add: opendkim/spf configuration

roles/global-handlers/handlers/main.yml

@@ -40,6 +40,11 @@
     name: ldap
     state: restarted
 
+- name: restart opendkim
+  systemd:
+    name: opendkim
+    state: restarted
+
 - name: restart slapd
   systemd:
     name: slapd-custom

roles/mail/files/opendkim/key.table

@@ -0,0 +1 @@
+atlantishq atlantishq.de:default:/etc/opendkim/keys/atlantishq.de/default.private

roles/mail/files/opendkim/opendkim.conf

@@ -0,0 +1,86 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog			yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain			example.com
+#KeyFile		/etc/dkimkeys/dkim.key
+#Selector		2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization	simple
+#Mode			sv
+#SubDomains		no
+
+# Socket smtp://localhost
+#
+# ##  Socket socketspec
+# ##
+# ##  Names the socket where this filter should listen for milter connections
+# ##  from the MTA.  Required.  Should be in one of these forms:
+# ##
+# ##  inet:port@address           to listen on a specific interface
+# ##  inet:port                   to listen on all interfaces
+# ##  local:/path/to/socket       to listen on a UNIX domain socket
+#
+Socket                  inet:8892@localhost
+#Socket			local:/var/run/opendkim/opendkim.sock
+#Socket 	local:/var/spool/postfix/opendkim/opendkim.sock
+
+##  PidFile filename
+###      default (none)
+###
+###  Name of the file where the filter should write its pid before beginning
+###  normal operations.
+#
+PidFile               /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		From
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
+ExternalIgnoreList  /etc/opendkim/trusted.hosts
+InternalHosts       /etc/opendkim/trusted.hosts
+
+SigningTable            refile:/etc/opendkim/signing.table
+KeyTable                /etc/opendkim/key.table

roles/mail/files/opendkim/signing.table

@@ -0,0 +1,3 @@
+*@atlantishq.de atlantishq
+*@lantia-it.de atlantishq
+*@esports-erlangen.de atlantishq

roles/mail/files/opendkim/trusted.hosts

@@ -0,0 +1,4 @@
+127.0.0.1
+localhost
+atlantishq.de
+192.168.122.112

roles/mail/files/policy-spf/policyd-spf.conf

@@ -0,0 +1,16 @@
+#  For a fully commented sample config file see policyd-spf.conf.commented
+
+debugLevel = 1 
+TestOnly = 1
+
+#HELO_reject = Fail
+#Mail_From_reject = Fail
+
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.122.112
+

roles/mail/tasks/main.yaml

@@ -6,6 +6,9 @@
       - dovecot-imapd
       - spamassassin
       - nginx
+      - postfix-policyd-spf-python
+      - opendkim
+      - opendkim-tools
     state: present
 
 - name: Deploy Postfix config
@@ -25,6 +28,37 @@
     - header_checks
   notify: restart postfix
 
+- name: Deploy dmark/opendkim config (main)
+  copy:
+    src: "opendkim/opendkim.conf"
+    dest: "/etc/opendkim.conf"
+  notify: restart opendkim
+
+- name: Deploy dmark/opendkim config (config dir)
+  copy:
+    src: "opendkim/{{ item }}"
+    dest: "/etc/opendkim/"
+  with_items:
+    - key.table
+    - signing.table
+    - trusted.hosts
+  notify: restart opendkim
+
+- name: Deploy policy spf config
+  copy:
+    src: "policy-spf/policyd-spf.conf"
+    dest: "/etc/postfix-policyd-spf-python/"
+  notify: restart postfix
+
+- name: Deploy dmark/opendkim config (config dir)
+  copy:
+    src: "opendkim/{{ item }}"
+    dest: "/etc/opendkim/"
+  with_items:
+    - key.table
+    - signing.table
+  notify: restart postfix
+
 - name: Deploy Dovecot config
   copy:
     src: "{{ item }}"