mail: attempt to move to opendkim instead of rspamd for dkim signing/verify

conf/opendkim/opendkim.conf

@@ -0,0 +1,31 @@
+# General daemon config
+Socket            inet:8891@localhost
+PidFile           /run/opendkim/opendkim.pid
+UserID            opendkim
+UMask             007
+
+AutoRestart       yes
+AutoRestartCount  10
+AutoRestartRate   10/1h
+
+# Logging
+Syslog            yes
+SyslogSuccess     yes
+LogWhy            yes
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization  relaxed/simple
+Mode              sv
+OversignHeaders   From
+#On-BadSignature  reject
+
+# Key / signing table
+KeyTable          file:/etc/dkim/keytable
+SigningTable      refile:/etc/dkim/signingtable 
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile   /usr/share/dns/root.key
+#Nameservers      127.0.0.1

conf/postfix/main.cf

@@ -185,7 +185,8 @@ smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
 # Rmilter
 milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_protocol = 6
-smtpd_milters = inet:localhost:11332
+smtpd_milters = inet:localhost:8891 {% if rspamd_enabled == "true" %}inet:localhost:11332{% endif %}
+non_smtpd_milters = inet:localhost:8891
 
 # Skip email without checking if milter has died
 milter_default_action = accept

conf/rspamd/milter_headers.conf

@@ -1,9 +0,0 @@
-use = ["spam-header"];
-
-routines {
-  spam-header {
-    header = "X-Spam";
-    value = "Yes";
-    remove = 1;
-  }
-}

conf/yunohost/services.yml

@@ -28,6 +28,9 @@ nginx:
 #  log: /var/log/php7.4-fpm.log
 #  test_conf: php-fpm7.4 --test
 #  category: web
+opendkim:
+  category: email
+  test_conf: opendkim -n
 postfix:
   log: [/var/log/mail.log,/var/log/mail.err]
   actual_systemd_service: postfix@-

debian/control

@@ -25,7 +25,7 @@ Depends: ${python3:Depends}, ${misc:Depends}
  , dnsmasq, resolvconf, libnss-myhostname
  , postfix, postfix-ldap, postfix-policyd-spf-perl, postfix-pcre
  , dovecot-core, dovecot-ldap, dovecot-lmtpd, dovecot-managesieved, dovecot-antispam
- , opendkim-tools, postsrsd, procmail, mailutils
+ , opendkim-tools, opendkim, postsrsd, procmail, mailutils
  , redis-server
  , acl
  , git, curl, wget, cron, unzip, jq, bc, at, procps

hooks/conf_regen/19-postfix

@@ -24,6 +24,9 @@ do_pre_regen() {
     # Support different strategy for security configurations
     export compatibility="$(jq -r '.postfix_compatibility' <<< "$YNH_SETTINGS")"
 
+    dpkg --list | grep -q 'ii *rspamd ' && rspamd_enable=true || rspamd_enable=false
+    export rspamd_enable
+
     # Add possibility to specify a relay
     # Could be useful with some isp with no 25 port open or more complex setup
     export relay_port=""

hooks/conf_regen/30-opendkim

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+    pending_dir=$1
+
+    cd /usr/share/yunohost/conf/opendkim
+
+    install -D -m 644 opendkim.conf "${pending_dir}/etc/opendkim.conf"
+}
+
+do_post_regen() {
+    mkdir -p /etc/dkim
+
+    # Create / empty those files because we're force-regenerating them
+    echo "" > /etc/dkim/keytable
+    echo "" > /etc/dkim/signingtable
+
+    # create DKIM key for domains
+    domain_list="$(yunohost domain list --features mail_in mail_out --output-as json | jq -r ".domains[]" | tr '\n' ' ')"
+    for domain in $domain_list; do
+        domain_key="/etc/dkim/${domain}.mail.key"
+        [ ! -f "$domain_key" ] && {
+            # We use a 1024 bit size because nsupdate doesn't seem to be able to
+            # handle 2048...
+            opendkim-genkey --domain="$domain" \
+                --selector=mail --directory=/etc/dkim -b 1024
+            mv /etc/dkim/mail.private "$domain_key"
+            mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
+        }
+
+        echo "mail._domainkey.${domain} ${domain}:mail:${domain_key}" >> /etc/dkim/keytable
+        echo "*@$domain mail._domainkey.${domain}" >> /etc/dkim/signingtable
+    done
+
+    chown -R opendkim /etc/dkim/
+    chmod 700 /etc/dkim/
+}
+
+do_$1_regen ${@:2}

hooks/conf_regen/31-rspamd

@@ -15,42 +15,17 @@ do_pre_regen() {
 
     install -D -m 644 metrics.local.conf \
         "${pending_dir}/etc/rspamd/local.d/metrics.conf"
-    install -D -m 644 dkim_signing.conf \
-        "${pending_dir}/etc/rspamd/local.d/dkim_signing.conf"
     install -D -m 644 rspamd.sieve \
         "${pending_dir}/etc/dovecot/global_script/rspamd.sieve"
 	install -D -m 644 redis.conf \
 		"${pending_dir}/etc/rspamd/local.d/redis.conf"
+
+    # Old conf file to be deleted
+    touch "${pending_dir}/etc/rspamd/local.d/dkim_signing.conf"
 }
 
 do_post_regen() {
 
-    ##
-    ## DKIM key generation
-    ##
-
-    # create DKIM directory with proper permission
-    mkdir -p /etc/dkim
-    chown _rspamd /etc/dkim
-
-    # create DKIM key for domains
-    domain_list="$(yunohost domain list --features mail_in mail_out --output-as json | jq -r ".domains[]" | tr '\n' ' ')"
-    for domain in $domain_list; do
-        domain_key="/etc/dkim/${domain}.mail.key"
-        [ ! -f "$domain_key" ] && {
-            # We use a 1024 bit size because nsupdate doesn't seem to be able to
-            # handle 2048...
-            opendkim-genkey --domain="$domain" \
-                --selector=mail --directory=/etc/dkim -b 1024
-            mv /etc/dkim/mail.private "$domain_key"
-            mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
-        }
-    done
-
-    # fix DKIM keys permissions
-    chown _rspamd /etc/dkim/*.mail.key
-    chmod 400 /etc/dkim/*.mail.key
-
     [ ! -e /var/log/rspamd ] || chown -R _rspamd:_rspamd /var/log/rspamd
 
     regen_conf_files=$1