diff --git a/postfix.yml b/postfix.yml
index 10ddf47a..3487bc2d 100755
--- a/postfix.yml
+++ b/postfix.yml
@@ -11,6 +11,9 @@ domains: "*.crans.org"
 bind:
 masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+ opendkim:
+ private_key: "{{ vault_opendkim_private_key }}"
 roles:
 - certbot
 - postfix
+ - opendkim
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
new file mode 100644
index 00000000..6488bdb7
--- /dev/null
+++ b/roles/opendkim/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Install opendkim
+ apt:
+ update_cache: true
+ name:
+ - opendkim
+ - opendkim-tools
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Ensure opendkim directories are here
+ file:
+ path: /etc/opendkim/keys/crans.org
+ state: directory
+ mode: 0750
+ owner: opendkim
+ group: opendkim
+ when: not ansible_check_mode
+
+- name: Deploy opendkim configuration
+ template:
+ src: opendkim.conf.j2
+ dest: /etc/opendkim.conf
+ mode: 644
+ owner: opendkim
+ group: opendkim
+
+- name: Deploy opendkim configuration
+ template:
+ src: opendkim/{{ item }}.j2
+ dest: /etc/opendkim/{{ item }}
+ mode: 0644
+ owner: opendkim
+ group: opendkim
+ loop:
+ - KeyTable
+ - SigningTable
+ - TrustedHosts
+
+- name: Deploy opendkim key
+ template:
+ src: opendkim/keys/crans.org/{{ item }}.j2
+ dest: /etc/opendkim/keys/crans.org/{{ item }}
+ mode: 0600
+ owner: opendkim
+ group: opendkim
+ loop:
+ - mail.private
+ - mail.txt
diff --git a/roles/opendkim/templates/opendkim.conf.j2 b/roles/opendkim/templates/opendkim.conf.j2
new file mode 100644
index 00000000..dd86771a
--- /dev/null
+++ b/roles/opendkim/templates/opendkim.conf.j2
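Review bot: `mode: 644` on the `/etc/opendkim.conf` template task is an unquoted decimal, which Ansible's documentation warns is taken as decimal 644 (octal 01204) rather than rw-r--r--; the other tasks use a leading zero, so this one should read `mode: "0644"` (quoting the others as `"0750"` and `"0600"` keeps them safe under YAML 1.2 parsers as well). The `Deploy opendkim key` task renders `mail.private` from the vault variable with no `no_log: true`, so a run with `--diff`, or a template failure, prints the private key into the log. None of the five tasks carries a `notify` and no handler appears in this diff, so a changed configuration or key is not picked up by a running opendkim unless a handler exists elsewhere in the role. The two template tasks also share the name `Deploy opendkim configuration`, which makes `--start-at-task` and log reading ambiguous.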
@@ -0,0 +1,110 @@
+{{ ansible_header | comment }}
+
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+AutoRestart Yes
+AutoRestartRate 10/1h
+
+# Log to syslog
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/mail/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/mail/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization relaxed/simple
+
+#mode sv
+#subdomains no
+
+# socket smtp://localhost
+#
+# ## socket socketspec
+# ##
+# ## names the socket where this filter should listen for milter connections
+# ## from the mta. required. should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a unix domain socket
+#
+#socket inet:8892@localhost
+socket inet:12301@localhost
+
+
+## pidfile filename
+### default (none)
+###
+### name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+pidfile /var/run/opendkim/opendkim.pid
+
+
+# list domains to use for rfc 6541 dkim authorized third-party signatures
+# (atps) (experimental)
+
+#atpsdomains example.com
+
+signaturealgorithm rsa-sha256
+
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+
+Mode sv
+#SubDomains no
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## resolverconfiguration filename
+## default (none)
+##
+## specifies a configuration file to be passed to the unbound library that
+## performs dns queries applying the dnssec protocol. see the unbound
+## documentation at http://unbound.net for the expected content of this file.
+## the results of using this and the trustanchorfile setting at the same
+## time are undefined.
+## in debian, /etc/unbound/unbound.conf is shipped as part of the suggested
+## unbound package
+
+# resolverconfiguration /etc/unbound/unbound.conf
+
+## trustanchorfile filename
+## default (none)
+##
+## specifies a file from which trust anchor data should be read when doing
+## dns queries and applying the dnssec protocol. see the unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+trustanchorfile /usr/share/dns/root.key
+
+## userid userid
+### default (none)
+###
+### change to user "userid" before starting normal operation? may include
+### a group id as well, separated from the userid by a colon.
+#
+userid opendkim:opendkim
+
+# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+# them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
diff --git a/roles/opendkim/templates/opendkim/KeyTable.j2 b/roles/opendkim/templates/opendkim/KeyTable.j2
new file mode 100644
index 00000000..86ffcee4
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/KeyTable.j2
@@ -0,0 +1 @@
+mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private
diff --git a/roles/opendkim/templates/opendkim/SigningTable.j2 b/roles/opendkim/templates/opendkim/SigningTable.j2
new file mode 100644
index 00000000..d845dc68
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/SigningTable.j2
@@ -0,0 +1,2 @@
+*@crans.org mail._domainkey.crans.org
+*@crans.eu mail._domainkey.crans.org
diff --git a/roles/opendkim/templates/opendkim/TrustedHosts.j2 b/roles/opendkim/templates/opendkim/TrustedHosts.j2
new file mode 100644
index 00000000..73c84818
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/TrustedHosts.j2
@@ -0,0 +1,19 @@
+127.0.0.1
+localhost
+::1
+
+138.231.136.0/21
+138.231.144.0/21
+
+10.231.136.0/24
+10.2.9.0/24
+
+2a0c:700:0:1::/64
+2a0c:700:0:2::/64
+2a0c:700:0:21::/64
+2a0c:700:0:22::/64
+2a0c:700:0:23::/64
+
+*.crans.org
+*.crans.fr
+*.crans.eu
diff --git a/roles/opendkim/templates/opendkim/keys/crans.org/mail.private.j2 b/roles/opendkim/templates/opendkim/keys/crans.org/mail.private.j2
new file mode 100644
index 00000000..6defb2bf
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/keys/crans.org/mail.private.j2
@@ -0,0 +1 @@
+{{ opendkim.private_key }}
diff --git a/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2 b/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2
new file mode 100644
index 00000000..9a787ee1
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2
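Review bot: `socket inet:12301@localhost` is the only site-specific value in this template and the Postfix side that has to agree with it (`smtpd_milters` / `non_smtpd_milters`) is not in this diff; a comment such as `# Must match smtpd_milters/non_smtpd_milters in the postfix role` next to it would tie the two together. The stock comment above `UMask 002` explains a local-socket requirement that does not apply to the inet socket used here, so it reads as stale. `Mode sv` combined with `InternalHosts refile:/etc/opendkim/TrustedHosts` appears to mean that every client matched by TrustedHosts has its mail signed instead of verified; that is presumably the intended setup, but a one-line comment beside `InternalHosts` stating it would save the next reader a trip to opendkim.conf(5).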
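Review bot: `*@crans.eu mail._domainkey.crans.org` signs crans.eu mail with a `d=crans.org` signature; the DKIM signature itself verifies, but it is not DMARC-aligned with a crans.eu From address, so if crans.eu publishes a DMARC policy those messages fail DMARC unless SPF happens to align. A second key under crans.eu with its own KeyTable entry, e.g. `*@crans.eu mail._domainkey.crans.eu`, avoids that. TrustedHosts lists `*.crans.fr` but no `*@crans.fr` line appears here, so if that domain sends mail through this host its messages leave unsigned.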
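Review bot: Every address in the two /21 and two /24 ranges, the five IPv6 /64s, and any host matching `*.crans.org`, `*.crans.fr` or `*.crans.eu` is treated as internal through opendkim.conf's `InternalHosts` and `ExternalIgnoreList`, so mail relayed from any of them is signed with the crans.org key without verification. That is a wide signing scope for a key whose reputation is tied to the domain; it is worth confirming that only hosts meant to originate crans.org mail can reach the milter from those ranges, and narrowing the list to the MTAs if so. A `#` line naming each range (opendkim's flat-file datasets should skip comment lines, confirm with the installed version) would document why each entry is trusted.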
@@ -0,0 +1 @@ +mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtwkNVd9Mmz8S4WcfuPk0X2drG39gS8+uxAv8igRILgzWeN8j2hjeZesl8pm/1UTVU87bYcdfUgXiGfQy9nR5p/Vmt2kS7sXk9nsJ/VYENgb3IJQ6paWupSTFMyeKycJ4ZHCEZB/bVvifoG6vLKqW5jpsfCiOcfdcgXATn0UPuVx9t93yRrhoEMntMv9TSodjqd3FKCtJUoh5cNQHo0T6dWKtxoIgNi/mvZ92D/IACwu/XOU+Rq9fnoEI8GukBQUR5AkP0B/JrvwWXWX/3EjY8X37ljEX0XUdq/ShzTl5iK+CM83stgkFUQh/rpww5mnxYEW3X4uirJ7VJHmY4KPoIU+2DPjLQj9Hz63CMWY3Ks2pXWzxD3V+GI1aJTMFOv2LeHnI3ScqFaKj9FR4ZKMb0OW2BEFBIY3J3aeo/paRwdbVCMM7twDtZY9uInR/NhVa1v9hlOxwp4/2pGSKQYoN2CkAZ1Alzwf8M3EONLKeiC43JLYwKH1uBB1oikSVhMnLjG0219XvfG/tphyoOqJR/bCc2rdv5pLwKUl4wVuygfpvOw12bcvnTfYuk/BXzVHg9t4H8k/DJR6GAoeNAapXIS8AfAScF8QdKfplhKLJyQGJ6lQ75YD9IwRAN0oV+8NTjl46lI/C+b7mpfXCew+p6YPwfNvV2shiR0Ez8ZGUQIcCAwEAAQ==" ; ----- DKIM key mail for crans.org
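Review bot: The `p=` value is carried in a single quoted string of well over 255 octets; a DNS TXT record is built from `<character-string>` units of at most 255 octets, so if this line is ever pasted into the bind zone as-is a zone loader such as BIND rejects it, and it should be split into several quoted strings that the verifier concatenates. The public half is hard-coded here while the private half comes from the vault, so nothing in the repository ties the two together at rotation time; a Jinja comment such as `{# public half of vault_opendkim_private_key, selector mail #}` would help. The `MIICIjAN…` prefix suggests a 4096-bit RSA key, which some older verifiers do not handle, worth knowing if signatures are reported as unverifiable.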