[opendkim] Install and configure opendkim
parent
fa4a78751b
commit
20effc46e7
|
|
@ -11,6 +11,9 @@
|
|||
domains: "*.crans.org"
|
||||
bind:
|
||||
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
|
||||
opendkim:
|
||||
private_key: "{{ vault_opendkim_private_key }}"
|
||||
roles:
|
||||
- certbot
|
||||
- postfix
|
||||
- opendkim
|
||||
|
|
|
|||
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
- name: Install opendkim
|
||||
apt:
|
||||
update_cache: true
|
||||
name:
|
||||
- opendkim
|
||||
- opendkim-tools
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Ensure opendkim directories are here
|
||||
file:
|
||||
path: /etc/opendkim/keys/crans.org
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: Deploy opendkim configuration
|
||||
template:
|
||||
src: opendkim.conf.j2
|
||||
dest: /etc/opendkim.conf
|
||||
mode: 644
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
|
||||
- name: Deploy opendkim configuration
|
||||
template:
|
||||
src: opendkim/{{ item }}.j2
|
||||
dest: /etc/opendkim/{{ item }}
|
||||
mode: 0644
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
loop:
|
||||
- KeyTable
|
||||
- SigningTable
|
||||
- TrustedHosts
|
||||
|
||||
- name: Deploy opendkim key
|
||||
template:
|
||||
src: opendkim/keys/crans.org/{{ item }}.j2
|
||||
dest: /etc/opendkim/keys/crans.org/{{ item }}
|
||||
mode: 0600
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
loop:
|
||||
- mail.private
|
||||
- mail.txt
|
||||
|
|
@ -0,0 +1,110 @@
|
|||
{{ ansible_header | comment }}
|
||||
|
||||
# This is a basic configuration that can easily be adapted to suit a standard
|
||||
# installation. For more advanced options, see opendkim.conf(5) and/or
|
||||
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
|
||||
|
||||
AutoRestart Yes
|
||||
AutoRestartRate 10/1h
|
||||
|
||||
# Log to syslog
|
||||
Syslog yes
|
||||
SyslogSuccess Yes
|
||||
LogWhy Yes
|
||||
# Required to use local socket with MTAs that access the socket as a non-
|
||||
# privileged user (e.g. Postfix)
|
||||
UMask 002
|
||||
|
||||
# Sign for example.com with key in /etc/mail/dkim.key using
|
||||
# selector '2007' (e.g. 2007._domainkey.example.com)
|
||||
#Domain example.com
|
||||
#KeyFile /etc/mail/dkim.key
|
||||
#Selector 2007
|
||||
|
||||
# Commonly-used options; the commented-out versions show the defaults.
|
||||
Canonicalization relaxed/simple
|
||||
|
||||
#mode sv
|
||||
#subdomains no
|
||||
|
||||
# socket smtp://localhost
|
||||
#
|
||||
# ## socket socketspec
|
||||
# ##
|
||||
# ## names the socket where this filter should listen for milter connections
|
||||
# ## from the mta. required. should be in one of these forms:
|
||||
# ##
|
||||
# ## inet:port@address to listen on a specific interface
|
||||
# ## inet:port to listen on all interfaces
|
||||
# ## local:/path/to/socket to listen on a unix domain socket
|
||||
#
|
||||
#socket inet:8892@localhost
|
||||
socket inet:12301@localhost
|
||||
|
||||
|
||||
## pidfile filename
|
||||
### default (none)
|
||||
###
|
||||
### name of the file where the filter should write its pid before beginning
|
||||
### normal operations.
|
||||
#
|
||||
pidfile /var/run/opendkim/opendkim.pid
|
||||
|
||||
|
||||
# list domains to use for rfc 6541 dkim authorized third-party signatures
|
||||
# (atps) (experimental)
|
||||
|
||||
#atpsdomains example.com
|
||||
|
||||
signaturealgorithm rsa-sha256
|
||||
|
||||
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
|
||||
InternalHosts refile:/etc/opendkim/TrustedHosts
|
||||
KeyTable refile:/etc/opendkim/KeyTable
|
||||
SigningTable refile:/etc/opendkim/SigningTable
|
||||
|
||||
Mode sv
|
||||
#SubDomains no
|
||||
#ADSPDiscard no
|
||||
|
||||
# Always oversign From (sign using actual From and a null From to prevent
|
||||
# malicious signatures header fields (From and/or others) between the signer
|
||||
# and the verifier. From is oversigned by default in the Debian pacakge
|
||||
# because it is often the identity key used by reputation systems and thus
|
||||
# somewhat security sensitive.
|
||||
OversignHeaders From
|
||||
|
||||
## resolverconfiguration filename
|
||||
## default (none)
|
||||
##
|
||||
## specifies a configuration file to be passed to the unbound library that
|
||||
## performs dns queries applying the dnssec protocol. see the unbound
|
||||
## documentation at http://unbound.net for the expected content of this file.
|
||||
## the results of using this and the trustanchorfile setting at the same
|
||||
## time are undefined.
|
||||
## in debian, /etc/unbound/unbound.conf is shipped as part of the suggested
|
||||
## unbound package
|
||||
|
||||
# resolverconfiguration /etc/unbound/unbound.conf
|
||||
|
||||
## trustanchorfile filename
|
||||
## default (none)
|
||||
##
|
||||
## specifies a file from which trust anchor data should be read when doing
|
||||
## dns queries and applying the dnssec protocol. see the unbound documentation
|
||||
## at http://unbound.net for the expected format of this file.
|
||||
|
||||
trustanchorfile /usr/share/dns/root.key
|
||||
|
||||
## userid userid
|
||||
### default (none)
|
||||
###
|
||||
### change to user "userid" before starting normal operation? may include
|
||||
### a group id as well, separated from the userid by a colon.
|
||||
#
|
||||
userid opendkim:opendkim
|
||||
|
||||
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
|
||||
# them to UTF-8 before the text is given over to rules processing.
|
||||
#
|
||||
# normalize_charset 1
|
||||
|
|
@ -0,0 +1 @@
|
|||
mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
*@crans.org mail._domainkey.crans.org
|
||||
*@crans.eu mail._domainkey.crans.org
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
127.0.0.1
|
||||
localhost
|
||||
::1
|
||||
|
||||
138.231.136.0/21
|
||||
138.231.144.0/21
|
||||
|
||||
10.231.136.0/24
|
||||
10.2.9.0/24
|
||||
|
||||
2a0c:700:0:1::/64
|
||||
2a0c:700:0:2::/64
|
||||
2a0c:700:0:21::/64
|
||||
2a0c:700:0:22::/64
|
||||
2a0c:700:0:23::/64
|
||||
|
||||
*.crans.org
|
||||
*.crans.fr
|
||||
*.crans.eu
|
||||
|
|
@ -0,0 +1 @@
|
|||
{{ opendkim.private_key }}
|
||||
|
|
@ -0,0 +1 @@
|
|||
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtwkNVd9Mmz8S4WcfuPk0X2drG39gS8+uxAv8igRILgzWeN8j2hjeZesl8pm/1UTVU87bYcdfUgXiGfQy9nR5p/Vmt2kS7sXk9nsJ/VYENgb3IJQ6paWupSTFMyeKycJ4ZHCEZB/bVvifoG6vLKqW5jpsfCiOcfdcgXATn0UPuVx9t93yRrhoEMntMv9TSodjqd3FKCtJUoh5cNQHo0T6dWKtxoIgNi/mvZ92D/IACwu/XOU+Rq9fnoEI8GukBQUR5AkP0B/JrvwWXWX/3EjY8X37ljEX0XUdq/ShzTl5iK+CM83stgkFUQh/rpww5mnxYEW3X4uirJ7VJHmY4KPoIU+2DPjLQj9Hz63CMWY3Ks2pXWzxD3V+GI1aJTMFOv2LeHnI3ScqFaKj9FR4ZKMb0OW2BEFBIY3J3aeo/paRwdbVCMM7twDtZY9uInR/NhVa1v9hlOxwp4/2pGSKQYoN2CkAZ1Alzwf8M3EONLKeiC43JLYwKH1uBB1oikSVhMnLjG0219XvfG/tphyoOqJR/bCc2rdv5pLwKUl4wVuygfpvOw12bcvnTfYuk/BXzVHg9t4H8k/DJR6GAoeNAapXIS8AfAScF8QdKfplhKLJyQGJ6lQ75YD9IwRAN0oV+8NTjl46lI/C+b7mpfXCew+p6YPwfNvV2shiR0Ez8ZGUQIcCAwEAAQ==" ; ----- DKIM key mail for crans.org
|
||||
Loading…
Reference in New Issue