Updated opendkim to be built from source.

2026-03-28 03:38:03 +01:00
parent e6fa15d9ec
commit 47f55ce96d
4 changed files with 401 additions and 108 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,25 +1,125 @@
 #!/bin/bash

-# Misc default variables.
-export OPENDKIM_USERID=${OPENDKIM_USERID:-opendkim}
-export OPENDKIM_SOCKET=${OPENDKIM_SOCKET:-inet:8892@0.0.0.0}
-export OPENDKIM_DOMAIN=${OPENDKIM_DOMAIN:-*}
-export OPENDKIM_KEYFILE=${OPENDKIM_KEYFILE:-/opt/opendkim/keys/dkim.private}
-export OPENDKIM_SELECTOR=${OPENDKIM_SELECTOR:-dkim}
-export OPENDKIM_CANONICALIZATION=${OPENDKIM_CANONICALIZATION:-relaxed/simple}
-export OPENDKIM_MODE=${OPENDKIM_MODE:-sv}
-export OPENDKIM_SUBDOMAINS=${OPENDKIM_SUBDOMAINS:-true}
-export OPENDKIM_OVERSIGNHEADERS=${OPENDKIM_OVERSIGNHEADERS:-From}
-export OPENDKIM_TRUSTANCHORFILE=${OPENDKIM_TRUSTANCHORFILE:-/usr/share/dns/root.key}
-export OPENDKIM_INTERNALHOSTS=${OPENDKIM_INTERNALHOSTS:-127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
+# Core defaults.
+: "${OPENDKIM_USER:=opendkim}"
+: "${OPENDKIM_GROUP:=opendkim}"
+: "${OPENDKIM_USERID:=${OPENDKIM_USER}:${OPENDKIM_GROUP}}"
+: "${OPENDKIM_SOCKET:=inet:8892@0.0.0.0}"

-# Configuration templates.
-gomplate -f opendkim.conf.tpl > /opt/opendkim/opendkim.conf
+# Signing defaults.
+: "${OPENDKIM_DOMAIN:=*}"
+: "${OPENDKIM_SELECTOR:=dkim}"
+: "${OPENDKIM_KEYFILE:=/opt/opendkim/keys/dkim.private}"
+: "${OPENDKIM_CANONICALIZATION:=relaxed/simple}"
+: "${OPENDKIM_MODE:=sv}"
+: "${OPENDKIM_SUBDOMAINS:=true}"
+: "${OPENDKIM_OVERSIGNHEADERS:=From}"

-mkdir -p /var/opendkim
-cp $OPENDKIM_KEYFILE /var/opendkim/dkim.private
-chown opendkim:opendkim /var/opendkim/dkim.private
-chmod 0600 /var/opendkim/dkim.private
+# DNS / trust defaults.
+: "${OPENDKIM_TRUSTANCHORFILE:=}"
+: "${OPENDKIM_INTERNALHOSTS:=127.0.0.1,localhost,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"
+: "${OPENDKIM_EXTERNALIGNORELIST:=refile:/etc/opendkim/TrustedHosts}"
+: "${OPENDKIM_INTERNALHOSTS_FILE:=/etc/opendkim/TrustedHosts}"

-opendkim -x /opt/opendkim/opendkim.conf
-syslogd -n -f /etc/rsyslog.d/stdout.conf
+# Table files.
+: "${OPENDKIM_KEYTABLE:=/etc/opendkim/KeyTable}"
+: "${OPENDKIM_SIGNINGTABLE:=refile:/etc/opendkim/SigningTable}"
+: "${OPENDKIM_PIDFILE:=/run/opendkim/opendkim.pid}"
+
+# Behavior.
+: "${OPENDKIM_UMASK:=002}"
+: "${OPENDKIM_BACKGROUND:=no}"
+: "${OPENDKIM_AUTO_RESTART:=no}"
+: "${OPENDKIM_AUTO_RESTART_RATE:=10/1h}"
+: "${OPENDKIM_DNS_TIMEOUT:=5}"
+: "${OPENDKIM_SIGNATURE_ALGORITHM:=rsa-sha256}"
+
+# Optional extras.
+: "${OPENDKIM_REQUIRE_SAFE_KEYS:=yes}"
+: "${OPENDKIM_REMOVE_OLD_SIGNATURES:=no}"
+: "${OPENDKIM_LOGRESULTS:=yes}"
+: "${OPENDKIM_MILTER_DEBUG:=6}"
+: "${OPENDKIM_NAMESERVERS:=}"
+
+mkdir -p \
+  /etc/opendkim \
+  /run/opendkim \
+  /var/lib/opendkim \
+  /var/opendkim
+
+touch /etc/opendkim/TrustedHosts /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+
+chown -R "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /run/opendkim /var/lib/opendkim /var/opendkim
+chmod 0755 /run/opendkim /var/lib/opendkim /var/opendkim
+
+# Copy private key to runtime location with safe permissions.
+if [ -f "${OPENDKIM_KEYFILE}" ]; then
+  cp "${OPENDKIM_KEYFILE}" /var/opendkim/dkim.private
+  chown "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /var/opendkim/dkim.private
+  chmod 0600 /var/opendkim/dkim.private
+fi
+
+# Generate TrustedHosts from env if file is empty.
+if [ ! -s /etc/opendkim/TrustedHosts ]; then
+  printf '%s\n' "${OPENDKIM_INTERNALHOSTS}" | tr ',' '\n' > /etc/opendkim/TrustedHosts
+fi
+
+# Generate KeyTable from env if file is empty.
+if [ ! -s /etc/opendkim/KeyTable ]; then
+  printf '%s._domainkey.%s %s:%s:/var/opendkim/dkim.private\n' \
+    "${OPENDKIM_SELECTOR}" \
+    "${OPENDKIM_DOMAIN}" \
+    "${OPENDKIM_DOMAIN}" \
+    "${OPENDKIM_SELECTOR}" \
+    > /etc/opendkim/KeyTable
+fi
+
+# Generate SigningTable from env if file is empty.
+if [ ! -s /etc/opendkim/SigningTable ]; then
+  printf '*@%s %s._domainkey.%s\n' \
+    "${OPENDKIM_DOMAIN}" \
+    "${OPENDKIM_SELECTOR}" \
+    "${OPENDKIM_DOMAIN}" \
+    > /etc/opendkim/SigningTable
+fi
+
+chown "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /etc/opendkim/TrustedHosts /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+
+cat > /etc/opendkim.conf <<EOF
+Syslog                  yes
+LogWhy                  yes
+UMask                   ${OPENDKIM_UMASK}
+Canonicalization        ${OPENDKIM_CANONICALIZATION}
+Mode                    ${OPENDKIM_MODE}
+SubDomains              ${OPENDKIM_SUBDOMAINS}
+OversignHeaders         ${OPENDKIM_OVERSIGNHEADERS}
+UserID                  ${OPENDKIM_USERID}
+Socket                  ${OPENDKIM_SOCKET}
+PidFile                 ${OPENDKIM_PIDFILE}
+KeyTable                ${OPENDKIM_KEYTABLE}
+SigningTable            ${OPENDKIM_SIGNINGTABLE}
+ExternalIgnoreList      ${OPENDKIM_EXTERNALIGNORELIST}
+InternalHosts           refile:${OPENDKIM_INTERNALHOSTS_FILE}
+AutoRestart             ${OPENDKIM_AUTO_RESTART}
+AutoRestartRate         ${OPENDKIM_AUTO_RESTART_RATE}
+DNSTimeout              ${OPENDKIM_DNS_TIMEOUT}
+SignatureAlgorithm      ${OPENDKIM_SIGNATURE_ALGORITHM}
+RequireSafeKeys         ${OPENDKIM_REQUIRE_SAFE_KEYS}
+RemoveOldSignatures     ${OPENDKIM_REMOVE_OLD_SIGNATURES}
+MilterDebug             ${OPENDKIM_MILTER_DEBUG}
+EOF
+
+if [ -n "${OPENDKIM_TRUSTANCHORFILE}" ] && [ -f "${OPENDKIM_TRUSTANCHORFILE}" ]; then
+  echo "TrustAnchorFile         ${OPENDKIM_TRUSTANCHORFILE}" >> /etc/opendkim.conf
+fi
+
+if [ "${OPENDKIM_LOGRESULTS}" = "yes" ]; then
+  echo "SoftwareHeader          yes" >> /etc/opendkim.conf
+fi
+
+if [ -n "${OPENDKIM_NAMESERVERS}" ]; then
+  echo "Nameservers             ${OPENDKIM_NAMESERVERS}" >> /etc/opendkim.conf
+fi
+
+./usr/sbin/opendkim -x /etc/opendkim.conf
+syslogd -n -f /etc/rsyslog.d/stdout.conf