service/email: rewrite dkim procedure for puppet setup (#40989)
authored Dec 13, 2022 by Jérôme Charaoui
service/email.md
View page @ 8f9758ce
@@ -70,118 +70,84 @@ Interestingly, ran by [sparkpost](https://www.sparkpost.com/).
<!-- TODO: how to setup the service from scratch -->
<!-- TODO: how to setup the service from scratch -->
### Manual DKIM configuration
### DKIM configuration
This is a rushed OpenDKIM deployment procedure that was used in
Hosts which generate outbound mail should be configured to add
`DKIM-Signature`
[
tpo/tpa/team#40981
][]
and
[
tpo/tpa/team#40988
][]
. It will be added
headers. This is done by including the
`profile::postfix::dkim`
class on Puppet
to Puppet in
[
tpo/tpa/team#40989
][]
.
nodes which handle mail and configuring Postfix's
`main.cf`
to use it as a
milter. When the node's
`mail_processing`
flag is set to true, this is done
1.
install OpenDKIM:
automatically.
apt install opendkim opendkim-tools
This class will install the
`opendkim`
and
`opendkim-tools`
packages, manage
the
`/etc/opendkim.conf`
configuration file, generate a private key under
2.
ensure you have those lines in
`/etc/opendkim.conf`
:
`/etc/opendkim/keys`
and set up what is needed for opendkim and postfix to
communicate.
LogWhy yes
Mode s # sign only, use sv to also check incoming
By default, the class configures OpenDKIM to only sign email where the sender
Domain torproject.org
domain part is identical to the node's FQDN. However, this is not often the
Selector 2022-submit-01 # 2022-submit-01._domainkey.torproject.org
case and the OpenDKIM
`Domain`
parameter must be specified.
Keyfile /etc/opendkim/keys/2022-submit-01.private
Socket local:/var/spool/postfix/opendkim/opendkim.sock
To do this, add a
`profile::opendkim::domain`
key in Hiera, ideally in the
yaml file that provide data for the node's role, eg.
Note that the `Selector` and `Domain` fields are prone to change
`hiera/roles/email::submission.yaml`
for the submission sever. The value must
if the server is sending mail from more than one domain. For
be specified as an array containing one or more email sender domains. For
example, on `crm-int-01`, we also put `crm-int-01.torproject.org`
example, if a node sends mail as
`gettor@torproject.org`
, the
and `crm.torproject.org` in there. The selector is also based on
`profile::opendkim::domain`
must be an array that contains
`torproject.org`
.
the year of creation (`2022` in this case) and the short hostname
of the server the key belongs to (`submit-01`) so that we don't
Once this configuration is applied on the node, at least one new DNS entry must
have to copy that private key around.
be created for external hosts to be able to validate DKIM signatures. For
example, on the
`submit-01`
host, a
`/etc/opendkim/keys/2022-submit-01.txt`
3.
generate the keys and directories:
file is automatically generated containing a DNS entry appropriate for
validating mails signed for the
`@torproject.org`
sender domain:
mkdir -p /etc/opendkim/keys &&
mkdir /var/spool/postfix/opendkim &&
chown opendkim /var/spool/postfix/opendkim &&
opendkim-genkey --directory=/etc/opendkim/keys/ --selector=2022-submit-01 --domain=torproject.org --verbose
4.
grant Postfix access to the OpenDKIM socket:
adduser postfix opendkim
5.
restart the server:
service opendkim restart
6.
add the keys from
`/etc/opendkim/keys/2022-submit-01.txt`
into
DNS, e.g.:
2022-submit-01._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
2022-submit-01._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iJa25pvx5qatYV4u44zolHLMiqkWZBvF6UJcX8hrSNES/aw/k4zXiliChs3eUtGHjf5aSNC6TrOndfQqRxMxNn+XhSEsUa6zFhZeeAOIi0A3TPRd5qL8aWfHH2NtHZAnZ5lodkA6HjJ/HpyrJvFuyuJ94yNL/bjvRWu+bMwixBIYr6znDoJYGTPC5YHZt48bJgvg3lAb3vIwD"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iJa25pvx5qatYV4u44zolHLMiqkWZBvF6UJcX8hrSNES/aw/k4zXiliChs3eUtGHjf5aSNC6TrOndfQqRxMxNn+XhSEsUa6zFhZeeAOIi0A3TPRd5qL8aWfHH2NtHZAnZ5lodkA6HjJ/HpyrJvFuyuJ94yNL/bjvRWu+bMwixBIYr6znDoJYGTPC5YHZt48bJgvg3lAb3vIwD"
"bkBw+bMkZCbRjSQuOM52pg6uQLSBiBeQHqWkSd03vp4A906jWaMLDHMfVZDDrXLg+QG2nAOoJmZ0l5argoIRiEG/8GO72FI2dEKJaXgXYqpSXGCtzZJNIr8schHFZBirZBLljbEwIDAQAB" ) ; ----- DKIM key 2022-submit-01 for torproject.org
"bkBw+bMkZCbRjSQuOM52pg6uQLSBiBeQHqWkSd03vp4A906jWaMLDHMfVZDDrXLg+QG2nAOoJmZ0l5argoIRiEG/8GO72FI2dEKJaXgXYqpSXGCtzZJNIr8schHFZBirZBLljbEwIDAQAB" ) ; ----- DKIM key 2022-submit-01 for torproject.org
if you had
a subdomain prefix
(e.g. in [tpo/tpa/team#40981][] w
e
If
a subdomain prefix
is used (e.g.
`crm.torproject.org`
) make sure th
e
used `crm.tpo`), make sure the
`_domainkey` is under that prefix:
`_domainkey`
is under that prefix:
2022._domainkey.crm IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
2022
-crm-int-01
._domainkey.crm IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtSNGCjHmZnGrnBb9nCsPUc6MjZd5QueGKV+iXwcRNfU0LapFZMi5t7WE/kTPJsRWIF8AMHymNqLA5835m5LwaBBXZdu1utNARKSXDzGsEjxuDiAnSqD0Rb1px1JA+Eex0RC3thYZuyIIAxK31pXxJt2mowXtrhIkuKFB2YpE0yUudKuDZIZZ3YNH025czK/jFLD6TH+5xD9Cej"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtSNGCjHmZnGrnBb9nCsPUc6MjZd5QueGKV+iXwcRNfU0LapFZMi5t7WE/kTPJsRWIF8AMHymNqLA5835m5LwaBBXZdu1utNARKSXDzGsEjxuDiAnSqD0Rb1px1JA+Eex0RC3thYZuyIIAxK31pXxJt2mowXtrhIkuKFB2YpE0yUudKuDZIZZ3YNH025czK/jFLD6TH+5xD9Cej"
"H0MB6tE4O41rCjZUjSZ7Ar7BjVID6foCmlbr/3EG7dbzQv6YqH19OX6YgL0UMfG2RhvhWEUNYghS6K88vTelnHx/ShUzIeu05jd6mi9OLCA/Hl2bFRsa0f1ttHKpnzuC+ecn0sWwIDAQAB" ) ; ----- DKIM key 2022 for crm.torproject.org
"H0MB6tE4O41rCjZUjSZ7Ar7BjVID6foCmlbr/3EG7dbzQv6YqH19OX6YgL0UMfG2RhvhWEUNYghS6K88vTelnHx/ShUzIeu05jd6mi9OLCA/Hl2bFRsa0f1ttHKpnzuC+ecn0sWwIDAQAB" ) ; ----- DKIM key 2022 for crm.torproject.org
7.
then test the key with:
The key may now be tested with the command below. Make sure to use the correct
sender domain for the
`-d`
command line argument:
opendkim-testkey -d torproject.org -s 2022-
submit-01
-vv
opendkim-testkey -d torproject.org -s 2022-
$(hostname)
-vv
... which
should show, once DNS propagated:
This
should show, once DNS propagated:
root@submit-01:/etc/opendkim/keys# opendkim-testkey -d torproject.org -s 2022-
submit-01
-vv
root@submit-01:/etc/opendkim/keys# opendkim-testkey -d torproject.org -s 2022-
$(hostname)
-vv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/2022-submit-01.private
opendkim-testkey: key loaded from /etc/opendkim/keys/2022-submit-01.private
opendkim-testkey: checking key '2022-submit-01._domainkey.torproject.org'
opendkim-testkey: checking key '2022-submit-01._domainkey.torproject.org'
opendkim-testkey: key secure
opendkim-testkey: key secure
If you see `record not found`, it's because the DNS record wasn't
If you see
`record not found`
, it's because the DNS record wasn't found. See if
found. See if DNS has propagated properly, maybe flush negative
DNS has propagated properly, maybe flush negative responses with
responses with `unbound-control flush-negative`.
`unbound-control flush-negative`
.
The `keys not secure` message means you are not using DNSSEC,
which should *not* happen in our configuration. Investigate if you
do see the warning.
8.
stop puppet to keep it from messing with the Puppet config
puppet agent --disable 'rush opendkim deployment by hand, tpo/tpa/team#40988'
8.
hook into postfix:
postconf -e milter_default_action=accept &&
The
`keys not secure`
message means you are not using DNSSEC, which should
postconf -e smtpd_milters=local:opendkim/opendkim.sock &&
*not*
happen in our configuration. Investigate if you do see the warning.
postconf -e non_smtpd_milters=local:opendkim/opendkim.sock
9.
reload postfix (warning: this will retry the queue)
At this point it's a good idea to
[
test outgoing mail
](
#testing-outgoing-mail
)
:
service postfix reload
10.
[
test outgoing mail
](
#testing-outgoing-mail
)
:
echo "this is a test email" | mail -r postmaster@torproject.org -s 'test email from anarcat' -- check-auth@verifier.port25.com
echo "this is a test email" | mail -r postmaster@torproject.org -s 'test email from anarcat' -- check-auth@verifier.port25.com
[
tpo/tpa/team#40981
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40981
#### DKIM signing on the mail relay
[
tpo/tpa/team#40988
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40988
[
tpo/tpa/team#40989
]:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40989
If you get double OpenDKIM signatures, consider adding
`receive_override_options=no_milters`
to the server in
`master.cf`
, if
already does some content filtering.
It's possible that some mail doesn't get signed when injected from
Mailman, consider changing the
`InternalHosts`
to:
InternalHosts eugeni.torproject.org,lists.torproject.org,127.0.0.1,::1,localhost # cargo-culted, to remove?
If the signatures come from another server and cause problems (for
On some hosts it's not practical to configure OpenDKIM because it generates
example with Mailman), you can strip those with:
some mail but otherwise doesn't process mail, so its
`mail_processing`
flag is
not enabled. Usually such hosts route their outbound email though
`eugeni`
, so
we can use it to sign email on behalf of other hosts.
# strip incoming sigs, typically from submit-01 or other servers on mailman
To do this, add the host's FQDN to the
`profile::opendkim::internal_hosts`
RemoveOldSignatures yes
Hiera key in
`hiera/roles/mta.yaml`
. If the host sends mail using the
`@torproject.org`
sender domain, nothing more is needed. Otherwise, when the
host uses a subdomain in its mail sender domain, eg.
`foo.torproject.org`
then
we need to add a new DNS entry by copying the
`eugeni`
DKIM key DNS entry
`2022-eugeni._domainkey`
to a new DNS entry
`2022-eugeni._domainkey.foo`
.
### SPF records
### SPF records
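Review bot: the rewrite drops the explanation of how the selector is named (the removed text said it is the year of creation plus the server's short hostname, e.g. `2022-submit-01`, so the private key never has to be copied between hosts), yet the new test command `opendkim-testkey -d torproject.org -s 2022-$(hostname) -vv` and the later `2022-eugeni._domainkey` entry both depend on that convention; restate it next to the `profile::opendkim::domain` paragraph and note that `$(hostname)` must return the short name for the selector to match the key file. In the subdomain example the record name was changed to `2022-crm-int-01._domainkey.crm`, but the trailing opendkim-genkey comment still reads `; ----- DKIM key 2022 for crm.torproject.org`, so the selector and the comment disagree; regenerate the `.txt` or fix the comment. The troubleshooting for double signatures (`receive_override_options=no_milters`, `RemoveOldSignatures yes`, the `InternalHosts` line) was removed without saying whether the Puppet class now covers it; if it does, a one-line pointer would help, otherwise it belongs under the new "DKIM signing on the mail relay" subsection. Minor wording: "yaml file that provide data" should be "provides", "submission sever" should be "server", and "route their outbound email though" should be "through".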