Enable ARC signing for outgoing messages

2023-09-30 21:14:12 +01:00 · 2023-09-30 21:14:12 +01:00 · 82551916bb
commit 82551916bb
parent 2218afb811
4 changed files with 33 additions and 3 deletions
--- a/abra.sh
+++ b/abra.sh
@ -1,5 +1,5 @@
-export CORE_ENTRYPOINT_CONF_VERSION=v1
-export MAILMAN_EXTRA_CFG_VERSION=v1
+export CORE_ENTRYPOINT_CONF_VERSION=v3
+export MAILMAN_EXTRA_CFG_VERSION=v2
 export NGINX_CONF_VERSION=v1
 export SETTINGS_LOCAL_VERSION=v2
 export WEB_ENTRYPOINT_CONF_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -30,9 +30,10 @@ services:
      - MTA=postfix
      - SMTP_HOST
      - SMTP_PORT
+      - DOMAIN=lists-test.autonomic.zone
    configs:
      - source: mailman_extra_cfg
-        target: /opt/mailman/core/mailman-extra.cfg
+        target: /opt/mailman/mailman-extra.cfg
      - source: core_entrypoint_sh
        target: /usr/local/bin/docker-entrypoint-custom.sh
        mode: 0555
--- a/entrypoint.core.sh.tmpl
+++ b/entrypoint.core.sh.tmpl
@ -39,6 +39,19 @@ export DATABASE_URL="postgres://${DATABASE_USER}:${DATABASE_PASSWORD}@${DATABASE
 sed "/192.168/d" /etc/hosts > /etc/hosts-single-hostname
 cat /etc/hosts-single-hostname > /etc/hosts

+# Diabolical hack to generate DKIM key for ARC, see:
+# https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html
+# https://gitlab.com/mailman/mailman/blob/master/src/mailman/config/schema.cfg#L655-734
+
+apk add openssl
+
+dkim_private_key_file="/opt/mailman/dkim-{{ env "DOMAIN" }}.pem"
+if [ ! -f "$dkim_private_key_file" ]; then
+  openssl genrsa -out "$dkim_private_key_file" 2048
+fi
+dkim_pub_key=$(openssl rsa -in "$dkim_private_key_file" -pubout -outform der 2>/dev/null | openssl base64 -A)
+echo "DKIM public key: $dkim_pub_key" 
+
 # --- upstream entrypoint below ---

 function wait_for_postgres () {
--- a/mailman-extra.cfg.tmpl
+++ b/mailman-extra.cfg.tmpl
@ -17,3 +17,19 @@ configuration: /etc/postfix-mailman.cfg
 # bounce from a list owner), will be sent to this address.  It should point to
 # a human.
 site_owner: {{ env "MAILMAN_ADMIN_EMAIL" }}
+
+[ARC]
+enabled: yes
+dmarc: yes
+dkim: yes
+authserv_id: {{ env "DOMAIN" }}
+
+privkey: /opt/mailman/dkim-{{ env "DOMAIN" }}.pem
+selector: dkim
+domain: {{ env "DOMAIN" }}
+
+# This configures the headers that will be cryptographically signed
+# This list is what is recommended by the DKIM & ARC specifications.
+# Inclusion of the From header is mandatory.
+sig_headers: From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description, Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID, In-Reply-To, References, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
+