Add OPENDKIM env config support #18
Conversation
Exposing the OpenDKIM settings seems like a reasonable compromise to get this image working for people with volume-mount issues while not breaking existing use cases. Thanks!
volume permission in way that does not work with OpenDKIM default behavior of
ensuing safe permissions on private keys.

A workaround is to disable the check using a `OPENDKIM_RequireSafeKeys=no` environment variable.
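Review bot: "ensuing safe permissions" should read "ensuring safe permissions", and since `OPENDKIM_RequireSafeKeys=no` switches off OpenDKIM's refusal to load a private key that other users on the host can read, this README line should state plainly that the override weakens protection of the signing key and that correcting the mounted volume's permissions is the preferred fix, with the environment variable kept as a last resort.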
It may be worth noting here (at whatever level of detail you deem appropriate) that this workaround is strongly discouraged from a security perspective.
Maybe it should be even clearer, or is "... does not work with OpenDKIM default behavior of
ensuing safe permissions on private keys." enough?
@hemberger @Hamsterman please review and test if you have time
Do I just get latest?
ded9061 to e7558f1
No, not merged to master yet. But I changed docker hub to build all branches so hopefully there will be a
Sorry for the delay - I have now tested and it works on my Docker Desktop on Windows!
Add note about known issue with volume permissions.
@Hamsterman Thanks for testing
I tried to get the image without the opendkim-conf tag, but that didn't work. I thought it was merged into the stable version?
Hmm, strange, it should... I thought I saw docker hub build master after the merge, will have a look
Commit hash is the merge commit, could it be some cache somewhere? Running latest with bogus opendkim config gives an error at least:

```
$ docker run --rm -e OPENDKIM_Bla=bla mwader/postfix-relay
Unable to find image 'mwader/postfix-relay:latest' locally
latest: Pulling from mwader/postfix-relay
8559a31e96f4: Pull complete
4b29b3278649: Pull complete
b09c0820d21d: Pull complete
dcd3e7a600be: Pull complete
894039c51c76: Pull complete
Digest: sha256:09eb879b9f47ad0a5b1260a065790c34e2e83555620429e28b3616626c3e54b3
Status: Downloaded newer image for mwader/postfix-relay:latest
DNS records:
No DKIM private key found for selector 'mail' in domain 'bla'. Generating one now...
mail._domainkey.bla. IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyk/sLek2kzReNz19+IEf+2HrLCzC9UN0nXnk3Oi+4kklW9GrDgzUXSF7n5zALaoRp96tiE/So4w9M2vwV9GRaW8VoZGsXqPhn4E0Vez4zYPce07nQbfbc/wDoeUzItT1KGVC91UI+rkoCd30AQeVMV5vP2vi51AeiYojMIMY0ci9HiZmND/VuTwGujnA2FlfgxozJ71qxiDP18"
"pEVJjX3/Ijtl1FOoAyGtdZAfUxwgG5tXQd27ZWY4rg26DdWiZkkuCBvGfe2gzey/hsnGn1Rxc4/Bxoq+V61QfmsP53vaudbYLoK/SAMVMavZ2zuyG0QHV43NyxsW5DjO8Zyn9wbwIDAQAB" ) ; ----- DKIM key mail for bla
Starting OpenDKIM: opendkim: /etc/opendkim.conf: configuration error at line 1: unrecognized parameter
Starting Postfix Mail Transport Agent: postfix.
rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="154" x-info="https://www.rsyslog.com"] start
^Cpostfix/master[153]: daemon started -- version 3.4.10, configuration /etc/postfix
Stopping Postfix Mail Transport Agent: postfixpostfix/master[153]: terminating on signal 15
.
Stopping OpenDKIM: No /usr/sbin/opendkim found running; none killed.
opendkim.
```
I think it was a cache issue as well. I got it working now. Thanks!
Along with this Nginx provisioning code change, PT is built and deployed per the [instruction here](https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/docker.md) using Docker.

My `/opt/pt/PeerTube/docker-compose.yml`:

```yaml
version: "3.3"

services:

  # You can comment this webserver section if you want to use another webserver/proxy or test PeerTube in local
  #webserver:
  #  image: chocobozzz/peertube-webserver:latest
  #  # If you don't want to use the official image and build one from sources:
  #  # build:
  #  #   context: .
  #  #   dockerfile: Dockerfile.nginx
  #  env_file:
  #    - .env
  #  ports:
  #    - "80:80"
  #    - "443:443"
  #  volumes:
  #    - type: bind
  #      # Switch sources if you downloaded the whole repository
  #      #source: ../../nginx/peertube
  #      source: ./docker-volume/nginx/peertube
  #      target: /etc/nginx/conf.d/peertube.template
  #    - assets:/var/www/peertube/peertube-latest/client/dist:ro
  #    - ./docker-volume/data:/var/www/peertube/storage
  #    - certbot-www:/var/www/certbot
  #    - ./docker-volume/certbot/conf:/etc/letsencrypt
  #  depends_on:
  #    - peertube
  #  restart: "always"

  # You can comment this certbot section if you want to use another webserver/proxy or test PeerTube in local
  #certbot:
  #  container_name: certbot
  #  image: certbot/certbot
  #  volumes:
  #    - ./docker-volume/certbot/conf:/etc/letsencrypt
  #    - certbot-www:/var/www/certbot
  #  restart: unless-stopped
  #  entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;"
  #  depends_on:
  #    - webserver

  peertube:
    # If you don't want to use the official image and build one from sources:
    build:
      context: .
      dockerfile: ./support/docker/production/Dockerfile.bullseye
    #image: chocobozzz/peertube:production-bullseye
    # Use a static IP for this container because nginx does not handle proxy host change without reload
    # This container could be restarted on crash or until the postgresql database is ready for connection
    #networks:
    #  default:
    #    ipv4_address: 172.18.0.42
    env_file:
      - .env
    ports:
      - "1935:1935" # Comment if you don't want to use the live feature
      - "9000:9000" # Uncomment if you use another webserver/proxy or test PeerTube in local, otherwise not suitable for production
    volumes:
      - assets:/app/client/dist
      - ./docker-volume/data:/data
      - ./docker-volume/config:/config
    depends_on:
      - postgres
      - redis
      - postfix
    restart: "always"

  postgres:
    image: postgres:13-alpine
    env_file:
      - .env
    volumes:
      - ./docker-volume/db:/var/lib/postgresql/data
    restart: "always"

  redis:
    image: redis:6-alpine
    volumes:
      - ./docker-volume/redis:/data
    restart: "always"

  postfix:
    image: mwader/postfix-relay
    env_file:
      - .env
    volumes:
      - ./docker-volume/opendkim/keys:/etc/opendkim/keys
    restart: "always"

#networks:
#  default:
#    ipam:
#      driver: default
#      config:
#      - subnet: 172.18.0.0/16

volumes:
  assets:
  #certbot-www:
```

My `/opt/pt/PeerTube/.env` file:

```bash
# Database / Postgres service configuration
POSTGRES_USER=pt_mabl_se
POSTGRES_PASSWORD=<my-very-secret-password>
# Postgres database name "peertube"
POSTGRES_DB=peertube

# Editable only with a suffix :
#POSTGRES_DB=peertube_prod
#PEERTUBE_DB_SUFFIX=_prod

PEERTUBE_DB_USERNAME=pt_mabl_se
PEERTUBE_DB_PASSWORD=<my-very-secret-password>
PEERTUBE_DB_SSL=false
# Default to Postgres service name "postgres" in docker-compose.yml
PEERTUBE_DB_HOSTNAME=postgres

# PeerTube server configuration
# If you test PeerTube in local: use "peertube.localhost" and add this domain to your host file resolving on 127.0.0.1
PEERTUBE_WEBSERVER_HOSTNAME=pt.mabl.se
# If you just want to test PeerTube on local
PEERTUBE_WEBSERVER_PORT=443
PEERTUBE_WEBSERVER_HTTPS=true
# If you need more than one IP as trust_proxy
# pass them as a comma separated array:
PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "172.18.0.0/16"]

# Generate one using `openssl rand -hex 32`
PEERTUBE_SECRET=<my-secret-secret>

# E-mail configuration
# If you use a Custom SMTP server
#PEERTUBE_SMTP_USERNAME=
#PEERTUBE_SMTP_PASSWORD=
# Default to Postfix service name "postfix" in docker-compose.yml
# May be the hostname of your Custom SMTP server
PEERTUBE_SMTP_HOSTNAME=postfix
PEERTUBE_SMTP_PORT=25
[email protected]
PEERTUBE_SMTP_TLS=false
PEERTUBE_SMTP_DISABLE_STARTTLS=false
[email protected]

# Postfix service configuration
[email protected]
# If you need to generate a list of sub/DOMAIN keys
# pass them as a whitespace separated string <DOMAIN>=<selector>
#OPENDKIM_DOMAINS=pt.mabl.se=peertube
# see wader/postfix-relay#18
OPENDKIM_RequireSafeKeys=no

# /!\ Prefer to use the PeerTube admin interface to set the following configurations /!\
#PEERTUBE_SIGNUP_ENABLED=true
#PEERTUBE_TRANSCODING_ENABLED=true
#PEERTUBE_CONTACT_FORM_ENABLED=true
```

Does it make sense to you, @kontrollanten? Next we'll add some Nginx cache configurations and see if we can speed it up a bit!
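The `.env` above and the README workaround discussed in this PR both reach for `OPENDKIM_RequireSafeKeys=no`. The alternative that keeps the check enabled is to make the bind-mounted key directory pass it. The script below is an added example, not code from the postfix-relay project or from either comment; it assumes the host directory mounted to `/etc/opendkim/keys` (here `./docker-volume/opendkim/keys`, laid out as `<domain>/<selector>.private`) is passed as `DIR`, and that GNU or busybox `stat` is available.

```shell
#!/bin/sh
# Added example, not code from the postfix-relay project or the comment above.
# Rather than disabling the check with OPENDKIM_RequireSafeKeys=no, make the
# mounted key directory pass OpenDKIM's default "safe keys" test: a private
# key must carry no group/other permission bits. Assumes the host directory
# bind-mounted to /etc/opendkim/keys (e.g. ./docker-volume/opendkim/keys,
# laid out as <domain>/<selector>.private) is passed as DIR.
#
# Usage: dkim_keys_audit [-f] DIR     (-f also fixes what it finds)
# Returns 0 when every key is safe, 1 when an unsafe key was reported and left as is.
dkim_keys_audit() {
  fix=0
  if [ "$1" = "-f" ]; then fix=1; shift; fi
  dir=$1
  rc=0
  for key in "$dir"/*.private "$dir"/*/*.private; do
    [ -f "$key" ] || continue          # an unmatched glob stays literal; skip it
    mode=$(stat -c '%a' "$key")        # octal mode, e.g. 644 (GNU/busybox stat)
    case "$mode" in
      *00) ;;                          # 600/400: owner-only, accepted by OpenDKIM
      *)
        if [ "$fix" -eq 1 ]; then
          chmod 600 "$key" && echo "fixed $key ($mode -> 600)"
        else
          echo "UNSAFE $key mode $mode (group/other can read it)" >&2
          rc=1
        fi ;;
    esac
  done
  return $rc
}

# Run directly: ./dkim_keys_audit.sh [-f] ./docker-volume/opendkim/keys
if [ "$#" -gt 0 ]; then dkim_keys_audit "$@"; fi
```

OpenDKIM also checks who owns the key file, and on Docker Desktop for Windows bind mounts (the case in this thread) chmod and chown from inside the container have no effect, so there the usual way to keep the check enabled is a named Docker volume instead of a bind mount.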