Add DKIM signing when using multiple domains.

tasks/opendkim.yml

@@ -21,14 +21,45 @@
     mode: '0770'
   notify: restart opendkim
 
-- name: Generate DKIM signing key
+#- name: Generate DKIM signing key
+#  ansible.builtin.command:
+#    cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys"
+#    creates: "/etc/dkimkeys/{{ dkim_selector }}.private"
+#  become: true
+#  become_user: opendkim
+#  notify: restart opendkim
+
+- name: Ensure DKIM directories exist for each domain
+  ansible.builtin.file:
+    path: "/etc/dkimkeys/{{ item.name }}"
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: '0750'
+  loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
+
+- name: Generate DKIM signing keys for each domain
   ansible.builtin.command:
-    cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys"
-    creates: "/etc/dkimkeys/{{ dkim_selector }}.private"
-  become: true
+    cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ item.name }} --directory /etc/dkimkeys/{{ item.name }}"
+    creates: "/etc/dkimkeys/{{ item.name }}/{{ dkim_selector }}.private"
+  loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
   become_user: opendkim
   notify: restart opendkim
 
+- name: Configure the KeyTable
+  ansible.builtin.template:
+    src: keytable.j2
+    dest: "{{ dkim_key_path }}/KeyTable"
+    mode: '0644'
+  notify: restart opendkim
+
+- name: Configuring the SigningTable
+  ansible.builtin.template:
+    src: signingtable.j2
+    dest: "{{ dkim_key_path }}/SigningTable"
+    mode: '0644'
+  notify: restart opendkim
+
 - name: Ensure postfix is in opendkim group
   ansible.builtin.user:
     name: postfix

templates/keytable.j2

@@ -0,0 +1,8 @@
+{% if postfix_virtual_domains|length > 0 %}
+{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
+{% for domain in postfix_virtual_domains %}
+{{ dkim_selector }}._domainkey.{{ domain.name }} {{ domain.name }}:mail:/etc/dkimkeys/{{ domain.name }}/{{ dkim_selector }}.private
+{% endfor %}
+{% else %}
+{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
+{% endif %}

templates/opendkim.conf.j2

@@ -21,7 +21,8 @@ OversignHeaders		From
 # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
 Domain			{{ postfix_domain }}
 Selector		{{ dkim_selector }}
-KeyFile		    {{ dkim_key_path}}/{{ dkim_selector }}.private
+KeyTable        {{ dkim_key_path }}/KeyTable
+SigningTable      refile:{{ dkim_key_path }}/SigningTable
 
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged

templates/signingtable.j2

@@ -0,0 +1,8 @@
+{% if postfix_virtual_domains|length > 0 %}
+*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
+{% for domain in postfix_virtual_domains %}
+*@{{ domain.name }} {{ dkim_selector }}._domainkey.{{ domain.name }}
+{% endfor %}
+{% else %}
+*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
+{% endif %}