Fix for #39 - Make sure private keys are readable by OpenDKIM

Private keys generated with `DKIM_AUTOGENERATE` were created with the root account and as such were not readable by OpenDKIM. This fix will reown the created files to the `opendkim` user.
bokysan · Oct 24, 2020 · 5f441fb · 5f441fb
1 parent 9a33ade
commit 5f441fb
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 15 deletions.
diff --git a/scripts/common-run.sh b/scripts/common-run.sh
@@ -232,7 +232,7 @@ postfix_setup_dkim() {
 			for domain in ${ALLOWED_SENDER_DOMAINS}; do
 				private_key=/etc/opendkim/keys/${domain}.private
 				if [[ -f "${private_key}" ]]; then
-					info "Key for domain ${emphasis}${domain}${reset} already exists in ${emphasis}${private_key}${reset}. Will not overwrite"
+					info "Key for domain ${emphasis}${domain}${reset} already exists in ${emphasis}${private_key}${reset}. Will not overwrite."
 				else
 					notice "Auto-generating DKIM key for ${emphasis}${domain}${reset} into ${private_key}."
 					(
@@ -243,6 +243,14 @@ postfix_setup_dkim() {
 						sed -i 's/h=rsa-sha256/h=sha256/' ${domain_dkim_selector}.txt
 						mv -v ${domain_dkim_selector}.private /etc/opendkim/keys/${domain}.private
 						mv -v ${domain_dkim_selector}.txt /etc/opendkim/keys/${domain}.txt
+
+						# Fixes #39
+						chown opendkim:opendkim /etc/opendkim/keys/${domain}.private
+						chmod 444 /etc/opendkim/keys/${domain}.private
+
+						chown opendkim:opendkim /etc/opendkim/keys/${domain}.txt
+						chmod 644 /etc/opendkim/keys/${domain}.txt
+
 					) | sed 's/^/       /'
 					any_generated=1
 				fi

diff --git a/unit-tests/Dockerfile b/unit-tests/Dockerfile
@@ -1,14 +1,17 @@
+ARG ALPINE_VERSION=latest
+FROM alpine:${ALPINE_VERSION}
+LABEL maintaner="Bojan Cekrlic - https://github.com/bokysan/docker-postfix/"
 
-FROM alpine:latest
+RUN        true && \
+           apk add --no-cache --upgrade cyrus-sasl cyrus-sasl-plain cyrus-sasl-login && \
+           apk add --no-cache postfix && \
+           apk add --no-cache opendkim && \
+           apk add --no-cache --upgrade ca-certificates tzdata supervisor rsyslog musl musl-utils bash opendkim-utils && \
+           (rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true)
+RUN        apk add --no-cache bash bats && \
+           (rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true)
 
-RUN true && \
-    apk add --no-cache bash bats && \
-    apk add --no-cache --upgrade cyrus-sasl cyrus-sasl-plain cyrus-sasl-login && \
-    apk add --no-cache postfix && \
-    apk add --no-cache opendkim && \
-    (rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true)
-
-WORKDIR /code
+WORKDIR    /code
 ENTRYPOINT ["/usr/bin/bats"]
 
-CMD ["-v"]
+CMD        ["-v"]
diff --git a/unit-tests/dkim_auto_generate.bats b/unit-tests/dkim_auto_generate.bats
@@ -0,0 +1,20 @@
+#!/usr/bin/env bats
+
+load /code/scripts/common.sh
+load /code/scripts/common-run.sh
+
+mkdir -p /etc/opendkim
+cp /code/configs/opendkim.conf /etc/opendkim/opendkim.conf
+chown -R opendkim:opendkim /etc/opendkim
+
+@test "check if private keys are readable by OpenDKIM" {
+    # Sanity check
+    su opendkim -s /bin/bash -c 'echo "Hello world"' > /dev/null
+
+    local DKIM_AUTOGENERATE=1
+    local ALLOWED_SENDER_DOMAINS=example.org
+    postfix_setup_dkim
+
+    su opendkim -s /bin/bash -c 'cat /etc/opendkim/keys/example.org.private' > /dev/null
+    su opendkim -s /bin/bash -c 'cat /etc/opendkim/keys/example.org.txt' > /dev/null
+}
diff --git a/unit-tests/test-multi-comment.bats b/unit-tests/test-multi-comment.bats
@@ -3,21 +3,29 @@
 load /code/scripts/common.sh
 load /code/scripts/common-run.sh
 
+if [[ ! -f /etc/postfix/main.test-multi-comment ]]; then
+	cp /etc/postfix/main.cf /etc/postfix/main.test-multi-comment
+fi
+
 @test "make sure #myhostname appears four times in main.cf (default)" {
 	result=$(grep -E "^#myhostname" /etc/postfix/main.cf | wc -l)
-	[ "$result" == "4" ]
+	[[ "$result" -gt 1 ]]
 }
 
 @test "make sure commenting out #myhostname does not incrase count" {
+	COMMENT_COUNT=$(grep -E "^#myhostname" /etc/postfix/main.test-multi-comment | wc -l)
 	do_postconf -# myhostname
 	result=$(grep -E "^#myhostname" /etc/postfix/main.cf | wc -l)
-	[ "$result" == "4" ]
+	[ "$result" == "$COMMENT_COUNT" ]
 }
 
 @test "make sure adding myhostname does not incrase count" {
+	COMMENT_COUNT=$(grep -E "^#myhostname" /etc/postfix/main.test-multi-comment | wc -l)
 	do_postconf -e myhostname=localhost
 	result=$(grep -E "^#myhostname" /etc/postfix/main.cf | wc -l)
-	[ "$result" == "4" ]
+	echo "result=$result"
+	echo "COMMENT_COUNT=$COMMENT_COUNT"
+	[ "$result" == "$COMMENT_COUNT" ]
 }
 
 @test "make sure adding myhostname is added only once" {
@@ -27,9 +35,10 @@ load /code/scripts/common-run.sh
 }
 
 @test "make sure deleting myhostname does not incrase count" {
+	COMMENT_COUNT=$(grep -E "^#myhostname" /etc/postfix/main.test-multi-comment | wc -l)
 	do_postconf -# myhostname
 	result=$(grep -E "^#myhostname" /etc/postfix/main.cf | wc -l)
-	[ "$result" == "4" ]
+	[ "$result" == "$COMMENT_COUNT" ]
 }
 
 @test "no sasl password duplications" {