Fix errors handling DKIM signatures and DMARC proofs.

install_amavis.sh

@@ -5116,6 +5116,8 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
 smtp      inet  n       -       y       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o content_filter=
+   -o smtpd_milters=
+   -o non_smtpd_milters=
 EOF
       if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
          cat >> $postfix_master_cf << EOF

install_opendkim.sh

@@ -14,6 +14,8 @@ echo -e "\n   \033[32mStart Installation of OpenDKIM..\033[m"
 
 log_file="$(mktemp)"
 
+backup_date="$(date +%Y-%m-%d-%H%M)"
+
 _opendkim_packages="opendkim opendkim-tools"
 
 opendkim_base_dir="/etc/opendkim"
@@ -28,6 +30,7 @@ opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock"
 postfix_needs_restart=false
 opendkim_needs_restart=false
 
+
 # -------------
 # --- Some functions
 # -------------
@@ -175,6 +178,18 @@ else
    echo_skipped
 fi
 
+echononl "   Backup existing file '${opendkim_conf_file}'.."
+if [[ -f "${opendkim_conf_file}" ]] ; then
+   mv "${opendkim_conf_file}" "${opendkim_conf_file}.${backup_date}"
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
 
 # - Create OpenDKIM configuration
 # -
@@ -200,6 +215,7 @@ AuthservID              "DKIM check $(hostname -f)"
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
 Mode                    sv
+
 # Socket                local:/var/run/opendkim/opendkim.sock
 # Socket                local:$opendkim_socket_file
 # Socket                inet:12345@localhost
@@ -544,7 +560,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
       _found=false
    fi
 
-   if echo "$_line" | grep -i -q -E "^\s*(127.0.0.1|localhost):10025\s+inet\s+" 2> /dev/null ; then
+   if echo "$_line" | grep -i -q -E "^\s*(submission|smtps)\s+inet\s+" 2> /dev/null ; then
       _found=true
    fi
 

install_opendmarc.sh

@@ -3,6 +3,7 @@
 clear
 echo -e "\n   \033[32mStart Installation of OpenDMARC..\033[m"
 
+overwrite_config_files=true
 
 
 # -------------
@@ -23,13 +24,15 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|DMARC check $(hostname -f)
+   AuthservID|$(hostname -f)
+   TrustedAuthservIDs|$(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
    SyslogFacility|mail
    TrustedAuthservIDs|$(hostname -f)
-   IgnoreHosts|/etc/opendmarc/ignore.hosts
+   IgnoreHosts|${opendmarc_base_dir}/ignore.hosts
+   IgnoreMailFrom|${opendmarc_base_dir}/ignore.mailfrom
    IgnoreAuthenticatedClients|true
    RequiredHeaders|false
    UMask|002
@@ -194,6 +197,9 @@ if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
 #
 IgnoreHosts 127.0.0.1
+
+# Optional - auch nach Absender-Domain ignorieren:
+IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
 EOF
    if [[ $? -eq 0 ]] ; then
       echo_ok
@@ -229,6 +235,33 @@ else
 fi
 
 
+# - Add 'TrustedAuthservIDs' with default value to the original opendmarc.conf file
+#
+_param="TrustedAuthservIDs"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+# Provides a list of authserv-ids that are to be used to identify Authentication-Results
+# header fields whose contents are to be assumed as valid input for the DMARC assessment.
+# To provide a list, separate values by commas. If the string "HOSTNAME" is provided,
+# the name of the host running the filter (as returned by the gethostname(3) function)
+# will be used. Matching against this list is case-insensitive. The default is to use the
+# value of AuthservID.
+#
+TrustedAuthservIDs OpenDMARC
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
 #
 _param="IgnoreAuthenticatedClients"
@@ -472,6 +505,18 @@ else
 fi
 
 
+echononl "   Backup existing file '${opendmarc_base_dir}/ignore.hosts'.."
+if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
+   mv "${opendmarc_base_dir}/ignore.hosts" "${opendmarc_base_dir}/ignore.hosts.${backup_date}"
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
 
 # - Create the file ${opendmarc_base_dir}/ignore.hosts
 # -
@@ -480,11 +525,49 @@ if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
    echo_skipped
 else
    cat <<EOF > ${opendmarc_base_dir}/ignore.hosts 2> $log_file
-# We are using AmaViS at 'localhost 127.0.0.1 . So we cannot bypass them
+# /etc/opendmarc/ignore.hosts
 #
-# 127.0.0.1
-# localhost
-$(hostname -f)
+# Diese Datei wird aktuell NICHT genutzt, da OpenDMARC
+# auf localhost:10025 arbeitet und dort immer nur
+# 127.0.0.1/::1 als Client-IP sieht.
+
+# Bitte KEINE Einträge hinzufügen.
+EOF
+   opendmarc_needs_restart=true
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+fi
+
+
+# - Create the file ${opendmarc_base_dir}/ignore.hosts
+# -
+
+echononl "   Backup existing file '${opendmarc_base_dir}/ignore.mailfrom'.."
+if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
+   mv "${opendmarc_base_dir}/ignore.mailfrom" "${opendmarc_base_dir}/ignore.mailfrom.${backup_date}"
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+echononl "   Create file '${opendmarc_base_dir}/ignore.mailfrom'.."
+if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
+   echo_skipped
+else
+   cat <<EOF > ${opendmarc_base_dir}/ignore.mailfrom 2> $log_file
+# /etc/opendmarc/ignore.mailfrom
+#
+# Wird derzeit nicht genutzt.
+# Keine Einträge hinzufügen.
 EOF
    opendmarc_needs_restart=true
    if [[ $? -eq 0 ]] ; then

install_postfix_advanced.sh

@@ -3011,21 +3011,45 @@ milter_protocol = 6
 #
 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
 smtpd_milters =
+# Was sind non_smtpd_milters?
+#
+# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT 
+# der smtpd-Daemon sind.
+#
+# Das betrifft z. B.:
+#
+#     cleanup        Header/Content-Bereinigung
+#     qmgr           Queue-Manager
+#     lmtp / smtp    Auslieferung nach extern
+#     local          lokale Zustellung
+#
+# Das sind z. B.:
+#
+#     -  interne Bounces (MAILER-DAEMON)
+#
+#     -  Cron-Mails vom Server
+#
+#     -  Weiterleitungen, die Postfix selbst generiert
+#
+#     -  Mails, die über sendmail CLI gesendet werden
+#
+#     -  Mails, die Amavis über LMTP zurückgibt
+#
+#     -  etc.
+#
+#
 EOF
 fi
+
 if [[ -n "$(which opendkim)" ]] ; then
-   if [[ -n "$(which opendmarc)" ]] ; then
    cat <<EOF >> /etc/postfix/main.cf
-non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
+# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
+#
+non_smtpd_milters = local:/opendkim/opendkim.sock
 EOF
 else
    cat <<EOF >> /etc/postfix/main.cf
-non_smtpd_milters = local:/opendkim/opendkim.sock
-EOF
-   fi
-elif [[ -n "$(which opendmarc)" ]] ; then
-   cat <<EOF >> /etc/postfix/main.cf
-non_smtpd_milters = local:/opendmarc/opendmarc.sock
+non_smtpd_milters =
 EOF
 fi