From 8e920fa2b32ab97ee83da9fb711b7e287b7e481e Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Mon, 17 Dec 2018 13:53:15 +0100
Subject: [PATCH] first commit
---
Dockerfile | 11 +++++
Dockerfile.debian | 35 +++++++++++++++
opendkim/opendkim.conf | 29 +++++++++++++
opendkim/opendkim.conf.debian | 80 +++++++++++++++++++++++++++++++++++
service/logger/finish | 4 ++
service/logger/run | 10 +++++
service/opendkim/finish | 4 ++
service/opendkim/run | 6 +++
start.sh | 12 ++++++
9 files changed, 191 insertions(+)
create mode 100644 Dockerfile
create mode 100644 Dockerfile.debian
create mode 100644 opendkim/opendkim.conf
create mode 100644 opendkim/opendkim.conf.debian
create mode 100755 service/logger/finish
create mode 100755 service/logger/run
create mode 100755 service/opendkim/finish
create mode 100755 service/opendkim/run
create mode 100755 start.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..c9de725
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3.8
+MAINTAINER Andrey Arapov
+
+RUN apk update && \
+ apk upgrade && \
+ apk add opendkim runit socklog && \
+ rm -rf /etc/service
+
+COPY service /etc/service/
+# RUN find /etc/service -xdev -type f -name "run" -exec chmod +x '{}' \;
+ENTRYPOINT runsvdir -P /etc/service
diff --git a/Dockerfile.debian b/Dockerfile.debian
new file mode 100644
index 0000000..9039cad
--- /dev/null
+++ b/Dockerfile.debian
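Review bot: The final line of the new Dockerfile, `ENTRYPOINT runsvdir -P /etc/service`, is in shell form, so the container's PID 1 is `/bin/sh -c ...` and the stop signal from `docker stop` is delivered to that shell rather than directly to runsvdir. The exec form `ENTRYPOINT ["runsvdir", "-P", "/etc/service"]` makes the supervisor PID 1; Dockerfile.debian ends with the same line and needs the same change. As far as I recall from runsvdir(8), HUP rather than TERM is what makes it stop its runsv children, so `STOPSIGNAL SIGHUP` is worth checking alongside. In the `RUN` step, `apk add --no-cache opendkim runit socklog` would avoid leaving the package index in the layer.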
@@ -0,0 +1,35 @@
+FROM debian:stretch
+MAINTAINER Andrey Arapov
+
+# To avoid problems with Dialog and curses wizards
+ENV DEBIAN_FRONTEND noninteractive
+
+# Workaround the apt-get slowness when running grsecurity kernel
+# ulimit -n 1024
+RUN apt-get update && \
+ apt-get -y install opendkim runit curl make gcc
+
+# Compile socklog
+ENV SOCKLOG_NAME "socklog-2.1.0"
+ENV SOCKLOG_HASH "aa869a787ee004da4e5509b5a0031bcc17a4ab4ac650c2ce8d4e488123acb455"
+
+RUN cd /opt && \
+ curl -#L -o $SOCKLOG_NAME.tar.gz http://smarden.org/socklog/$SOCKLOG_NAME.tar.gz && \
+ sha256sum $SOCKLOG_NAME.tar.gz |grep -qw $SOCKLOG_HASH && \
+ tar xf $SOCKLOG_NAME.tar.gz && \
+ rm -f $SOCKLOG_NAME.tar.gz && \
+ cd admin/$SOCKLOG_NAME && \
+ package/install && \
+ package/install-man
+
+RUN rm -vf /etc/service/socklog-klog /etc/service/socklog-unix
+
+#RUN useradd -r -m -d /var/run/opendkim -s /bin/false opendkim
+
+# tzdata - so that TZ environment variable gets processed
+# rsyslog - to log postfix service into /var/log/mail.log file
+
+COPY service /etc/service/
+RUN find /etc/service -xdev -type f -name "run" -exec chmod +x '{}' \;
+
+ENTRYPOINT runsvdir -P /etc/service
diff --git a/opendkim/opendkim.conf b/opendkim/opendkim.conf
new file mode 100644
index 0000000..1711d97
--- /dev/null
+++ b/opendkim/opendkim.conf
@@ -0,0 +1,29 @@
+#BaseDirectory /run/opendkim
+
+#LogWhy yes
+Syslog yes
+SyslogSuccess yes
+
+Canonicalization relaxed/simple
+
+#Domain example.com
+#Selector default
+#KeyFile /var/db/dkim/example.com.private
+
+Socket inet:8891@localhost
+#Socket local:opendkim.sock
+
+#ReportAddress postmaster@example.com
+#SendReports yes
+
+## Hosts to sign email for - 127.0.0.1 is default
+## See the OPERATION section of opendkim(8) for more information
+#
+# InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+## For secondary mailservers - indicates not to sign or verify messages
+## from these hosts
+#
+# PeerList X.X.X.X
+
+# PidFile /var/run/opendkim/opendkim.pid
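Review bot: In Dockerfile.debian, `curl`, `make` and `gcc` are installed in the first `RUN` only to build socklog and are never removed, so the runtime image ships a compiler and a download tool alongside the DKIM signer. Either build socklog in a separate stage and copy the result, or do the install, build and cleanup in one `RUN` that ends with `apt-get -y purge --auto-remove curl make gcc && rm -rf /var/lib/apt/lists/*`; a purge in a later layer would hide the tools but still leave them in the image history. The tarball is fetched over plain `http://`, so its integrity rests entirely on the pinned SHA-256 check that runs before `tar xf`; a short comment saying so, and where the hash was obtained, would help whoever bumps `SOCKLOG_NAME`. `ENV DEBIAN_FRONTEND noninteractive` also persists into the running container, whereas `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-only.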
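Review bot: In opendkim/opendkim.conf, `Socket inet:8891@localhost` binds the milter to the container's own loopback, and start.sh publishes no port and sets no shared network, so an MTA outside this container presumably cannot reach it as committed. When this is opened up, keep the listener reachable only by the MTA (a private Docker network or a shared UNIX socket volume) rather than switching to a bare `inet:8891`, since the milter connection itself carries no authentication. A comment above the `Socket` line stating the intended deployment would avoid guesswork.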
diff --git a/opendkim/opendkim.conf.debian b/opendkim/opendkim.conf.debian
new file mode 100644
index 0000000..afc808c
--- /dev/null
+++ b/opendkim/opendkim.conf.debian
@@ -0,0 +1,80 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+Socket local:/var/run/opendkim/opendkim.sock
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
diff --git a/service/logger/finish b/service/logger/finish
new file mode 100755
index 0000000..6a83bc5
--- /dev/null
+++ b/service/logger/finish
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "${PWD##*/}: Exitted with $1 (signal: $2)"
+[ $1 -ne 0 ] && ( echo "${PWD##*/}: rc != 0, sleeping for 5 seconds ..."; sleep 5 )
diff --git a/service/logger/run b/service/logger/run
new file mode 100755
index 0000000..202f60a
--- /dev/null
+++ b/service/logger/run
@@ -0,0 +1,10 @@
+#!/bin/sh
+# Collect all logs which come to /dev/log
+exec 2>&1
+
+echo "${PWD##*/}: started."
+
+set -x
+exec chpst -Unobody socklog unix /dev/log
+# exec socklog unix /dev/log
+# exec socat UNIX-LISTEN:/dev/log,reuseaddr,fork -
diff --git a/service/opendkim/finish b/service/opendkim/finish
new file mode 100755
index 0000000..6a83bc5
--- /dev/null
+++ b/service/opendkim/finish
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "${PWD##*/}: Exitted with $1 (signal: $2)"
+[ $1 -ne 0 ] && ( echo "${PWD##*/}: rc != 0, sleeping for 5 seconds ..."; sleep 5 )
diff --git a/service/opendkim/run b/service/opendkim/run
new file mode 100755
index 0000000..79eeca5
--- /dev/null
+++ b/service/opendkim/run
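Review bot: In service/logger/finish, `[ $1 -ne 0 ] && ( ... )` expands `$1` unquoted and, being the last command, makes the script return non-zero whenever the service exited cleanly. An explicit form is easier to read and always returns 0: `if [ "$1" -ne 0 ]; then echo "${PWD##*/}: rc != 0, sleeping for 5 seconds ..."; sleep 5; fi`. service/opendkim/finish is byte-identical (same blob 6a83bc5) and would take the same change.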
@@ -0,0 +1,6 @@
+#!/bin/sh
+echo "${PWD##*/}: started."
+
+#chown -Rh opendkim:opendkim -- /etc/opendkim
+#exec su -s /bin/sh opendkim -c "/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid" 2>&1
+exec /usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid 2>&1
diff --git a/start.sh b/start.sh
new file mode 100755
index 0000000..4b1443a
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+IMAGE=opendkim
+
+docker build -t $IMAGE .
+docker rm -f $IMAGE
+docker run -d \
+ -h $(hostname -f) \
+ --name $IMAGE \
+ -v /etc/localtime:/etc/localtime:ro \
+ -v $PWD/opendkim:/etc/opendkim:ro \
+ $IMAGE
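Review bot: In service/opendkim/run, the `exec` line passes `-P /var/run/opendkim/opendkim.pid`, but nothing visible in this commit creates `/var/run/opendkim` (the `useradd ... -d /var/run/opendkim` line in Dockerfile.debian is commented out), so this depends on the distribution package shipping that directory with suitable ownership. Since runsv already supervises the foreground process started with `-f`, the PID file looks unnecessary; dropping `-P ...` or creating the directory just before the `exec` would remove the dependency. The commented-out `chown -Rh opendkim:opendkim -- /etc/opendkim` would also fail against the read-only mount that start.sh sets up, so it is probably better deleted than left as a hint.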
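Review bot: In start.sh, `$IMAGE`, `$PWD` and `$(hostname -f)` are expanded unquoted in the `docker` arguments, so a checkout path containing whitespace splits the bind-mount argument; quote them, e.g. `-v "$PWD/opendkim:/etc/opendkim:ro"` and `-h "$(hostname -f)"`. Only the configuration directory is mounted, while the sample config's commented `KeyFile` points at `/var/db/dkim/`, so enabling signing will need a separate read-only mount for the private key. A comment in the script noting that the key must stay outside the image and be readable only by the opendkim user would help.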