From 4bb27992d8606151ddb1f84a248ea5dc6256f3dc Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 6 Jan 2026 23:21:08 +0100 Subject: [PATCH] install_opendkim.sh: adjust konfiguration. --- install_opendkim.sh | 183 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 159 insertions(+), 24 deletions(-) diff --git a/install_opendkim.sh b/install_opendkim.sh index b1e2adf..4b67c67 100755 --- a/install_opendkim.sh +++ b/install_opendkim.sh @@ -206,73 +206,208 @@ else cat < $opendkim_conf_file 2> $log_file # Datei $opendkim_conf_file +# AuthservID (string) +# # Sets the "authserv-id" to use when generating the Authentication-Results: # header field after verifying a message. The default is to use the name of # the MTA processing the message. If the string "HOSTNAME" is provided, the # name of the host running the filter (as returned by the gethostname(3) # function) will be used. -AuthservID "DKIM check $(hostname -f)" +AuthservID HOSTNAME +# Mode (string) +# # OpenDKIM agiert als Mail Filter (= Milter) in den # Modi signer (s) und verifier (v) und verwendet eine # Socket-Datei zur Kommunikation (alternativ: lokaler Port) Mode sv +# Socket (string) +# +# Specifies the socket that should be established by the filter to receive +# connections from sendmail(8) in order to provide service. socketspec is +# in one of two forms: local:path, which creates a UNIX domain socket at +# the specified path, or inet:port[@host] or inet6:port[@host] which +# creates a TCP socket on the specified port and in the specified protocol +# family. If the host is not given as either a hostname or an IP address, +# the socket will be listening on all interfaces. A literal IP address must +# be enclosed in square brackets. This option is mandatory either in the +# configuration file or on the command line. +# # Socket local:/var/run/opendkim/opendkim.sock # Socket local:$opendkim_socket_file # Socket inet:12345@localhost Socket local:$opendkim_socket_file -# OpenDKIM verwendet diesen Benutzer bzw. -# diese Gruppe +# UserID (string) +# +# Attempts to become the specified userid before starting operations. The +# value is of the form userid[:group]. The process will be assigned all of +# the groups and primary group ID of the named userid unless an alternate +# group is specified. UserID opendkim:opendkim + +# UMask (integer) +# +#Requests a specific permissions mask to be used for file creation. This +# only really applies to creation of the socket when Socket specifies a UNIX +# domain socket, and to the PidFile (if any); temporary files are created by +# the mkstemp(3) function that enforces a specific file mode on creation +# regardless of the process umask. See umask(2) for more information. +# UMask 002 + +# PidFile (string) +# +# Specifies the path to a file that should be created at process start +# containing the process ID. PidFile /var/run/opendkim/opendkim.pid -# OpenDKIM bei Problemen neustarten, -# aber max. 10 mal pro Stunde +# AutoRestart (Boolean) +# +# Automatically re-start on failures. Use with caution; if the filter fails +# instantly after it starts, this can cause a tight fork(2) loop. AutoRestart yes + +# AutoRestartRate (string) +# +# Sets the maximum automatic restart rate. If the filter begins restarting +# faster than the rate defined here, it will give up and terminate. This is +# a string of the form n/t[u] where n is an integer limiting the count of +# restarts in the given interval and t[u] defines the time interval through +# which the rate is calculated; t is an integer and u defines the units thus +# represented ("s" or "S" for seconds, the default; "m" or "M" for minutes; +# "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h" +# limits the restarts to 10 in one hour. There is no default, meaning restart +# rate is not limited. AutoRestartRate 10/1h -# Logging (wenn alles funktioniert eventuell reduzieren) +# Syslog (Boolean) +# +# Log via calls to syslog(3) any interesting activity. Syslog yes + +# SyslogSuccess (Boolean) +# +# Log via calls to syslog(3) additional entries indicating successful signing +# or verification of messages. SyslogSuccess yes + +# LogWhy (boolean) +# +# If logging is enabled (see Syslog below), issues very detailed logging +# about the logic behind the filter’s decision to either sign a message or +# verify it. The logic behind the decision is non-trivial and can be confusing +# to administrators not familiar with its operation. A description of how the +# decision is made can be found in the OPERATIONS section of the opendkim(8) +# man page. This causes a large increase in the amount of log data generated +# for each message, so it should be limited to debugging use and not enabled +# for general operation. LogWhy yes # Verfahren, wie Header und Body durch # OpenDKIM verarbeitet werden sollen. Canonicalization relaxed/simple -# interne Mails nicht mit OpenDKIM verarbeiten +# ExternalIgnoreList (dataset) +# +# Identifies a set of "external" hosts that may send mail through the server +# as one of the signing domains without credentials as such. This has the +# effect of suppressing the "external host (hostname) tried to send mail as +# (domain)" log messages. Entries in the data set should be of the same form +# as those of the PeerList option below. The set is empty by default. ExternalIgnoreList refile:${opendkim_base_dir}/trusted + +# InternalHosts (dataset) +# +# Identifies a set internal hosts whose mail should be signed rather than +# verified. Entries in this data set follow the same form as those of the +# PeerList option below. If not specified, the default of "127.0.0.1" is applied. +# Naturally, providing a value here overrides the default, so if mail from +# 127.0.0.1 should be signed, the list provided here should include that address +# explicitly. InternalHosts refile:${opendkim_base_dir}/trusted -# welche Verschlüsselungs-Keys sollen für welche -# Domains verwendet werden -# (refile: für Dateien mit regulären Ausdrücke) +# SigningTable (dataset) +# +# Defines a table used to select one or more signatures to apply to a message +# based on the address found in the From: header field. Keys in this table vary +# depending on the type of table used; values in this data set should include +# one field that contains a name found in the KeyTable (see above) that +# identifies which key should be used in generating the signature, and an +# optional second field naming the signer of the message that will be included +# in the "i=" tag in the generated signature. Note that the "i=" value will not +# be included in the signature if it conflicts with the signing domain +# (the "d=" value). +# +# If the first field contains only a "%" character, it will be replaced by the +# domain found in the From: header field. Similarly, within the optional second +# field, any "%" character will be replaced by the domain found in the From: +# header field. +# +# If this table specifies a regular expression file ("refile"), then the keys are +# wildcard patterns that are matched against the address found in the From: +# header field. Entries are checked in the order in which they appear in the file. +# +# For all other database types, the full user@host is checked first, then simply +# host, then user@.domain (with all superdomains checked in sequence, so +# "foo.example.com" would first check "user@foo.example.com", then "user@.example.com", +# then "user@.com"), then .domain, then user@*, and finally *. SigningTable refile:${opendkim_base_dir}/signing.table + +# KeyTable (dataset) +# +# Gives the location of a file mapping key names to signing keys. If present, +# overrides any KeyFile setting in the configuration file. The data set named here +# maps each key name to three values: (a) the name of the domain to use in the +# signature's "d=" value; (b) the name of the selector to use in the signature's +# "s=" value; and (c) either a private key or a path to a file containing a private +# key. If the first value consists solely of a percent sign ("%") character, it +# will be replaced by the apparent domain of the sender when generating a signature. +# If the third value starts with a slash ("/") character, or "./" or "../", then it +# is presumed to refer to a file from which the private key should be read, otherwise +# it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%" +# in the third value in this case will be replaced by the apparent domain name of +# the sender. The SigningTable (see below) is used to select records from this table +# to be used to add signatures based on the message sender. KeyTable ${opendkim_base_dir}/key.table -# diesen Signatur-Algorithmus verwenden +# SignatureAlgorithm (string) +# +# Selects the signing algorithm to use when generating signatures. Use 'opendkim -V' +# to see the list of supported algorithms. The default is rsa-sha256 if it is +# available, otherwise it will be rsa-sha1. SignatureAlgorithm rsa-sha256 -# Always oversign From (sign using actual From and a null From to prevent -# malicious signatures header fields (From and/or others) between the signer -# and the verifier. From is oversigned by default in the Debian pacakge -# because it is often the identity key used by reputation systems and thus -# somewhat security sensitive. +# OversignHeaders (dataset) +# +# Specifies a set of header fields that should be included in all signature header +# lists (the "h=" tag) once more than the number of times they were actually present +# in the signed message. The set is empty by default. The purpose of this, and +# especially of listing an absent header field, is to prevent the addition of +# important fields between the signer and the verifier. Since the verifier would +# include that header field when performing verification if it had been added by an +# intermediary, the signed message and the verified message were different and the +# verification would fail. Note that listing a field name here and not listing it in +# the SignHeaders list is likely to generate invalid signatures. OversignHeaders From +# AlwaysAddARHeader (Boolean) +# # Add an "Authentication-Results:" header field even to unsigned messages # from domains with no "signs all" policy. The reported DKIM result will be # "none" in such cases. Normally unsigned mail from non-strict domains does # not cause the results header field to be added. AlwaysAddARHeader yes +# Background (Boolean) +# # Causes opendkim to fork and exits immediately, leaving the service running # in the background. The default is "true". Background yes +# DNSTimeout (integer) +# # Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The # default is 5. Ignored if not using an asynchronous resolver package. See # also the NOTES section below. @@ -301,8 +436,8 @@ else fi -# - Create the directories to hold OpenDKIM’s data files, assign -# - ownership to the opendkim user, and restrict the file +# - Create the directories to hold OpenDKIM’s data files, assign +# - ownership to the opendkim user, and restrict the file # - permissions: # - echononl " Create directory '$opendkim_base_dir'" @@ -403,7 +538,7 @@ EOF fi -# - Create the OpenDKIM socket directory in Postfix’s work area +# - Create the OpenDKIM socket directory in Postfix’s work area # - and make sure it has the correct ownership: # - echononl " Create the OpenDKIM socket directory in Postfix’s work area.." @@ -462,7 +597,7 @@ EOF fi -# - Edit /etc/postfix/main.cf and add a section to activate +# - Edit /etc/postfix/main.cf and add a section to activate # - processing of e-mail through the OpenDKIM daemon: # - backup_date="$(date +%Y-%m-%d-%H%M)" @@ -554,15 +689,15 @@ fi # - Prevent Postfix from setting the DKIM Header twice (one befor # - and one after processing amavis # - -# - To disable milter processing after amavis, add to your master.cf in +# - To disable milter processing after amavis, add to your master.cf in # - the after-amavis section: # - 127.0.0.1:10025 inet n - - - - smtpd # - [...] # - -o smtpd_milters= # - # - If you want to run the milter after amavis, set in main.cf -# - smtpd_milters= -# - to an empty string and add the smtpd_milters configuration to master.cf +# - smtpd_milters= +# - to an empty string and add the smtpd_milters configuration to master.cf # - (after-section amavis) instead: # - -o smtpd_milters=local:/opendkim/opendkim.sock # - @@ -629,7 +764,7 @@ rm -f $tmp_master_file echo "" # - Restart OpenDKIM -# - +# - echononl " Restart OpenDKIM.." if $opendkim_needs_restart ; then if $SYSTEMD_EXISTS ; then