diff --git a/roles/global-handlers/handlers/main.yml b/roles/global-handlers/handlers/main.yml
index c83c0e9..8e3cd87 100644
--- a/roles/global-handlers/handlers/main.yml
+++ b/roles/global-handlers/handlers/main.yml
@@ -40,6 +40,11 @@
name: ldap
state: restarted
+- name: restart opendkim
+ systemd:
+ name: opendkim
+ state: restarted
+
- name: restart slapd
systemd:
name: slapd-custom
diff --git a/roles/mail/files/opendkim/key.table b/roles/mail/files/opendkim/key.table
new file mode 100644
index 0000000..ebf3730
--- /dev/null
+++ b/roles/mail/files/opendkim/key.table
@@ -0,0 +1 @@
+atlantishq atlantishq.de:default:/etc/opendkim/keys/atlantishq.de/default.private
diff --git a/roles/mail/files/opendkim/opendkim.conf b/roles/mail/files/opendkim/opendkim.conf
new file mode 100644
index 0000000..eeb53e5
--- /dev/null
+++ b/roles/mail/files/opendkim/opendkim.conf
@@ -0,0 +1,86 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+Socket inet:8892@localhost
+#Socket local:/var/run/opendkim/opendkim.sock
+#Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
+ExternalIgnoreList /etc/opendkim/trusted.hosts
+InternalHosts /etc/opendkim/trusted.hosts
+
+SigningTable refile:/etc/opendkim/signing.table
+KeyTable /etc/opendkim/key.table
diff --git a/roles/mail/files/opendkim/signing.table b/roles/mail/files/opendkim/signing.table
new file mode 100644
index 0000000..9467817
--- /dev/null
+++ b/roles/mail/files/opendkim/signing.table
@@ -0,0 +1,3 @@
+*@atlantishq.de atlantishq
+*@lantia-it.de atlantishq
+*@esports-erlangen.de atlantishq
diff --git a/roles/mail/files/opendkim/trusted.hosts b/roles/mail/files/opendkim/trusted.hosts
new file mode 100644
index 0000000..c41ec31
--- /dev/null
+++ b/roles/mail/files/opendkim/trusted.hosts
@@ -0,0 +1,4 @@
+127.0.0.1
+localhost
+atlantishq.de
+192.168.122.112
diff --git a/roles/mail/files/policy-spf/policyd-spf.conf b/roles/mail/files/policy-spf/policyd-spf.conf
new file mode 100644
index 0000000..90f0b52
--- /dev/null
+++ b/roles/mail/files/policy-spf/policyd-spf.conf
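Review bot: Canonicalization is left at the default shown by the commented `#Canonicalization simple` line, so signatures cover the exact header bytes and break whenever a forwarder or mailing list re-folds or re-spaces a header; set `Canonicalization relaxed/simple` next to `OversignHeaders From` so the signatures survive ordinary transit. The file also keeps the default RequireSafeKeys behaviour, which means the private key named in key.table must be owned by the `opendkim` user and not group/world readable or signing is refused at startup — nothing in this diff creates or deploys that file, so that has to be guaranteed elsewhere. `TrustAnchorFile /usr/share/dns/root.key` is provided by the dns-root-data package, which is not in the role's package list; presumably it arrives as a dependency of opendkim, but verify, since a missing anchor file is a startup error. Because InternalHosts and ExternalIgnoreList both read trusted.hosts, every entry there gets its mail signed with no authentication — expected for loopback, worth a comment for the 192.168.122.112 entry.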
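Review bot: All three signing.table entries select the single key `atlantishq`, which key.table binds to domain atlantishq.de, so mail from lantia-it.de and esports-erlangen.de will be signed with `d=atlantishq.de`; DMARC (the "dmark" the task names refer to) only counts DKIM as aligned when d= matches the From: domain, so those two domains get no DKIM alignment and fall back to SPF alone. Give each domain its own key.table line, e.g. `lantia-it lantia-it.de:default:/etc/opendkim/keys/atlantishq.de/default.private`, and point the signing entry at it, `*@lantia-it.de lantia-it`; the same private key file can be shared, but the matching public key must then be published at `default._domainkey.<domain>` for every domain. Using a dated selector instead of `default` would also make later key rotation possible without a flag day.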
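Review bot: The list covers `127.0.0.1` and `localhost` but not `::1`, even though the SPF policy's skip_addresses in this same commit does include it; if Postfix presents a connection from the IPv6 loopback (submission clients or local daemons bound to ::1), OpenDKIM treats it as external and verifies instead of signing, and that outbound mail leaves unsigned. Add `::1` directly after `127.0.0.1`. Because this file feeds both InternalHosts and ExternalIgnoreList, `192.168.122.112` is trusted to submit mail that is signed as the listed domains without any authentication, which is only safe if untrusted senders cannot reach that host — it looks like a VM on the libvirt default network, but the file should say what it is, e.g. `# 192.168.122.112: <vm name>, relays via this host; signed without auth`.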
@@ -0,0 +1,16 @@
+# For a fully commented sample config file see policyd-spf.conf.commented
+
+debugLevel = 1
+TestOnly = 1
+
+#HELO_reject = Fail
+#Mail_From_reject = Fail
+
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.122.112
+
diff --git a/roles/mail/tasks/main.yaml b/roles/mail/tasks/main.yaml
index fb0350a..a582802 100644
--- a/roles/mail/tasks/main.yaml
+++ b/roles/mail/tasks/main.yaml
@@ -6,6 +6,9 @@
- dovecot-imapd
- spamassassin
- nginx
+ - postfix-policyd-spf-python
+ - opendkim
+ - opendkim-tools
state: present
- name: Deploy Postfix config
@@ -25,6 +28,37 @@
- header_checks
notify: restart postfix
+- name: Deploy dmark/opendkim config (main)
+ copy:
+ src: "opendkim/opendkim.conf"
+ dest: "/etc/opendkim.conf"
+ notify: restart opendkim
+
+- name: Deploy dmark/opendkim config (config dir)
+ copy:
+ src: "opendkim/{{ item }}"
+ dest: "/etc/opendkim/"
+ with_items:
+ - key.table
+ - signing.table
+ - trusted.hosts
+ notify: restart opendkim
+
+- name: Deploy policy spf config
+ copy:
+ src: "policy-spf/policyd-spf.conf"
+ dest: "/etc/postfix-policyd-spf-python/"
+ notify: restart postfix
+
+- name: Deploy dmark/opendkim config (config dir)
+ copy:
+ src: "opendkim/{{ item }}"
+ dest: "/etc/opendkim/"
+ with_items:
+ - key.table
+ - signing.table
+ notify: restart postfix
+
- name: Deploy Dovecot config
copy:
src: "{{ item }}"
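Review bot: `TestOnly = 1` puts policyd-spf in log-only mode, where it evaluates SPF but answers DUNNO for every message, so the `HELO_reject = False`, `Mail_From_reject = False`, `PermError_reject` and `TempError_Defer` lines below it have no effect and SPF enforces nothing at all. That is a sensible first rollout stage, but it should be stated so nobody mistakes this for a hardened config: add `# TestOnly=1: evaluate and log only, never reject; set TestOnly = 0 and HELO_reject/Mail_From_reject = Fail once the logs look clean` above it, which also matches the intent of the commented `#HELO_reject = Fail` pair. If the installed policyd-spf version supports it, `Header_Type = AR` would record the result in an Authentication-Results header that DMARC evaluation can consume rather than a bare Received-SPF header.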
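Review bot: The last added task, the second "Deploy dmark/opendkim config (config dir)", copies key.table and signing.table to the same destination the earlier task already populated and notifies `restart postfix` instead of `restart opendkim`; it is a leftover that only buys a spurious Postfix restart on first run, so delete the whole block (and rename the survivors `dmarc`, not `dmark`). More importantly, key.table points at /etc/opendkim/keys/atlantishq.de/default.private, but nothing in this diff creates that directory or key, and OpenDKIM's default RequireSafeKeys rejects a key that is not owned by `opendkim` with restrictive permissions — unless the key is provisioned by another role, add the tasks below (or a vaulted `copy` with the same owner/mode) and publish the generated `default.txt` record in DNS. Whether Postfix is actually wired to the milter on `inet:localhost:8892` and to the policy service is not visible in this hunk; presumably it lives in the Postfix config files copied above, but worth confirming.
```yaml
# … unchanged: package install, opendkim.conf and table deployment (first task only) …
- name: Create OpenDKIM key directory
  file:
    path: /etc/opendkim/keys/atlantishq.de
    state: directory
    owner: opendkim
    group: opendkim
    mode: "0700"

- name: Generate DKIM signing key (only if absent)
  command: opendkim-genkey -D /etc/opendkim/keys/atlantishq.de -d atlantishq.de -s default
  args:
    creates: /etc/opendkim/keys/atlantishq.de/default.private
  notify: restart opendkim

- name: Restrict private key permissions
  file:
    path: /etc/opendkim/keys/atlantishq.de/default.private
    owner: opendkim
    group: opendkim
    mode: "0600"
# … unchanged: policyd-spf deployment, Dovecot config …
```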