commit bf94217076257aebe45f3188adce2af42ee90ff0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Jan 4 20:33:30 2018 +0100
Add opendkim files
files/opendkim.conf | 133 ++++++++++++++++++++
files/opendkim/KeyTable | 7 +
files/opendkim/SigningTable | 26 ++++
files/opendkim/TrustedHosts | 12 ++
files/opendkim/keys/default.txt | 2 +
.../opendkim/keys/lists.rpmfusion.org/default.txt | 2 +
6 files changed, 182 insertions(+), 0 deletions(-)
---
diff --git a/files/opendkim.conf b/files/opendkim.conf
new file mode 100644
index 0000000..777334e
--- /dev/null
+++ b/files/opendkim.conf
@@ -0,0 +1,133 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## Specifies the path to the process ID file.
+PidFile /var/run/opendkim/opendkim.pid
+
+## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+## messages.
+Mode sv
+
+## Log activity to the system log.
+Syslog yes
+
+## Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess yes
+
+## If logging is enabled, include detailed logging about why or why not a message was
+## signed or verified. This causes an increase in the amount of log data generated
+## for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy yes
+
+## Attempt to become the specified user before starting operations.
+UserID opendkim:opendkim
+
+## Create a socket through which your MTA can communicate.
+Socket inet:8891@localhost
+
+## Required to use local socket with MTAs that access the socket as a non-
+## privileged user (e.g. Postfix)
+Umask 002
+
+## This specifies a text file in which to store DKIM transaction statistics.
+## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics /var/spool/opendkim/stats.dat
+
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+SendReports yes
+
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used (executing_user@hostname).
+# ReportAddress "Example.com Postmaster" <postmaster(a)example.com>
+
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+SoftwareHeader yes
+
+## SIGNING OPTIONS
+
+## Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization relaxed/relaxed
+
+## Domain(s) whose mail should be signed by this filter. Mail from other domains will
+## be verified rather than being signed. Uncomment and use your domain name.
+## This parameter is not required if a SigningTable is in use.
+#Domain
rpmfusion.org
+
+## Defines the name of the selector to be used when signing messages.
+Selector default
+
+## Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits 1024
+
+## Gives the location of a private key to be used for signing ALL messages. This
+## directive is ignored if KeyTable is enabled.
+#KeyFile /etc/opendkim/keys/default.private
+
+## Gives the location of a file mapping key names to signing keys. In simple terms,
+## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+## directive in the configuration file. Requires SigningTable be enabled.
+KeyTable /etc/opendkim/KeyTable
+
+## Defines a table used to select one or more signatures to apply to a message based
+## on the address found in the From: header field. In simple terms, this tells
+## OpenDKIM how to use your keys. Requires KeyTable be enabled.
+SigningTable refile:/etc/opendkim/SigningTable
+
+## Identifies a set of "external" hosts that may send mail through the server
as one
+## of the signing domains without credentials as such.
+# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+
+## Identifies a set "internal" hosts whose mail should be signed rather than
verified.
+InternalHosts refile:/etc/opendkim/TrustedHosts
+
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+# PeerList X.X.X.X
+
+## Always oversign From (sign using actual From and a null From to prevent
+## malicious signatures header fields (From and/or others) between the signer
+## and the verifier. From is oversigned by default in the Fedora package
+## because it is often the identity key used by reputation systems and thus
+## somewhat security sensitive.
+OversignHeaders From
+
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local.
+QueryCache yes
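Review bot: `SendReports yes` is enabled while `ReportAddress` stays commented out, so failure reports would be sent from the default `executing_user@hostname` address. As far as the option's own comment describes it, the destination is an address supplied by the domain whose verification failed, so a third party can influence where this server sends mail. Unless the reports are actually consumed, `SendReports no` is the safer setting. Otherwise set `ReportAddress` to a monitored mailbox and watch the report volume in the logs.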
diff --git a/files/opendkim/KeyTable b/files/opendkim/KeyTable
new file mode 100644
index 0000000..89fd30f
--- /dev/null
+++ b/files/opendkim/KeyTable
@@ -0,0 +1,7 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace
example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+default._domainkey.rpmfusion.org
rpmfusion.org:default:/etc/opendkim/keys/default.private
+default._domainkey.lists.rpmfusion.org
lists.rpmfusion.org:default:/etc/opendkim/keys/lists.rpmfusion.org/defaul...
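Review bot: Both KeyTable entries point at private keys under `/etc/opendkim/keys/`, but going by the diffstat the commit ships only the public `default.txt` records, and nothing says how the `.private` files reach the host or what ownership and mode they need. A comment such as `# Private keys are deployed out-of-band (never committed here); owner opendkim, mode 0600.` would document that. It is also worth confirming that the private keys are never added next to the `.txt` files. The header comment still tells the reader to uncomment a line and replace example.com, which no longer matches the active entries below it.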
diff --git a/files/opendkim/SigningTable b/files/opendkim/SigningTable
new file mode 100644
index 0000000..5e5803d
--- /dev/null
+++ b/files/opendkim/SigningTable
@@ -0,0 +1,26 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace
example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*(a)example.com
default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in
/etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so
"foo.example.com"
+# would first check "user(a)foo.example.com", then "user@.example.com",
then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+*(a)rpmfusion.org
default._domainkey.rpmfusion.org
+*(a)lists.rpmfusion.org
default._domainkey.lists.rpmfusion.org
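Review bot: The two active entries at the end of the file are wildcard patterns, yet they sit directly under the "NON-WILDCARD EXAMPLE" text, which explains that wildcards do not work with `file:`. They match only because opendkim.conf uses `SigningTable refile:/etc/opendkim/SigningTable`. A heading such as `# ACTIVE ENTRIES (wildcard patterns; require refile: in opendkim.conf)` above them would make that dependency visible. Without it, a later switch to `file:` would likely stop these entries from matching, and outgoing mail would go unsigned without an obvious error.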
diff --git a/files/opendkim/TrustedHosts b/files/opendkim/TrustedHosts
new file mode 100644
index 0000000..ff5ac00
--- /dev/null
+++ b/files/opendkim/TrustedHosts
@@ -0,0 +1,12 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
+192.168.181.0/24
+192.168.182.0/24
+212.129.31.200/32
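Review bot: Because opendkim.conf sets `InternalHosts refile:/etc/opendkim/TrustedHosts`, every address in `192.168.181.0/24`, `192.168.182.0/24` and `212.129.31.200/32` gets its mail signed for the rpmfusion.org domains purely on source IP, and the file does not say which machines these are. If only specific relays need to sign, list those hosts individually rather than whole /24 ranges, so that a single compromised machine in either range cannot obtain valid signatures. Each entry would also benefit from a comment naming its purpose, e.g. `# <role of this host/range>`, so stale entries can be spotted and removed later.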
diff --git a/files/opendkim/keys/default.txt b/files/opendkim/keys/default.txt
new file mode 100644
index 0000000..a68da4b
--- /dev/null
+++ b/files/opendkim/keys/default.txt
@@ -0,0 +1,2 @@
+default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8wVULGQX5DGJ5Wm1za1AzYl5zg7iaywao+5TL9caGh060L8HTvn7wNZ91D5ZWXqY4XRdOuJKggzVdKO5+7pSG/aBwO8/mSezn1tioNwxnRTiO25SdEtLqq1mG2ZMASehKcGMH7w4RITqAA3rPzeB/WKTKiSV1eW/Y2OKLOOjRmwIDAQAB"
) ; ----- DKIM key default for
rpmfusion.org
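Review bot: The `p=` value in this record, and the one in `keys/lists.rpmfusion.org/default.txt`, has the length and `MIGfMA0G…` prefix of a 1024-bit RSA public key. That is the bare minimum still accepted for DKIM, and RFC 8301 says signers should use at least 2048 bits. Consider generating 2048-bit keys under a new selector, for example `opendkim-genkey -b 2048 -d rpmfusion.org -s <new-selector>`, and retiring `default` once the new records have propagated. `MinimumKeyBits 1024` in opendkim.conf can stay for verifying inbound mail, since it does not constrain the size of the signing keys published here.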
diff --git
a/files/opendkim/keys/lists.rpmfusion.org/default.txt
b/files/opendkim/keys/lists.rpmfusion.org/default.txt
new file mode 100644
index 0000000..18a8551
--- /dev/null
+++
b/files/opendkim/keys/lists.rpmfusion.org/default.txt
@@ -0,0 +1,2 @@
+default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDROK1sJQe852unJ8SkU/t2HyetU1UU1pG4kBfghdC/Owdu75eGMeBmbfiAcVhtYuvfCMXHHb4J8CwfjhkAYJLFBtuaOVeH5vzcT3eA5hk4c+1kbvcq7lJ82RE4VZek3AUYQF3+vZX/TVeYstT6YpNUZmzQhNHCSwp7Tjr3+ucDewIDAQAB"
) ; ----- DKIM key default for
lists.rpmfusion.org