Attempt at ARC/DKIM signing for mailman

..including attempting to group options by likelihood of being edited,
removing some settings that weren't really configurable, and adding some
explanatory text

.env.sample

@@ -1,66 +1,72 @@
-TYPE=mailu
+# See https://mailu.io/2.0/configuration.html for explanation of (most of) these
+# settings. "Quoted text" in this file comes from that page.
 
-# Main mail domain, NOT main web domain (if they are different)
-DOMAIN=example.com
+###############################################################################
+# BOILERPLATE SETTINGS (shouldn't need to change these)                       #
+###############################################################################
+TYPE=mailu
 LETS_ENCRYPT_ENV=production
-# Run `docker stack ls | grep traefik | cut -f 1 -d " "` on the target machine to get that one
+COMPOSE_FILE="compose.yml"
+
+###############################################################################
+# REQUIRED SETTINGS (always need to change these)                             #
+###############################################################################
+
+# Main web domain, NOT main mail domain (if they are different)
+DOMAIN=mailu.example.com
+
+# "This email domain is used for bounce emails, for generating the postmaster
+# email and other technical addresses."
+MAIL_DOMAIN=mailu.example.com
+
+# Hostnames for this server, separated with commas
+# "The first declared hostname is the main hostname and will be exposed over
+# SMTP, IMAP, etc."
+HOSTNAMES=$DOMAIN
+
+# Run `DOCKER_CONTEXT=<yourserver> docker stack ls | grep traefik | cut -f 1 -d " "` to get that one
 TRAEFIK_STACK_NAME=traefik_example_com
 
-# Custom settings used by certdumper_post.sh and Traefik
-WEB_DOMAIN=example.com
-ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json
+###############################################################################
+# OPTIONAL SETTINGS                                                           #
+###############################################################################
 
-# Mailu settings
-# https://mailu.io
+# Name of the instance, displayed in the web UI
+SITENAME=mymail
 
-TLS_CERT_FILENAME=$WEB_DOMAIN/certificate.crt
-TLS_KEYPAIR_FILENAME=$WEB_DOMAIN/privatekey.key
-
-REDIS_ADDRESS=db
-
-# Set to a randomly generated 16 bytes string
-SECRET_KEY=XXXXXXXXXXXXXXXX
-
-# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
-SUBNET=192.168.203.0/24
-
-# Hostnames for this server, separated with comas
-HOSTNAMES=$WEB_DOMAIN
+# Linked Website URL
+WEBSITE=https://$DOMAIN
 
 # Postmaster local part (will append the main mail domain)
-POSTMASTER=admin
-
-# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
-TLS_FLAVOR=mail
+POSTMASTER=c
 
 # Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
 AUTH_RATELIMIT_IP=60/hour
 
-# Opt-out of statistics, replace with "True" to opt out
+# Opt-in to statistics, change to "False" to opt in
 DISABLE_STATISTICS=True
 
-###################################
-# Optional features
-###################################
+# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
+LOG_LEVEL=WARNING
+
+# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Etc/UTC
 
 # Expose the admin interface (value: true, false)
 ADMIN=true
 
-# Choose which webmail to run if any (values: roundcube, rainloop, none)
+# Choose which webmail to run if any (values: snappymail, roundcube, none)
 WEBMAIL=snappymail
 
-# Dav server implementation (value: radicale, none)
-WEBDAV=none
+# API settings
+# -------------
 
-# Antivirus solution (value: clamav, none)
-ANTIVIRUS=none
+# Authentication token for API requests
+API=false
+#API_TOKEN=
 
-# Scan Macros solution (value: true, false)
-SCAN_MACROS=true
-
-###################################
 # Mail settings
-###################################
+# -------------
 
 # Message size limit in bytes
 # Default: accept messages up to 50MB
@@ -83,7 +89,7 @@ FETCHMAIL_ENABLED=False
 # Fetchmail delay
 FETCHMAIL_DELAY=600
 
-# Recipient delimiter, character used to delimiter localpart from custom address part
+# Recipient delimiter, character used to delimit localpart from custom address part
 RECIPIENT_DELIMITER=+
 
 # DMARC rua and ruf email
@@ -103,11 +109,58 @@ COMPRESSION=
 COMPRESSION_LEVEL=
 
 # IMAP full-text search is enabled by default. Set the following variable to off in order to disable the feature.
-# FULL_TEXT_SEARCH=off
+#FULL_TEXT_SEARCH=off
+
+# Co-op Cloud settings
+# -------------
+
+# Mailman settings
+# NOTE(3wc): remember to also set RELAYNETS
+#COMPOSE_FILE="compose.yml:compose.mailman.yml"
+#MAILMAN_POSTFIX_OVERRIDES=1
+#MAILMAN_CORE_VOLUME=lists_example_com_mailman-core
+#MAILMAN_CORE_NETWORK=lists_example_com_internal
+
+# NOTE(3wc): think this is no longer needed, see https://github.com/Mailu/Mailu/pull/1904
+# SASL account -> MAIL FROM mappings for more liberal MAIL FROM relaying
+# return-path: https://www.rubydoc.info/gems/actionmailer-rack-upgrade-2/2.3.15/ActionMailer/Base
+# logins and MAIL FROM ownership: http://www.postfix.com/postconf.5.html#smtpd_relay_restrictions
+# there is an open ticket with a further discussion also https://github.com/Mailu/Mailu/issues/1096
+#COMPOSE_FILE="compose.yml:compose.senderlogins.yml"
+#SENDER_LOGINS_POSTFIX_OVERRIDES=1
+
+SECRET_SECRET_KEY_VERSION=v1
+
+###############################################################################
+# INFINITE NERD DEPTH SETTINGS (rarely needed)                                #
+###############################################################################
+
+# Traefik certificates filename, used by certdumper
+ACME_JSON=${LETS_ENCRYPT_ENV}-acme.json
+
+TLS_CERT_FILENAME=$DOMAIN/certificate.crt
+TLS_KEYPAIR_FILENAME=$DOMAIN/privatekey.key
+
+# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
+# NOTE(3wc): changing this to "letsencrypt" might (but probably won't) allow
+# this recipe to be deployed standalone without Traefik. "notls" might (but
+# might not) disable encryption for everything except the web interfaces.
+TLS_FLAVOR=mail
+
+# Optional features
+# -------------
+
+# Dav server implementation (value: radicale, none)
+WEBDAV=none
+
+# Antivirus solution (value: clamav, none)
+ANTIVIRUS=none
+
+# Scan Macros solution (value: true, false)
+SCAN_MACROS=true
 
-###################################
 # Web settings
-###################################
+# -------------
 
 # Path to redirect / to
 WEBROOT_REDIRECT=/webmail
@@ -118,24 +171,14 @@ WEB_ADMIN=/admin
 # Path to the webmail if enabled
 WEB_WEBMAIL=/webmail
 
-# Website name
-SITENAME=mymail
-
-# Linked Website URL
-WEBSITE=https://$DOMAIN
-
-###################################
 # Advanced settings
-###################################
+# -------------
 
 # Log driver for front service. Possible values:
 # json-file (default)
 # journald (On systemd platforms, useful for Fail2Ban integration)
 # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
-# LOG_DRIVER=json-file
-
-# Docker-compose project name, this will prepended to containers names.
-COMPOSE_PROJECT_NAME=mailu
+#LOG_DRIVER=json-file
 
 # Number of rounds used by the password hashing scheme
 CREDENTIAL_ROUNDS=12
@@ -149,33 +192,6 @@ REAL_IP_FROM=
 # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
 REJECT_UNLISTED_RECIPIENT=
 
-# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
-LOG_LEVEL=WARNING
-
-# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-TZ=Etc/UTC
-
-# Authentication token for API requests
-#API_TOKEN=
-
-###################################
-# Database settings
-###################################
+# NOTE(3wc): Other values are not supported, as compose.yml does not contain
+# configuration for them. Pull requests welcome!
 DB_FLAVOR=sqlite
-
-###################################
-# Mailman settings
-###################################
-# COMPOSE_FILE="compose.yml:compose.mailman.yml"
-# MAILMAN_POSTFIX_OVERRIDES=1
-# MAILMAN_CORE_VOLUME=lists_example_com_mailman-core
-# MAILMAN_CORE_NETWORK=lists_example_com_internal
-
-###################################
-# SASL account -> MAIL FROM mappings for more liberal MAIL FROM relaying
-# return-path: https://www.rubydoc.info/gems/actionmailer-rack-upgrade-2/2.3.15/ActionMailer/Base
-# logins and MAIL FROM ownership: http://www.postfix.com/postconf.5.html#smtpd_relay_restrictions
-# there is an open ticket with a further discussion also https://github.com/Mailu/Mailu/issues/1096
-###################################
-# COMPOSE_FILE="compose.yml:compose.senderlogins.yml"
-# SENDER_LOGINS_POSTFIX_OVERRIDES=1

abra.sh

@@ -1,3 +1,5 @@
 export CERTDUMPER_POST_VERSION=v1
 export POSTFIX_OVERRIDE_VERSION=v15
 export SENDER_LOGIN_VERSIONS=v2
+export ARC_OVERRIDE_VERSION=v8
+export DKIM_IP_MAP_OVERRIDE_VERSION=v2

compose.mailman.yml

@@ -16,6 +16,14 @@ services:
     configs:
       - source: postfix_override
         target: /overrides/postfix.cf
+  antispam:
+    configs:
+      - source: arc_conf_override
+        target: /overrides/arc.conf
+      - source: dkim_ip_map_override
+        target: /overrides/dkim_ip.map
+    volumes:
+      - "rspam_overrides:/etc/rspamd/override.d"
 
 networks:
   shared_mailman_network:
@@ -27,9 +35,17 @@ volumes:
   shared-mailman-core:
     external: true
     name: ${MAILMAN_CORE_VOLUME}
+  rspam_overrides:
 
 configs:
   postfix_override:
     name: ${STACK_NAME}_postfix_overrides_${POSTFIX_OVERRIDE_VERSION}
-    file: postfix.cf.tmpl
+    file: mailman-postfix.cf.tmpl
+    template_driver: golang
+  arc_conf_override:
+    name: ${STACK_NAME}_arc_conf_override_${ARC_OVERRIDE_VERSION}
+    file: mailman-arc.conf
+  dkim_ip_map_override:
+    name: ${STACK_NAME}_dkim_ip_map_${DKIM_IP_MAP_OVERRIDE_VERSION}
+    file: mailman-dkim_ip.map.tmpl
     template_driver: golang

compose.yml

@@ -5,6 +5,7 @@ x-environment:
   - FRONT_ADDRESS=${STACK_NAME}_app
   - ADMIN
   - ANTIVIRUS
+  - API
   - API_TOKEN
   - AUTH_RATELIMIT_IP
   - MESSAGE_RATELIMIT
@@ -29,13 +30,13 @@ x-environment:
   - REAL_IP_FROM
   - REAL_IP_HEADER
   - RECIPIENT_DELIMITER
-  - REDIS_ADDRESS
+  - REDIS_ADDRESS=db
   - REJECT_UNLISTED_RECIPIENT
   - RELAYHOST
   - RELAYNETS
-  - SECRET_KEY
+  - SECRET_KEY_FILE=/run/secrets/secret_key
   - SITENAME
-  - SUBNET
+  - SUBNET=192.168.203.0/24
   - TLS_CERT_FILENAME
   - TLS_FLAVOR
   - TLS_KEYPAIR_FILENAME
@@ -45,6 +46,7 @@ x-environment:
   - WEBROOT_REDIRECT
   - WEBSITE
   - WEB_WEBMAIL
+  - WEB_API=/api
   - WELCOME
   - WELCOME_BODY
   - WELCOME_SUBJECT
@@ -83,12 +85,14 @@ services:
         mode: host
     volumes:
       - "certs:/certs"
+    secrets:
+      - secret_key
     deploy:
       labels:
         - "traefik.enable=true"
         - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${WEB_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "coop-cloud.${STACK_NAME}.version=1.0.2+2.0.23"
@@ -103,6 +107,8 @@ services:
     environment: *default-env
     healthcheck:
       disable: true
+    secrets:
+      - secret_key
     volumes:
       - "dkim:/dkim"
       - "mailu:/data"
@@ -112,6 +118,8 @@ services:
   imap:
     image: ghcr.io/mailu/dovecot:2.0.23
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "mail:/mail"
     healthcheck:
@@ -124,6 +132,8 @@ services:
   smtp:
     image: ghcr.io/mailu/postfix:2.0.23
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "mailqueue:/queue"
     healthcheck:
@@ -134,6 +144,8 @@ services:
   antispam:
     image: ghcr.io/mailu/rspamd:2.0.23
     environment: *default-env
+    secrets:
+      - secret_key
     volumes:
       - "rspamd:/var/lib/rspamd"
       - "dkim:/dkim:ro"
@@ -147,6 +159,8 @@ services:
       - default
     volumes:
       - "webmail:/data"
+    secrets:
+      - secret_key
     deploy:
       replicas: 1
     healthcheck:
@@ -156,15 +170,15 @@ services:
     image: ldez/traefik-certs-dumper:v2.8.1
     entrypoint: sh -c '
       apk add jq
-      ; while ! [ -e /traefik/production-acme.json ]
-        || ! [ `jq ".production.Certificates | length" /traefik/production-acme.json` != 0 ]; do
+      ; while ! [ -e /traefik/${ACME_JSON} ]
+        || ! [ `jq ".production.Certificates | length" /traefik/${ACME_JSON}` != 0 ]; do
           sleep 1
       ; done
-      && traefik-certs-dumper file --watch --source /traefik/production-acme.json
-        --dest /output --domain-subdir=true --version v2'
+      && traefik-certs-dumper file --watch --source /traefik/${ACME_JSON}
+        --dest /output --domain-subdir=true --version v2
+        --post-hook "sh /usr/bin/certdumper_post.sh"'
     environment:
-      # Make sure this is the same as the main=-domain in traefik.toml
-      - DOMAIN=$WEB_DOMAIN
+      - DOMAIN=$DOMAIN
     volumes:
       # Folder, which contains the acme.json
       - type: volume
@@ -205,3 +219,8 @@ configs:
   certdumper_post:
     name: ${STACK_NAME}_certdumper_post_${CERTDUMPER_POST_VERSION}
     file: certdumper_post.sh
+
+secrets:
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}

logging.inc

@@ -0,0 +1,2 @@
+type=console
+debug_modules=dkim

mailman-arc.conf

@@ -0,0 +1,7 @@
+sign_networks = "/overrides/dkim_ip.map";
+path = "/dkim/$domain.$selector.key";
+use_domain = "header";
+#use_vault = false;
+#try_fallback = true;
+#selector_map = "/overrides/dkim_selectors.map";
+#selector = "dkim";

mailman-dkim_ip.map.tmpl

@@ -0,0 +1 @@
+{{ env "RELAYNETS" }}