Use Rspamd for DKIM signing

Fix #213

playbooks/apollo.yml

@@ -30,7 +30,6 @@
     - { role: rspamd, tags: ["mail"] }
     - { role: unbound, tags: ["mail"] }
     - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
-    - { role: opendkim, dkim_selector: apollo, tags: ['mail'] }
     - { role: postfwd, tags: ['mail'] }
     - role: postgres
       postgres_listen_addresses: "*"

playbooks/mail.archlinux.org.yml

@@ -15,5 +15,4 @@
     - { role: postfwd, tags: ['mail'] }
     - { role: archusers }
     - { role: fail2ban }
-    - { role: opendkim, dkim_selector: mail, tags: ['mail'] }
     - { role: prometheus_exporters }

roles/opendkim/handlers/main.yml

----
-
-- name: restart opendkim
-  service: name=opendkim state=restarted
-

roles/opendkim/tasks/main.yml

----
-
-- name: install opendkim
-  pacman: name=opendkim state=present
-
-- name: install opendkim.conf
-  template: src=opendkim.conf.j2 dest=/etc/opendkim/opendkim.conf owner=root group=root mode=0644
-  notify:
-    - restart opendkim
-
-- name: create opendkim spool directory
-  file: path="/var/spool/opendkim/" state=directory owner=opendkim group=postfix mode=0750
-
-- name: install domains config
-  template: src=domains.j2 dest=/etc/opendkim/domains owner=root group=root mode=0644
-  notify:
-    - restart opendkim
-
-- name: create dkim key directory
-  file: path="/etc/opendkim/private" state=directory owner=root group=root mode=0700
-
-- name: generate DKIM key for {{ dkim_selector }}
-  command: opendkim-genkey -r -s {{ dkim_selector }} -d archlinux.org --bits=4096
-  args:
-    creates: /etc/opendkim/private/{{ dkim_selector }}.private
-    chdir: /etc/opendkim/private
-
-# see README.md for instruction on how to add the key to DNS. This will fail unless the key in DNS is correct!
-- name: verify key in dns
-  command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
-  tags:
-    - dkimverify
-  changed_when: false
-
-- name: start and enable opendkim
-  service: name=opendkim enabled=yes state=started
-

roles/opendkim/templates/domains.j2

-{# TODO check for mailman and add lists.archlinux.org to this list #}
-archlinux.org
-

roles/opendkim/templates/opendkim.conf.j2

-AlwaysAddARHeader       yes
-Canonicalization        relaxed/simple
-Domain                  file:/etc/opendkim/domains
-KeyFile                 /etc/opendkim/private/{{dkim_selector}}.private
-Selector                {{dkim_selector}}
-Socket                  local:/var/spool/opendkim/opendkim
-Syslog                  Yes
-SyslogSuccess           Yes
-UMask                   007
-UserID                   opendkim:postfix
-

roles/postfix/templates/main.cf.j2

@@ -165,8 +165,8 @@ submission_recipient_restrictions=
   permit_sasl_authenticated,
   reject
 
-smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
-non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
+smtpd_milters=inet:localhost:11332
+non_smtpd_milters=inet:localhost:11332
 
 # Pass internal mails through filters so they get signed by opendkim
 # XXX: Be careful not to have filters that may reject mails!

roles/postfix/templates/master.cf.j2

@@ -30,7 +30,6 @@ submission inet n       -       n       -       -       smtpd
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_recipient_restrictions=$submission_recipient_restrictions
     -o smtpd_client_connection_count_limit=10
-    #-o smtpd_milters=unix:/var/spool/opendkim/opendkim
 {% endif %}
 
 #smtp      inet  n       -       n       -       1       postscreen

roles/rspamd/files/local.d/dkim_signing.conf

+domain {
+  archlinux.org {
+    selectors [
+      {
+        selector = "dkim-ed25519";
+        path = "/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key";
+      },
+      {
+        selector = "dkim-rsa";
+        path = "/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key";
+      }
+    ]
+  }
+}
+
+check_pubkey = true;
+allow_pubkey_mismatch = false;
+allow_hdrfrom_mismatch = false;
+allow_hdrfrom_mismatch_sign_networks = true;
+allow_username_mismatch = true;
+use_domain = "header";
+sign_authenticated = true;
+use_esld = true;

roles/rspamd/tasks/main.yml

@@ -7,5 +7,31 @@
   notify:
     - reload rspamd
 
+- name: create rspamd dkim directory
+  file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0755
+
+- name: generate DKIM keys
+  command: rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub
+  become: yes
+  become_user: rspamd
+  args:
+    creates: /var/lib/rspamd/dkim/archlinux.org.dkim-{{ item.key_type }}.key
+    chdir: /var/lib/rspamd/dkim
+  loop:
+    - {key_type: 'ed25519', key_length: 0}
+    - {key_type: 'rsa', key_length: 4096}
+  notify:
+    - reload rspamd
+  tags:
+    - generate_dkim_keys
+
+- name: install DKIM keys
+  copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
+  loop:
+    - archlinux.org.dkim-ed25519.key
+    - archlinux.org.dkim-rsa.key
+  notify:
+    - reload rspamd
+
 - name: start and enable rspamd
   service: name=rspamd enabled=yes state=started