Commit 2557ba3d authored by Kristian Klausen's avatar Kristian Klausen 🎉

Use Rspamd for DKIM signing

Fix #213
parent 36998f35
......@@ -30,7 +30,6 @@
- { role: rspamd, tags: ["mail"] }
- { role: unbound, tags: ["mail"] }
- { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
- { role: opendkim, dkim_selector: apollo, tags: ['mail'] }
- { role: postfwd, tags: ['mail'] }
- role: postgres
postgres_listen_addresses: "*"
......@@ -15,5 +15,4 @@
- { role: postfwd, tags: ['mail'] }
- { role: archusers }
- { role: fail2ban }
- { role: opendkim, dkim_selector: mail, tags: ['mail'] }
- { role: prometheus_exporters }
---
- name: restart opendkim
service: name=opendkim state=restarted
---
- name: install opendkim
pacman: name=opendkim state=present
- name: install opendkim.conf
template: src=opendkim.conf.j2 dest=/etc/opendkim/opendkim.conf owner=root group=root mode=0644
notify:
- restart opendkim
- name: create opendkim spool directory
file: path="/var/spool/opendkim/" state=directory owner=opendkim group=postfix mode=0750
- name: install domains config
template: src=domains.j2 dest=/etc/opendkim/domains owner=root group=root mode=0644
notify:
- restart opendkim
- name: create dkim key directory
file: path="/etc/opendkim/private" state=directory owner=root group=root mode=0700
- name: generate DKIM key for {{ dkim_selector }}
command: opendkim-genkey -r -s {{ dkim_selector }} -d archlinux.org --bits=4096
args:
creates: /etc/opendkim/private/{{ dkim_selector }}.private
chdir: /etc/opendkim/private
# see README.md for instruction on how to add the key to DNS. This will fail unless the key in DNS is correct!
- name: verify key in dns
command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
tags:
- dkimverify
changed_when: false
- name: start and enable opendkim
service: name=opendkim enabled=yes state=started
{# TODO check for mailman and add lists.archlinux.org to this list #}
archlinux.org
AlwaysAddARHeader yes
Canonicalization relaxed/simple
Domain file:/etc/opendkim/domains
KeyFile /etc/opendkim/private/{{dkim_selector}}.private
Selector {{dkim_selector}}
Socket local:/var/spool/opendkim/opendkim
Syslog Yes
SyslogSuccess Yes
UMask 007
UserID opendkim:postfix
......@@ -165,8 +165,8 @@ submission_recipient_restrictions=
permit_sasl_authenticated,
reject
smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
smtpd_milters=inet:localhost:11332
non_smtpd_milters=inet:localhost:11332
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
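Review bot: The comment on the two lines right after the changed milter settings still says internal mail is passed through the filters "so they get signed by opendkim", but this commit removes opendkim and points both `smtpd_milters` and `non_smtpd_milters` at the rspamd proxy on `inet:localhost:11332`; the line should read `# Pass internal mails through filters so they get signed by rspamd`. Left as-is it sends the next reader looking for an opendkim socket that no longer exists. The hunk header reports 8 lines per side but only 6 are visible in this rendering, so a couple of context lines may be missing here.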
......@@ -30,7 +30,6 @@ submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_client_connection_count_limit=10
#-o smtpd_milters=unix:/var/spool/opendkim/opendkim
{% endif %}
#smtp inet n - n - 1 postscreen
domain {
archlinux.org {
selectors [
{
selector = "dkim-ed25519";
path = "/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key";
},
{
selector = "dkim-rsa";
path = "/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key";
}
]
}
}
check_pubkey = true;
allow_pubkey_mismatch = false;
allow_hdrfrom_mismatch = false;
allow_hdrfrom_mismatch_sign_networks = true;
allow_username_mismatch = true;
use_domain = "header";
sign_authenticated = true;
use_esld = true;
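Review bot: The signing-policy flags at the bottom of the file carry no explanation, and two of them widen who can obtain a signature: `allow_username_mismatch = true` signs mail from a SASL-authenticated user even when the login name does not match the From header, and `allow_hdrfrom_mismatch_sign_networks = true` signs mail from sign_networks regardless of header/envelope agreement. With `check_pubkey = true` and `allow_pubkey_mismatch = false`, rspamd will, as I read the module, quietly skip signing rather than fail when the selector record in DNS does not match the local key, and the removed opendkim tasks had an explicit `opendkim-testkey` verification step that this commit drops without an rspamd equivalent. A short comment above the flags stating why the two mismatch allowances are needed for archlinux.org, and that the `dkim-ed25519` and `dkim-rsa` selector records must be published before the keys are deployed, would help the next maintainer.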
......@@ -7,5 +7,31 @@
notify:
- reload rspamd
- name: create rspamd dkim directory
file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0755
- name: generate DKIM keys
command: rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub
become: yes
become_user: rspamd
args:
creates: /var/lib/rspamd/dkim/archlinux.org.dkim-{{ item.key_type }}.key
chdir: /var/lib/rspamd/dkim
loop:
- {key_type: 'ed25519', key_length: 0}
- {key_type: 'rsa', key_length: 4096}
notify:
- reload rspamd
tags:
- generate_dkim_keys
- name: install DKIM keys
copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
loop:
- archlinux.org.dkim-ed25519.key
- archlinux.org.dkim-rsa.key
notify:
- reload rspamd
- name: start and enable rspamd
service: name=rspamd enabled=yes state=started
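Review bot: The `generate DKIM keys` task uses `command:`, which does not run through a shell, so the trailing `> archlinux.org.dkim-{{ item.key_type }}.key.pub` is handed to rspamadm as plain arguments and no `.pub` file is ever written; change the module to `shell:` (the `creates:` guard still applies) or drop the redirect and capture the DNS record from the task's stdout instead. The following `install DKIM keys` task then overwrites the freshly generated private keys with the copies kept in the role's files directory (presumably vault-encrypted; worth confirming), so generation is effectively only useful under `--tags generate_dkim_keys` on a fresh host, which deserves a comment on the task. Style: `become: yes` should be `become: true`, and the `file:`/`copy:` key=value argument strings would read better as native YAML mappings.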