Commit 8b2561e3 authored by Hinrikus Wolf's avatar Hinrikus Wolf

move over to dkimpy-milter

parent e6d391bf
1 merge request!22Implement dkim
Pipeline #6993 passed
...@@ -75,11 +75,18 @@ postfix_verify_spf_testmode: true ...@@ -75,11 +75,18 @@ postfix_verify_spf_testmode: true
postfix_enable_srs: false postfix_enable_srs: false
# Note: This requires at least buster-backports or newer. # Note: This requires at least buster-backports or newer.
postfix_enable_mta_sts: false postfix_enable_mta_sts: false
postfix_enable_dkim: false
postfix_my_networks: [] postfix_my_networks: []
postfix_notify_classes: [] postfix_notify_classes: []
postfix_satellite_only: false postfix_satellite_only: false
postfix_dkim_internal_hosts:
- "127.0.0.1"
- "::1"
- "localhost."
- "{{ ansible_fqdn }}"
## sane defaults for postfix satellites ## sane defaults for postfix satellites
# #
# postfix_satellite_only: true # postfix_satellite_only: true
......
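Review bot: The tasks introduced by this commit reference `dkim_selector` (in the dknewkey name and in every key path), but this defaults hunk only adds `postfix_enable_dkim` and `postfix_dkim_internal_hosts`; unless `dkim_selector` is defined outside the visible lines, enabling DKIM fails on an undefined variable. A default next to the new keys would make the role self-contained, and since every other variable in this file carries the `postfix_` prefix, a namespaced name such as `postfix_dkim_selector: "SELECTOR_PLACEHOLDER"` with the tasks updated accordingly would keep the naming consistent. The rest of the defaults file is outside the hunk, so the variable may already exist there.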
...@@ -23,3 +23,6 @@ ...@@ -23,3 +23,6 @@
- name: postmap transport - name: postmap transport
command: postmap cdb:/etc/postfix/transport command: postmap cdb:/etc/postfix/transport
- name: restart dkimpy-milter
service: name=dkimpy-milter state=restarted
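Review bot: The new handler passes module arguments as a `key=value` string, `service: name=dkimpy-milter state=restarted`, while the tasks added in the same commit use block YAML for module arguments; the Ansible style guide and ansible-lint prefer the block form, `service:` / `name: dkimpy-milter` / `state: restarted`. Mixing the two forms in one role makes the handlers harder to lint and diff.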
--- ---
- name: ensure we have opendkim - name: ensure we have dkimpy-milter
apt: apt:
name: name:
- opendkim - dkimpy-milter
- opendkim-tools state: "{{ 'present' if postfix_enable_dkim else 'absent' }}"
state: present tags:
- mail
- postfix
- name: ensure we have keys for any domain - name: ensure we have keys for any domain
command: command:
cmd: "opendkim-genkey --directory=/etc/dkimkeys --domain={{ item }} --selector={{ item }}-{{ dkim_selector }} --nosubdomains" cmd: "dknewkey {{ ansible_hostname }}-{{ item }}-{{ dkim_selector }}"
creates: # yamllint disable-line rule:line-length
- "/etc/dkimkeys/{{ item }}-{{ dkim_selector }}.private" creates: "/etc/dkimpy-milter/{{ ansible_hostname }}-{{ item }}-{{ dkim_selector }}.*"
- "/etc/dkimkeys/{{ item }}-{{ dkim_selector }}.txt" chdir: /etc/dkimpy-milter
become: yes loop: "{{ (postfix_domains + postfix_virtual_domains)|unique }}"
become_user: opendkim when: postfix_enable_dkim
loop: "{{ postfix_domains + postfix_virtual_domains }}" tags:
- mail
- postfix
- name: ensure we have a folder for systemd overrides
file:
state: directory
path: "/etc/systemd/system/opendkim.service.d/"
mode: '0755'
owner: root
group: root
- name: ensure we run the service without root
copy:
src: "opendkim-systemd-service-override.conf"
dest: "/etc/systemd/system/opendkim.service.d/override.conf"
- name: ensure we have our config - name: ensure we have our config
template: template:
src: "opendkim.conf.j2" src: "dkimpy-milter.conf.j2"
dest: "/etc/opendkim.conf" dest: "/etc/dkimpy-milter/dkimpy-milter.conf"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: restart dkimpy-milter
when: postfix_enable_dkim
tags:
- mail
- postfix
- name: ensure we have the key and sigining table
- name: ensure we have the key table
template: template:
src: "opendkim-{{ item }}.j2" src: "dkimpy-milter-{{ item }}.j2"
dest: "/etc/dkimkeys/{{ item }}" dest: "/etc/dkimpy-milter/{{ item }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
loop: loop:
- "keytable" - "keytable"
- "signingtable" - "signingtable"
- "trustedhosts" notify: restart dkimpy-milter
when: postfix_enable_dkim
tags:
- mail
- postfix
- name: ensure service is enabled and running
service:
name: dkimpy-milter
state: started
enabled: true
when: postfix_enable_dkim
tags:
- mail
- postfix
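Review bot: The key-generation task (`ensure we have keys for any domain`) now runs dknewkey as the play's user with no `become_user`, whereas the opendkim version ran it as `opendkim`; the config template starts the daemon as `UserID dkimpy-milter`, so whether the generated private keys in /etc/dkimpy-milter are readable by the service, and not by anyone else, depends entirely on the mode and ownership dknewkey happens to use, which this task does not control. A follow-up `file` task on the generated key files with `owner: dkimpy-milter`, `group: dkimpy-milter`, `mode: '0600'` would pin that down in both directions. Separately, the `creates` glob `{{ ansible_hostname }}-{{ item }}-{{ dkim_selector }}.*` matches any file with that prefix rather than the key itself, so if the tool writes more than one file a partially completed earlier run would count as done; `creates: "/etc/dkimpy-milter/{{ ansible_hostname }}-{{ item }}-{{ dkim_selector }}.key"` checks for exactly the path the keytable template references.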
...@@ -106,6 +106,7 @@ ...@@ -106,6 +106,7 @@
- import_tasks: mta-sts.yml - import_tasks: mta-sts.yml
- import_tasks: spf.yml - import_tasks: spf.yml
- import_tasks: srs.yml - import_tasks: srs.yml
- import_tasks: dkim.yml
- name: install rt-mailgate if needed - name: install rt-mailgate if needed
apt: apt:
......
{% for domain in (postfix_domains + postfix_virtual_domains)|unique %}
{{ domain }} {{ domain }}:{{ ansible_hostname }}-{{ domain }}-{{ dkim_selector }}:/etc/dkimpy-milter/{{ ansible_hostname }}-{{ domain }}-{{ dkim_selector }}.key
{% endfor %}
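Review bot: The selector written into the key table, `{{ ansible_hostname }}-{{ domain }}-{{ dkim_selector }}`, is what verifiers will query as `<selector>._domainkey.<domain>`, so the hostname, the domain and the configured selector together have to form a valid DNS name (each label at most 63 octets, only characters allowed in hostnames); nothing in this template or the defaults documents that constraint. A one-line comment at the top of the template stating that the published DNS name is `<ansible_hostname>-<domain>-<dkim_selector>._domainkey.<domain>` and that `dkim_selector` and the hostname must keep it within DNS label limits would save the next person from debugging failed signature lookups.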
{% for domain in (postfix_domains + postfix_virtual_domains)|unique %}
*@{{domain}} {{ domain }}
{% endfor %}
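Review bot: The Jinja expression spacing is inconsistent within one line, `*@{{domain}} {{ domain }}`, and with the keytable template that uses `{{ domain }}` throughout; `*@{{ domain }} {{ domain }}` keeps the templates uniform. The second column must match the first column of the keytable entry for the same domain, which it does here, so this is a style point only.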
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see dkimpy-milter.conf(5).
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
KeyTable /etc/dkimpy-milter/keytable
SigningTable /etc/dkimpy-milter/signingtable
InternalHosts {{ postfix_dkim_internal_hosts | join(',') }}
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization relaxed/simple
#Mode sv
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
#
Socket inet:8892@localhost
## PidFile filename
### default /run/dkimpy-milter/dkimpy-milter.pid
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /run/dkimpy-milter/dkimpy-milter.pid
## Userid userid
### default dkimpy-milter
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID dkimpy-milter
Mode sv
MacroList daemon_name|ORIGINATING
MacroListVerify daemon_name|VERIFYING
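Review bot: `Mode sv` is set at the end of the file while `#Mode sv` stays commented out near the top, and the `UMask 007` comment explains a local-socket requirement although the configured `Socket` is `inet:8892@localhost`; both read as leftovers from the template this was adapted from and should be trimmed so the file states each setting once. Compared with the removed opendkim.conf.j2, `Canonicalization relaxed/simple` survives only as a commented-out line and `OversignHeaders From` has no counterpart here; if dkimpy-milter's default canonicalization differs from relaxed/simple, signatures over headers rewritten by downstream MTAs will fail more often, so setting `Canonicalization relaxed/simple` explicitly preserves the previous behaviour, and the From oversigning should be checked against what dkimpy-milter supports. `Socket`, `PidFile` and `UserID` look consistent with the tasks and with master.cf in this commit.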
...@@ -16,6 +16,10 @@ smtp inet n - y - - smtpd ...@@ -16,6 +16,10 @@ smtp inet n - y - - smtpd
{% if postfix_enable_postscreen %} {% if postfix_enable_postscreen %}
smtp inet n - y - 1 postscreen smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd smtpd pass - - y - - smtpd
{% if postfix_enable_dkim %}
-o milter_macro_daemon_name=VERIFYING
-o smtpd_milters=inet:localhost:8892
{% endif %}
{% if postfix_content_filter %} {% if postfix_content_filter %}
-o content_filter={{ postfix_content_filter }} -o content_filter={{ postfix_content_filter }}
{% endif %} {% endif %}
...@@ -36,6 +40,10 @@ submission inet n - y - - smtpd ...@@ -36,6 +40,10 @@ submission inet n - y - - smtpd
{% if postfix_content_filter %} {% if postfix_content_filter %}
-o content_filter={{ postfix_content_filter }} -o content_filter={{ postfix_content_filter }}
{% endif %} {% endif %}
{% if postfix_enable_dkim %}
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_milters=inet:localhost:8892
{% endif %}
{% endif %} {% endif %}
{% if postfix_enable_smtps %} {% if postfix_enable_smtps %}
smtps inet n - y - - smtpd smtps inet n - y - - smtpd
......
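Review bot: Both milter stanzas rely on Postfix's default `milter_default_action` (tempfail), so whenever dkimpy-milter is unavailable — including the restart window of the new `restart dkimpy-milter` handler — inbound mail on the postscreen path and all submissions are deferred with a 4xx; that is a reasonable choice for signing on `submission`, but for the verification-only `smtpd pass` entry an explicit `-o milter_default_action=accept` stops a milter outage from becoming an inbound mail outage, since the milter only contributes a verification result there. Also, only the postscreen branch's `smtpd pass` entry receives the VERIFYING milter; the plain `smtp inet ... smtpd` entry named in the hunk header is outside the hunk and does not appear to get it, so inbound verification may silently depend on `postfix_enable_postscreen`. The enclosing `{% if %}` blocks of both hunks start before their hunks.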
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts