Diffstat (limited to 'roles/mail/opendkim')
-rw-r--r-- | roles/mail/opendkim/defaults/main.yml | 26 | ||||
-rw-r--r-- | roles/mail/opendkim/handlers/main.yml | 9 | ||||
-rw-r--r-- | roles/mail/opendkim/tasks/dkim-key.yml | 37 | ||||
-rw-r--r-- | roles/mail/opendkim/tasks/main.yml | 105 | ||||
-rw-r--r-- | roles/mail/opendkim/templates/KeyTable.j2 | 5 | ||||
-rw-r--r-- | roles/mail/opendkim/templates/SigningTable.j2 | 3 |
6 files changed, 185 insertions, 0 deletions
diff --git a/roles/mail/opendkim/defaults/main.yml b/roles/mail/opendkim/defaults/main.yml
new file mode 100644
index 00000000..22636720
--- /dev/null
+++ b/roles/mail/opendkim/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+opendkim_sign: yes
+opendkim_verify: no
+
+opendkim_socket_for_postfix: yes
+
+# opendkim_admin_mail:
+
+# opendkim_internal_hosts:
+# - 127.0.0.1/8
+# - 192.168.0.0/24
+
+# opendkim_domains:
+# example.com:
+# keys:
+# test-2022-07:
+# keylength: 2048
+# test-2021-03:
+# keylength: 2048
+# example.foo:
+# keys:
+# bar:
+# content: |
+# -----BEGIN RSA PRIVATE KEY-----
+# ....
+# -----END RSA PRIVATE KEY-----
diff --git a/roles/mail/opendkim/handlers/main.yml b/roles/mail/opendkim/handlers/main.yml
new file mode 100644
index 00000000..5d328ca3
--- /dev/null
+++ b/roles/mail/opendkim/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: restart opendkim
+ service:
+ name: opendkim
+ state: restarted
diff --git a/roles/mail/opendkim/tasks/dkim-key.yml b/roles/mail/opendkim/tasks/dkim-key.yml
new file mode 100644
index 00000000..02ac34db
--- /dev/null
+++ b/roles/mail/opendkim/tasks/dkim-key.yml
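Review bot: `opendkim_admin_mail` and `opendkim_internal_hosts` are left commented out here, yet tasks/main.yml reads them unconditionally in `set opendkim default options` (`ReportAddress: "{{ opendkim_admin_mail }}"`) and, when `opendkim_sign` is set, in `InternalHosts: "{{ opendkim_internal_hosts | join(', ') }}"`, so a host that only defines `opendkim_domains` fails with an undefined-variable error instead of a message naming the missing setting. Either give them defaults in this file (the commented `- 127.0.0.1/8` suggests a sensible one for internal hosts) or add an `assert` task at the top of tasks/main.yml that checks both are defined. The booleans should be written as `true`/`false` rather than `yes`/`no` (yamllint `truthy`, and Ansible's own convention); the same applies to `daemon_reload: yes` in handlers/main.yml. Above the commented `content: |` example I would add `# key material for content: belongs in a vault-encrypted vars file, not in role defaults` so the sample is not copied literally.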
@@ -0,0 +1,37 @@
+---
+- name: create sub directory for keys
+ file:
+ path: "/etc/opendkim/keys/{{ opendkim_domain.key }}"
+ state: directory
+ mode: 0700
+ owner: opendkim
+ group: opendkim
+
+- name: install precomputed keys
+ loop: "{{ opendkim_domain.value['keys'] | dict2items | selectattr('value.content', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}@{{ opendkim_domain.key }}"
+ copy:
+ dest: "/etc/opendkim/keys/{{ opendkim_domain.key }}/{{ item.key }}.private"
+ content: "{{ item.value.content }}"
+ mode: 0600
+ owner: opendkim
+ group: opendkim
+
+- name: generate DKIM keys
+ loop: "{{ opendkim_domain.value['keys'] | dict2items | rejectattr('value.content', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}@{{ opendkim_domain.key }}"
+ command: "opendkim-genkey -b {{ item.value.keylength }} -s {{ item.key }} -d {{ opendkim_domain.key }} -D '/etc/opendkim/keys/{{ opendkim_domain.key }}'"
+ args:
+ creates: "/etc/opendkim/keys/{{ opendkim_domain.key }}/{{ item.key }}.private"
+
+- name: fix permission for generated DKIM keys
+ loop: "{{ opendkim_domain.value['keys'] | dict2items | rejectattr('value.content', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}@{{ opendkim_domain.key }}"
+ file:
+ path: "/etc/opendkim/keys/{{ opendkim_domain.key }}/{{ item.key }}.private"
+ mode: 0600
+ owner: opendkim
+ group: opendkim
diff --git a/roles/mail/opendkim/tasks/main.yml b/roles/mail/opendkim/tasks/main.yml
new file mode 100644
index 00000000..615b45e0
--- /dev/null
+++ b/roles/mail/opendkim/tasks/main.yml
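Review bot: `install precomputed keys` hands a private key to `copy` through `content: "{{ item.value.content }}"`, and in `--diff` mode or at higher verbosity Ansible prints that content in the play output and logs; the task should carry `no_log: true` (this also censors the `loop_control.label`, which is the price of keeping the key out of logs). `generate DKIM keys` interpolates `item.value.keylength` with no fallback, so a selector entry that omits `keylength` aborts the play; `-b {{ item.value.keylength | default(2048) }}` would match the value the defaults example uses. Because of `creates:`, a later change to `keylength` will not regenerate an existing key, which is worth a one-line comment above that task, e.g. `# creates: makes this idempotent; changing keylength does not replace an existing key`. The octal modes (`0700`, `0600`) work with Ansible's loader thanks to the leading zero, but quoting them (`mode: "0600"`) keeps them from being read as integers by other YAML tooling.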
@@ -0,0 +1,105 @@
+---
+- name: install opendkim packages
+ apt:
+ name:
+ - opendkim
+ - opendkim-tools
+ state: present
+
+- name: create configure sub directory
+ file:
+ path: /etc/opendkim
+ state: directory
+ mode: 0700
+ owner: opendkim
+ group: opendkim
+
+- name: remove annoying sample Socket options
+ lineinfile:
+ regexp: "^#Socket\\s+"
+ state: absent
+ dest: /etc/opendkim.conf
+ notify: restart opendkim
+
+- name: set opendkim default options
+ set_fact:
+ opendkim_options_default:
+ Mode: "{{ opendkim_sign | ternary('s','') }}{{ opendkim_verify | ternary('v','') }}"
+ ReportAddress: "{{ opendkim_admin_mail }}"
+ LogWhy: "yes"
+ opendkim_options_postfix: {}
+ opendkim_options_sign: {}
+ opendkim_options_verify: {}
+
+- name: prepare opendkim to be used with chrooted postfix
+ when: opendkim_socket_for_postfix
+ block:
+ - name: set opendkim postfix options
+ set_fact:
+ opendkim_options_postfix:
+ Socket: "local:/var/spool/postfix/opendkim/opendkim.sock"
+
+ - name: create systemd override directory
+ file:
+ path: /etc/systemd/system/opendkim.service.d
+ state: directory
+
+ - name: add systemd service override
+ copy:
+ content: |
+ [Service]
+ ExecStartPre=+/usr/bin/install -d /var/spool/postfix/opendkim -o opendkim -g opendkim -m 0750
+ dest: /etc/systemd/system/opendkim.service.d/postfix-chroot.conf
+ notify: reload systemd
+
+ - name: configure opendkim listen socket for legacy init
+ lineinfile:
+ dest: /etc/default/opendkim
+ regexp: '^SOCKET='
+ line: 'SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"'
+ notify: restart opendkim
+
+- name: prepare opendkim for signing
+ when: opendkim_sign
+ block:
+ - name: set opendkim sign options
+ set_fact:
+ opendkim_options_sign:
+ InternalHosts: "{{ opendkim_internal_hosts | join(', ') }}"
+ KeyTable: "refile:/etc/opendkim/KeyTable"
+ SigningTable: "refile:/etc/opendkim/SigningTable"
+
+ - name: generate/install dkim keys
+ loop: "{{ opendkim_domains | dict2items }}"
+ loop_control:
+ loop_var: opendkim_domain
+ label: "{{ opendkim_domain.key }}"
+ include_tasks: dkim-key.yml
+
+ - name: install KeyTable and SingingTable
+ loop:
+ - KeyTable
+ - SigningTable
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/opendkim/{{ item }}"
+ notify: restart opendkim
+
+## TODO: implement this
+# - name: prepare opendkim for verifying
+# when: opendkim_verify
+# block:
+# - name: set opendkim verify options
+# set_fact:
+# opendkim_options_verify:
+# option: "value"
+
+- name: configure opendkim
+ loop: "{{ opendkim_options_default | combine(opendkim_options_postfix) | combine(opendkim_options_sign) | combine(opendkim_options_verify) | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} = {{ item.value }}"
+ lineinfile:
+ regexp: "^#?\\s*{{ item.key }}\\s+"
+ line: "{{ item.key }}\t\t\t{{ item.value }}"
+ dest: /etc/opendkim.conf
+ notify: restart opendkim
diff --git a/roles/mail/opendkim/templates/KeyTable.j2 b/roles/mail/opendkim/templates/KeyTable.j2
new file mode 100644
index 00000000..99061267
--- /dev/null
+++ b/roles/mail/opendkim/templates/KeyTable.j2
@@ -0,0 +1,5 @@
+{% for domain in opendkim_domains %}
+{% for selector in opendkim_domains[domain]['keys'] %}
+{{ selector }}._domainkey.{{ domain }} {{ domain }}:{{ selector }}:/etc/opendkim/keys/{{ domain }}/{{ selector }}.private
+{% endfor %}
+{% endfor %}
diff --git a/roles/mail/opendkim/templates/SigningTable.j2 b/roles/mail/opendkim/templates/SigningTable.j2
new file mode 100644
index 00000000..bfadaac5
--- /dev/null
+++ b/roles/mail/opendkim/templates/SigningTable.j2
@@ -0,0 +1,3 @@
+{% for domain in opendkim_domains %}
+*@{{ domain }} {{ opendkim_domains[domain]['keys'] | first }}._domainkey.{{ domain }}
+{% endfor %}
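Review bot: `add systemd service override` notifies only `reload systemd`, but the new `ExecStartPre` (which creates the socket directory inside the postfix chroot) is only picked up when the opendkim unit is restarted, so a later change to the override alone is daemon-reloaded and never applied; `notify: [reload systemd, restart opendkim]` fixes that, and since the handlers are declared in that order the daemon-reload runs first. On a fresh host the restart happens anyway because `configure opendkim` changes the `Socket` line, which is presumably why this went unnoticed. With both `opendkim_sign` and `opendkim_verify` false, `Mode` renders as an empty string and `configure opendkim` writes a bare `Mode` line into /etc/opendkim.conf, which OpenDKIM may reject at startup; an `assert` that at least one of the two is enabled gives a clearer failure. The typo in the task name `install KeyTable and SingingTable` should read `SigningTable`.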
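Review bot: The selector used for signing is whichever entry comes first under `keys` (`| first` on the mapping), an implicit rule that the defaults example (`test-2022-07` listed before `test-2021-03`) relies on but nothing states; it also presumably depends on the YAML loader preserving mapping order, which holds for Ansible on current Python but is not obvious to a reader. Add a Jinja comment at the top of the template, e.g. `{# signing uses the first selector listed under keys; the other KeyTable entries are not referenced by this table #}`, and repeat the rule next to the commented `opendkim_domains` example in defaults/main.yml so a key rotation is done by reordering rather than by guesswork.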