Merge branch 'master' of https://git.oopen.de/install/mailsystem

install_opendmarc.sh: adjust konfiguration.
install_opendkim.sh: adjust konfiguration.
2026-01-06 23:22:30 +01:00 · 2026-01-06 23:21:58 +01:00 · 2026-01-06 23:21:08 +01:00
2 changed files with 305 additions and 77 deletions
--- a/install_opendkim.sh
+++ b/install_opendkim.sh
@@ -206,73 +206,208 @@ else
   cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file

+# AuthservID (string)
+#
 # Sets the "authserv-id" to use when generating the Authentication-Results:
 # header field after verifying a message. The default is to use the name of
 # the MTA processing the message. If the string "HOSTNAME" is provided, the
 # name of the host running the filter (as returned by the gethostname(3)
 # function) will be used.
-AuthservID              "DKIM check $(hostname -f)"
+AuthservID              HOSTNAME

+# Mode (string)
+#
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
 Mode                    sv

+# Socket (string)
+#
+# Specifies the socket that should be established by the filter to receive
+# connections from sendmail(8) in order to provide service. socketspec is
+# in one of two forms: local:path, which creates a UNIX domain socket at
+# the specified path, or inet:port[@host] or inet6:port[@host] which
+# creates a TCP socket on the specified port and in the specified protocol
+# family. If the host is not given as either a hostname or an IP address,
+# the socket will be listening on all interfaces. A literal IP address must
+# be enclosed in square brackets. This option is mandatory either in the
+# configuration file or on the command line.
+#
 # Socket                local:/var/run/opendkim/opendkim.sock
 # Socket                local:$opendkim_socket_file
 # Socket                inet:12345@localhost
 Socket                  local:$opendkim_socket_file

-# OpenDKIM verwendet diesen Benutzer bzw.
-# diese Gruppe
+# UserID (string)
+#
+# Attempts to become the specified userid before starting operations. The
+# value is of the form userid[:group]. The process will be assigned all of
+# the groups and primary group ID of the named userid unless an alternate
+# group is specified.
 UserID                  opendkim:opendkim
+
+# UMask (integer)
+#
+#Requests a specific permissions mask to be used for file creation. This
+# only really applies to creation of the socket when Socket specifies a UNIX
+# domain socket, and to the PidFile (if any); temporary files are created by
+# the mkstemp(3) function that enforces a specific file mode on creation
+# regardless of the process umask. See umask(2) for more information.
+#
 UMask                   002
+
+# PidFile (string)
+#
+# Specifies the path to a file that should be created at process start
+# containing the process ID.
 PidFile                 /var/run/opendkim/opendkim.pid

-# OpenDKIM bei Problemen neustarten,
-# aber max. 10 mal pro Stunde
+# AutoRestart (Boolean)
+#
+# Automatically re-start on failures. Use with caution; if the filter fails
+# instantly after it starts, this can cause a tight fork(2) loop.
 AutoRestart             yes
+
+# AutoRestartRate (string)
+#
+# Sets the maximum automatic restart rate. If the filter begins restarting
+# faster than the rate defined here, it will give up and terminate. This is
+# a string of the form n/t[u] where n is an integer limiting the count of
+# restarts in the given interval and t[u] defines the time interval through
+# which the rate is calculated; t is an integer and u defines the units thus
+# represented ("s" or "S" for seconds, the default; "m" or "M" for minutes;
+# "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h"
+# limits the restarts to 10 in one hour. There is no default, meaning restart
+# rate is not limited.
 AutoRestartRate         10/1h

-# Logging (wenn alles funktioniert eventuell reduzieren)
+# Syslog (Boolean)
+#
+# Log via calls to syslog(3) any interesting activity.
 Syslog                  yes
+
+# SyslogSuccess (Boolean)
+#
+# Log via calls to syslog(3) additional entries indicating successful signing
+# or verification of messages.
 SyslogSuccess           yes
+
+# LogWhy (boolean)
+#
+# If logging is enabled (see Syslog below), issues very detailed logging
+# about the logic behind the filter’s decision to either sign a message or
+# verify it. The logic behind the decision is non-trivial and can be confusing
+# to administrators not familiar with its operation. A description of how the
+# decision is made can be found in the OPERATIONS section of the opendkim(8)
+# man page. This causes a large increase in the amount of log data generated
+# for each message, so it should be limited to debugging use and not enabled
+# for general operation.
 LogWhy                  yes

 # Verfahren, wie Header und Body durch
 # OpenDKIM verarbeitet werden sollen.
 Canonicalization        relaxed/simple

-# interne Mails nicht mit OpenDKIM verarbeiten
+# ExternalIgnoreList (dataset)
+#
+# Identifies a set of "external" hosts that may send mail through the server
+# as one of the signing domains without credentials as such. This has the
+# effect of suppressing the "external host (hostname) tried to send mail as
+# (domain)" log messages. Entries in the data set should be of the same form
+# as those of the PeerList option below. The set is empty by default.
 ExternalIgnoreList      refile:${opendkim_base_dir}/trusted
+
+# InternalHosts (dataset)
+#
+# Identifies a set internal hosts whose mail should be signed rather than
+# verified. Entries in this data set follow the same form as those of the
+# PeerList option below. If not specified, the default of "127.0.0.1" is applied.
+# Naturally, providing a value here overrides the default, so if mail from
+# 127.0.0.1 should be signed, the list provided here should include that address
+# explicitly.
 InternalHosts           refile:${opendkim_base_dir}/trusted

-# welche Verschlüsselungs-Keys sollen für welche
-# Domains verwendet werden
-# (refile: für Dateien mit regulären Ausdrücke)
+# SigningTable (dataset)
+#
+# Defines a table used to select one or more signatures to apply to a message
+# based on the address found in the From: header field. Keys in this table vary
+# depending on the type of table used; values in this data set should include
+# one field that contains a name found in the KeyTable (see above) that
+# identifies which key should be used in generating the signature, and an
+# optional second field naming the signer of the message that will be included
+# in the "i=" tag in the generated signature. Note that the "i=" value will not
+# be included in the signature if it conflicts with the signing domain
+# (the "d=" value).
+#
+# If the first field contains only a "%" character, it will be replaced by the
+# domain found in the From: header field. Similarly, within the optional second
+# field, any "%" character will be replaced by the domain found in the From:
+# header field.
+#
+# If this table specifies a regular expression file ("refile"), then the keys are
+# wildcard patterns that are matched against the address found in the From:
+# header field. Entries are checked in the order in which they appear in the file.
+#
+# For all other database types, the full user@host is checked first, then simply
+# host, then user@.domain (with all superdomains checked in sequence, so
+# "foo.example.com" would first check "user@foo.example.com", then "user@.example.com",
+# then "user@.com"), then .domain, then user@*, and finally *.
 SigningTable            refile:${opendkim_base_dir}/signing.table
+
+# KeyTable (dataset)
+#
+# Gives the location of a file mapping key names to signing keys. If present,
+# overrides any KeyFile setting in the configuration file. The data set named here
+# maps each key name to three values: (a) the name of the domain to use in the
+# signature's "d=" value; (b) the name of the selector to use in the signature's
+# "s=" value; and (c) either a private key or a path to a file containing a private
+# key. If the first value consists solely of a percent sign ("%") character, it
+# will be replaced by the apparent domain of the sender when generating a signature.
+# If the third value starts with a slash ("/") character, or "./" or "../", then it
+# is presumed to refer to a file from which the private key should be read, otherwise
+# it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%"
+# in the third value in this case will be replaced by the apparent domain name of
+# the sender. The SigningTable (see below) is used to select records from this table
+# to be used to add signatures based on the message sender.
 KeyTable                ${opendkim_base_dir}/key.table

-# diesen Signatur-Algorithmus verwenden
+# SignatureAlgorithm (string)
+#
+# Selects the signing algorithm to use when generating signatures. Use 'opendkim -V' 
+# to see the list of supported algorithms. The default is rsa-sha256 if it is 
+# available, otherwise it will be rsa-sha1.
 SignatureAlgorithm      rsa-sha256

-# Always oversign From (sign using actual From and a null From to prevent
-# malicious signatures header fields (From and/or others) between the signer
-# and the verifier.  From is oversigned by default in the Debian pacakge
-# because it is often the identity key used by reputation systems and thus
-# somewhat security sensitive.
+# OversignHeaders (dataset)
+#
+# Specifies a set of header fields that should be included in all signature header 
+# lists (the "h=" tag) once more than the number of times they were actually present 
+# in the signed message. The set is empty by default. The purpose of this, and 
+# especially of listing an absent header field, is to prevent the addition of 
+# important fields between the signer and the verifier. Since the verifier would 
+# include that header field when performing verification if it had been added by an 
+# intermediary, the signed message and the verified message were different and the 
+# verification would fail. Note that listing a field name here and not listing it in 
+# the SignHeaders list is likely to generate invalid signatures.
 OversignHeaders         From

+# AlwaysAddARHeader (Boolean)
+#
 # Add an "Authentication-Results:" header field even to unsigned messages
 # from domains with no "signs all" policy. The reported DKIM result will be
 # "none" in such cases. Normally unsigned mail from non-strict domains does
 # not cause the results header field to be added.
 AlwaysAddARHeader       yes

+# Background (Boolean)
+#
 # Causes opendkim to fork and exits immediately, leaving the service running
 # in the background. The default is "true".
 Background              yes

+# DNSTimeout (integer)
+#
 # Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
 # default is 5. Ignored if not using an asynchronous resolver package. See
 # also the NOTES section below.
@@ -301,8 +436,8 @@ else
 fi


-# - Create the directories to hold OpenDKIM’s data files, assign 
-# - ownership to the opendkim user, and restrict the file 
+# - Create the directories to hold OpenDKIM’s data files, assign
+# - ownership to the opendkim user, and restrict the file
 # - permissions:
 # -
 echononl "   Create directory '$opendkim_base_dir'"
@@ -403,7 +538,7 @@ EOF
 fi


-# - Create the OpenDKIM socket directory in Postfix’s work area 
+# - Create the OpenDKIM socket directory in Postfix’s work area
 # - and make sure it has the correct ownership:
 # -
 echononl "   Create the OpenDKIM socket directory in Postfix’s work area.."
@@ -462,7 +597,7 @@ EOF
 fi


-# - Edit /etc/postfix/main.cf and add a section to activate 
+# - Edit /etc/postfix/main.cf and add a section to activate
 # - processing of e-mail through the OpenDKIM daemon:
 # -
 backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -554,15 +689,15 @@ fi
 # - Prevent Postfix from setting the DKIM Header twice (one befor
 # - and one after processing amavis
 # -
-# - To disable milter processing after amavis, add to your master.cf in 
+# - To disable milter processing after amavis, add to your master.cf in
 # - the after-amavis section:
 # -    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
 # -       [...]
 # -       -o smtpd_milters=
 # -
 # - If you want to run the milter after amavis, set in main.cf
-# -    smtpd_milters= 
-# - to an empty string and add the smtpd_milters configuration to master.cf 
+# -    smtpd_milters=
+# - to an empty string and add the smtpd_milters configuration to master.cf
 # - (after-section amavis) instead:
 # -    -o smtpd_milters=local:/opendkim/opendkim.sock
 # -
@@ -629,7 +764,7 @@ rm -f $tmp_master_file
 echo ""

 # - Restart OpenDKIM
-# - 
+# -
 echononl "   Restart OpenDKIM.."
 if $opendkim_needs_restart ; then
   if $SYSTEMD_EXISTS ; then
--- a/install_opendmarc.sh
+++ b/install_opendmarc.sh
@@ -24,8 +24,8 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"

 config_file_name_value_parameters="
-   AuthservID|$(hostname -f)
-   TrustedAuthservIDs|$(hostname -f)
+   AuthservID|HOSTNAME
+   TrustedAuthservIDs|HOSTNAME
   PidFile|/run/opendmarc/opendmarc.pid
   RejectFailures|true
   Syslog|true
@@ -37,11 +37,13 @@ config_file_name_value_parameters="
   UMask|002
   FailureReports|false
   AutoRestart|true
-   HistoryFile|/run/opendmarc/opendmarc.dat
+  HistoryFile|/run/opendmarc/opendmarc.dat
   SPFIgnoreResults|false
   SPFSelfValidate|true
   Socket|${opendmarc_socket_file}
 "
+
+
 declare -a  config_file_name_value_parameter_arr=()
 for _conf in $config_file_name_value_parameters ; do
   config_file_name_value_parameter_arr+=("$_conf")
@@ -193,14 +195,39 @@ echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}

+## IgnoreHosts (string)
+##
 ## Specifies the path to a file that contains a list of hostnames, IP addresses,
 ## and/or CIDR expressions identifying hosts whose SMTP connections are to be
 ## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
 #
-IgnoreHosts 127.0.0.1
+IgnoreHosts /etc/opendmarc/ignore.hosts
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi

-# Optional - auch nach Absender-Domain ignorieren:
-IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
+
+# - Add 'IgnoreMailFrom' with default value to the original opendmarc.conf file
+#
+echononl " Add 'IgnoreMailFrom' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^IgnoreMailFrom\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## IgnoreMailFrom (string)
+##
+## Gives a list of domain names whose mail (based on the From: domain)
+## is to be ignored by the filter. The list should be comma-separated.
+## Matching against this list is case-insensitive. The default is an
+## empty list, meaning no mail is ignored.
+#
+IgnoreMailFrom /etc/opendmarc/ignore.mailfrom
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -220,10 +247,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}

+## IgnoreAuthenticatedClients (Boolean)
+##
 ## If set, causes mail from authenticated clients (i.e., those that used
 ## SMTP AUTH) to be ignored by the filter. The default is "false".
 #
-IgnoreAuthenticatedClients false
+IgnoreAuthenticatedClients true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -250,30 +279,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 # will be used. Matching against this list is case-insensitive. The default is to use the
 # value of AuthservID.
 #
-TrustedAuthservIDs OpenDMARC
-EOF
-   if [[ $? -eq 0 ]] ; then
-      echo_ok
-   else
-      echo_failed
-      error "$(cat $log_file)"
-   fi
-else
-   echo_skipped
-fi
-
-
-# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
-#
-_param="IgnoreAuthenticatedClients"
-echononl " Add '${_param}' with default value to the opendmarc.conf file.."
-if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
-   cat << EOF >> ${opendmarc_conf_file}
-
-## If set, causes mail from authenticated clients (i.e., those that used
-## SMTP AUTH) to be ignored by the filter. The default is "false".
-#
-IgnoreAuthenticatedClients false
+TrustedAuthservIDs HOSTNAME
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -293,6 +299,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}

+## RequiredHeaders (Boolean)
+##
 ## If set, the filter will ensure the header of the message conforms to the basic
 ## header field count restrictions laid out in RFC5322, Section 3.6. Messages
 ## failing this test are rejected without further processing. A From: field from
@@ -318,10 +326,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}

+## AutoRestart (Boolean)
+##
 ## Automatically re-start on failures. Use with caution; if the filter fails
 ## instantly after it starts, this can cause a tight fork(2) loop.
 #
-AutoRestart false
+AutoRestart true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -341,6 +351,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}

+## HistoryFile (string)
+##
 ## If set, specifies the location of a text file to which records are written
 ## that can be used to generate DMARC aggregate reports. Records are batches of
 ## rows containing information about a single received message, and include all
@@ -349,7 +361,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## imported into a relational database from which the aggregate reports can be
 ## extracted using opendmarc-importstats(8).
 #
-HistoryFile /run/opendmarc/opendmarc.dat
+#HistoryFile /run/opendmarc/opendmarc.dat
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -398,7 +410,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## looks for SPF results in headers and always performs the SPF check itself when
 ## this is set. The default is "false".
 #
-SPFSelfValidate false
+SPFSelfValidate true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -432,15 +444,6 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
   echononl "   $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
   if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
      echo_skipped
-   elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
-      perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
-      if [[ $? -eq 0 ]] ; then
-         echo_ok
-         opendmarc_needs_restart=true
-      else
-         echo_failed
-         error "$(cat $log_file)"
-      fi
   elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
      perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
      if [[ $? -eq 0 ]] ; then
@@ -450,11 +453,8 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
         echo_failed
         error "$(cat $log_file)"
      fi
-   else
-      cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
-
-${_val_arr[0]} ${_val_arr[1]}
-EOF
+   elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
+      perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
      if [[ $? -eq 0 ]] ; then
         echo_ok
         opendmarc_needs_restart=true
@@ -462,6 +462,100 @@ EOF
         echo_failed
         error "$(cat $log_file)"
      fi
+   else
+      if [[ "${_val_arr[0]}" == "IgnoreHosts" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+
+## IgnoreHosts (string)
+##
+## Specifies the path to a file that contains a list of hostnames, IP
+## addresses, and/or CIDR expressions identifying hosts whose SMTP
+## connections are to be ignored by the filter. If not specified,
+## defaults to "127.0.0.1" only.
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "IgnoreMailFrom" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+
+## IgnoreMailFrom (string)
+##
+## Gives a list of domain names whose mail (based on the From: domain)
+## is to be ignored by the filter. The list should be comma-separated.
+## Matching against this list is case-insensitive. The default is an
+## empty list, meaning no mail is ignored.
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "IgnoreAuthenticatedClients" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+
+## IgnoreAuthenticatedClients (Boolean)
+##
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "AutoRestart" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+## AutoRestart (Boolean)
+##
+## Automatically re-start on failures. Use with caution; if the filter
+## fails instantly after it starts, this can cause a tight fork(2)
+## loop.
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "RequiredHeaders" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+
+## RequiredHeaders (Boolean)
+##
+## If set, the filter will ensure the header of the message conforms to
+## the basic header field count restrictions laid out in RFC5322,
+## Section 3.6. Messages failing this test are rejected without further
+## processing. A From: field from which no domain name could be
+## extracted will also be rejected.
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "SPFSelfValidate" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+## SPFSelfValidate (Boolean)
+##
+## Causes the filter to perform a fallback SPF check itself when it can
+## find no SPF results in the message header. If SPFIgnoreResults is
+## also set, it never looks for SPF results in headers and always
+## performs the SPF check itself when this is set. The default is
+## "false".
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      elif [[ "${_val_arr[0]}" == "SPFIgnoreResults" ]]; then
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+## SPFIgnoreResults (Boolean)
+##
+## Causes the filter to ignore any SPF results in the header of the
+## message. This is useful if you want the filter to perform SPF checks
+## itself, or because you don't trust the arriving header. The default
+## is "false".
+#
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+      else
+         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+
+${_val_arr[0]} ${_val_arr[1]}
+EOF
+         if [[ $? -eq 0 ]] ; then
+            echo_ok
+            opendmarc_needs_restart=true
+         else
+            echo_failed
+            error "$(cat $log_file)"
+         fi
+      fi
   fi
 done

@@ -694,7 +788,7 @@ fi
 echo ""


-# - Edit /etc/postfix/main.cf and add a section to activate 
+# - Edit /etc/postfix/main.cf and add a section to activate
 # - processing of e-mail through the OpenDKIM daemon:
 # -
 backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -740,8 +834,7 @@ milter_protocol = 6
 #    'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
 #    localhost:10025 section in master.cf: 'smtpd_milters='
 #
-#smtpd_milters = local:/opendkim/opendkim.sock
-smtpd_milters =
+smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock

 # Was sind non_smtpd_milters?
 #
@@ -771,7 +864,7 @@ smtpd_milters =
 #
 #
 # DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
-non_smtpd_milters = local:/opendkim/opendkim.sock
+non_smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
 EOF
   postfix_needs_restart=true
   if [[ $? -eq 0 ]] ; then
@@ -830,7 +923,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
         _changed=true
         continue
      fi
-         
+
   fi

   if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
Author	SHA1	Message	Date
Christoph	548c4015e8	Merge branch 'master' of https://git.oopen.de/install/mailsystem	2026-01-06 23:22:30 +01:00
Christoph	e91c9f1b04	install_opendmarc.sh: adjust konfiguration.	2026-01-06 23:21:58 +01:00
Christoph	4bb27992d8	install_opendkim.sh: adjust konfiguration.	2026-01-06 23:21:08 +01:00