From f938648c91e6b1e7c9882a6868cbce422771f00b Mon Sep 17 00:00:00 2001 From: ale <ale@incal.net> Date: Fri, 22 Mar 2019 09:16:03 +0000 Subject: [PATCH] Install and configure OpenDKIM for outbound email --- roles/mail/handlers/main.yml | 5 ++++ roles/mail/tasks/frontend.yml | 29 +++++++++++++++++++ roles/mail/templates/opendkim.conf.j2 | 22 ++++++++++++++ roles/mail/templates/postfix-delivery/main.cf | 2 +- roles/mail/templates/postfix-in/main.cf | 2 +- roles/mail/templates/postfix-out/main.cf | 5 +++- 6 files changed, 62 insertions(+), 3 deletions(-) create mode 100644 roles/mail/templates/opendkim.conf.j2 diff --git a/roles/mail/handlers/main.yml b/roles/mail/handlers/main.yml index 6195f640..7ef08646 100644 --- a/roles/mail/handlers/main.yml +++ b/roles/mail/handlers/main.yml @@ -76,3 +76,8 @@ systemd: name: auth-server.service state: restarted + +- name: reload opendkim + systemd: + name: opendkim.service + state: restarted diff --git a/roles/mail/tasks/frontend.yml b/roles/mail/tasks/frontend.yml index 2a67cbec..a3b748a7 100644 --- a/roles/mail/tasks/frontend.yml +++ b/roles/mail/tasks/frontend.yml @@ -9,6 +9,7 @@ packages: - postfix-policyd-spf-python - policyd-rate-limit + - opendkim - set_fact: postfix_instances: 
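Review bot: The new handler is named `reload opendkim` but does `state: restarted`, so the name misdescribes what notifying it triggers. Either rename it to `restart opendkim` (together with the three `notify: "reload opendkim"` strings added in roles/mail/tasks/frontend.yml) or use `state: reloaded` only if the opendkim unit actually defines a reload action, which nothing in this patch shows. Because a key or table change needs the daemon to pick up new files, the restart itself looks like the intended behaviour; the fix is to the name, not the action.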
@@ -50,6 +51,34 @@ dest: /etc/firewall/filter.d/20mail notify: "reload firewall" +# Install opendkim + +- template: + src: opendkim.conf.j2 + dest: /etc/opendkim.conf + notify: "reload opendkim" + +- file: + path: /etc/opendkim + state: directory + +- name: Install OpenDKIM key + copy: + src: "{{ credentials_dir }}/dkim/{{ dkim_selector }}.key" + dest: "/etc/opendkim/{{ dkim_selector }}.key + notify: "reload opendkim" + +- name: Create OpenDKIM key table + copy: + content: "% {{ dkim_selector }} /etc/opendkim/{{ dkim_selector }}.key\n" + dest: "/etc/opendkim/key-table" + notify: "reload opendkim" + +# This file is managed by ai-scripts, just ensure it exists. +- file: + path: "/etc/opendkim/signing-table" + state: touch + # Generate self-signed public certificates. This is only so dovecot # can start, certificates will be eventually replaced by ACME managed # ones. diff --git a/roles/mail/templates/opendkim.conf.j2 b/roles/mail/templates/opendkim.conf.j2 new file mode 100644 index 00000000..c210512b --- /dev/null +++ b/roles/mail/templates/opendkim.conf.j2 @@ -0,0 +1,22 @@ +# OpenDKIM configuration for the postfix-out instance. + +# Daemon operation. +Syslog yes +UMask 002 +AutoRestart no +Background no +DNSTimeout 5 +Socket local:/var/run/opendkim/opendkim.sock + +# DKIM configuration. +Mode s +Canonicalization relaxed/relaxed +SignatureAlgorithm rsa-sha256 +SubDomains no +X-Header no +SendReports no +RequiredHeaders yes + +# Tables used to read the list of domains to sign. +KeyTable /etc/opendkim/key-table +SigningTable /etc/opendkim/signing-table diff --git a/roles/mail/templates/postfix-delivery/main.cf b/roles/mail/templates/postfix-delivery/main.cf index 7832d7c5..962f9eb6 100644 --- a/roles/mail/templates/postfix-delivery/main.cf +++ b/roles/mail/templates/postfix-delivery/main.cf 
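Review bot: The `dest:` of the "Install OpenDKIM key" task opens a double quote and never closes it (`dest: "/etc/opendkim/{{ dkim_selector }}.key`), so the file will not parse as intended; it should read `dest: "/etc/opendkim/{{ dkim_selector }}.key"`. The same task copies a private signing key with no `mode`, `owner` or `group`, so the file inherits the umask-derived default (normally 0644) and is readable by every local account; add `mode: "0600"` plus an owner/group matching the account the opendkim service runs as (not named in this patch), and give the `/etc/opendkim` directory task an explicit mode too. The key-table content `% {{ dkim_selector }} /etc/opendkim/{{ dkim_selector }}.key` separates domain, selector and path with spaces, whereas opendkim.conf(5) documents the second KeyTable column as colon-separated `domain:selector:keyfile` — verify this against a running instance before relying on it.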
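Review bot: The signing policy sets `RequiredHeaders yes` but no `OversignHeaders From`, so a message whose signature is otherwise valid still verifies after a relay prepends a second From header; add `OversignHeaders From` (commonly also To, Subject and Date) to the "DKIM configuration" block. `UMask 002` makes the socket group-writable, which only lets the postfix-out smtpd connect if its account is in the group the daemon runs as, and no task in this patch arranges that membership — either add the task or state the assumption in the header comment. A short comment above `Socket` noting which Postfix instance is expected to connect and under which account would make the permission model checkable.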
@@ -32,7 +32,7 @@ milter_default_action = tempfail virtual_transport = lmtp:unix:private/dovecot-lmtp # Recipient domains that are sent to virtual_transport. -virtual_mailbox_domains = ${indexed}domains +virtual_mailbox_domains = ${indexed}domains cdb:/etc/postfix/domains-auto # Aliases have already been resolved by the postfix-out instance. # The return value from the lookup is ignored, because we've set diff --git a/roles/mail/templates/postfix-in/main.cf b/roles/mail/templates/postfix-in/main.cf index 01287ca0..ac083b5e 100644 --- a/roles/mail/templates/postfix-in/main.cf +++ b/roles/mail/templates/postfix-in/main.cf @@ -83,7 +83,7 @@ postscreen_cache_map = lmdb:${data_directory}/postscreen_cache # Mailman lists are sent directly to the LMTP handlers, bypassing postfix-out, # because we want to be able to reject messages right away due to membership # failures etc. -relay_domains = ${indexed}domains +relay_domains = ${indexed}domains cdb:/etc/postfix/domains-auto relay_recipient_maps = ${indexed}virtual, ${ldap}recipients, diff --git a/roles/mail/templates/postfix-out/main.cf b/roles/mail/templates/postfix-out/main.cf index 3985d141..3e1b2859 100644 --- a/roles/mail/templates/postfix-out/main.cf +++ b/roles/mail/templates/postfix-out/main.cf @@ -38,7 +38,7 @@ smtpd_timeout = 1200s # Use the "relay" transport for inbound mail, and the default # "smtp" transport for outbound mail (bounces, ...). The latter # won't starve the former of delivery agent slots. -relay_domains = ${indexed}domains +relay_domains = ${indexed}domains cdb:/etc/postfix/domains-auto relay_recipient_maps = ${ldap}recipients ${indexed}mailman_transport relay_destination_recipient_limit = 1 
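Review bot: The `cdb:/etc/postfix/domains-auto` addition here, and the matching ones in postfix-in/main.cf and postfix-out/main.cf, are unrelated to the OpenDKIM work in the commit message, and nothing in the patch creates or touches `/etc/postfix/domains-auto`; if the `.cdb` file is missing on a host, Postfix normally logs a fatal open error for the daemon doing the lookup and the affected mail is deferred. Either split this into its own commit or add a comment such as `# domains-auto is generated outside Ansible and must exist before Postfix starts` above each changed `relay_domains`/`virtual_mailbox_domains` line, and consider a task that ensures the table exists, in the same way frontend.yml touches the signing-table.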
@@ -61,3 +61,6 @@ smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 tls_random_source = dev:/dev/urandom
 smtp_tls_policy_maps = ${indexed}tls_policy
+
+# Process all messages through the opendkim milter.
+smtpd_milters = unix:/var/run/opendkim/opendkim.sock
-- 
GitLab
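Review bot: The comment `# Process all messages through the opendkim milter.` overstates what `smtpd_milters` does: it applies to mail received over SMTP only, while mail entering postfix-out through pickup(8) or qmqpd(8) goes through `non_smtpd_milters`, which is not set here. Either add `non_smtpd_milters = $smtpd_milters` or narrow the comment to `# Sign all SMTP-received messages via the opendkim milter.` The `unix:` path is absolute; if this instance's smtpd runs chrooted (as stock Debian master.cf does), Postfix interprets it relative to the queue directory and the connection fails, so confirm the chroot setting or place the socket under the queue directory. With `milter_default_action` left unset for this instance the default `tempfail` applies, which is a reasonable fail-closed choice for an outbound signer but deserves a line in the comment so an opendkim outage is recognised as the cause of deferred mail.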