Commit b860cf60 authored by Hinrikus Wolf's avatar Hinrikus Wolf Committed by Lars Beckers

add basic config for opendkim (work in progress)

parent 2475e025
---
dkim_canonicalization: "simple"
dkim_mode: "sv"
dkim_subdomains: "no"
dkim_temp_dir: "/var/run/opendkim"
dkim_base_dir: "/var/run/opendkim"
dkim_must_be_signed: "From"
dkim_on_bad_signature: "accept" # TODO: evaluate after test phase
dkim_query_cache: "yes"
dkim_remove_old_signatures: "no" # TODO: evaluate for RWTH Servers
dkim_report_address: "{{ dovecot_admin_mail }}"
dkim_send_reports: "no" # TODO: evaluate after test phase
dkim_software_headers: "yes"
dkim_signature_ttl: 0
dkim_oversign_headers: "From"
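Review bot: `dkim_report_address` on L17 depends on a variable owned by another role (`dovecot_admin_mail`); on a host where that variable is undefined the opendkim.conf template fails to render instead of producing a config without a ReportAddress. Either document the cross-role dependency in a comment at the top of this file or give it a fallback, e.g. `dkim_report_address: "{{ dovecot_admin_mail | default('postmaster@' ~ ansible_fqdn) }}"` (the postmaster address is a constructed example). The `"yes"`/`"no"` values are quoted strings rather than YAML booleans, which is correct here because they are substituted verbatim into opendkim.conf; a comment such as `# yes/no are opendkim.conf keywords, keep them as strings` would stop a later cleanup from turning them into `true`/`false`.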
---
- name: ensure opendkim is installed
apt:
name:
- opendkim
- opendkim-tools
state: present
- name: ensure opendkim config is present
template:
src: opendkim.conf.j2
dest: /etc/opendkim.conf
mode: "0640"
- name: ensure domain files are present
template:
src: "{{item}}.j2"
dest: "/etc/opendkim/{{item}}"
with_items:
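Review bot: Neither template task notifies a handler, so a changed opendkim.conf or table file is written to disk but the running daemon keeps its old configuration until something else restarts it; add `notify: restart opendkim` to both template tasks and a handler that restarts the `opendkim` service with the `service` module. `with_items:` on L38 has no list beneath it in this view, so either the domain-files task is incomplete or its items were lost in rendering — worth confirming against the original file. That task also writes to `/etc/opendkim/{{item}}` without anything visible ensuring the directory exists; unless the package creates it, a preceding `file` task with `path: /etc/opendkim` and `state: directory` is needed. Minor style point: the role elsewhere writes `{{ item }}` with spaces, L36-37 use `{{item}}`.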
{% for domain in dkim_domains %}
{% set selector = domain.selector|default(ansible_nodename) %}
{{ selector }}._domainkey.{{ domain.name }} {{ domain.name }}:{{ selector }}:/etc/dkimkeys/{{ selector }}.private
{% endfor %}
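Review bot: Every domain that omits `selector` falls back to `ansible_nodename` (L40) and therefore resolves to the same private key file `/etc/dkimkeys/{{ selector }}.private` on L41, so such domains share one signing key and each of them must publish that key's public part under its own `<nodename>._domainkey` record. If sharing the host key across domains is intended, say so in the template, e.g. `{# domains without an explicit selector share this host's key #}`; if not, the default should be derived per domain. Nothing in this commit generates or deploys the `.private` files, which is presumably the "work in progress" part and could be noted in the same comment.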
# Log to syslog
Syslog yes
Background no
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
KeyTable file:/etc/opendkim/key_table
SigningTable file:/etc/opendkim/signing_table
ExternalIgnoreList file:/etc/opendkim/trusted_hosts
InternalHosts file:/etc/opendkim/trusted_hosts
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization {{ dkim_canonicalization }}
Mode {{ dkim_mode }}
SubDomains {{ dkim_subdomains }}
Socket local:/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
TemporaryDirectory {{ dkim_temp_dir}}
BaseDirectory {{ dkim_base_dir }}
MustBeSigned {{ dkim_must_be_signed }}
On-BadSignature {{ dkim_on_bad_signature }}
QueryCache {{ dkim_query_cache }}
RemoveOldSignatures {{ dkim_remove_old_signatures }}
ReportAddress {{ dkim_report_address }}
SendReports {{ dkim_send_reports }}
SoftwareHeader {{ dkim_software_headers }}
SignatureTTL {{ dkim_signature_ttl }}
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders {{ dkim_oversign_headers }}
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
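Review bot: The comment on L49-50 is stale Debian boilerplate — it describes a single key at `/etc/dkimkeys/dkim.key` with selector `2007`, while the file actually uses `KeyTable`/`SigningTable` lookups (L51-52); replace it with a comment describing the two tables and where they are templated from, and drop "the commented-out versions show the defaults" on L55 since no commented-out defaults follow. `{{ dkim_temp_dir}}` on L61 still renders but is missing the closing space the other placeholders have, and L73 has "pacakge" for "package". The socket on L59 is hardcoded to `local:/var/run/opendkim/opendkim.sock` even though the directory is otherwise variable-driven; if the MTA on these hosts is a chrooted Postfix as the L47 comment hints, a socket outside the chroot is not reachable from it, so this path is worth making a variable with a comment noting the chroot constraint — hedged, since the MTA integration is not part of this commit.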
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
[Install]
WantedBy=multi-user.target
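Review bot: No task in this commit installs this unit file, and it is not clear why a custom unit is shipped instead of the package's own; a leading comment such as `# replaces the packaged unit so PIDFile matches PidFile in opendkim.conf` would record the reason. `PIDFile=/var/run/opendkim/opendkim.pid` (L108) and the socket configured in opendkim.conf both live under `/var/run/opendkim`, which is on a tmpfs, yet nothing visible creates that directory at boot, so the daemon may fail to start after a reboot unless the package provides a tmpfiles.d entry — inferred, please confirm. If it does not, an `ExecStartPre=` that creates the directory owned by the `opendkim` user (the daemon drops to that user itself via `UserID`, so `User=` is not set here) or a tmpfiles.d fragment deployed by the role would close that gap.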
{% for domain in dkim_domains %}
{% set selector = domain.selector|default(ansible_nodename) %}
{{ domain.name }} {{ selector }}._domainkey.{{ domain.name }}
{% endfor %}
127.0.0.1
::1
localhost
{{ ansible_all_ipv4_addresses | join("\n") }}
{{ ansible_all_ipv6_addresses | join("\n") }}
{{ ansible_fqdn }}
{% for domain in dkim_domains %}
{{ domain.name }}
{% endfor %}
{% for host in groups["all"] %}
{{ hostvars[host]["ansible_fqdn"] }}
{% endfor %}
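Review bot: This file is referenced as both `InternalHosts` and `ExternalIgnoreList` in opendkim.conf (L53-54), so every entry here is allowed to submit mail that gets signed with the domain key and is exempt from verification; L128-130 extend that trust to the FQDN of every host in `groups["all"]`, not just the mail relays, which is a much wider signing trust boundary than the file name suggests. Consider driving those lines from an explicit list or a dedicated inventory group (a variable named along the lines of `dkim_trusted_hosts` — constructed name) and stating the intent in a template comment, e.g. `{# hosts listed here may submit mail that is signed without verification #}`. `hostvars[host]["ansible_fqdn"]` on L129 is also undefined for any inventory host whose facts were not gathered in this run, which makes the render fail on the whole play; hedged, but a `| default(host)` or a fact-gathering prerequisite documented in the role README would make it robust.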