feat(dkim): Replace OpenDKIM with DKIM Milter

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>

Author: j-g00da

cmdeploy/src/cmdeploy/deployers.py

@@ -25,10 +25,10 @@
     configure_remote_units,
     get_resource,
 )
+from .dkim_milter.deployer import DkimMilterDeployer
 from .dovecot.deployer import DovecotDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
-from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .www import build_webpages, find_merge_conflict, get_paths
 
@@ -565,7 +565,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         WebsiteDeployer(config),
         ChatmailVenvDeployer(config),
         MtastsDeployer(),
-        OpendkimDeployer(mail_domain),
+        DkimMilterDeployer(mail_domain),
         # Dovecot should be started before Postfix
         # because it creates authentication socket
         # required by Postfix.

cmdeploy/src/cmdeploy/dkim_milter/deployer.py

@@ -0,0 +1,134 @@
+"""
+Installs DKIM Milter.
+"""
+
+from pyinfra import host
+from pyinfra.facts.files import File
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class DkimMilterDeployer(Deployer):
+    required_users = [("dkim-milter", None, ["dkim-milter"])]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+
+    def install(self):
+        """Builds and installs dkim-milter"""
+
+        # openssl is required to generate the signing key
+        apt.packages(
+            name="Install openssl required by DKIM Milter",
+            packages=["openssl"],
+        )
+
+        # TODO: publish the binaries and install script
+        server.shell(
+            name="Install DKIM Milter",
+            commands=[
+                """INSTALL_PATH='/usr/sbin' bash -c 'curl --proto "=https" --tlsv1.2 -LsSf https://github.com/chatmail/dkim-milter/releases/download/1.0.0/dkim-milter-installer.sh | sh'"""
+            ],
+        )
+
+    def configure(self):
+        """Configures dkim-milter"""
+
+        domain = self.mail_domain
+        # note - we are using "opendkim" for backward compatibility
+        # for relays that were set up before we migrated from OpenDKIM
+        # to DKIM Milter.
+        selector = "opendkim"
+        signing_key_name = selector
+        # for backward compatibility with opendkim-genkey
+        signing_key_filename = f"{signing_key_name}.private"
+        config = {
+            "domain": domain,
+            "selector": selector,
+            "signing_key_name": signing_key_name,
+            "signing_key_filename": signing_key_filename,
+        }
+
+        self.need_restart = False
+
+        self.need_restart |= files.directory(
+            name="Create a directory for DKIM Milter config",
+            path="/etc/dkim-milter",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="750",
+            present=True,
+        ).changed
+
+        self.need_restart |= files.directory(
+            name="Create dkimkeys directory",
+            path="/etc/dkimkeys",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        ).changed
+
+        self.need_restart |= files.template(
+            src=get_resource("dkim_milter/dkim-milter.conf"),
+            dest="/etc/dkim-milter/dkim-milter.conf",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="644",
+            config=config,
+        ).changed
+
+        self.need_restart |= files.template(
+            src=get_resource("dkim_milter/signing-keys"),
+            dest="/etc/dkim-milter/signing-keys",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="644",
+            config=config,
+        ).changed
+
+        self.need_restart |= files.template(
+            src=get_resource("dkim_milter/signing-senders"),
+            dest="/etc/dkim-milter/signing-senders",
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="644",
+            config=config,
+        ).changed
+
+        if not host.get_fact(File, f"/etc/dkimkeys/{signing_key_filename}"):
+            server.shell(
+                name=f"Generate DKIM Milter signing key '{signing_key_name}'",
+                commands=[
+                    f"openssl genpkey -algorithm RSA -out /etc/dkimkeys/{signing_key_filename}"
+                ],
+            )
+            self.need_restart = True
+
+        # enforce restrictive permissions for the signing key
+        self.need_restart |= files.file(
+            path=f"/etc/dkimkeys/{signing_key_filename}",
+            present=True,
+            user="dkim-milter",
+            group="dkim-milter",
+            mode="0400",
+        ).changed
+
+        self.need_restart |= files.put(
+            name="Create dkim-milter service",
+            src=get_resource("dkim-milter/dkim-milter.service"),
+            dest="/etc/systemd/system/dkim-milter.service",
+        ).changed
+
+    def activate(self):
+        """Start and enable DKIM Milter"""
+        systemd.service(
+            name="Start and enable DKIM Milter",
+            service="dkim-milter.service",
+            running=True,
+            enabled=True,
+            daemon_reload=self.need_restart,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.conf

@@ -0,0 +1,3 @@
+signing_keys = /etc/dkim-milter/signing-keys
+signing_senders = /etc/dkim-milter/signing-senders
+socket = unix:dkim-milter/dkim-milter.sock

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=DKIM Milter
+Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
+After=network-online.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=dkim-milter
+ExecStart=/usr/sbin/dkim-milter
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

cmdeploy/src/cmdeploy/dkim_milter/signing-keys

@@ -0,0 +1,2 @@
+# Key name                       Signing key
+{{ config.signing_key_name }}    </etc/dkimkeys/{{ config.signing_key_filename }}

cmdeploy/src/cmdeploy/dkim_milter/signing-senders

@@ -0,0 +1,2 @@
+# Sender expression    Domain                 Selector                 Key name
+.{{ config.domain }}   {{ config.domain }}    {{ config.selector }}    {{ config.signing_key_name }}