256
|
||||
|
||||
# Always oversign From (sign using actual From and a null From to prevent
|
||||
# malicious signatures header fields (From and/or others) between the signer
|
||||
# and the verifier. From is oversigned by default in the Debian pacakge
|
||||
# because it is often the identity key used by reputation systems and thus
|
||||
# somewhat security sensitive.
|
||||
# OversignHeaders (dataset)
|
||||
#
|
||||
# Specifies a set of header fields that should be included in all signature header
|
||||
# lists (the "h=" tag) once more than the number of times they were actually present
|
||||
# in the signed message. The set is empty by default. The purpose of this, and
|
||||
# especially of listing an absent header field, is to prevent the addition of
|
||||
# important fields between the signer and the verifier. Since the verifier would
|
||||
# include that header field when performing verification if it had been added by an
|
||||
# intermediary, the signed message and the verified message were different and the
|
||||
# verification would fail. Note that listing a field name here and not listing it in
|
||||
# the SignHeaders list is likely to generate invalid signatures.
|
||||
OversignHeaders From
|
||||
|
||||
# AlwaysAddARHeader (Boolean)
|
||||
#
|
||||
# Add an "Authentication-Results:" header field even to unsigned messages
|
||||
# from domains with no "signs all" policy. The reported DKIM result will be
|
||||
# "none" in such cases. Normally unsigned mail from non-strict domains does
|
||||
# not cause the results header field to be added.
|
||||
AlwaysAddARHeader yes
|
||||
|
||||
# Background (Boolean)
|
||||
#
|
||||
# Causes opendkim to fork and exits immediately, leaving the service running
|
||||
# in the background. The default is "true".
|
||||
Background yes
|
||||
|
||||
# DNSTimeout (integer)
|
||||
#
|
||||
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
|
||||
# default is 5. Ignored if not using an asynchronous resolver package. See
|
||||
# also the NOTES section below.
|
||||
@@ -301,8 +436,8 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# - Create the directories to hold OpenDKIM’s data files, assign
|
||||
# - ownership to the opendkim user, and restrict the file
|
||||
# - Create the directories to hold OpenDKIM’s data files, assign
|
||||
# - ownership to the opendkim user, and restrict the file
|
||||
# - permissions:
|
||||
# -
|
||||
echononl " Create directory '$opendkim_base_dir'"
|
||||
@@ -403,7 +538,7 @@ EOF
|
||||
fi
|
||||
|
||||
|
||||
# - Create the OpenDKIM socket directory in Postfix’s work area
|
||||
# - Create the OpenDKIM socket directory in Postfix’s work area
|
||||
# - and make sure it has the correct ownership:
|
||||
# -
|
||||
echononl " Create the OpenDKIM socket directory in Postfix’s work area.."
|
||||
@@ -462,7 +597,7 @@ EOF
|
||||
fi
|
||||
|
||||
|
||||
# - Edit /etc/postfix/main.cf and add a section to activate
|
||||
# - Edit /etc/postfix/main.cf and add a section to activate
|
||||
# - processing of e-mail through the OpenDKIM daemon:
|
||||
# -
|
||||
backup_date="$(date +%Y-%m-%d-%H%M)"
|
||||
@@ -554,15 +689,15 @@ fi
|
||||
# - Prevent Postfix from setting the DKIM Header twice (one befor
|
||||
# - and one after processing amavis
|
||||
# -
|
||||
# - To disable milter processing after amavis, add to your master.cf in
|
||||
# - To disable milter processing after amavis, add to your master.cf in
|
||||
# - the after-amavis section:
|
||||
# - 127.0.0.1:10025 inet n - - - - smtpd
|
||||
# - [...]
|
||||
# - -o smtpd_milters=
|
||||
# -
|
||||
# - If you want to run the milter after amavis, set in main.cf
|
||||
# - smtpd_milters=
|
||||
# - to an empty string and add the smtpd_milters configuration to master.cf
|
||||
# - smtpd_milters=
|
||||
# - to an empty string and add the smtpd_milters configuration to master.cf
|
||||
# - (after-section amavis) instead:
|
||||
# - -o smtpd_milters=local:/opendkim/opendkim.sock
|
||||
# -
|
||||
@@ -629,7 +764,7 @@ rm -f $tmp_master_file
|
||||
echo ""
|
||||
|
||||
# - Restart OpenDKIM
|
||||
# -
|
||||
# -
|
||||
echononl " Restart OpenDKIM.."
|
||||
if $opendkim_needs_restart ; then
|
||||
if $SYSTEMD_EXISTS ; then
|
||||
|
||||
Reference in New Issue
Block a user