From 3d166860179a3ae3ec215b58e33d90b0ffa37ec8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Lo=C5=A1=C5=A5=C3=A1k?=
Date: Fri, 27 Mar 2026 04:16:00 +0100
Subject: [PATCH] Initial commit
---
 Dockerfile | 19 +++++++++++++++
 README.md | 59 +++++++++++++++++++++++++++++++++++++++++++++--
 entrypoint.sh | 25 ++++++++++++++++++++
 opendkim.conf.tpl | 47 +++++++++++++++++++++++++++++++++++++
 4 files changed, 148 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 entrypoint.sh
 create mode 100644 opendkim.conf.tpl
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2a98e48
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,19 @@
+FROM ubuntu:22.04
+
+WORKDIR /opt/opendkim
+
+RUN apt update && \
+ apt upgrade -y && \
+ apt install -y opendkim inetutils-syslogd curl
+
+RUN curl -SsfL -o /usr/bin/gomplate "https://github.com/hairyhenderson/gomplate/releases/download/v3.11.5/gomplate_linux-amd64-slim" && \
+ chmod 755 /usr/bin/gomplate && \
+ mkdir -p /etc/rsyslog.d/ && \
+ touch /etc/rsyslog.d/stdout.conf && \
+ echo "*.* /dev/stdout" > /etc/rsyslog.d/stdout.conf
+
+COPY entrypoint.sh .
+COPY opendkim.conf.tpl .
+
+EXPOSE 8892/tcp
+CMD ["/bin/bash", "entrypoint.sh"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 693225e..20cf604 100644
--- a/README.md
+++ b/README.md
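Review bot: The gomplate binary fetched by curl in the second RUN is installed without any integrity check, so the build trusts whatever the release URL serves at build time; add a digest check in the same step before the `chmod 755`, e.g. `echo "<expected sha256 of gomplate_linux-amd64-slim v3.11.5>  /usr/bin/gomplate" | sha256sum -c -`, with the expected value taken from the release's published checksum file. The first RUN uses `apt` instead of `apt-get`, runs `apt upgrade -y` inside the build, installs unpinned packages and never removes `/var/lib/apt/lists/*`, which makes the image non-reproducible and larger than needed; `apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` is the usual form. The `touch` of stdout.conf is redundant because the `echo >` that follows creates the file. The final image has no `USER` and the CMD runs `/bin/bash entrypoint.sh` as root; that is needed for the chown in entrypoint.sh, but a comment on the CMD line saying that the privilege drop happens through opendkim's UserID would make the intent clear.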
@@ -1,3 +1,58 @@
-# opendkim-docker
+# Building the image
+```sh
+docker build --rm -t opendkim:latest .
+```
 
-Dockerized OpenDKIM service for signing outgoing mail with DKIM.
\ No newline at end of file
+# Generating private key
+Before running the private key must be generated using opendkim-keygen or supplied.
+```sh
+# Generate private key.
+opendkim-genkey --bits=2048 --selector=dkim --restrict --verbose
+
+# Getting publickey for DNS record.
+cat dkim.txt | tr -d "\"\n\" \t" | sed -r "s/.*\((.*)\).*/\\1\n/"
+```
+
+# Running the image
+```sh
+docker run -it --rm --name opendkim -p 8892:8892 -v /path/dkim.private:/opt/opendkim/keys/dkim.private opendkim:latest
+```
+
+# Environment variables
+These values are default and can be overriden by declaring environment variable with naother value.
+```sh
+# Attempts to become the specified userid before starting operations. The value is of the form userid[:group].
+OPENDKIM_USERID="opendkim"
+
+# Specifies the socket that should be established by the filter to receive connections.
+OPENDKIM_SOCKET="inet:8892@0.0.0.0"
+
+# A set of domains whose mail should be signed by this filter.
+OPENDKIM_DOMAIN="*"
+
+# Gives the location of a PEM-formatted private key to be used for signing all messages. Ignored if a KeyTable is defined.
+OPENDKIM_KEYFILE="/opt/opendkim/keys/dkim.private"
+
+# Defines the name of the selector to be used when signing messages.
+OPENDKIM_SELECTOR="dkim"
+
+# Selects the canonicalization method(s) to be used when signing messages.
+OPENDKIM_CANONICALIZATION="relaxed/simple"
+
+# Selects operating modes. The string is a concatenation of characters
+# that indicate which mode(s) of operation are desired. Valid modes are s (signer) and v (verifier).
+OPENDKIM_MODE="sv"
+
+# Sign subdomains of those listed by the Domain parameter as well as the actual domains.
+OPENDKIM_SUBDOMAINS="true"
+
+# Specifies a set of header fields that should be included in all signature header lists (the "h=" tag)
+# once more than the number of times they were actually present in the signed message.
+OPENDKIM_OVERSIGNHEADERS="From"
+
+# Specifies a file from which trust anchor data should be read when doing DNS queries and applying the DNSSEC protocol.
+OPENDKIM_TRUSTANCHORFILE="/usr/share/dns/root.key"
+
+# Identifies a set internal hosts whose mail should be signed rather than verified.
+OPENDKIM_INTERNALHOSTS="127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8"
+```
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..aa97a36
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Misc default variables.
+export OPENDKIM_USERID=${OPENDKIM_USERID:-opendkim}
+export OPENDKIM_SOCKET=${OPENDKIM_SOCKET:-inet:8892@0.0.0.0}
+export OPENDKIM_DOMAIN=${OPENDKIM_DOMAIN:-*}
+export OPENDKIM_KEYFILE=${OPENDKIM_KEYFILE:-/opt/opendkim/keys/dkim.private}
+export OPENDKIM_SELECTOR=${OPENDKIM_SELECTOR:-dkim}
+export OPENDKIM_CANONICALIZATION=${OPENDKIM_CANONICALIZATION:-relaxed/simple}
+export OPENDKIM_MODE=${OPENDKIM_MODE:-sv}
+export OPENDKIM_SUBDOMAINS=${OPENDKIM_SUBDOMAINS:-true}
+export OPENDKIM_OVERSIGNHEADERS=${OPENDKIM_OVERSIGNHEADERS:-From}
+export OPENDKIM_TRUSTANCHORFILE=${OPENDKIM_TRUSTANCHORFILE:-/usr/share/dns/root.key}
+export OPENDKIM_INTERNALHOSTS=${OPENDKIM_INTERNALHOSTS:-127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
+
+# Configuration templates.
+gomplate -f opendkim.conf.tpl > /opt/opendkim/opendkim.conf
+
+mkdir -p /var/opendkim
+cp $OPENDKIM_KEYFILE /var/opendkim/dkim.private
+chown opendkim:opendkim /var/opendkim/dkim.private
+chmod 0600 /var/opendkim/dkim.private
+
+opendkim -x /opt/opendkim/opendkim.conf
+syslogd -n -f /etc/rsyslog.d/stdout.conf
\ No newline at end of file
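Review bot: entrypoint.sh has no `set -euo pipefail`, so a failed `gomplate` render or a missing `$OPENDKIM_KEYFILE` is ignored and `opendkim` is started against a truncated config or with no key, while `syslogd -n` keeps the container alive and looking healthy. The `chown opendkim:opendkim` on the copied key is hard-coded even though `UserID` is taken from `OPENDKIM_USERID`, so with the 0600 mode that follows any non-default userid cannot read its own key; chown accepts the same `user[:group]` form, so `chown "$OPENDKIM_USERID"` keeps the two in step. Because `opendkim` daemonizes and `syslogd -n` is the foreground process, the container's lifetime tracks syslogd rather than the milter and a crashed opendkim is never surfaced; starting syslogd in the background and `exec`ing opendkim with its foreground flag `-f` inverts that, and also makes opendkim the process that receives SIGTERM from `docker stop`. `$OPENDKIM_KEYFILE` should be quoted as well.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: OPENDKIM_* defaults and gomplate rendering …

mkdir -p /var/opendkim
cp "$OPENDKIM_KEYFILE" /var/opendkim/dkim.private
# Owner must match the UserID opendkim drops to, or the 0600 key is unreadable.
chown "$OPENDKIM_USERID" /var/opendkim/dkim.private
chmod 0600 /var/opendkim/dkim.private

# syslogd must be listening before opendkim logs; opendkim stays in the
# foreground so the container exits (and is restarted) when the milter dies.
syslogd -n -f /etc/rsyslog.d/stdout.conf &
exec opendkim -f -x /opt/opendkim/opendkim.conf
```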
diff --git a/opendkim.conf.tpl b/opendkim.conf.tpl
new file mode 100644
index 0000000..550adb4
--- /dev/null
+++ b/opendkim.conf.tpl
@@ -0,0 +1,47 @@
+# Disable log to syslog because we want to log in stdout.
+Syslog true
+
+# Log via calls to syslog(3) additional entries indicating successful signing or verification of messages.
+SyslogSuccess true
+
+# If logging is enabled (see Syslog below), issues very detailed logging about the
+# logic behind the filter’s decision to either sign a message or verify it.
+LogWhy true
+
+# Specifies the path to a file that should be created at process start containing the process ID.
+PidFile /var/run/opendkim/opendkim.pid
+
+# Attempts to become the specified userid before starting operations. The value is of the form userid[:group].
+UserID {{ .Env.OPENDKIM_USERID }}
+
+# Specifies the socket that should be established by the filter to receive connections.
+Socket {{ .Env.OPENDKIM_SOCKET }}
+
+# A set of domains whose mail should be signed by this filter.
+Domain {{ .Env.OPENDKIM_DOMAIN }}
+
+# Gives the location of a PEM-formatted private key to be used for signing all messages. Ignored if a KeyTable is defined.
+KeyFile /var/opendkim/dkim.private
+
+# Defines the name of the selector to be used when signing messages.
+Selector {{ .Env.OPENDKIM_SELECTOR }}
+
+# Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization {{ .Env.OPENDKIM_CANONICALIZATION }}
+
+# Selects operating modes. The string is a concatenation of characters
+# that indicate which mode(s) of operation are desired. Valid modes are s (signer) and v (verifier).
+Mode {{ .Env.OPENDKIM_MODE }}
+
+# Sign subdomains of those listed by the Domain parameter as well as the actual domains.
+SubDomains {{ .Env.OPENDKIM_SUBDOMAINS }}
+
+# Specifies a set of header fields that should be included in all signature header lists (the "h=" tag)
+# once more than the number of times they were actually present in the signed message.
+OversignHeaders {{ .Env.OPENDKIM_OVERSIGNHEADERS }}
+
+# Specifies a file from which trust anchor data should be read when doing DNS queries and applying the DNSSEC protocol.
+TrustAnchorFile {{ .Env.OPENDKIM_TRUSTANCHORFILE }}
+
+# Identifies a set internal hosts whose mail should be signed rather than verified.
+InternalHosts {{ .Env.OPENDKIM_INTERNALHOSTS }}
\ No newline at end of file
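Review bot: The comment above `Syslog true` at the top of this file says it disables syslog logging, but the directive enables it; the actual design (entrypoint.sh runs a syslogd that writes everything to /dev/stdout) is that log lines go through syslog and end up on the container's stdout, so the comment should read `# Log via syslog; the container's syslogd forwards all messages to /dev/stdout.` and the `(see Syslog below)` in the LogWhy comment should say "above". `PidFile /var/run/opendkim/opendkim.pid` names a directory the entrypoint never creates (it only creates /var/opendkim); unless the Ubuntu package creates it at install time, opendkim cannot write its pid file after dropping to UserID, so either add a `mkdir -p`/`chown` for it in the entrypoint or drop the directive. `Domain {{ .Env.OPENDKIM_DOMAIN }}` defaults to `*` while there is a single `KeyFile`, which as far as I can tell means every message from an InternalHosts source is signed with this key whatever its From domain; a comment noting that the selector's DNS record must be published for each sending domain would save operators a debugging round.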