Attempt at ARC/DKIM signing for mailman

README.md

@@ -27,7 +27,7 @@ host.
 5. `abra app deploy YOURAPPDOMAIN`
 9. Create initial user:
 ```
-abra app run YOURDOMAIN admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
+abra app YOURAPPDOMAIN run admin flask mailu admin admin YOURDOMAIN YOURPASSWORD
 ```
 
 [Mailu]: https://mailu.io/

abra.sh

@@ -1,3 +1,5 @@
 export CERTDUMPER_POST_VERSION=v1
-export POSTFIX_OVERRIDE_VERSION=v17
+export POSTFIX_OVERRIDE_VERSION=v15
 export SENDER_LOGIN_VERSIONS=v2
+export ARC_OVERRIDE_VERSION=v8
+export DKIM_IP_MAP_OVERRIDE_VERSION=v2

compose.mailman.yml

@@ -10,20 +10,42 @@ services:
       - MAILMAN_POSTFIX_OVERRIDES
     networks:
       - default
+      - shared_mailman_network
     volumes:
       - "shared-mailman-core:/opt/mailman/"
     configs:
       - source: postfix_override
         target: /overrides/postfix.cf
+  antispam:
+    configs:
+      - source: arc_conf_override
+        target: /overrides/arc.conf
+      - source: dkim_ip_map_override
+        target: /overrides/dkim_ip.map
+    volumes:
+      - "rspam_overrides:/etc/rspamd/override.d"
+
+networks:
+  shared_mailman_network:
+    external: true
+    name: ${MAILMAN_CORE_NETWORK}
 
 volumes:
   # https://git.autonomic.zone/coop-cloud/mailman3/src/branch/master/compose.yml
   shared-mailman-core:
     external: true
     name: ${MAILMAN_CORE_VOLUME}
+  rspam_overrides:
 
 configs:
   postfix_override:
     name: ${STACK_NAME}_postfix_overrides_${POSTFIX_OVERRIDE_VERSION}
-    file: postfix.cf.tmpl
+    file: mailman-postfix.cf.tmpl
+    template_driver: golang
+  arc_conf_override:
+    name: ${STACK_NAME}_arc_conf_override_${ARC_OVERRIDE_VERSION}
+    file: mailman-arc.conf
+  dkim_ip_map_override:
+    name: ${STACK_NAME}_dkim_ip_map_${DKIM_IP_MAP_OVERRIDE_VERSION}
+    file: mailman-dkim_ip.map.tmpl
     template_driver: golang

compose.yml

@@ -54,7 +54,7 @@ x-environment:
 
 services:
   app:
-    image: ghcr.io/mailu/nginx:2.0.41
+    image: ghcr.io/mailu/nginx:2.0.23
     logging:
       driver: json-file
     networks:
@@ -95,15 +95,15 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "coop-cloud.${STACK_NAME}.version=1.1.1+2.0.41"
+        - "coop-cloud.${STACK_NAME}.version=1.0.2+2.0.23"
   
   db:
-    image: redis:7.2.4-alpine
+    image: redis:7.2.0-alpine
     volumes:
       - "redis:/data"
 
   admin:
-    image: ghcr.io/mailu/admin:2.0.41
+    image: ghcr.io/mailu/admin:2.0.23
     environment: *default-env
     healthcheck:
       disable: true
@@ -116,7 +116,7 @@ services:
       - default
 
   imap:
-    image: ghcr.io/mailu/dovecot:2.0.41
+    image: ghcr.io/mailu/dovecot:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -130,7 +130,7 @@ services:
       - default
 
   smtp:
-    image: ghcr.io/mailu/postfix:2.0.41
+    image: ghcr.io/mailu/postfix:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -142,7 +142,7 @@ services:
       - app
 
   antispam:
-    image: ghcr.io/mailu/rspamd:2.0.41
+    image: ghcr.io/mailu/rspamd:2.0.23
     environment: *default-env
     secrets:
       - secret_key
@@ -153,7 +153,7 @@ services:
       disable: true
 
   webmail:
-    image: ghcr.io/mailu/webmail:2.0.41
+    image: ghcr.io/mailu/webmail:2.0.23
     environment: *default-env
     networks:
       - default
@@ -167,7 +167,7 @@ services:
       disable: true
 
   certdumper:
-    image: ldez/traefik-certs-dumper:v2.8.3
+    image: ldez/traefik-certs-dumper:v2.8.1
     entrypoint: sh -c '
       apk add jq
       ; while ! [ -e /traefik/${ACME_JSON} ]

logging.inc

@@ -0,0 +1,2 @@
+type=console
+debug_modules=dkim

mailman-arc.conf

@@ -0,0 +1,7 @@
+sign_networks = "/overrides/dkim_ip.map";
+path = "/dkim/$domain.$selector.key";
+use_domain = "header";
+#use_vault = false;
+#try_fallback = true;
+#selector_map = "/overrides/dkim_selectors.map";
+#selector = "dkim";

mailman-dkim_ip.map.tmpl

@@ -0,0 +1 @@
+{{ env "RELAYNETS" }}

mailman-postfix.cf.tmpl

@@ -10,9 +10,9 @@
 
 unknown_local_recipient_reject_code = 550
 owner_request_special = no
-virtual_mailbox_maps = regexp:/opt/mailman/var/data/postfix_lmtp, \${podop}mailbox
 transport_maps = regexp:/opt/mailman/var/data/postfix_lmtp \${podop}transport
 local_recipient_maps = regexp:/opt/mailman/var/data/postfix_lmtp
+relay_domains = regexp:/opt/mailman/var/data/postfix_domains \${podop}transport
 {{ end }}
 {{ if eq (env "SENDER_LOGINS_POSTFIX_OVERRIDES") "1" }}
 # https://github.com/Mailu/Mailu/issues/1096

release/1.1.0+2.0.34

@@ -1,18 +0,0 @@
-# Secret key
-
-The secret key is now stored as a docker secret instead of a variable in the
-env file. You need to insert it by running:
-`abra app secret insert <your mailu app> secret_key v1 <SECRETKEYHERE>`
-and you can remove `SECRET_KEY` from your config file.
-
-# `DOMAIN` is now `MAIL_DOMAIN`
-
-This is important! If your main e-mail domain is something else than the
-domain you are reaching the web interface at, you need to make changes.
-I.e. in our setup we have `autonomic.zone` pointing an A record at some server
-and `mail.autonomic.zone` is a separate server, and MX records are pointing
-to the server at `mail.autonomic.zone`.
-In this case:
-  - `DOMAIN` should be `mail.autonomic.zone` - this is what traefik will use to
-  provision a certificate
-  - `MAIL_DOMAIN` should be `autonomic.zone`