[opendkim] Install and configure opendkim
parent
fa4a78751b
commit
20effc46e7
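--- a/PATH_NOT_SHOWN-playbook.yml
+++ b/PATH_NOT_SHOWN-playbook.yml
@@ -11,6 +11,9 @@
 domains: "*.crans.org"
 bind:
 masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+opendkim:
+private_key: "{{ vault_opendkim_private_key }}"
 roles:
 - certbot
 - postfix
+- opendkim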
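--- a/PATH_NOT_SHOWN-opendkim-tasks.yml
+++ b/PATH_NOT_SHOWN-opendkim-tasks.yml
@@ -0,0 +1,50 @@
+---
+- name: Install opendkim
+apt:
+update_cache: true
+name:
+- opendkim
+- opendkim-tools
+register: apt_result
+retries: 3
+until: apt_result is succeeded
+
+- name: Ensure opendkim directories are here
+file:
+path: /etc/opendkim/keys/crans.org
+state: directory
+mode: 0750
+owner: opendkim
+group: opendkim
+when: not ansible_check_mode
+
+- name: Deploy opendkim configuration
+template:
+src: opendkim.conf.j2
+dest: /etc/opendkim.conf
+mode: 644
+owner: opendkim
+group: opendkim
+
+- name: Deploy opendkim configuration
+template:
+src: opendkim/{{ item }}.j2
+dest: /etc/opendkim/{{ item }}
+mode: 0644
+owner: opendkim
+group: opendkim
+loop:
+- KeyTable
+- SigningTable
+- TrustedHosts
+
+- name: Deploy opendkim key
+template:
+src: opendkim/keys/crans.org/{{ item }}.j2
+dest: /etc/opendkim/keys/crans.org/{{ item }}
+mode: 0600
+owner: opendkim
+group: opendkim
+loop:
+- mail.private
+- mail.txt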
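Review bot: `mode: 644` on the /etc/opendkim.conf template task is an unquoted decimal integer, which Ansible applies as-is rather than as octal, so that file ends up with an unintended permission set while the sibling tasks use `0644` and `0600`; change it to `mode: "0644"`, and quote the other modes (`"0750"`, `"0600"`) so they stop depending on YAML 1.1 octal parsing. The "Deploy opendkim key" task renders the vault-backed private key through `template` without `no_log: true`, so a run with `--diff`, or a failure of that task, prints the key material into the console and any CI job log; add `no_log: true` to that task. None of the template tasks carry a `notify`, and no service task is visible in this hunk, so a changed key or table is not picked up until opendkim is restarted by other means — that may live elsewhere in the role, but if not, a restart handler is needed. The two consecutive template tasks share the name "Deploy opendkim configuration"; naming the second one "Deploy opendkim tables" keeps run output unambiguous.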
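--- a/PATH_NOT_SHOWN/opendkim.conf.j2
+++ b/PATH_NOT_SHOWN/opendkim.conf.j2
@@ -0,0 +1,110 @@
+{{ ansible_header | comment }}
+
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+AutoRestart Yes
+AutoRestartRate 10/1h
+
+# Log to syslog
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/mail/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/mail/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization relaxed/simple
+
+#mode sv
+#subdomains no
+
+# socket smtp://localhost
+#
+# ## socket socketspec
+# ##
+# ## names the socket where this filter should listen for milter connections
+# ## from the mta. required. should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a unix domain socket
+#
+#socket inet:8892@localhost
+socket inet:12301@localhost
+
+
+## pidfile filename
+### default (none)
+###
+### name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+pidfile /var/run/opendkim/opendkim.pid
+
+
+# list domains to use for rfc 6541 dkim authorized third-party signatures
+# (atps) (experimental)
+
+#atpsdomains example.com
+
+signaturealgorithm rsa-sha256
+
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+
+Mode sv
+#SubDomains no
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## resolverconfiguration filename
+## default (none)
+##
+## specifies a configuration file to be passed to the unbound library that
+## performs dns queries applying the dnssec protocol. see the unbound
+## documentation at http://unbound.net for the expected content of this file.
+## the results of using this and the trustanchorfile setting at the same
+## time are undefined.
+## in debian, /etc/unbound/unbound.conf is shipped as part of the suggested
+## unbound package
+
+# resolverconfiguration /etc/unbound/unbound.conf
+
+## trustanchorfile filename
+## default (none)
+##
+## specifies a file from which trust anchor data should be read when doing
+## dns queries and applying the dnssec protocol. see the unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+trustanchorfile /usr/share/dns/root.key
+
+## userid userid
+### default (none)
+###
+### change to user "userid" before starting normal operation? may include
+### a group id as well, separated from the userid by a colon.
+#
+userid opendkim:opendkim
+
+# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+# them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1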
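Review bot: The template keeps the Debian sample's commented-out examples (`#Domain example.com`, `#KeyFile /etc/mail/dkim.key`, `#socket inet:8892@localhost`, `#mode sv`, `#subdomains no`) interleaved with the live directives (`Mode sv`, `socket inet:12301@localhost`, `#SubDomains no`), so a reader has to diff comments against directives to see what is active; trimming to the active directives with one comment each, and using one spelling of the keywords (`Socket`, `PidFile`, `SignatureAlgorithm`, `UserID` rather than the mixed case here), would make it reviewable. The comment above `UMask 002` explains a local-socket requirement, but the active socket is `inet:12301@localhost`, so that comment no longer describes this deployment and should be dropped or say why the umask is kept. `Canonicalization relaxed/simple` uses simple body canonicalization, so any in-transit whitespace change to the body (list footers, trailing-space normalisation) invalidates the signature; `relaxed/relaxed` is the more robust choice for a signer and is worth considering. `trustanchorfile /usr/share/dns/root.key` exists only when `dns-root-data` is installed, which the apt task does not name explicitly — presumably it arrives as a dependency of the Debian opendkim package, but that is worth confirming on the target.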
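--- a/PATH_NOT_SHOWN/opendkim/KeyTable.j2
+++ b/PATH_NOT_SHOWN/opendkim/KeyTable.j2
@@ -0,0 +1 @@
+mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private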
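--- a/PATH_NOT_SHOWN/opendkim/SigningTable.j2
+++ b/PATH_NOT_SHOWN/opendkim/SigningTable.j2
@@ -0,0 +1,2 @@
+*@crans.org mail._domainkey.crans.org
+*@crans.eu mail._domainkey.crans.org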
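Review bot: `*@crans.eu mail._domainkey.crans.org` signs crans.eu mail with the KeyTable entry whose domain field is `crans.org`, so those messages carry `d=crans.org`; the DKIM signature verifies, but DMARC identifier alignment for a crans.eu From: address fails because d= does not match the From domain. If crans.eu mail should align, add a KeyTable line `mail._domainkey.crans.eu crans.eu:mail:/etc/opendkim/keys/crans.org/mail.private`, publish the same public key under `mail._domainkey.crans.eu`, and point this entry at `mail._domainkey.crans.eu`. TrustedHosts lists `*.crans.fr`, but no `*@crans.fr` entry appears here, so mail from that domain passes through unsigned — possibly intended, but a `#` comment in this file saying so would save the next reader the question.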
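--- a/PATH_NOT_SHOWN/opendkim/TrustedHosts.j2
+++ b/PATH_NOT_SHOWN/opendkim/TrustedHosts.j2
@@ -0,0 +1,19 @@
+127.0.0.1
+localhost
+::1
+
+138.231.136.0/21
+138.231.144.0/21
+
+10.231.136.0/24
+10.2.9.0/24
+
+2a0c:700:0:1::/64
+2a0c:700:0:2::/64
+2a0c:700:0:21::/64
+2a0c:700:0:22::/64
+2a0c:700:0:23::/64
+
+*.crans.org
+*.crans.fr
+*.crans.eu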
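Review bot: This file is referenced from opendkim.conf as both `InternalHosts` and `ExternalIgnoreList`, so every address in `138.231.136.0/21`, `138.231.144.0/21`, the 10.x and 2a0c:700 ranges, and any client whose name matches `*.crans.org`, `*.crans.fr` or `*.crans.eu` gets its outbound mail signed for the listed domains and its inbound DKIM signatures skipped, with no authentication beyond network position. If those prefixes cover more than the hosts that legitimately submit mail (not visible here), a compromised machine on them can send DKIM-signed mail for crans.org; restricting InternalHosts to the MTA itself and named relays, and relying on authenticated submission for everything else, limits that. The hostname globs match whatever client name the MTA reports, which typically comes from reverse DNS, so the address entries are the reliable part of this list. A header comment such as `# Feeds both InternalHosts (sign) and ExternalIgnoreList (skip verification) in opendkim.conf` would make the impact of future additions clear.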
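--- a/PATH_NOT_SHOWN/opendkim/keys/crans.org/mail.private.j2
+++ b/PATH_NOT_SHOWN/opendkim/keys/crans.org/mail.private.j2
@@ -0,0 +1 @@
+{{ opendkim.private_key }}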
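--- a/PATH_NOT_SHOWN/opendkim/keys/crans.org/mail.txt.j2
+++ b/PATH_NOT_SHOWN/opendkim/keys/crans.org/mail.txt.j2
@@ -0,0 +1 @@
+mail._domainkey IN TXT "v=DKIM1; k=rsa; p=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" ; ----- DKIM key mail for crans.org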