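#!/usr/bin/env bash
# Script to set up SPF and DKIM on a Postfix + OpenDKIM + BIND host.
#
# Usage: setup-spf-dkim.sh [domain]        (default domain: tuxmail.io)
#
# Must run as root. It appends SPF/DKIM TXT records to /etc/bind/db.<domain>,
# configures the Postfix SPF policy daemon, installs and configures OpenDKIM,
# generates a 2048-bit DKIM key for selector "default" and publishes it.
# Every append is guarded by a marker check so the script can be re-run
# without duplicating configuration, and an existing DKIM key is never
# overwritten (regenerating it would silently invalidate the published record).
set -euo pipefail

domain_name=${1:-tuxmail.io}
zone_file="/etc/bind/db.$domain_name"
key_dir="/etc/opendkim/keys/$domain_name"
# The OpenDKIM socket has to live below the Postfix queue directory because
# the Postfix SMTP daemon runs chrooted there (see the milter section below).
postfix_sock_dir=/var/spool/postfix/opendkim

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Append stdin to FILE unless FILE already contains a line matching MARKER.
# Arguments: $1 - grep BRE identifying the block, $2 - target file
# Outputs:   a "skip" notice on stderr when the block is already present
#######################################
append_once() {
  local marker=$1 file=$2
  if [[ -f "$file" ]] && grep -q -- "$marker" "$file"; then
    printf 'skip: %s already contains %s\n' "$file" "$marker" >&2
    cat >/dev/null   # drain the here-doc so nothing is left on stdin
    return 0
  fi
  cat >> "$file"
}

#######################################
# Insert LINE after the first line matching PATTERN in FILE, unless LINE is
# already present verbatim. This ADDS a line below the match; it does not
# uncomment the matched line (the commented-out default stays in place).
# Arguments: $1 - sed BRE (must not contain '|'), $2 - line to add, $3 - file
#######################################
insert_after() {
  local pattern=$1 line=$2 file=$3
  if grep -qxF -- "$line" "$file"; then
    return 0
  fi
  # '|' is the address delimiter so PATTERN and LINE may contain '/'.
  sed -i "\\|${pattern}|a\\
${line}" "$file"
}

(( EUID == 0 )) || die 'this script must run as root'
# The domain is interpolated into file paths and config files: accept only
# hostname characters so a stray argument cannot escape those paths.
[[ "$domain_name" =~ ^[A-Za-z0-9.-]+$ ]] || die "invalid domain name: $domain_name"
if [[ ! -f "$zone_file" ]]; then
  printf 'warning: %s does not exist; records will be appended to a new file\n' "$zone_file" >&2
fi

# ---------------------------------------------------------------- SPF -----
# Publish the SPF record. The SOA serial of the zone must be bumped afterwards
# or secondaries and caches will not pick the change up.
append_once '^@ IN TXT "v=spf1' "$zone_file" <<'EOF'
; TXT records (SPF, DKIM, DMARC, etc)
@ IN TXT "v=spf1 mx ~all"
EOF

# SPF policy agent for Postfix (apt-get is the stable CLI for scripts).
DEBIAN_FRONTEND=noninteractive apt-get install -y postfix-policyd-spf-python

# Tell Postfix to start the SPF policy daemon when it starts itself.
# The second line must begin with whitespace: master.cf treats an indented
# line as a continuation of the service entry above it.
append_once '^policyd-spf ' /etc/postfix/master.cf <<'EOF'
policyd-spf unix - n n - 0 spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
EOF

# First line: policy agent timeout. The rest restricts incoming mail by
# rejecting unauthorized relaying and consulting the SPF policy service.
# Continuation lines MUST start with whitespace; otherwise Postfix reads each
# one as a new (invalid) parameter and the restriction list ends up empty.
append_once '^policyd-spf_time_limit' /etc/postfix/main.cf <<'EOF'
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
EOF

systemctl restart postfix

# ------------------------------------------------------------ OpenDKIM -----
DEBIAN_FRONTEND=noninteractive apt-get install -y opendkim opendkim-tools
# Postfix needs to be in the opendkim group to reach the milter socket.
gpasswd -a postfix opendkim

# Activate settings right below their commented-out defaults in opendkim.conf.
insert_after '^#LogWhy'     'LogWhy yes'    /etc/opendkim.conf   # verbose logs for debugging
insert_after '^#SubDomains' 'SubDomains no' /etc/opendkim.conf
insert_after '^#Mode'       'Mode sv'       /etc/opendkim.conf   # sign and verify
# Settings chained directly below SubDomains, in this order.
insert_after '^SubDomains no$'         'AutoRestart yes'               /etc/opendkim.conf
insert_after '^AutoRestart yes$'       'AutoRestartRate 10/1M'         /etc/opendkim.conf
insert_after '^AutoRestartRate 10/1M$' 'Background yes'                /etc/opendkim.conf
insert_after '^Background yes$'        'DNSTimeout 5'                  /etc/opendkim.conf
insert_after '^DNSTimeout 5$'          'SignatureAlgorithm rsa-sha256' /etc/opendkim.conf

# Tables and host lists, appended at the end of /etc/opendkim.conf.
append_once '^UserID opendkim' /etc/opendkim.conf <<'EOF'
#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
EOF

# Directory structure for OpenDKIM; the package may already have created part
# of it, so -p keeps this safe to repeat.
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
# Private keys live here: remove all group/other access, including execute,
# so other users cannot even traverse the directory.
chmod 700 /etc/opendkim/keys

# signing.table: mail from @<domain> is signed with the private key identified
# by default._domainkey.<domain>; the second line covers sub-domains as well.
append_once "^\\*@${domain_name} " /etc/opendkim/signing.table <<EOF
*@$domain_name default._domainkey.$domain_name
*@*.$domain_name default._domainkey.$domain_name
EOF

# key.table: selector -> domain, selector name and private key path.
append_once "^default\\._domainkey\\.${domain_name} " /etc/opendkim/key.table <<EOF
default._domainkey.$domain_name $domain_name:default:$key_dir/default.private
EOF

# trusted.hosts: mail from localhost or from this domain is only signed,
# not DKIM-verified.
append_once "^\\.${domain_name}\$" /etc/opendkim/trusted.hosts <<EOF
127.0.0.1
localhost
.$domain_name
EOF

# Generate a 2048-bit private key for signing; the matching public key is
# published in DNS below. Keep an existing key: a regenerated key would no
# longer match the record already published for this selector.
mkdir -p "$key_dir"
if [[ -f "$key_dir/default.private" ]]; then
  printf 'keeping existing DKIM key %s\n' "$key_dir/default.private" >&2
else
  opendkim-genkey -b 2048 -d "$domain_name" -D "$key_dir" -s default -v
fi
# Only the opendkim user may read or write the private key.
chown opendkim:opendkim "$key_dir/default.private"
chmod 600 "$key_dir/default.private"
# Show the generated DNS record for reference.
cat "$key_dir/default.txt"

# Publish the public key: record header first, then the last two lines of
# default.txt (the quoted key halves) with spaces stripped and the leading
# "p=" removed because the header already carries it. Bump the SOA serial.
if grep -q '^default\._domainkey' "$zone_file"; then
  printf 'skip: DKIM record already present in %s\n' "$zone_file" >&2
else
  {
    printf '%s\n' 'default._domainkey IN TXT ( "v=DKIM1; k=rsa; p="'
    tail -n 2 "$key_dir/default.txt" | tr -d ' ' | sed 's/"p=/"/'
  } >> "$zone_file"
fi
systemctl restart bind9

# The Postfix SMTP daemon runs in a chroot jail and resolves file names
# relative to the queue directory, so move the OpenDKIM socket under it.
mkdir -p "$postfix_sock_dir"
chown opendkim:opendkim "$postfix_sock_dir"
# opendkim.conf: Socket local:/run/opendkim/opendkim.sock -> chroot path
sed -i "s|local:/run/opendkim/opendkim.sock|local:$postfix_sock_dir/opendkim.sock|g" /etc/opendkim.conf
# /etc/default/opendkim: SOCKET=local:$RUNDIR/opendkim.sock -> chroot path
# (\$ keeps the literal "$RUNDIR" text in the pattern)
sed -i "s|SOCKET=local:\\\$RUNDIR/opendkim.sock|SOCKET=\"local:$postfix_sock_dir/opendkim.sock\"|g" /etc/default/opendkim

# Milter configuration for Postfix, appended to main.cf. The here-doc is
# quoted so $smtpd_milters is written literally for Postfix to expand.
append_once '^smtpd_milters' /etc/postfix/main.cf <<'EOF'
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
EOF

systemctl restart opendkim postfix
printf 'done: remember to increment the SOA serial in %s so the new TXT records propagate\n' "$zone_file" >&2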