Merge branch 'master' of https://git.oopen.de/install/mailsystem

install_opendmarc.sh: adjust konfiguration.
install_opendkim.sh: adjust konfiguration.
2026-01-06 23:22:30 +01:00 · 2026-01-06 23:21:58 +01:00 · 2026-01-06 23:21:08 +01:00
2 changed files with 305 additions and 77 deletions
--- a/install_opendkim.sh
+++ b/install_opendkim.sh
@@ -206,73 +206,208 @@ else
   cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file
 # AuthservID (string)
 #
 # Sets the "authserv-id" to use when generating the Authentication-Results:
 # header field after verifying a message. The default is to use the name of
 # the MTA processing the message. If the string "HOSTNAME" is provided, the
 # name of the host running the filter (as returned by the gethostname(3)
 # function) will be used.
-AuthservID              "DKIM check $(hostname -f)"
+AuthservID              HOSTNAME
 # Mode (string)
 #
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
 Mode                    sv
 # Socket (string)
 #
 # Specifies the socket that should be established by the filter to receive
 # connections from sendmail(8) in order to provide service. socketspec is
 # in one of two forms: local:path, which creates a UNIX domain socket at
 # the specified path, or inet:port[@host] or inet6:port[@host] which
 # creates a TCP socket on the specified port and in the specified protocol
 # family. If the host is not given as either a hostname or an IP address,
 # the socket will be listening on all interfaces. A literal IP address must
 # be enclosed in square brackets. This option is mandatory either in the
 # configuration file or on the command line.
 #
 # Socket                local:/var/run/opendkim/opendkim.sock
 # Socket                local:$opendkim_socket_file
 # Socket                inet:12345@localhost
 Socket                  local:$opendkim_socket_file
-# OpenDKIM verwendet diesen Benutzer bzw.
+# UserID (string)
-# diese Gruppe
+#
 # Attempts to become the specified userid before starting operations. The
 # value is of the form userid[:group]. The process will be assigned all of
 # the groups and primary group ID of the named userid unless an alternate
 # group is specified.
 UserID                  opendkim:opendkim
 # UMask (integer)
 #
 #Requests a specific permissions mask to be used for file creation. This
 # only really applies to creation of the socket when Socket specifies a UNIX
 # domain socket, and to the PidFile (if any); temporary files are created by
 # the mkstemp(3) function that enforces a specific file mode on creation
 # regardless of the process umask. See umask(2) for more information.
 #
 UMask                   002
 # PidFile (string)
 #
 # Specifies the path to a file that should be created at process start
 # containing the process ID.
 PidFile                 /var/run/opendkim/opendkim.pid
-# OpenDKIM bei Problemen neustarten,
+# AutoRestart (Boolean)
-# aber max. 10 mal pro Stunde
+#
 # Automatically re-start on failures. Use with caution; if the filter fails
 # instantly after it starts, this can cause a tight fork(2) loop.
 AutoRestart             yes
 # AutoRestartRate (string)
 #
 # Sets the maximum automatic restart rate. If the filter begins restarting
 # faster than the rate defined here, it will give up and terminate. This is
 # a string of the form n/t[u] where n is an integer limiting the count of
 # restarts in the given interval and t[u] defines the time interval through
 # which the rate is calculated; t is an integer and u defines the units thus
 # represented ("s" or "S" for seconds, the default; "m" or "M" for minutes;
 # "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h"
 # limits the restarts to 10 in one hour. There is no default, meaning restart
 # rate is not limited.
 AutoRestartRate         10/1h
-# Logging (wenn alles funktioniert eventuell reduzieren)
+# Syslog (Boolean)
 #
 # Log via calls to syslog(3) any interesting activity.
 Syslog                  yes
 # SyslogSuccess (Boolean)
 #
 # Log via calls to syslog(3) additional entries indicating successful signing
 # or verification of messages.
 SyslogSuccess           yes
 # LogWhy (boolean)
 #
 # If logging is enabled (see Syslog below), issues very detailed logging
 # about the logic behind the filter’s decision to either sign a message or
 # verify it. The logic behind the decision is non-trivial and can be confusing
 # to administrators not familiar with its operation. A description of how the
 # decision is made can be found in the OPERATIONS section of the opendkim(8)
 # man page. This causes a large increase in the amount of log data generated
 # for each message, so it should be limited to debugging use and not enabled
 # for general operation.
 LogWhy                  yes
 # Verfahren, wie Header und Body durch
 # OpenDKIM verarbeitet werden sollen.
 Canonicalization        relaxed/simple
-# interne Mails nicht mit OpenDKIM verarbeiten
+# ExternalIgnoreList (dataset)
 #
 # Identifies a set of "external" hosts that may send mail through the server
 # as one of the signing domains without credentials as such. This has the
 # effect of suppressing the "external host (hostname) tried to send mail as
 # (domain)" log messages. Entries in the data set should be of the same form
 # as those of the PeerList option below. The set is empty by default.
 ExternalIgnoreList      refile:${opendkim_base_dir}/trusted
 # InternalHosts (dataset)
 #
 # Identifies a set internal hosts whose mail should be signed rather than
 # verified. Entries in this data set follow the same form as those of the
 # PeerList option below. If not specified, the default of "127.0.0.1" is applied.
 # Naturally, providing a value here overrides the default, so if mail from
 # 127.0.0.1 should be signed, the list provided here should include that address
 # explicitly.
 InternalHosts           refile:${opendkim_base_dir}/trusted
-# welche Verschlüsselungs-Keys sollen für welche
+# SigningTable (dataset)
-# Domains verwendet werden
+#
-# (refile: für Dateien mit regulären Ausdrücke)
+# Defines a table used to select one or more signatures to apply to a message
 # based on the address found in the From: header field. Keys in this table vary
 # depending on the type of table used; values in this data set should include
 # one field that contains a name found in the KeyTable (see above) that
 # identifies which key should be used in generating the signature, and an
 # optional second field naming the signer of the message that will be included
 # in the "i=" tag in the generated signature. Note that the "i=" value will not
 # be included in the signature if it conflicts with the signing domain
 # (the "d=" value).
 #
 # If the first field contains only a "%" character, it will be replaced by the
 # domain found in the From: header field. Similarly, within the optional second
 # field, any "%" character will be replaced by the domain found in the From:
 # header field.
 #
 # If this table specifies a regular expression file ("refile"), then the keys are
 # wildcard patterns that are matched against the address found in the From:
 # header field. Entries are checked in the order in which they appear in the file.
 #
 # For all other database types, the full user@host is checked first, then simply
 # host, then user@.domain (with all superdomains checked in sequence, so
 # "foo.example.com" would first check "user@foo.example.com", then "user@.example.com",
 # then "user@.com"), then .domain, then user@*, and finally *.
 SigningTable            refile:${opendkim_base_dir}/signing.table
 # KeyTable (dataset)
 #
 # Gives the location of a file mapping key names to signing keys. If present,
 # overrides any KeyFile setting in the configuration file. The data set named here
 # maps each key name to three values: (a) the name of the domain to use in the
 # signature's "d=" value; (b) the name of the selector to use in the signature's
 # "s=" value; and (c) either a private key or a path to a file containing a private
 # key. If the first value consists solely of a percent sign ("%") character, it
 # will be replaced by the apparent domain of the sender when generating a signature.
 # If the third value starts with a slash ("/") character, or "./" or "../", then it
 # is presumed to refer to a file from which the private key should be read, otherwise
 # it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%"
 # in the third value in this case will be replaced by the apparent domain name of
 # the sender. The SigningTable (see below) is used to select records from this table
 # to be used to add signatures based on the message sender.
 KeyTable                ${opendkim_base_dir}/key.table
-# diesen Signatur-Algorithmus verwenden
+# SignatureAlgorithm (string)
 #
 # Selects the signing algorithm to use when generating signatures. Use 'opendkim -V' 
 # to see the list of supported algorithms. The default is rsa-sha256 if it is 
 # available, otherwise it will be rsa-sha1.
 SignatureAlgorithm      rsa-sha256
-# Always oversign From (sign using actual From and a null From to prevent
+# OversignHeaders (dataset)
-# malicious signatures header fields (From and/or others) between the signer
+#
-# and the verifier.  From is oversigned by default in the Debian pacakge
+# Specifies a set of header fields that should be included in all signature header 
-# because it is often the identity key used by reputation systems and thus
+# lists (the "h=" tag) once more than the number of times they were actually present 
-# somewhat security sensitive.
+# in the signed message. The set is empty by default. The purpose of this, and 
 # especially of listing an absent header field, is to prevent the addition of 
 # important fields between the signer and the verifier. Since the verifier would 
 # include that header field when performing verification if it had been added by an 
 # intermediary, the signed message and the verified message were different and the 
 # verification would fail. Note that listing a field name here and not listing it in 
 # the SignHeaders list is likely to generate invalid signatures.
 OversignHeaders         From
 # AlwaysAddARHeader (Boolean)
 #
 # Add an "Authentication-Results:" header field even to unsigned messages
 # from domains with no "signs all" policy. The reported DKIM result will be
 # "none" in such cases. Normally unsigned mail from non-strict domains does
 # not cause the results header field to be added.
 AlwaysAddARHeader       yes
 # Background (Boolean)
 #
 # Causes opendkim to fork and exits immediately, leaving the service running
 # in the background. The default is "true".
 Background              yes
 # DNSTimeout (integer)
 #
 # Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
 # default is 5. Ignored if not using an asynchronous resolver package. See
 # also the NOTES section below.
@@ -301,8 +436,8 @@ else
 fi
-# - Create the directories to hold OpenDKIM’s data files, assign 
+# - Create the directories to hold OpenDKIM’s data files, assign
-# - ownership to the opendkim user, and restrict the file 
+# - ownership to the opendkim user, and restrict the file
 # - permissions:
 # -
 echononl "   Create directory '$opendkim_base_dir'"
@@ -403,7 +538,7 @@ EOF
 fi
-# - Create the OpenDKIM socket directory in Postfix’s work area 
+# - Create the OpenDKIM socket directory in Postfix’s work area
 # - and make sure it has the correct ownership:
 # -
 echononl "   Create the OpenDKIM socket directory in Postfix’s work area.."
@@ -462,7 +597,7 @@ EOF
 fi
-# - Edit /etc/postfix/main.cf and add a section to activate 
+# - Edit /etc/postfix/main.cf and add a section to activate
 # - processing of e-mail through the OpenDKIM daemon:
 # -
 backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -554,15 +689,15 @@ fi
 # - Prevent Postfix from setting the DKIM Header twice (one befor
 # - and one after processing amavis
 # -
-# - To disable milter processing after amavis, add to your master.cf in 
+# - To disable milter processing after amavis, add to your master.cf in
 # - the after-amavis section:
 # -    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
 # -       [...]
 # -       -o smtpd_milters=
 # -
 # - If you want to run the milter after amavis, set in main.cf
-# -    smtpd_milters= 
+# -    smtpd_milters=
-# - to an empty string and add the smtpd_milters configuration to master.cf 
+# - to an empty string and add the smtpd_milters configuration to master.cf
 # - (after-section amavis) instead:
 # -    -o smtpd_milters=local:/opendkim/opendkim.sock
 # -
@@ -629,7 +764,7 @@ rm -f $tmp_master_file
 echo ""
 # - Restart OpenDKIM
-# - 
+# -
 echononl "   Restart OpenDKIM.."
 if $opendkim_needs_restart ; then
   if $SYSTEMD_EXISTS ; then
--- a/install_opendmarc.sh
+++ b/install_opendmarc.sh
@@ -24,8 +24,8 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 config_file_name_value_parameters="
-   AuthservID|$(hostname -f)
+   AuthservID|HOSTNAME
-   TrustedAuthservIDs|$(hostname -f)
+   TrustedAuthservIDs|HOSTNAME
   PidFile|/run/opendmarc/opendmarc.pid
   RejectFailures|true
   Syslog|true
@@ -37,11 +37,13 @@ config_file_name_value_parameters="
   UMask|002
   FailureReports|false
   AutoRestart|true
-   HistoryFile|/run/opendmarc/opendmarc.dat
+  HistoryFile|/run/opendmarc/opendmarc.dat
   SPFIgnoreResults|false
   SPFSelfValidate|true
   Socket|${opendmarc_socket_file}
 "
 declare -a  config_file_name_value_parameter_arr=()
 for _conf in $config_file_name_value_parameters ; do
   config_file_name_value_parameter_arr+=("$_conf")
@@ -193,14 +195,39 @@ echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## IgnoreHosts (string)
 ##
 ## Specifies the path to a file that contains a list of hostnames, IP addresses,
 ## and/or CIDR expressions identifying hosts whose SMTP connections are to be
 ## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
 #
-IgnoreHosts 127.0.0.1
+IgnoreHosts /etc/opendmarc/ignore.hosts
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
   else
      echo_failed
      error "$(cat $log_file)"
   fi
 else
   echo_skipped
 fi
-# Optional - auch nach Absender-Domain ignorieren:
+
-IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
+# - Add 'IgnoreMailFrom' with default value to the original opendmarc.conf file
 #
 echononl " Add 'IgnoreMailFrom' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^IgnoreMailFrom\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## IgnoreMailFrom (string)
 ##
 ## Gives a list of domain names whose mail (based on the From: domain)
 ## is to be ignored by the filter. The list should be comma-separated.
 ## Matching against this list is case-insensitive. The default is an
 ## empty list, meaning no mail is ignored.
 #
 IgnoreMailFrom /etc/opendmarc/ignore.mailfrom
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -220,10 +247,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## IgnoreAuthenticatedClients (Boolean)
 ##
 ## If set, causes mail from authenticated clients (i.e., those that used
 ## SMTP AUTH) to be ignored by the filter. The default is "false".
 #
-IgnoreAuthenticatedClients false
+IgnoreAuthenticatedClients true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -250,30 +279,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 # will be used. Matching against this list is case-insensitive. The default is to use the
 # value of AuthservID.
 #
-TrustedAuthservIDs OpenDMARC
+TrustedAuthservIDs HOSTNAME
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
   else
      echo_failed
      error "$(cat $log_file)"
   fi
 else
   echo_skipped
 fi
 # - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
 #
 _param="IgnoreAuthenticatedClients"
 echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## If set, causes mail from authenticated clients (i.e., those that used
 ## SMTP AUTH) to be ignored by the filter. The default is "false".
 #
 IgnoreAuthenticatedClients false
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -293,6 +299,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## RequiredHeaders (Boolean)
 ##
 ## If set, the filter will ensure the header of the message conforms to the basic
 ## header field count restrictions laid out in RFC5322, Section 3.6. Messages
 ## failing this test are rejected without further processing. A From: field from
@@ -318,10 +326,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## AutoRestart (Boolean)
 ##
 ## Automatically re-start on failures. Use with caution; if the filter fails
 ## instantly after it starts, this can cause a tight fork(2) loop.
 #
-AutoRestart false
+AutoRestart true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -341,6 +351,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
 if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
   cat << EOF >> ${opendmarc_conf_file}
 ## HistoryFile (string)
 ##
 ## If set, specifies the location of a text file to which records are written
 ## that can be used to generate DMARC aggregate reports. Records are batches of
 ## rows containing information about a single received message, and include all
@@ -349,7 +361,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## imported into a relational database from which the aggregate reports can be
 ## extracted using opendmarc-importstats(8).
 #
-HistoryFile /run/opendmarc/opendmarc.dat
+#HistoryFile /run/opendmarc/opendmarc.dat
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -398,7 +410,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
 ## looks for SPF results in headers and always performs the SPF check itself when
 ## this is set. The default is "false".
 #
-SPFSelfValidate false
+SPFSelfValidate true
 EOF
   if [[ $? -eq 0 ]] ; then
      echo_ok
@@ -432,15 +444,6 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
   echononl "   $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
   if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
      echo_skipped
   elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
      perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
      if [[ $? -eq 0 ]] ; then
         echo_ok
         opendmarc_needs_restart=true
      else
         echo_failed
         error "$(cat $log_file)"
      fi
   elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
      perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
      if [[ $? -eq 0 ]] ; then
@@ -450,11 +453,8 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
         echo_failed
         error "$(cat $log_file)"
      fi
-   else
+   elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
-      cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
+      perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      if [[ $? -eq 0 ]] ; then
         echo_ok
         opendmarc_needs_restart=true
@@ -462,6 +462,100 @@ EOF
         echo_failed
         error "$(cat $log_file)"
      fi
   else
      if [[ "${_val_arr[0]}" == "IgnoreHosts" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## IgnoreHosts (string)
 ##
 ## Specifies the path to a file that contains a list of hostnames, IP
 ## addresses, and/or CIDR expressions identifying hosts whose SMTP
 ## connections are to be ignored by the filter. If not specified,
 ## defaults to "127.0.0.1" only.
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "IgnoreMailFrom" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## IgnoreMailFrom (string)
 ##
 ## Gives a list of domain names whose mail (based on the From: domain)
 ## is to be ignored by the filter. The list should be comma-separated.
 ## Matching against this list is case-insensitive. The default is an
 ## empty list, meaning no mail is ignored.
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "IgnoreAuthenticatedClients" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## IgnoreAuthenticatedClients (Boolean)
 ##
 ## If set, causes mail from authenticated clients (i.e., those that used
 ## SMTP AUTH) to be ignored by the filter. The default is "false".
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "AutoRestart" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## AutoRestart (Boolean)
 ##
 ## Automatically re-start on failures. Use with caution; if the filter
 ## fails instantly after it starts, this can cause a tight fork(2)
 ## loop.
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "RequiredHeaders" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## RequiredHeaders (Boolean)
 ##
 ## If set, the filter will ensure the header of the message conforms to
 ## the basic header field count restrictions laid out in RFC5322,
 ## Section 3.6. Messages failing this test are rejected without further
 ## processing. A From: field from which no domain name could be
 ## extracted will also be rejected.
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "SPFSelfValidate" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## SPFSelfValidate (Boolean)
 ##
 ## Causes the filter to perform a fallback SPF check itself when it can
 ## find no SPF results in the message header. If SPFIgnoreResults is
 ## also set, it never looks for SPF results in headers and always
 ## performs the SPF check itself when this is set. The default is
 ## "false".
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      elif [[ "${_val_arr[0]}" == "SPFIgnoreResults" ]]; then
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ## SPFIgnoreResults (Boolean)
 ##
 ## Causes the filter to ignore any SPF results in the header of the
 ## message. This is useful if you want the filter to perform SPF checks
 ## itself, or because you don't trust the arriving header. The default
 ## is "false".
 #
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
      else
         cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
 ${_val_arr[0]} ${_val_arr[1]}
 EOF
         if [[ $? -eq 0 ]] ; then
            echo_ok
            opendmarc_needs_restart=true
         else
            echo_failed
            error "$(cat $log_file)"
         fi
      fi
   fi
 done
@@ -694,7 +788,7 @@ fi
 echo ""
-# - Edit /etc/postfix/main.cf and add a section to activate 
+# - Edit /etc/postfix/main.cf and add a section to activate
 # - processing of e-mail through the OpenDKIM daemon:
 # -
 backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -740,8 +834,7 @@ milter_protocol = 6
 #    'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
 #    localhost:10025 section in master.cf: 'smtpd_milters='
 #
-#smtpd_milters = local:/opendkim/opendkim.sock
+smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
 smtpd_milters =
 # Was sind non_smtpd_milters?
 #
@@ -771,7 +864,7 @@ smtpd_milters =
 #
 #
 # DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
-non_smtpd_milters = local:/opendkim/opendkim.sock
+non_smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
 EOF
   postfix_needs_restart=true
   if [[ $? -eq 0 ]] ; then
@@ -830,7 +923,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
         _changed=true
         continue
      fi
-         
+
   fi
   if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
Author	SHA1	Message	Date
Christoph	548c4015e8	Merge branch 'master' of https://git.oopen.de/install/mailsystem	2026-01-06 23:22:30 +01:00
Christoph	e91c9f1b04	install_opendmarc.sh: adjust konfiguration.	2026-01-06 23:21:58 +01:00
Christoph	4bb27992d8	install_opendkim.sh: adjust konfiguration.	2026-01-06 23:21:08 +01:00