service/email: rewrite dkim procedure for puppet setup (#40989)
authored Dec 13, 2022 by Jérôme Charaoui
service/email.md
View page @ 8f9758ce
@@ -70,118 +70,84 @@ Interestingly, ran by [sparkpost](https://www.sparkpost.com/).
<!-- TODO: how to setup the service from scratch -->
### Manual DKIM configuration
This is a rushed OpenDKIM deployment procedure that was used in
[
tpo/tpa/team#40981
][]
and
[
tpo/tpa/team#40988
][]
. It will be added
to Puppet in
[
tpo/tpa/team#40989
][]
.
1.
install OpenDKIM:
apt install opendkim opendkim-tools
2.
ensure you have those lines in
`/etc/opendkim.conf`
:
LogWhy yes
Mode s # sign only, use sv to also check incoming
Domain torproject.org
Selector 2022-submit-01 # 2022-submit-01._domainkey.torproject.org
Keyfile /etc/opendkim/keys/2022-submit-01.private
Socket local:/var/spool/postfix/opendkim/opendkim.sock
Note that the `Selector` and `Domain` fields are prone to change
if the server is sending mail from more than one domain. For
example, on `crm-int-01`, we also put `crm-int-01.torproject.org`
and `crm.torproject.org` in there. The selector is also based on
the year of creation (`2022` in this case) and the short hostname
of the server the key belongs to (`submit-01`) so that we don't
have to copy that private key around.
3.
generate the keys and directories:
mkdir -p /etc/opendkim/keys &&
mkdir /var/spool/postfix/opendkim &&
chown opendkim /var/spool/postfix/opendkim &&
opendkim-genkey --directory=/etc/opendkim/keys/ --selector=2022-submit-01 --domain=torproject.org --verbose
4.
grant Postfix access to the OpenDKIM socket:
adduser postfix opendkim
5.
restart the server:
service opendkim restart
6.
add the keys from
`/etc/opendkim/keys/2022-submit-01.txt`
into
DNS, e.g.:
### DKIM configuration
Hosts which generate outbound mail should be configured to add
`DKIM-Signature`
headers. This is done by including the
`profile::postfix::dkim`
class on Puppet
nodes which handle mail and configuring Postfix's
`main.cf`
to use it as a
milter. When the node's
`mail_processing`
flag is set to true, this is done
automatically.
This class will install the
`opendkim`
and
`opendkim-tools`
packages, manage
the
`/etc/opendkim.conf`
configuration file, generate a private key under
`/etc/opendkim/keys`
and set up what is needed for opendkim and postfix to
communicate.
By default, the class configures OpenDKIM to only sign email where the sender
domain part is identical to the node's FQDN. However, this is not often the
case and the OpenDKIM
`Domain`
parameter must be specified.
To do this, add a
`profile::opendkim::domain`
key in Hiera, ideally in the
yaml file that provide data for the node's role, eg.
`hiera/roles/email::submission.yaml`
for the submission sever. The value must
be specified as an array containing one or more email sender domains. For
example, if a node sends mail as
`gettor@torproject.org`
, the
`profile::opendkim::domain`
must be an array that contains
`torproject.org`
.
Once this configuration is applied on the node, at least one new DNS entry must
be created for external hosts to be able to validate DKIM signatures. For
example, on the
`submit-01`
host, a
`/etc/opendkim/keys/2022-submit-01.txt`
file is automatically generated containing a DNS entry appropriate for
validating mails signed for the
`@torproject.org`
sender domain:
2022-submit-01._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iJa25pvx5qatYV4u44zolHLMiqkWZBvF6UJcX8hrSNES/aw/k4zXiliChs3eUtGHjf5aSNC6TrOndfQqRxMxNn+XhSEsUa6zFhZeeAOIi0A3TPRd5qL8aWfHH2NtHZAnZ5lodkA6HjJ/HpyrJvFuyuJ94yNL/bjvRWu+bMwixBIYr6znDoJYGTPC5YHZt48bJgvg3lAb3vIwD"
"bkBw+bMkZCbRjSQuOM52pg6uQLSBiBeQHqWkSd03vp4A906jWaMLDHMfVZDDrXLg+QG2nAOoJmZ0l5argoIRiEG/8GO72FI2dEKJaXgXYqpSXGCtzZJNIr8schHFZBirZBLljbEwIDAQAB" ) ; ----- DKIM key 2022-submit-01 for torproject.org
if you had
a subdomain prefix
(e.g. in [tpo/tpa/team#40981][] w
e
used `crm.tpo`), make sure the
`_domainkey` is under that prefix:
If
a subdomain prefix
is used (e.g.
`crm.torproject.org`
) make sure th
e
`_domainkey`
is under that prefix:
2022._domainkey.crm IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
2022
-crm-int-01
._domainkey.crm IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtSNGCjHmZnGrnBb9nCsPUc6MjZd5QueGKV+iXwcRNfU0LapFZMi5t7WE/kTPJsRWIF8AMHymNqLA5835m5LwaBBXZdu1utNARKSXDzGsEjxuDiAnSqD0Rb1px1JA+Eex0RC3thYZuyIIAxK31pXxJt2mowXtrhIkuKFB2YpE0yUudKuDZIZZ3YNH025czK/jFLD6TH+5xD9Cej"
"H0MB6tE4O41rCjZUjSZ7Ar7BjVID6foCmlbr/3EG7dbzQv6YqH19OX6YgL0UMfG2RhvhWEUNYghS6K88vTelnHx/ShUzIeu05jd6mi9OLCA/Hl2bFRsa0f1ttHKpnzuC+ecn0sWwIDAQAB" ) ; ----- DKIM key 2022 for crm.torproject.org
7.
then test the key with:
The key may now be tested with the command below. Make sure to use the correct
sender domain for the
`-d`
command line argument:
opendkim-testkey -d torproject.org -s 2022-
submit-01
-vv
opendkim-testkey -d torproject.org -s 2022-
$(hostname)
-vv
... which
should show, once DNS propagated:
This
should show, once DNS propagated:
root@submit-01:/etc/opendkim/keys# opendkim-testkey -d torproject.org -s 2022-
submit-01
-vv
root@submit-01:/etc/opendkim/keys# opendkim-testkey -d torproject.org -s 2022-
$(hostname)
-vv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/2022-submit-01.private
opendkim-testkey: checking key '2022-submit-01._domainkey.torproject.org'
opendkim-testkey: key secure
If you see `record not found`, it's because the DNS record wasn't
found. See if DNS has propagated properly, maybe flush negative
responses with `unbound-control flush-negative`.
The `keys not secure` message means you are not using DNSSEC,
which should *not* happen in our configuration. Investigate if you
do see the warning.
8.
stop puppet to keep it from messing with the Puppet config
puppet agent --disable 'rush opendkim deployment by hand, tpo/tpa/team#40988'
8.
hook into postfix:
If you see
`record not found`
, it's because the DNS record wasn't found. See if
DNS has propagated properly, maybe flush negative responses with
`unbound-control flush-negative`
.
postconf -e milter_default_action=accept &&
postconf -e smtpd_milters=local:opendkim/opendkim.sock &&
postconf -e non_smtpd_milters=local:opendkim/opendkim.sock
The
`keys not secure`
message means you are not using DNSSEC, which should
*not*
happen in our configuration. Investigate if you do see the warning.
9.
reload postfix (warning: this will retry the queue)
service postfix reload
10.
[
test outgoing mail
](
#testing-outgoing-mail
)
:
At this point it's a good idea to
[
test outgoing mail
](
#testing-outgoing-mail
)
:
echo "this is a test email" | mail -r postmaster@torproject.org -s 'test email from anarcat' -- check-auth@verifier.port25.com
[
tpo/tpa/team#40981
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40981
[
tpo/tpa/team#40988
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40988
[
tpo/tpa/team#40989
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40989
If you get double OpenDKIM signatures, consider adding
`receive_override_options=no_milters`
to the server in
`master.cf`
, if
already does some content filtering.
It's possible that some mail doesn't get signed when injected from
Mailman, consider changing the
`InternalHosts`
to:
InternalHosts eugeni.torproject.org,lists.torproject.org,127.0.0.1,::1,localhost # cargo-culted, to remove?
#### DKIM signing on the mail relay
If the signatures come from another server and cause problems (for
example with Mailman), you can strip those with:
On some hosts it's not practical to configure OpenDKIM because it generates
some mail but otherwise doesn't process mail, so its
`mail_processing`
flag is
not enabled. Usually such hosts route their outbound email though
`eugeni`
, so
we can use it to sign email on behalf of other hosts.
# strip incoming sigs, typically from submit-01 or other servers on mailman
RemoveOldSignatures yes
To do this, add the host's FQDN to the
`profile::opendkim::internal_hosts`
Hiera key in
`hiera/roles/mta.yaml`
. If the host sends mail using the
`@torproject.org`
sender domain, nothing more is needed. Otherwise, when the
host uses a subdomain in its mail sender domain, eg.
`foo.torproject.org`
then
we need to add a new DNS entry by copying the
`eugeni`
DKIM key DNS entry
`2022-eugeni._domainkey`
to a new DNS entry
`2022-eugeni._domainkey.foo`
.
### SPF records
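Review bot: the subdomain DNS example in the added text relabels the record as `2022-crm-int-01._domainkey.crm` but keeps the trailing comment `; ----- DKIM key 2022 for crm.torproject.org`, which still names the old `2022` selector; the comment should name the `2022-crm-int-01` selector so readers can tell which `/etc/opendkim/keys/*.txt` file the record was copied from. The new prose also carries a few typos worth fixing before merge: "yaml file that provide data" should read "provides", "submission sever" should read "server", "route their outbound email though" should read "through", and "eg." should read "e.g.". The sentence "consider adding `receive_override_options=no_milters` to the server in `master.cf`, if already does some content filtering" is missing its subject ("if it already does"). The section introduces the Puppet class as `profile::postfix::dkim` but the Hiera keys as `profile::opendkim::domain` and `profile::opendkim::internal_hosts`; please confirm those key names match the class that actually reads them, since a mistyped key would leave the FQDN-only signing default described above in effect without any error. On the relay section: every FQDN added to `profile::opendkim::internal_hosts` has its outbound mail signed by `eugeni` on its behalf, so the text should say that the list is to be kept to the hosts that need it, and it is not clear from the new prose whether the `RemoveOldSignatures yes` setting shown in this region is still part of the managed configuration; stating that explicitly would make the "double OpenDKIM signatures" troubleshooting paragraph easier to act on.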