Add DKIM signing when using multiple domains.

This commit is contained in:
Brian Lee 2024-05-29 11:58:31 -07:00
parent 4b48892f74
commit a72c8440f8
4 changed files with 53 additions and 5 deletions


@ -21,14 +21,45 @@
mode: '0770'
notify: restart opendkim
- name: Generate DKIM signing key
#- name: Generate DKIM signing key
# ansible.builtin.command:
# cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys"
# creates: "/etc/dkimkeys/{{ dkim_selector }}.private"
# become: true
# become_user: opendkim
# notify: restart opendkim
- name: Ensure DKIM directories exist for each domain
ansible.builtin.file:
path: "/etc/dkimkeys/{{ item.name }}"
state: directory
owner: opendkim
group: opendkim
mode: '0750'
loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
- name: Generate DKIM signing keys for each domain
ansible.builtin.command:
cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ postfix_domain }} --directory /etc/dkimkeys"
creates: "/etc/dkimkeys/{{ dkim_selector }}.private"
become: true
cmd: "opendkim-genkey -r -s {{ dkim_selector }} -b 2048 -d {{ item.name }} --directory /etc/dkimkeys/{{ item.name }}"
creates: "/etc/dkimkeys/{{ item.name }}/{{ dkim_selector }}.private"
loop: "{{ [{'name': postfix_domain}] + postfix_virtual_domains }}"
become_user: opendkim
notify: restart opendkim
- name: Configure the KeyTable
ansible.builtin.template:
src: keytable.j2
dest: "{{ dkim_key_path }}/KeyTable"
mode: '0644'
notify: restart opendkim
- name: Configuring the SigningTable
ansible.builtin.template:
src: signingtable.j2
dest: "{{ dkim_key_path }}/SigningTable"
mode: '0644'
notify: restart opendkim
- name: Ensure postfix is in opendkim group
ansible.builtin.user:
name: postfix
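Review bot: The key-generation task keeps `become_user: opendkim` but `become: true` sits with the removed lines of this section (the old/new side is not marked on this rendered page, so this is inferred from print order), and without `become` set here or at play level Ansible runs the task as the connecting user, so the `.private` file that opendkim-genkey writes into the `0750` `opendkim:opendkim` directory would be owned by that user and unreadable by the opendkim service. Keep `become: true` on the line before `become_user: opendkim`. Separately, the directory `path`, the `cmd` and the `creates` values hard-code `/etc/dkimkeys` while the KeyTable and SigningTable destinations use `{{ dkim_key_path }}` (templates/keytable.j2 also hard-codes `/etc/dkimkeys`); if that variable is ever set to anything else the tables will point at key files that were never generated, so use `{{ dkim_key_path }}` in those three values as well. The task list continues outside the hunk.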

templates/keytable.j2 Normal file

@ -0,0 +1,8 @@
{% if postfix_virtual_domains|length > 0 %}
{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
{% for domain in postfix_virtual_domains %}
{{ dkim_selector }}._domainkey.{{ domain.name }} {{ domain.name }}:mail:/etc/dkimkeys/{{ domain.name }}/{{ dkim_selector }}.private
{% endfor %}
{% else %}
{{ dkim_selector }}._domainkey.{{ postfix_domain }} {{ postfix_domain }}:mail:/etc/dkimkeys/{{ postfix_domain }}/{{ dkim_selector }}.private
{% endif %}
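Review bot: The `{% if %}` and `{% else %}` branches of this template both emit the same `{{ postfix_domain }}` line, and a `{% for %}` over an empty `postfix_virtual_domains` emits nothing, so the conditional is redundant and the template can be reduced to the primary-domain line followed by the loop; delete the `{% if postfix_virtual_domains|length > 0 %}`, `{% else %}` (with its duplicate line) and `{% endif %}` lines. The same simplification applies to templates/signingtable.j2 in this commit, which has the identical structure. Keeping one copy of each line also avoids the two primary-domain entries drifting apart on a future edit.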


@ -21,7 +21,8 @@ OversignHeaders From
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain {{ postfix_domain }}
Selector {{ dkim_selector }}
KeyFile {{ dkim_key_path}}/{{ dkim_selector }}.private
KeyTable {{ dkim_key_path }}/KeyTable
SigningTable refile:{{ dkim_key_path }}/SigningTable
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
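Review bot: `Domain` and `Selector` stay in the new config directly above the added `KeyTable` and `SigningTable` lines, but the opendkim.conf(5) documentation describes both as ignored once `KeyTable` is set, so they now only suggest to a reader that single-domain signing is still in effect. Drop them, or keep them with a comment such as `# Domain/Selector are superseded by KeyTable/SigningTable below`. The `refile:` prefix on `SigningTable` is correct for the `*@domain` patterns the new template emits.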


@ -0,0 +1,8 @@
{% if postfix_virtual_domains|length > 0 %}
*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
{% for domain in postfix_virtual_domains %}
*@{{ domain.name }} {{ dkim_selector }}._domainkey.{{ domain.name }}
{% endfor %}
{% else %}
*@{{ postfix_domain }} {{ dkim_selector }}._domainkey.{{ postfix_domain }}
{% endif %}