From b860cf603e1bbda1db0c4256c006bc085f50a788 Mon Sep 17 00:00:00 2001
From: Hinrikus Wolf <mail@hinrikus-wolf.de>
Date: Sun, 21 Jul 2019 11:16:14 +0200
Subject: [PATCH] add basic config for opendkim (work in progress)

---
 dkim/defaults/main.yml          | 20 +++++++++
 dkim/tasks/main.yml             | 22 ++++++++++
 dkim/templates/dns_records.j2   |  1 +
 dkim/templates/key_table.j2     |  4 ++
 dkim/templates/opendkim.conf.j2 | 77 +++++++++++++++++++++++++++++++++
 dkim/templates/opendkim.service | 15 +++++++
 dkim/templates/signing_table.j2 |  4 ++
 dkim/templates/trusted_hosts.j2 | 12 +++++
 8 files changed, 155 insertions(+)
 create mode 100644 dkim/defaults/main.yml
 create mode 100644 dkim/tasks/main.yml
 create mode 100644 dkim/templates/dns_records.j2
 create mode 100644 dkim/templates/key_table.j2
 create mode 100644 dkim/templates/opendkim.conf.j2
 create mode 100644 dkim/templates/opendkim.service
 create mode 100644 dkim/templates/signing_table.j2
 create mode 100644 dkim/templates/trusted_hosts.j2

diff --git a/dkim/defaults/main.yml b/dkim/defaults/main.yml
new file mode 100644
index 0000000..518de5e
--- /dev/null
+++ b/dkim/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+
+dkim_canonicalization: "simple"
+dkim_mode: "sv"
+dkim_subdomains: "no"
+dkim_temp_dir: "/var/run/opendkim"
+dkim_base_dir: "/var/run/opendkim"
+
+dkim_must_be_signed: "From"
+dkim_on_bad_signature: "accept"  # TODO: evaluate after test phase
+
+dkim_query_cache: "yes"
+dkim_remove_old_signatures: "no"  # TODO: evaluate for RWTH Servers
+dkim_report_address: "{{ dovecot_admin_mail }}"
+dkim_send_reports: "no"  # TODO: evaluate after test phase
+dkim_software_headers: "yes" 
+
+dkim_signature_ttl: 0
+
+dkim_oversign_headers: "From"
diff --git a/dkim/tasks/main.yml b/dkim/tasks/main.yml
new file mode 100644
index 0000000..4a5f6c2
--- /dev/null
+++ b/dkim/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+- name: ensure opendkim is installed
+  apt:
+    name:
+      - opendkim
+      - opendkim-tools
+    state: present
+  
+
+- name: ensure opendkim config is present
+  template:
+    src: opendkim.conf.j2
+    dest: /etc/opendkim.conf
+    mode: "0640"
+
+- name: ensure domain files are present
+  template:
+    src: "{{item}}.j2"
+    dest: "/etc/opendkim/{{item}}"
+    with_items: 
+    
diff --git a/dkim/templates/dns_records.j2 b/dkim/templates/dns_records.j2
new file mode 100644
index 0000000..8d1c8b6
--- /dev/null
+++ b/dkim/templates/dns_records.j2
@@ -0,0 +1 @@
+ 
diff --git a/dkim/templates/key_table.j2 b/dkim/templates/key_table.j2
new file mode 100644
index 0000000..3c8b4ad
--- /dev/null
+++ b/dkim/templates/key_table.j2
@@ -0,0 +1,4 @@
+{% for domain in dkim_domains %}
+{% set selector = domain.selector|default(ansible_nodename) %}
+{{ selector }}._domainkey.{{ domain.name }}  {{ domain.name }}:{{ selector }}:/etc/dkimkeys/{{ selector }}.private
+{% endfor %}
diff --git a/dkim/templates/opendkim.conf.j2 b/dkim/templates/opendkim.conf.j2
new file mode 100644
index 0000000..aed3eda
--- /dev/null
+++ b/dkim/templates/opendkim.conf.j2
@@ -0,0 +1,77 @@
+# Log to syslog
+Syslog			yes
+Background      no
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+
+KeyTable file:/etc/opendkim/key_table
+SigningTable file:/etc/opendkim/signing_table
+ExternalIgnoreList file:/etc/opendkim/trusted_hosts
+InternalHosts file:/etc/opendkim/trusted_hosts
+
+
+# Commonly-used options; the commented-out versions show the defaults.
+
+Canonicalization	{{ dkim_canonicalization }}
+Mode			{{ dkim_mode }}
+SubDomains		{{ dkim_subdomains }}
+
+Socket			local:/var/run/opendkim/opendkim.sock
+PidFile               /var/run/opendkim/opendkim.pid
+
+TemporaryDirectory {{ dkim_temp_dir}}
+BaseDirectory {{ dkim_base_dir }}
+
+MustBeSigned {{ dkim_must_be_signed }}
+
+On-BadSignature {{ dkim_on_bad_signature }}
+
+QueryCache {{ dkim_query_cache }}
+RemoveOldSignatures {{ dkim_remove_old_signatures }}
+ReportAddress {{ dkim_report_address }}
+SendReports {{ dkim_send_reports }}
+SoftwareHeader {{ dkim_software_headers }}
+
+SignatureTTL {{ dkim_signature_ttl }}
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		{{ dkim_oversign_headers }}
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
diff --git a/dkim/templates/opendkim.service b/dkim/templates/opendkim.service
new file mode 100644
index 0000000..179b26f
--- /dev/null
+++ b/dkim/templates/opendkim.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
+Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
+After=network.target nss-lookup.target 
+
+[Service]
+Type=forking
+PIDFile=/var/run/opendkim/opendkim.pid
+UMask=0007
+ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
+Restart=on-failure
+ExecReload=/bin/kill -USR1 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dkim/templates/signing_table.j2 b/dkim/templates/signing_table.j2
new file mode 100644
index 0000000..0a579eb
--- /dev/null
+++ b/dkim/templates/signing_table.j2
@@ -0,0 +1,4 @@
+{% for domain in dkim_domains %}
+{% set selector = domain.selector|default(ansible_nodename) %}
+{{ domain.name }} {{ selector }}._domainkey.{{ domain.name }}
+{% endfor %}
diff --git a/dkim/templates/trusted_hosts.j2 b/dkim/templates/trusted_hosts.j2
new file mode 100644
index 0000000..caaba14
--- /dev/null
+++ b/dkim/templates/trusted_hosts.j2
@@ -0,0 +1,12 @@
+127.0.0.1
+::1
+localhost
+{{ ansible_all_ipv4_addresses | join("\n") }}
+{{ ansible_all_ipv6_addresses | join("\n") }}
+{{ ansible_fqdn }}
+{% for domain in dkim_domains %}
+{{ domain.name }}
+{% endfor %}
+{% for host in groups["all"] %}
+{{ hostvars[host]["ansible_fqdn"] }}
+{% endfor %}
-- 
GitLab