From c3cd94f6e67c1c79e62270c4427a81282dd4d9e0 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Thu, 25 Mar 2021 16:54:12 +0100
Subject: [PATCH] [opendkim] Pepcransification

Signed-off-by: Yohann D'ANELLO
---
 group_vars/opendkim.yml | 21 +++++++++++++++++++
 hosts | 18 +++++++++-------
 plays/mailman.yml | 2 ++
 plays/postfix.yml | 3 +--
 roles/opendkim/tasks/main.yml | 10 ++++-----
 roles/opendkim/templates/opendkim/KeyTable.j2 | 2 +-
 .../templates/opendkim/SigningTable.j2 | 5 +++--
 .../opendkim/keys/crans.org/mail.txt.j2 | 1 -
 .../mail.private.j2 => key.private.j2} | 0
 .../templates/opendkim/keys/key.txt.j2 | 1 +
 .../templates/postfix/main.cf.j2 | 4 ++++
 11 files changed, 49 insertions(+), 18 deletions(-)
 create mode 100644 group_vars/opendkim.yml
 delete mode 100644 roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2
 rename roles/opendkim/templates/opendkim/keys/{crans.org/mail.private.j2 => key.private.j2} (100%)
 create mode 100644 roles/opendkim/templates/opendkim/keys/key.txt.j2

diff --git a/group_vars/opendkim.yml b/group_vars/opendkim.yml
new file mode 100644
index 00000000..d69a6b5d
--- /dev/null
+++ b/group_vars/opendkim.yml
@@ -0,0 +1,21 @@
+---
+glob_opendkim:
+ domain: "crans.org"
+ selector: "mail"
+ signing:
+ - "*@crans.org"
+ - "*@crans.fr"
+ - "*@crans.eu"
+ trust:
+ - "185.230.79.0/26"
+ - "172.16.3.0/24"
+ - "172.16.10.0/24"
+ - "2a0c:700:0:2::/64"
+ - "2a0c:700:0:3::/64"
+ - "2a0c:700:0:10::/64"
+ - "*@crans.org"
+ - "*@crans.fr"
+ - "*@crans.eu"
+ txt_record: |
+ mail._domainkey IN TXT "v=DKIM1; k=rsa; p=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" ; ----- DKIM key mail for crans.org
+ private_key: "{{ vault.opendkim_private_key }}"
diff --git a/hosts b/hosts
index 58e24a4a..30e139d5 100644
--- a/hosts
+++ b/hosts
@@ -79,13 +79,6 @@ jitsi.adm.crans.org
 [keepalived:children]
 routeurs_vm
-[slapd]
-tealc.adm.crans.org
-sam.adm.crans.org
-daniel.adm.crans.org
-jack.adm.crans.org
-sputnik.adm.crans.org
-
 [linx]
 linx.adm.crans.org
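Review bot: `txt_record` hard-codes the record name `mail._domainkey` and the trailing `DKIM key mail for crans.org` comment while `selector` and `domain` are separate variables, so the four values can drift apart: a host that overrides `selector` or `domain` via `loc_opendkim` still deploys the old record name, and nothing ties the `p=` value to `private_key`. Add a comment above `glob_opendkim` such as `# selector, domain, txt_record and private_key form one key set: regenerate them together, never change one alone`. The `trust` list also mixes CIDR ranges with `*@crans.org`-style address patterns; if it feeds OpenDKIM's InternalHosts/ExternalIgnoreList (the TrustedHosts template is not in this diff), those files take hostnames, IPs and CIDR blocks, so the `*@` entries would presumably be dead entries rather than trusted senders — confirm against the template that renders it.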
@@ -111,6 +104,10 @@ wiki
 charybde.adm.crans.org
 # silice.adm.crans.org
+[opendkim:children]
+mailman
+postfix
+
 [postfix]
 redisdead.adm.crans.org
 zamok.adm.crans.org
@@ -143,6 +140,13 @@ routeur-daniel.adm.crans.org
 routeur-jack.adm.crans.org
 routeur-sam.adm.crans.org
+[slapd]
+tealc.adm.crans.org
+sam.adm.crans.org
+daniel.adm.crans.org
+jack.adm.crans.org
+sputnik.adm.crans.org
+
 [thelounge]
 irc.adm.crans.org
 zamok.adm.crans.org
diff --git a/plays/mailman.yml b/plays/mailman.yml
index ae0231f6..45fb45e3 100755
--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@@ -6,8 +6,10 @@
 certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
 mailman3: '{{ glob_mailman3 | default({}) | combine(loc_mailman3 | default({})) }}'
 nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+ opendkim: '{{ loc_opendkim | default(glob_opendkim | default([])) }}'
 roles:
 - certbot
 - nginx
 - mailman3
 - postfix-mailman3
+ - opendkim
diff --git a/plays/postfix.yml b/plays/postfix.yml
index 0a76001c..6750239d 100755
--- a/plays/postfix.yml
+++ b/plays/postfix.yml
@@ -12,8 +12,7 @@
 domains: "*.crans.org"
 bind:
 masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
- opendkim:
- private_key: "{{ vault.opendkim_private_key }}"
+ opendkim: "{{ glob_opendkim | default({}) | combine(loc_opendkim | default({})) }}"
 policyd:
 mail: root@crans.org
 exemptions: "{{ lookup('re2oapi', 'get_role', 'user-server')[0] }}"
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
index 6488bdb7..0278c4ef 100644
--- a/roles/opendkim/tasks/main.yml
+++ b/roles/opendkim/tasks/main.yml
@@ -11,7 +11,7 @@
 - name: Ensure opendkim directories are here
 file:
- path: /etc/opendkim/keys/crans.org
+ path: "/etc/opendkim/keys/{{ opendkim.domain }}"
 state: directory
 mode: 0750
 owner: opendkim
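Review bot: The new `opendkim` variable in plays/mailman.yml is built as `loc_opendkim | default(glob_opendkim | default([]))`, which differs from the `combine` form the same commit uses in plays/postfix.yml: a host-level `loc_opendkim` replaces the whole group mapping instead of merging into it, and the final fallback `[]` is a list, so a host that somehow lacks `glob_opendkim` fails later on `opendkim.domain` with a confusing list-attribute error rather than an undefined-key error. Use the same expression as postfix.yml: `opendkim: '{{ glob_opendkim | default({}) | combine(loc_opendkim | default({})) }}'`. Note that `combine` is shallow, so a `loc_opendkim` that overrides `selector` or `domain` must also override `txt_record` and `private_key`, which a one-line comment next to the variable could say.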
@@ -40,11 +40,11 @@
 - name: Deploy opendkim key
 template:
- src: opendkim/keys/crans.org/{{ item }}.j2
- dest: /etc/opendkim/keys/crans.org/{{ item }}
+ src: "opendkim/keys/key.{{ item }}.j2"
+ dest: "/etc/opendkim/keys/{{ opendkim.domain }}/{{ opendkim.selector }}.{{ item }}"
 mode: 0600
 owner: opendkim
 group: opendkim
 loop:
- - mail.private
- - mail.txt
+ - "private"
+ - "txt"
diff --git a/roles/opendkim/templates/opendkim/KeyTable.j2 b/roles/opendkim/templates/opendkim/KeyTable.j2
index 86ffcee4..f2d56ada 100644
--- a/roles/opendkim/templates/opendkim/KeyTable.j2
+++ b/roles/opendkim/templates/opendkim/KeyTable.j2
@@ -1 +1 @@
-mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private
+{{ opendkim.selector }}._domainkey.{{ opendkim.domain }} {{ opendkim.domain }}:{{ opendkim.selector }}:/etc/opendkim/keys/{{ opendkim.domain }}/{{ opendkim.selector }}.private
diff --git a/roles/opendkim/templates/opendkim/SigningTable.j2 b/roles/opendkim/templates/opendkim/SigningTable.j2
index d845dc68..fdbc834b 100644
--- a/roles/opendkim/templates/opendkim/SigningTable.j2
+++ b/roles/opendkim/templates/opendkim/SigningTable.j2
@@ -1,2 +1,3 @@
-*@crans.org mail._domainkey.crans.org
-*@crans.eu mail._domainkey.crans.org
+{% for pattern in opendkim.signing %}
+{{ pattern }} {{ opendkim.selector }}._domainkey.{{ opendkim.domain }}
+{% endfor %}
diff --git a/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2 b/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2
deleted file mode 100644
index 9a787ee1..00000000
--- a/roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2
+++ /dev/null
@@ -1 +0,0 @@
-mail._domainkey IN TXT "v=DKIM1; k=rsa; p=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" ; ----- DKIM key mail for crans.org
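Review bot: "Deploy opendkim key" now renders the vaulted private key and the public TXT record in one looped `template` task, and a run with `--diff` (or a failing template) prints the rendered content — i.e. the private key — to the console and to whatever collects that output. Add `no_log: true` (or `diff: false`) to the task, or move the `private` item into its own task carrying `no_log: true` so the public `.txt` file stays diffable. No `notify` is visible in the hunk, so presumably a handler elsewhere restarts opendkim; a rotated key is only picked up after that restart, which a short comment on the task could state. The `mode: 0600` context line is an unquoted octal that PyYAML reads as an int; when the task is next touched it is safer quoted as `"0600"`.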
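Review bot: Every pattern in `opendkim.signing` is mapped to the single key `{{ opendkim.selector }}._domainkey.{{ opendkim.domain }}`, so mail from `*@crans.fr` and `*@crans.eu` is signed with `d=crans.org`; the signature verifies, but it is not DMARC-aligned for crans.fr or crans.eu, so if those domains publish a DMARC policy their mail can only pass through SPF alignment. Worth recording here: `{# every pattern signs with d=opendkim.domain; signatures for other domains are valid but not DMARC-aligned #}`. The wildcard patterns also rely on opendkim.conf loading this table as `refile:`; the previous version already used `*@`, so that is presumably in place but is not shown in this diff.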
diff --git a/roles/opendkim/templates/opendkim/keys/crans.org/mail.private.j2 b/roles/opendkim/templates/opendkim/keys/key.private.j2
similarity index 100%
rename from roles/opendkim/templates/opendkim/keys/crans.org/mail.private.j2
rename to roles/opendkim/templates/opendkim/keys/key.private.j2
diff --git a/roles/opendkim/templates/opendkim/keys/key.txt.j2 b/roles/opendkim/templates/opendkim/keys/key.txt.j2
new file mode 100644
index 00000000..8c6fc1cf
--- /dev/null
+++ b/roles/opendkim/templates/opendkim/keys/key.txt.j2
@@ -0,0 +1 @@
+{{ opendkim.txt_record }}
diff --git a/roles/postfix-mailman3/templates/postfix/main.cf.j2 b/roles/postfix-mailman3/templates/postfix/main.cf.j2
index 5dc3a1ec..5e1e6b36 100644
--- a/roles/postfix-mailman3/templates/postfix/main.cf.j2
+++ b/roles/postfix-mailman3/templates/postfix/main.cf.j2
@@ -22,6 +22,10 @@ smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# OpenDKIM
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
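Review bot: The two new milter lines in main.cf.j2 set no `milter_default_action`, so Postfix keeps its default `tempfail`: while opendkim is down, restarting, or not yet listening on 12301, every inbound message and every locally submitted one (including mailman's) is deferred instead of passing unsigned. That fail-closed behaviour is a reasonable choice for a signing milter, but it should be explicit — add `milter_default_action = tempfail` under the `# OpenDKIM` comment, or `accept` if list-mail availability matters more than an unsigned message slipping through. `inet:localhost:12301` must also match the `Socket` directive of the opendkim role's configuration, which this diff does not show; presumably the postfix role's own main.cf already carries the same two lines and the port is shared.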