Add opendkim

galaxy.yml

@@ -8,7 +8,7 @@ namespace: s3lph
 name: mailserver
 
 # The version of the collection. Must be compatible with semantic versioning
-version: '0.3.0'
+version: '0.3.1'
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -38,6 +38,7 @@ tags:
   - postfixadmin
   - postsrsd
   - schleuder
+  - opendkim
 
 # Collections that this collection requires to be installed for it to be usable. The key of the dict is the
 # collection label 'namespace.name'. The value is a version range

roles/opendkim/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+
+opendkim_testmode: no
+
+opendkim_syslog: yes
+opendkim_syslog_success: yes
+opendkim_log_why: no
+
+opendkim_canonicalization: relaxed/simple
+opendkim_mode: sv
+opendkim_subdomains: no
+opendkim_oversign_headers: From
+
+opendkim_selector: mail
+
+opendkim_socket: "local:/var/spool/postfix/private/opendkim"
+opendkim_internal_hosts:
+  - "::1"
+  - 127.0.0.0/8
+  - 192.168.0.0/16
+  - 10.0.0.0/8
+  - 172.16.0.0/12

roles/opendkim/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: restart opendkim
+  ansible.builtin.service:
+    name: opendkim
+    state: restarted

roles/opendkim/tasks/config.yml

@@ -0,0 +1,37 @@
+---
+
+- name: create /etc/dkimkeys diretory
+  ansible.builtin.file:
+    path: /etc/dkimkeys
+    state: directory
+    owner: root
+    group: opendkim
+    mode: 0750
+
+- name: create dkim keys for all configured domains
+  ansible.builtin.command: >-
+    /usr/sbin/opendkim-genkey
+    --directory=/etc/dkimkeys
+    --domain={{ item }}
+    --selector={{ opendkim_selector }}
+  args:
+    creates: "/etc/dkimkeys/{{ item }}.private"
+  become: yes
+  become_user: opendkim
+  loop: "{{ opendkim_domains }}"
+  notify: restart opendkim
+
+- name: render /etc/opendkim.conf
+  ansible.builtin.template:
+    src: etc/opendkim.conf.j2
+    dest: /etc/opendkim.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart opendkim
+
+- name: start and enable opendkim
+  ansible.builtin.service:
+    name: opendkim
+    state: started
+    enabled: yes

roles/opendkim/tasks/install.yml

@@ -0,0 +1,7 @@
+---
+
+- name: install opendkim
+  ansible.builtin.package:
+    name:
+      - opendkim
+      - opendkim-tools

roles/opendkim/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+- ansible.builtin.import_tasks: install.yml
+  tags:
+    - "role::opendkim"
+    - "role::opendkim:install"
+
+- ansible.builtin.import_tasks: config.yml
+  tags:
+    - "role::opendkim"
+    - "role::opendkim:config"

roles/opendkim/templates/etc/opendkim.conf.j2

@@ -0,0 +1,53 @@
+{{ ansible_managed | comment }}
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog			{{ opendkim_syslog | ternary('yes', 'no') }}
+SyslogSuccess		{{ opendkim_syslog_success | ternary('yes', 'no') }}
+LogWhy			{{ opendkim_log_why | ternary('yes', 'no') }}
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization	{{ opendkim_canonicalization }}
+Mode			{{ opendkim_mode }}
+SubDomains		{{ opendkim_subdomains | ternary('yes', 'no') }}
+OversignHeaders		{{ opendkim_oversign_headers }}
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain			{{ opendkim_domains | join(', ') }}
+Selector		{{ opendkim_selector }}
+KeyFile			{{ opendkim_keyfile | default('/etc/dkimkeys/' + opendkim_domain + '.private') }}
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID			opendkim
+UMask			007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+#Socket			local:/run/opendkim/opendkim.sock
+#Socket			inet:8891@localhost
+#Socket			inet:8891
+#Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+Socket			{{ opendkim_socket }}
+
+PidFile			/run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+InternalHosts		{{ opendkim_internal_hosts | join(', ') }}
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile		/usr/share/dns/root.key
+#Nameservers		127.0.0.1

roles/postfix/defaults/main/global.yml

@@ -24,6 +24,7 @@ postfix_srsd_enable: no
 postfix_srsd_nodefault: no
 postfix_spamassassin_enable: no
 postfix_easywks_pipe_transport: no
+postfix_opendkim_enable: no
 postfix_srsd_forward_lookup: "tcp:localhost:10001"
 postfix_srsd_reverse_lookup: "tcp:localhost:10002"
 

roles/postfix/defaults/main/restrictions.yml

@@ -38,8 +38,10 @@ postfix_smtpd_client_restrictions:
   - reject_unknown_sender_domain
   - permit
 
+postfix_non_smtpd_milters: []
 postfix_smtpd_milters: []
 postfix_spamassassin_milter: "unix:/spamass/spamass.sock"
+postfix_opendkim_milter: "unix:private/opendkim"
 
 postfix_header_checks: []
 postfix_body_checks: []

roles/postfix/templates/etc/postfix/main.cf.j2

@@ -134,9 +134,19 @@ smtpd_milters =
 {% if postfix_spamassassin_enable %}
 	{{ postfix_spamassassin_milter }},
 {% endif %}
+{% if postfix_opendkim_enable %}
+	{{ postfix_opendkim_milter }},
+{% endif %}
 {% for milter in postfix_smtpd_milters %}
 	{{ milter }},
 {% endfor %}
+non_smtpd_milters =
+{% if postfix_opendkim_enable %}
+	{{ postfix_opendkim_milter }},
+{% endif %}
+{% for milter in postfix_non_smtpd_milters %}
+	{{ milter }},
+{% endfor %}
 
 header_checks =
 {% for check in postfix_header_checks %}