properly set up opendkim
authorRalf Jung <post@ralfj.de>
Sun, 8 Apr 2018 09:58:45 +0000 (11:58 +0200)
committerRalf Jung <post@ralfj.de>
Sun, 8 Apr 2018 09:58:45 +0000 (11:58 +0200)
14 files changed:
ansible.cfg
roles/journalwatch/tasks/journalwatch.yml [new file with mode: 0644]
roles/journalwatch/tasks/main.yml
roles/postfix/defaults/main.yml [new file with mode: 0644]
roles/postfix/handlers/main.yml [new file with mode: 0644]
roles/postfix/tasks/main.yml
roles/postfix/tasks/opendkim.yml [new file with mode: 0644]
roles/postfix/tasks/postfix.yml [new file with mode: 0644]
roles/postfix/templates/KeyTable [new file with mode: 0644]
roles/postfix/templates/SigningTable [new file with mode: 0644]
roles/postfix/templates/main.cf
roles/postfix/templates/opendkim.conf [new file with mode: 0644]
roles/postfix/templates/opendkim.env [new file with mode: 0644]
site.yml [moved from all.yml with 100% similarity]

index 64ab4cf..d6bbf37 100644 (file)
@@ -1,6 +1,7 @@
 [defaults]
 inventory = hosts
 stdout_callback = debug
+hash_behaviour = merge
 
 [diff]
 always = True
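Review bot: `hash_behaviour = merge` is a global switch that Ansible's own documentation recommends against, and it changes how every dict variable in the inventory is combined, not only `postfix`. It appears to be needed here because roles/postfix/defaults/main.yml nests `paths.dh2048` under the `postfix` dict, so a host that supplies `postfix.opendkim` would otherwise replace the defaults wholesale and lose `postfix.paths.dh2048`. A flat default such as `postfix_dh2048_path: /etc/ssl/dh2048.pem` referenced from tasks/main.yml and templates/main.cf would keep the merge local to the role. If the setting stays, a comment above it naming that reason, `# needed so host vars extend the postfix dict from roles/postfix/defaults`, would save the next reader the hunt.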
diff --git a/roles/journalwatch/tasks/journalwatch.yml b/roles/journalwatch/tasks/journalwatch.yml
new file mode 100644 (file)
index 0000000..c9a5375
--- /dev/null
@@ -0,0 +1,23 @@
+- name: install journalwatch dependencies
+  apt: name=python3-systemd state=latest
+- name: install journalwatch
+  git:
+    dest: /root/journalwatch
+    repo: 'https://github.com/The-Compiler/journalwatch.git'
+    version: b62f223bc36eabc193cfcf0d309d284da4f66463
+- name: create journalwatch config dir
+  file: path=/root/.config/journalwatch state=directory
+- name: install journalwatch config files
+  template:
+    src: templates/{{item}}
+    dest: /root/.config/journalwatch/{{item}}
+  loop:
+  - config
+  - patterns
+- name: delete old journalwatch crontab entry
+  file: path=/etc/cron.d/journalwatch state=absent
+- name: create journalwatch crontab entry
+  cron:
+    name: "journalwatch"
+    minute: "*/10"
+    job: "/root/journalwatch/journalwatch.py mail"
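Review bot: `apt: name=python3-systemd state=latest` on the second line upgrades the package whenever a newer one is available, so a routine playbook run can pull in a package upgrade unrelated to the change being applied; `state=present` is the idempotent form. The same applies to the apt tasks in roles/postfix/tasks/opendkim.yml and roles/postfix/tasks/postfix.yml. Pinning the checkout to a fixed commit via `version:` is the right call for a script that cron runs as root.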
index 3a7afcb..5621a8f 100644 (file)
@@ -1,23 +1,2 @@
-- name: install journalwatch dependencies
-  apt: name=python3-systemd state=latest
-- name: install journalwatch
-  git:
-    dest: /root/journalwatch
-    repo: 'https://github.com/The-Compiler/journalwatch.git'
-    version: b62f223bc36eabc193cfcf0d309d284da4f66463
-- name: create journalwatch config dir
-  file: path=/root/.config/journalwatch state=directory
-- name: install journalwatch config files
-  template:
-    src: templates/{{item}}
-    dest: /root/.config/journalwatch/{{item}}
-  with_items:
-  - config
-  - patterns
-- name: delete old journalwatch crontab entry
-  file: path=/etc/cron.d/journalwatch state=absent
-- name: create journalwatch crontab entry
-  cron:
-    name: "journalwatch"
-    minute: "*/10"
-    job: "/root/journalwatch/journalwatch.py mail"
+- import_tasks: journalwatch.yml
+  tags: journalwatch
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
new file mode 100644 (file)
index 0000000..b05f8de
--- /dev/null
@@ -0,0 +1,3 @@
+postfix:
+  paths:
+    dh2048: /etc/ssl/dh2048.pem
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644 (file)
index 0000000..d0865b9
--- /dev/null
@@ -0,0 +1,4 @@
+- name: opendkim
+  service: name=opendkim state=restarted enabled=yes
+- name: postfix
+  service: name=postfix state=restarted enabled=yes
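Review bot: Both handlers use the free-form `key=value` shorthand (`service: name=opendkim state=restarted enabled=yes`) while the template, git and cron tasks in the same commit use block YAML for module arguments; block form is the one ansible-lint prefers, and it lets the boolean be written as `true` instead of the YAML-1.1 `yes`. The `enabled=yes` here also duplicates the separate `enable opendkim` and `enable postfix` tasks in opendkim.yml and postfix.yml, so the same setting lives in two places. Written out: `service:` / `  name: opendkim` / `  state: restarted`.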
index 3343f33..f71486e 100644 (file)
@@ -1,44 +1,11 @@
-- name: install postfix
-  apt: name=postfix,bsd-mailx state=latest
-- name: install postfix-mysql
-  apt: name=postfix-mysql state=latest
-  when: postfix.vmail_mysql_password is defined
-- name: install postfix config
-  register: postfix_config
-  template:
-    dest: /etc/postfix/{{ item }}
-    src: templates/{{ item }}
-  with_items:
-  - main.cf
-  - master.cf
-- name: install postfix mysql config
-  register: postfix_mysql
-  template:
-    dest: /etc/postfix/{{ item }}
-    src: templates/{{ item }}
-    mode: u=rw,g=r,o=
-    group: postfix
-  with_items:
-  - mysql_vmail_aliases.cf
-  - mysql_vmail_senders.cf
-  - mysql_vmail_users.cf
-  when: postfix.vmail_mysql_password is defined
-- name: create empty maps
-  copy:
-    dest: /etc/postfix/{{ item }}
-    content: ""
-    force: no
-  with_items:
-  - virtual_alias_map
-  - transport_map
-  when: postfix.virtual_mailbox_domains is defined
-- name: reload postfix
-  service: name=postfix state=restarted enabled=yes
-  when: postfix_config.changed or postfix_mysql.changed
-- name: delete old local-mail cronjob
-  file: path=/etc/cron.daily/local-mail state=absent
-- name: install check-for-local-mail cronjob
-  copy:
-    dest: /etc/cron.daily/check-for-local-mail
-    src: files/check-for-local-mail
-    mode: u=rwx,g=rx,o=rx
+# base
+- name: create dh2048 file
+  command: openssl dhparam -out {{ postfix.paths.dh2048 }} 2048
+  args:
+    creates: "{{ postfix.paths.dh2048 }}"
+# daemons
+- import_tasks: opendkim.yml
+  tags: opendkim
+  when: postfix.opendkim is defined
+- import_tasks: postfix.yml
+  tags: postfix
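Review bot: The `create dh2048 file` task carries no tag while the two imports below it are tagged `opendkim` and `postfix`, so a run restricted with `--tags postfix` skips generating the file that templates/main.cf now points `smtpd_tls_dh1024_param_file` at, and a fresh host configured that way ends up with a main.cf referencing a missing parameter file. Adding `tags: postfix` to the task (or `tags: always` if it is meant to run unconditionally) closes that gap. Whether Postfix then refuses TLS or falls back to built-in parameters is not visible from this commit; either way the configured path should exist.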
diff --git a/roles/postfix/tasks/opendkim.yml b/roles/postfix/tasks/opendkim.yml
new file mode 100644 (file)
index 0000000..49543af
--- /dev/null
@@ -0,0 +1,35 @@
+- name: install opendkim
+  apt: name=opendkim,opendkim-tools state=latest
+- name: enable opendkim
+  service: name=opendkim enabled=yes
+# env
+- name: install opendkim env
+  register: opendkim_env
+  template:
+    dest: /etc/default/opendkim
+    src: templates/opendkim.env
+- name: regenerate opendkim service
+  shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload
+  when: opendkim_env.changed
+  notify: opendkim
+# tables
+- name: generate opendkim keys
+  shell: mkdir /etc/opendkim/{{ item }}/ && opendkim-genkey --bits=2048 -s mail -d {{ item }} -D /etc/opendkim/{{ item }}/
+  args:
+    creates: /etc/opendkim/{{ item }}/mail.private
+    warn: False
+  loop: "{{ postfix.opendkim.private_keys }}"
+- name: generate opendkim tables
+  template:
+    dest: /etc/opendkim/{{ item }}
+    src: templates/{{ item }}
+  loop:
+  - KeyTable
+  - SigningTable
+  notify: opendkim
+# config
+- name: install opendkim config
+  template:
+    dest: /etc/opendkim.conf
+    src: templates/opendkim.conf
+  notify: opendkim
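Review bot: The `generate opendkim keys` task is not safely re-runnable: `creates:` only checks for `mail.private`, so if `opendkim-genkey` fails after `mkdir` has already succeeded, every later run dies on `mkdir` (no `-p`) for that domain. It also leaves the key files owned by whatever account Ansible runs as (presumably root), while opendkim.conf sets `UserID opendkim`; unless opendkim-genkey's default file mode lets that user read the key (confirm on a target host), signing fails at runtime because the key is unreadable. Splitting directory creation into a `file` task with explicit owner and mode, running genkey through `command` (which removes the need for `warn: False` and keeps the inventory-supplied domain out of a shell line), and fixing ownership of the generated key afterwards addresses both.

```yaml
- name: create opendkim key directories
  file:
    path: /etc/opendkim/{{ item }}
    state: directory
    owner: opendkim
    group: opendkim
    mode: u=rwx,g=rx,o=
  loop: "{{ postfix.opendkim.private_keys }}"
- name: generate opendkim keys
  command: opendkim-genkey --bits=2048 -s mail -d {{ item }} -D /etc/opendkim/{{ item }}/
  args:
    creates: /etc/opendkim/{{ item }}/mail.private
  loop: "{{ postfix.opendkim.private_keys }}"
- name: restrict opendkim private keys to the opendkim user
  file:
    path: /etc/opendkim/{{ item }}/mail.private
    owner: opendkim
    group: opendkim
    mode: u=rw,g=,o=
  loop: "{{ postfix.opendkim.private_keys }}"
# … unchanged: generate opendkim tables, install opendkim config …
```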
diff --git a/roles/postfix/tasks/postfix.yml b/roles/postfix/tasks/postfix.yml
new file mode 100644 (file)
index 0000000..eac650c
--- /dev/null
@@ -0,0 +1,45 @@
+- name: install postfix
+  apt: name=postfix,bsd-mailx state=latest
+- name: install postfix-mysql
+  apt: name=postfix-mysql state=latest
+  when: postfix.vmail_mysql_password is defined
+- name: enable postfix
+  service: name=postfix enabled=yes
+# config
+- name: install postfix config
+  template:
+    dest: /etc/postfix/{{ item }}
+    src: templates/{{ item }}
+  loop:
+  - main.cf
+  - master.cf
+  notify: postfix
+- name: install postfix mysql config
+  template:
+    dest: /etc/postfix/{{ item }}
+    src: templates/{{ item }}
+    mode: u=rw,g=r,o=
+    group: postfix
+  loop:
+  - mysql_vmail_aliases.cf
+  - mysql_vmail_senders.cf
+  - mysql_vmail_users.cf
+  notify: postfix
+  when: postfix.vmail_mysql_password is defined
+- name: create empty maps
+  copy:
+    dest: /etc/postfix/{{ item }}
+    content: ""
+    force: no
+  loop:
+  - virtual_alias_map
+  - transport_map
+  when: postfix.virtual_mailbox_domains is defined
+# cronjob
+- name: delete old local-mail cronjob
+  file: path=/etc/cron.daily/local-mail state=absent
+- name: install check-for-local-mail cronjob
+  copy:
+    dest: /etc/cron.daily/check-for-local-mail
+    src: files/check-for-local-mail
+    mode: u=rwx,g=rx,o=rx
diff --git a/roles/postfix/templates/KeyTable b/roles/postfix/templates/KeyTable
new file mode 100644 (file)
index 0000000..7e622af
--- /dev/null
@@ -0,0 +1,3 @@
+{% for item in postfix.opendkim.private_keys %}
+{{ item }}      {{ item }}:mail:/etc/opendkim/{{ item }}/mail.private
+{% endfor %}
diff --git a/roles/postfix/templates/SigningTable b/roles/postfix/templates/SigningTable
new file mode 100644 (file)
index 0000000..ca685e7
--- /dev/null
@@ -0,0 +1,3 @@
+{% for item in postfix.opendkim.signing_table.items() %}
+{{ item[0] }}   {{ item[1] }}
+{% endfor %}
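Review bot: The rendered lines are `<key> <keyname>` pairs and opendkim.conf loads the file as a plain `SigningTable /etc/opendkim/SigningTable` with no `refile:` prefix; in that form OpenDKIM matches the left column against the literal sender address or domain rather than as a wildcard pattern, so a `signing_table` entry such as `*@example.com` would never match (my reading of opendkim.conf(5); the actual values of `postfix.opendkim.signing_table` are not in this commit). Either document in the template that keys must be bare domains or addresses, or switch the config to `SigningTable refile:/etc/opendkim/SigningTable`. A header line in the template, `# keys are matched literally (no refile:), so use bare domains or addresses`, would prevent a silent mismatch.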
index dc56a85..fa2082c 100644 (file)
@@ -13,7 +13,7 @@ smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
 smtpd_tls_loglevel = 1
-smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
+smtpd_tls_dh1024_param_file = {{ postfix.paths.dh2048 }}
 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtpd_tls_ciphers = low
 smtpd_tls_mandatory_ciphers = high
@@ -110,9 +110,10 @@ transport_maps = hash:/etc/postfix/transport_map
 mailman_destination_recipient_limit = 1
 {% endif %}
 
-{% if postfix.opendkim | default(False) %}
+{% if postfix.opendkim is defined %}
 # DKIM & Milter
 milter_default_action = accept
+# Path must match opendkim.env
 smtpd_milters = unix:opendkim/sock
 non_smtpd_milters = $smtpd_milters
 {% endif %}
diff --git a/roles/postfix/templates/opendkim.conf b/roles/postfix/templates/opendkim.conf
new file mode 100644 (file)
index 0000000..06203ea
--- /dev/null
@@ -0,0 +1,30 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog                 yes
+
+# Access control
+UMask                  007
+UserID                 opendkim
+
+# domains and keys are in table files
+KeyTable               /etc/opendkim/KeyTable
+SigningTable           /etc/opendkim/SigningTable
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization      simple
+#Mode                  sv
+#SubDomains            no
+#ADSPAction            continue
+
+# use both Sender and From to check for which domain to sign
+SenderHeaders          Sender,From
+
+# Always oversign From (sign using actual From and a null From) to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders                From
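Review bot: Nothing in this file sets `InternalHosts`, so OpenDKIM keeps its default of treating only 127.0.0.1 as internal: mail arriving from any other address, including authenticated submissions from users' own clients, is verified rather than signed. If this host accepts such submissions (the mysql vmail tables in postfix.yml suggest it may; not visible here), their DKIM signature will simply be absent, and `milter_default_action = accept` in main.cf means nothing reports it. Add the submitting networks through `InternalHosts` pointing at a file that lists them, or have the submission service announce itself via a milter macro and match it with `MacroList`. Unrelated: the stock Debian comment above `OversignHeaders` carries typos (`pacakge`, `malicious signatures header fields`).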
diff --git a/roles/postfix/templates/opendkim.env b/roles/postfix/templates/opendkim.env
new file mode 100644 (file)
index 0000000..02fadef
--- /dev/null
@@ -0,0 +1,13 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+
+RUNDIR=/var/spool/postfix/opendkim
+
+# Path must match main.cf
+SOCKET=local:$RUNDIR/sock
+
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
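Review bot: The socket lives under Postfix's queue directory (`RUNDIR=/var/spool/postfix/opendkim`) and opendkim.conf's `UMask 007` leaves it accessible only to the `opendkim` user and group set here, so Postfix's `smtpd` (running as `postfix`) can connect only if that account is a member of the `opendkim` group, and no task in this commit adds it. If that membership is not handled elsewhere, `milter_default_action = accept` in main.cf makes the failure silent: mail flows but is never signed. A task in opendkim.yml such as `user: name=postfix groups=opendkim append=yes` closes it; whether the Debian service generator creates `$RUNDIR` itself is also worth confirming on a target host.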
similarity index 100%
rename from all.yml
rename to site.yml