Commit b860cf60 authored by Hinrikus Wolf's avatar Hinrikus Wolf Committed by Lars Beckers

add basic config for opendkim (work in progress)

parent 2475e025
---
dkim_canonicalization: "simple"
dkim_mode: "sv"
dkim_subdomains: "no"
dkim_temp_dir: "/var/run/opendkim"
dkim_base_dir: "/var/run/opendkim"
dkim_must_be_signed: "From"
dkim_on_bad_signature: "accept" # TODO: evaluate after test phase
dkim_query_cache: "yes"
dkim_remove_old_signatures: "no" # TODO: evaluate for RWTH Servers
dkim_report_address: "{{ dovecot_admin_mail }}"
dkim_send_reports: "no" # TODO: evaluate after test phase
dkim_software_headers: "yes"
dkim_signature_ttl: 0
dkim_oversign_headers: "From"
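Review bot: The quoted `"yes"`/`"no"` values (dkim_subdomains, dkim_query_cache, dkim_remove_old_signatures, dkim_send_reports, dkim_software_headers) are quoted on purpose because they are copied verbatim into opendkim.conf, but nothing in the file says so, and a later "cleanup" to YAML `true`/`false` would render as `True`/`False` in the template, which opendkim.conf may not accept. A header comment such as `# yes/no values are quoted deliberately: they are rendered verbatim into opendkim.conf` would prevent that. `dkim_report_address` also depends on `dovecot_admin_mail`, a variable from another role, so the render presumably fails where that role's defaults are not loaded — worth a note or a `| default(...)` guard.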
---
- name: ensure opendkim is installed
apt:
name:
- opendkim
- opendkim-tools
state: present
- name: ensure opendkim config is present
template:
src: opendkim.conf.j2
dest: /etc/opendkim.conf
mode: "0640"
- name: ensure domain files are present
template:
src: "{{item}}.j2"
dest: "/etc/opendkim/{{item}}"
with_items:
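Review bot: Neither template task notifies a handler, so a changed opendkim.conf or table file is written to disk but the running milter keeps its old configuration until something else restarts it; add `notify: restart opendkim` (plus the matching handler) to both template tasks. The domain-file task also sets no `mode`, unlike the config task's `"0640"`, and nothing on this page ensures `/etc/opendkim` exists before the template writes into it — an explicit `file:` task with `state: directory` would make that dependency visible. The `with_items:` value is empty as rendered here; if the list is genuinely absent in the file, Ansible will fail the task rather than iterate over nothing.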
{% for domain in dkim_domains %}
{% set selector = domain.selector|default(ansible_nodename) %}
{{ selector }}._domainkey.{{ domain.name }} {{ domain.name }}:{{ selector }}:/etc/dkimkeys/{{ selector }}.private
{% endfor %}
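Review bot: The private-key path `/etc/dkimkeys/{{ selector }}.private` is built from the selector alone, and the selector defaults to `ansible_nodename` for every domain, so all domains without an explicit selector resolve to the same key file. If sharing one key pair across domains is intended, a comment in the template should say so; otherwise include the domain in the path, e.g. `/etc/dkimkeys/{{ domain.name }}/{{ selector }}.private`. No task on this page creates or copies the key files, so the key table references material the role does not yet manage (consistent with the commit being marked work in progress).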
# Log to syslog
Syslog yes
Background no
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
KeyTable file:/etc/opendkim/key_table
SigningTable file:/etc/opendkim/signing_table
ExternalIgnoreList file:/etc/opendkim/trusted_hosts
InternalHosts file:/etc/opendkim/trusted_hosts
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization {{ dkim_canonicalization }}
Mode {{ dkim_mode }}
SubDomains {{ dkim_subdomains }}
Socket local:/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/opendkim.pid
TemporaryDirectory {{ dkim_temp_dir}}
BaseDirectory {{ dkim_base_dir }}
MustBeSigned {{ dkim_must_be_signed }}
On-BadSignature {{ dkim_on_bad_signature }}
QueryCache {{ dkim_query_cache }}
RemoveOldSignatures {{ dkim_remove_old_signatures }}
ReportAddress {{ dkim_report_address }}
SendReports {{ dkim_send_reports }}
SoftwareHeader {{ dkim_software_headers }}
SignatureTTL {{ dkim_signature_ttl }}
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders {{ dkim_oversign_headers }}
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
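Review bot: The comments `# Sign for example.com with key in /etc/dkimkeys/dkim.key using` / `# selector '2007' ...` and `# Commonly-used options; the commented-out versions show the defaults.` describe the Debian sample config rather than this template, which signs via KeyTable/SigningTable and contains no commented-out defaults; they should be dropped or rewritten to describe the table files. `Socket` and `PidFile` are hard-coded under `/var/run/opendkim` while `TemporaryDirectory` and `BaseDirectory` take the same path from `dkim_temp_dir`/`dkim_base_dir`, so the four settings silently diverge as soon as either variable is overridden — deriving the socket and pid paths from the same variable keeps them consistent. `{{ dkim_temp_dir}}` is missing the closing space every other expression has. `TrustAnchorFile /usr/share/dns/root.key` relies on a file the apt task does not install explicitly (on Debian it is shipped by dns-root-data); confirm it is pulled in, since the DNSSEC-validated lookups depend on it.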
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
[Install]
WantedBy=multi-user.target
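Review bot: `PIDFile=/var/run/opendkim/opendkim.pid` points into a runtime directory that nothing in this commit creates, and `/run` is a tmpfs, so unless the Debian package's tmpfiles snippet is being relied on the directory is absent after a reboot; adding `RuntimeDirectory=opendkim` under `[Service]` makes the unit self-sufficient. The unit also duplicates the pid and runtime paths that the config template takes from `dkim_temp_dir`/`dkim_base_dir`, so it should either be templated from the same variables or carry a comment that the two must be kept in sync. No task on this page installs this unit file, so its deployment presumably comes in a later commit.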
{% for domain in dkim_domains %}
{% set selector = domain.selector|default(ansible_nodename) %}
{{ domain.name }} {{ selector }}._domainkey.{{ domain.name }}
{% endfor %}
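Review bot: The `selector|default(ansible_nodename)` expression is repeated here and in key_table.j2, and the two tables must agree exactly for a signing-table entry to resolve to a key-table key, so a change to one default silently breaks signing; a comment `{# selector must match key_table.j2 — keep both defaults in sync #}` at the top of each file would make the coupling visible. With the table declared as `file:` rather than `refile:` in opendkim.conf, the left column is matched literally against the sender rather than as a pattern; if mail from subdomains should be signed as well, confirm the matching rules in opendkim.conf(5) before relying on it.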
127.0.0.1
::1
localhost
{{ ansible_all_ipv4_addresses | join("\n") }}
{{ ansible_all_ipv6_addresses | join("\n") }}
{{ ansible_fqdn }}
{% for domain in dkim_domains %}
{{ domain.name }}
{% endfor %}
{% for host in groups["all"] %}
{{ hostvars[host]["ansible_fqdn"] }}
{% endfor %}
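Review bot: This file serves as both `InternalHosts` and `ExternalIgnoreList` in opendkim.conf, so every host listed here has its outgoing mail signed instead of verified — and the last loop lists the FQDN of every host in `groups["all"]`, which makes the entire inventory a signing-trusted source rather than only the mail hosts; a dedicated inventory group, or a variable such as `dkim_trusted_hosts`, would keep that trust boundary explicit and reviewable. The `{{ domain.name }}` entries match only a host named exactly like the domain; OpenDKIM treats a domain and its subdomains as internal only with a leading dot (`.{{ domain.name }}`), so confirm which is intended. `hostvars[host]["ansible_fqdn"]` raises an undefined-variable error for any inventory host whose facts were not gathered in this run or cache, so guard the line with `{% if hostvars[host].ansible_fqdn is defined %}`.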