blee/ansible-role-disposable-mail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add DKIM signing when using multiple domains.

Browse Source
This commit is contained in:
Brian Lee 2024-05-29 11:58:31 -07:00
parent 4b48892f74
commit a72c8440f8
4 changed files with 53 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
tasks/opendkim.yml
View File

@ -21,14 +21,45 @@
mode: '0770' mode: '0770'
notify: restart opendkim notify: restart opendkim
- name: Generate DKIM signing key #- name: Generate DKIM signing key
# ansible.builtin.command:
# cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys"
# creates: "/etc/dkimkeys/{{ dkim_selector }}.private"
# become: true
# become_user: opendkim
# notify: restart opendkim
- name: Ensure DKIM directories exist for each domain
ansible.builtin.file:
path: "/etc/dkimkeys/{{ item.name }}"
state: directory
owner: opendkim
group: opendkim
mode: '0750'
loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
- name: Generate DKIM signing keys for each domain
ansible.builtin.command: ansible.builtin.command:
cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys" cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ item.name }} --directory /etc/dkimkeys/{{ item.name }}"
creates: "/etc/dkimkeys/{{ dkim_selector }}.private" creates: "/etc/dkimkeys/{{ item.name }}/{{ dkim_selector }}.private"
become: true loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
become_user: opendkim become_user: opendkim
notify: restart opendkim notify: restart opendkim
- name: Configure the KeyTable
ansible.builtin.template:
src: keytable.j2
dest: "{{ dkim_key_path }}/KeyTable"
mode: '0644'
notify: restart opendkim
- name: Configuring the SigningTable
ansible.builtin.template:
src: signingtable.j2
dest: "{{ dkim_key_path }}/SigningTable"
mode: '0644'
notify: restart opendkim
- name: Ensure postfix is in opendkim group - name: Ensure postfix is in opendkim group
ansible.builtin.user: ansible.builtin.user:
name: postfix name: postfix

8
templates/keytable.j2 Normal file
View File

@ -0,0 +1,8 @@
{% if postfix_virtual_domains|length > 0 %}
{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
{% for domain in postfix_virtual_domains %}
{{ dkim_selector }}._domainkey.{{ domain.name }} {{ domain.name }}:mail:/etc/dkimkeys/{{ domain.name }}/{{ dkim_selector }}.private
{% endfor %}
{% else %}
{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
{% endif %}

3
templates/opendkim.conf.j2
View File

@ -21,7 +21,8 @@ OversignHeaders From
# setup options can be found in /usr/share/doc/opendkim/README.opendkim. # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain {{ postfix_domain }} Domain {{ postfix_domain }}
Selector {{ dkim_selector }} Selector {{ dkim_selector }}
KeyFile {{ dkim_key_path}}/{{ dkim_selector }}.private KeyTable {{ dkim_key_path }}/KeyTable
SigningTable refile:{{ dkim_key_path }}/SigningTable
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged # using a local socket with MTAs that access the socket as a non-privileged

8
templates/signingtable.j2 Normal file
View File

@ -0,0 +1,8 @@
{% if postfix_virtual_domains|length > 0 %}
*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
{% for domain in postfix_virtual_domains %}
*@{{ domain.name }} {{ dkim_selector }}._domainkey.{{ domain.name }}
{% endfor %}
{% else %}
*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
{% endif %}