From 5e2e9470de3933fd6560eba8ee7a4fff9568ff7c Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sun, 8 Apr 2018 11:58:45 +0200
Subject: [PATCH] properly set up opendkim

---
 ansible.cfg | 1 +
 roles/journalwatch/tasks/journalwatch.yml | 23 ++++++++++
 roles/journalwatch/tasks/main.yml | 25 +----------
 roles/postfix/defaults/main.yml | 3 ++
 roles/postfix/handlers/main.yml | 4 ++
 roles/postfix/tasks/main.yml | 55 +++++------------------
 roles/postfix/tasks/opendkim.yml | 35 +++++++++++++++
 roles/postfix/tasks/postfix.yml | 45 +++++++++++++++++++
 roles/postfix/templates/KeyTable | 3 ++
 roles/postfix/templates/SigningTable | 3 ++
 roles/postfix/templates/main.cf | 5 ++-
 roles/postfix/templates/opendkim.conf | 30 +++++++++++++
 roles/postfix/templates/opendkim.env | 13 ++++++
 all.yml => site.yml | 0
 14 files changed, 176 insertions(+), 69 deletions(-)
 create mode 100644 roles/journalwatch/tasks/journalwatch.yml
 create mode 100644 roles/postfix/defaults/main.yml
 create mode 100644 roles/postfix/handlers/main.yml
 create mode 100644 roles/postfix/tasks/opendkim.yml
 create mode 100644 roles/postfix/tasks/postfix.yml
 create mode 100644 roles/postfix/templates/KeyTable
 create mode 100644 roles/postfix/templates/SigningTable
 create mode 100644 roles/postfix/templates/opendkim.conf
 create mode 100644 roles/postfix/templates/opendkim.env
 rename all.yml => site.yml (100%)

diff --git a/ansible.cfg b/ansible.cfg
index 64ab4cf..d6bbf37 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,7 @@
 [defaults]
 inventory = hosts
 stdout_callback = debug
+hash_behaviour = merge
 
 [diff]
 always = True
diff --git a/roles/journalwatch/tasks/journalwatch.yml b/roles/journalwatch/tasks/journalwatch.yml
new file mode 100644
index 0000000..c9a5375
--- /dev/null
+++ b/roles/journalwatch/tasks/journalwatch.yml
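Review bot: `hash_behaviour = merge` changes how every nested dict variable in the whole project is combined, and nothing on the line says why it is needed: a host that defines its own `postfix:` mapping would otherwise replace `roles/postfix/defaults/main.yml` entirely and `postfix.paths.dh2048` would be undefined. Since ansible.cfg is only honoured when the play is started from this directory (or ANSIBLE_CONFIG points at it), a comment keeps that dependency visible, e.g. `# merge nested dicts: role defaults such as postfix.paths must survive host-level postfix vars`. Ansible's documentation recommends against this setting in favour of the `combine` filter, so a follow-up could move the merge into the role and drop the global switch.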
@@ -0,0 +1,23 @@
+- name: install journalwatch dependencies
+ apt: name=python3-systemd state=latest
+- name: install journalwatch
+ git:
+ dest: /root/journalwatch
+ repo: 'https://github.com/The-Compiler/journalwatch.git'
+ version: b62f223bc36eabc193cfcf0d309d284da4f66463
+- name: create journalwatch config dir
+ file: path=/root/.config/journalwatch state=directory
+- name: install journalwatch config files
+ template:
+ src: templates/{{item}}
+ dest: /root/.config/journalwatch/{{item}}
+ loop:
+ - config
+ - patterns
+- name: delete old journalwatch crontab entry
+ file: path=/etc/cron.d/journalwatch state=absent
+- name: create journalwatch crontab entry
+ cron:
+ name: "journalwatch"
+ minute: "*/10"
+ job: "/root/journalwatch/journalwatch.py mail"
diff --git a/roles/journalwatch/tasks/main.yml b/roles/journalwatch/tasks/main.yml
index 3a7afcb..5621a8f 100644
--- a/roles/journalwatch/tasks/main.yml
+++ b/roles/journalwatch/tasks/main.yml
@@ -1,23 +1,2 @@
-- name: install journalwatch dependencies
- apt: name=python3-systemd state=latest
-- name: install journalwatch
- git:
- dest: /root/journalwatch
- repo: 'https://github.com/The-Compiler/journalwatch.git'
- version: b62f223bc36eabc193cfcf0d309d284da4f66463
-- name: create journalwatch config dir
- file: path=/root/.config/journalwatch state=directory
-- name: install journalwatch config files
- template:
- src: templates/{{item}}
- dest: /root/.config/journalwatch/{{item}}
- with_items:
- - config
- - patterns
-- name: delete old journalwatch crontab entry
- file: path=/etc/cron.d/journalwatch state=absent
-- name: create journalwatch crontab entry
- cron:
- name: "journalwatch"
- minute: "*/10"
- job: "/root/journalwatch/journalwatch.py mail"
+- import_tasks: journalwatch.yml
+ tags: journalwatch
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
new file mode 100644
index 0000000..b05f8de
--- /dev/null
+++ b/roles/postfix/defaults/main.yml
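Review bot: `apt: name=python3-systemd state=latest` in the first task turns every run of the role into a package upgrade, so the play reports `changed` and pulls a new package version whenever the mirror has one, while the git checkout two tasks below is pinned to an exact commit; `state=present` keeps installation idempotent and leaves upgrades to an explicit maintenance task. The same applies to the `apt` tasks at the top of `roles/postfix/tasks/opendkim.yml` and `roles/postfix/tasks/postfix.yml` in this commit.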
@@ -0,0 +1,3 @@
+postfix:
+ paths:
+ dh2048: /etc/ssl/dh2048.pem
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..d0865b9
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: opendkim
+ service: name=opendkim state=restarted enabled=yes
+- name: postfix
+ service: name=postfix state=restarted enabled=yes
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 3343f33..f71486e 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
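Review bot: The `postfix` handler restarts the daemon for every notifying task, but the tasks that notify it (in `roles/postfix/tasks/postfix.yml`) only rewrite main.cf, master.cf and the mysql map configs, all of which Postfix picks up from a reload; `service: name=postfix state=reloaded enabled=yes` avoids dropping SMTP sessions that are open at handler time. The `opendkim` handler is also fired after `opendkim.service.generate` rewrites the unit, where a full restart is needed, so leaving that one as `restarted` is correct.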
@@ -1,44 +1,11 @@
-- name: install postfix
- apt: name=postfix,bsd-mailx state=latest
-- name: install postfix-mysql
- apt: name=postfix-mysql state=latest
- when: postfix.vmail_mysql_password is defined
-- name: install postfix config
- register: postfix_config
- template:
- dest: /etc/postfix/{{ item }}
- src: templates/{{ item }}
- with_items:
- - main.cf
- - master.cf
-- name: install postfix mysql config
- register: postfix_mysql
- template:
- dest: /etc/postfix/{{ item }}
- src: templates/{{ item }}
- mode: u=rw,g=r,o=
- group: postfix
- with_items:
- - mysql_vmail_aliases.cf
- - mysql_vmail_senders.cf
- - mysql_vmail_users.cf
- when: postfix.vmail_mysql_password is defined
-- name: create empty maps
- copy:
- dest: /etc/postfix/{{ item }}
- content: ""
- force: no
- with_items:
- - virtual_alias_map
- - transport_map
- when: postfix.virtual_mailbox_domains is defined
-- name: reload postfix
- service: name=postfix state=restarted enabled=yes
- when: postfix_config.changed or postfix_mysql.changed
-- name: delete old local-mail cronjob
- file: path=/etc/cron.daily/local-mail state=absent
-- name: install check-for-local-mail cronjob
- copy:
- dest: /etc/cron.daily/check-for-local-mail
- src: files/check-for-local-mail
- mode: u=rwx,g=rx,o=rx
+# base
+- name: create dh2048 file
+ command: openssl dhparam -out {{ postfix.paths.dh2048 }} 2048
+ args:
+ creates: "{{ postfix.paths.dh2048 }}"
+# daemons
+- import_tasks: opendkim.yml
+ tags: opendkim
+ when: postfix.opendkim is defined
+- import_tasks: postfix.yml
+ tags: postfix
diff --git a/roles/postfix/tasks/opendkim.yml b/roles/postfix/tasks/opendkim.yml
new file mode 100644
index 0000000..49543af
--- /dev/null
+++ b/roles/postfix/tasks/opendkim.yml
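Review bot: `when: postfix.opendkim is defined` on the opendkim import enables the DKIM tasks for any value, so a host that sets `postfix: {opendkim: false}` to opt out (a shape the old `| default(False)` test in main.cf accepted) now installs and signs anyway, and the same `is defined` test is repeated in `roles/postfix/templates/main.cf`; if per-host opt-out should stay possible, `when: postfix.opendkim | default(False)` with a mapping value keeps both call sites in agreement. The `{{ postfix.paths.dh2048 }}` reference in the `create dh2048 file` task only resolves on hosts that define their own `postfix:` mapping because ansible.cfg gains `hash_behaviour = merge` in this same commit; a comment such as `# postfix.paths comes from defaults/main.yml and relies on hash_behaviour=merge` documents that coupling where it would break.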
@@ -0,0 +1,35 @@
+- name: install opendkim
+ apt: name=opendkim,opendkim-tools state=latest
+- name: enable opendkim
+ service: name=opendkim enabled=yes
+# env
+- name: install opendkim env
+ register: opendkim_env
+ template:
+ dest: /etc/default/opendkim
+ src: templates/opendkim.env
+- name: regenerate opendkim service
+ shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload
+ when: opendkim_env.changed
+ notify: opendkim
+# tables
+- name: generate opendkim keys
+ shell: mkdir /etc/opendkim/{{ item }}/ && opendkim-genkey --bits=2048 -s mail -d {{ item }} -D /etc/opendkim/{{ item }}/
+ args:
+ creates: /etc/opendkim/{{ item }}/mail.private
+ warn: False
+ loop: "{{ postfix.opendkim.private_keys }}"
+- name: generate opendkim tables
+ template:
+ dest: /etc/opendkim/{{ item }}
+ src: templates/{{ item }}
+ loop:
+ - KeyTable
+ - SigningTable
+ notify: opendkim
+# config
+- name: install opendkim config
+ template:
+ dest: /etc/opendkim.conf
+ src: templates/opendkim.conf
+ notify: opendkim
diff --git a/roles/postfix/tasks/postfix.yml b/roles/postfix/tasks/postfix.yml
new file mode 100644
index 0000000..eac650c
--- /dev/null
+++ b/roles/postfix/tasks/postfix.yml
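Review bot: The `generate opendkim keys` task creates `/etc/opendkim/<domain>/mail.private` owned by whoever runs the play (root, like the rest of the role), yet `opendkim.conf` in this commit runs the daemon as `UserID opendkim`; opendkim-genkey typically leaves the private key mode 0600, so unless the daemon opens keys before dropping privileges, signing fails with a permission error and mail leaves unsigned — a `file:` task fixing owner, group and mode on each key after generation is needed. The `mkdir` without `-p` also fails on any later run where the directory exists but `mail.private` does not (the `creates:` guard only looks at the key file), and `{{ item }}` is pasted unquoted into a shell command line, so `| quote` on the domain values keeps an unexpected inventory value from being interpreted by the shell. The rewritten task and the added ownership task are below; the tables and config tasks are unchanged.

```yaml
- name: generate opendkim keys
  shell: mkdir -p /etc/opendkim/{{ item | quote }}/ && opendkim-genkey --bits=2048 -s mail -d {{ item | quote }} -D /etc/opendkim/{{ item | quote }}/
  args:
    creates: /etc/opendkim/{{ item }}/mail.private
    warn: False
  loop: "{{ postfix.opendkim.private_keys }}"
- name: restrict opendkim private keys to the daemon user
  file:
    path: /etc/opendkim/{{ item }}/mail.private
    owner: opendkim
    group: opendkim
    mode: "0600"
  loop: "{{ postfix.opendkim.private_keys }}"
# … unchanged: generate opendkim tables, install opendkim config …
```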
@@ -0,0 +1,45 @@
+- name: install postfix
+ apt: name=postfix,bsd-mailx state=latest
+- name: install postfix-mysql
+ apt: name=postfix-mysql state=latest
+ when: postfix.vmail_mysql_password is defined
+- name: enable postfix
+ service: name=postfix enabled=yes
+# config
+- name: install postfix config
+ template:
+ dest: /etc/postfix/{{ item }}
+ src: templates/{{ item }}
+ loop:
+ - main.cf
+ - master.cf
+ notify: postfix
+- name: install postfix mysql config
+ template:
+ dest: /etc/postfix/{{ item }}
+ src: templates/{{ item }}
+ mode: u=rw,g=r,o=
+ group: postfix
+ loop:
+ - mysql_vmail_aliases.cf
+ - mysql_vmail_senders.cf
+ - mysql_vmail_users.cf
+ notify: postfix
+ when: postfix.vmail_mysql_password is defined
+- name: create empty maps
+ copy:
+ dest: /etc/postfix/{{ item }}
+ content: ""
+ force: no
+ loop:
+ - virtual_alias_map
+ - transport_map
+ when: postfix.virtual_mailbox_domains is defined
+# cronjob
+- name: delete old local-mail cronjob
+ file: path=/etc/cron.daily/local-mail state=absent
+- name: install check-for-local-mail cronjob
+ copy:
+ dest: /etc/cron.daily/check-for-local-mail
+ src: files/check-for-local-mail
+ mode: u=rwx,g=rx,o=rx
diff --git a/roles/postfix/templates/KeyTable b/roles/postfix/templates/KeyTable
new file mode 100644
index 0000000..7e622af
--- /dev/null
+++ b/roles/postfix/templates/KeyTable
@@ -0,0 +1,3 @@
+{% for item in postfix.opendkim.private_keys %}
+{{ item }} {{ item }}:mail:/etc/opendkim/{{ item }}/mail.private
+{% endfor %}
diff --git a/roles/postfix/templates/SigningTable b/roles/postfix/templates/SigningTable
new file mode 100644
index 0000000..ca685e7
--- /dev/null
+++ b/roles/postfix/templates/SigningTable
@@ -0,0 +1,3 @@
+{% for item in postfix.opendkim.signing_table.items() %}
+{{ item[0] }} {{ item[1] }}
+{% endfor %}
diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
index dc56a85..fa2082c 100644
--- a/roles/postfix/templates/main.cf
+++ b/roles/postfix/templates/main.cf
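Review bot: `create empty maps` writes an empty text file for `transport_map` and `virtual_alias_map`, but main.cf (visible in the second hunk of `roles/postfix/templates/main.cf`) references `hash:/etc/postfix/transport_map`, and a `hash:` table is the compiled `.db` that only `postmap` produces; unless postmap is run somewhere outside this role, a fresh host has no `.db` and Postfix logs a table lookup error for the affected mail. Following the copy with `command: postmap /etc/postfix/{{ item }}` guarded by `creates: /etc/postfix/{{ item }}.db`, over the same `loop` and `when`, makes the first run self-contained; later manual edits of the source file still need postmap re-run, which the `creates` guard will not do. This block is moved rather than new, but the task file is what is under review here.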
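Review bot: The `SigningTable` template emits `{{ item[0] }} {{ item[1] }}` straight from `postfix.opendkim.signing_table`, while `opendkim.conf` in this commit declares the table as a plain file (`SigningTable /etc/opendkim/SigningTable`, no `refile:` prefix); in that mode OpenDKIM matches the left-hand side literally, so a wildcard entry such as `*@example.org` in the mapping would never match and the message would go out unsigned. Either the mapping keys must be exact addresses or domains, or opendkim.conf should read `SigningTable refile:/etc/opendkim/SigningTable`; a header comment in the template recording which form is expected settles it, e.g. `{# left-hand side is matched literally unless opendkim.conf declares the table as refile: #}`. The values must name a `KeyTable` key, which the KeyTable template in this commit sets to the domain itself, so that side is consistent.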
@@ -13,7 +13,7 @@ smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = may
 smtpd_tls_loglevel = 1
-smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
+smtpd_tls_dh1024_param_file = {{ postfix.paths.dh2048 }}
 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
 smtpd_tls_ciphers = low
 smtpd_tls_mandatory_ciphers = high
@@ -110,9 +110,10 @@ transport_maps = hash:/etc/postfix/transport_map
 mailman_destination_recipient_limit = 1
 {% endif %}
 
-{% if postfix.opendkim | default(False) %}
+{% if postfix.opendkim is defined %}
 # DKIM & Milter
 milter_default_action = accept
+# Path must match opendkim.env
 smtpd_milters = unix:opendkim/sock
 non_smtpd_milters = $smtpd_milters
 {% endif %}
diff --git a/roles/postfix/templates/opendkim.conf b/roles/postfix/templates/opendkim.conf
new file mode 100644
index 0000000..06203ea
--- /dev/null
+++ b/roles/postfix/templates/opendkim.conf
@@ -0,0 +1,30 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+
+# Access control
+UMask 007
+UserID opendkim
+
+# domains and keys are in table files
+KeyTable /etc/opendkim/KeyTable
+SigningTable /etc/opendkim/SigningTable
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#ADSPAction continue
+
+# use both Sender and From to check for which domain to sign
+SenderHeaders Sender,From
+
+# Always oversign From (sign using actual From and a null From) to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
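Review bot: With `UMask 007` and `UserID opendkim`, the milter socket the daemon creates under `RUNDIR=/var/spool/postfix/opendkim` (opendkim.env) is reachable only by user and group `opendkim`, but Postfix connects to `unix:opendkim/sock` as the postfix user; nothing in `opendkim.yml` adds postfix to the opendkim group, so on a fresh host the connection is refused and, because main.cf sets `milter_default_action = accept`, the mail goes out unsigned with only a log line to show for it. Unless that group membership is created elsewhere in the repository, a task such as `user: name=postfix groups=opendkim append=yes` with `notify: postfix` belongs in `opendkim.yml` before the config is installed. A comment above `UMask 007` such as `# socket is group-accessible only: postfix must be a member of the opendkim group` records the dependency for whoever tunes the mask later.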
diff --git a/roles/postfix/templates/opendkim.env b/roles/postfix/templates/opendkim.env
new file mode 100644
index 0000000..02fadef
--- /dev/null
+++ b/roles/postfix/templates/opendkim.env
@@ -0,0 +1,13 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+
+RUNDIR=/var/spool/postfix/opendkim
+
+# Path must match main.cf
+SOCKET=local:$RUNDIR/sock
+
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
diff --git a/all.yml b/site.yml
similarity index 100%
rename from all.yml
rename to site.yml
--
2.30.2