Commit
2557ba3d
authored
Nov 21, 2020
by
Kristian Klausen
🎉
Use Rspamd for DKIM signing
Fix
#213
parent
36998f35
Changes
10
playbooks/apollo.yml
@@ -30,7 +30,6 @@
-
{
role
:
rspamd
,
tags
:
[
"
mail"
]
}
-
{
role
:
unbound
,
tags
:
[
"
mail"
]
}
-
{
role
:
postfix
,
postfix_relayhost
:
"
mail.archlinux.org"
,
postfix_smtpd_public
:
true
,
postfix_patchwork_enabled
:
true
,
tags
:
[
"
mail"
]
}
-
{
role
:
opendkim
,
dkim_selector
:
apollo
,
tags
:
[
'
mail'
]
}
-
{
role
:
postfwd
,
tags
:
[
'
mail'
]
}
-
role
:
postgres
postgres_listen_addresses
:
"
*"
...
...
playbooks/mail.archlinux.org.yml
@@ -15,5 +15,4 @@
-
{
role
:
postfwd
,
tags
:
[
'
mail'
]
}
-
{
role
:
archusers
}
-
{
role
:
fail2ban
}
-
{
role
:
opendkim
,
dkim_selector
:
mail
,
tags
:
[
'
mail'
]
}
-
{
role
:
prometheus_exporters
}
roles/opendkim/handlers/main.yml
deleted
100644 → 0
---
-
name
:
restart opendkim
service
:
name=opendkim state=restarted
roles/opendkim/tasks/main.yml
deleted
100644 → 0
---
-
name
:
install opendkim
pacman
:
name=opendkim state=present
-
name
:
install opendkim.conf
template
:
src=opendkim.conf.j2 dest=/etc/opendkim/opendkim.conf owner=root group=root mode=0644
notify
:
-
restart opendkim
-
name
:
create opendkim spool directory
file
:
path="/var/spool/opendkim/" state=directory owner=opendkim group=postfix mode=0750
-
name
:
install domains config
template
:
src=domains.j2 dest=/etc/opendkim/domains owner=root group=root mode=0644
notify
:
-
restart opendkim
-
name
:
create dkim key directory
file
:
path="/etc/opendkim/private" state=directory owner=root group=root mode=0700
-
name
:
generate DKIM key for {{ dkim_selector }}
command
:
opendkim-genkey -r -s {{ dkim_selector }} -d archlinux.org --bits=4096
args
:
creates
:
/etc/opendkim/private/{{ dkim_selector }}.private
chdir
:
/etc/opendkim/private
# see README.md for instruction on how to add the key to DNS. This will fail unless the key in DNS is correct!
-
name
:
verify key in dns
command
:
opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
tags
:
-
dkimverify
changed_when
:
false
-
name
:
start and enable opendkim
service
:
name=opendkim enabled=yes state=started
roles/opendkim/templates/domains.j2
deleted
100644 → 0
{# TODO check for mailman and add lists.archlinux.org to this list #}
archlinux.org
roles/opendkim/templates/opendkim.conf.j2
deleted
100644 → 0
AlwaysAddARHeader yes
Canonicalization relaxed/simple
Domain file:/etc/opendkim/domains
KeyFile /etc/opendkim/private/{{dkim_selector}}.private
Selector {{dkim_selector}}
Socket local:/var/spool/opendkim/opendkim
Syslog Yes
SyslogSuccess Yes
UMask 007
UserID opendkim:postfix
roles/postfix/templates/main.cf.j2
@@ -165,8 +165,8 @@ submission_recipient_restrictions=
permit_sasl_authenticated,
reject
smtpd_milters=
unix:/var/spool/opendkim/opendkim
inet:localhost:11332
non_smtpd_milters=
unix:/var/spool/opendkim/opendkim
inet:localhost:11332
smtpd_milters=inet:localhost:11332
non_smtpd_milters=inet:localhost:11332
# Pass internal mails through filters so they get signed by opendkim
# XXX: Be careful not to have filters that may reject mails!
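Review bot: The context comment `# Pass internal mails through filters so they get signed by opendkim` directly below the rewritten `smtpd_milters`/`non_smtpd_milters` lines is now stale, because the only milter left is rspamd on `inet:localhost:11332`; update it to `# Pass internal mails through filters so they get signed by rspamd`. With both milter settings pointing solely at rspamd, every host rendered from this template must have the rspamd role applied — apollo.yml shows `role: rspamd`, but the mail.archlinux.org.yml hunk starts at line 15 so I cannot see whether it does — otherwise Postfix cannot reach the milter and, unless `milter_default_action` is set elsewhere in this template, will tempfail mail. Both may well be intended; worth confirming before merging.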
roles/postfix/templates/master.cf.j2
@@ -30,7 +30,6 @@ submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
-o smtpd_client_connection_count_limit=10
#-o smtpd_milters=unix:/var/spool/opendkim/opendkim
{% endif %}
#smtp inet n - n - 1 postscreen
roles/rspamd/files/local.d/dkim_signing.conf
0 → 100644
domain
{
archlinux
.
org
{
selectors
[
{
selector
=
"dkim-ed25519"
;
path
=
"/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key"
;
},
{
selector
=
"dkim-rsa"
;
path
=
"/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key"
;
}
]
}
}
check_pubkey
=
true
;
allow_pubkey_mismatch
=
false
;
allow_hdrfrom_mismatch
=
false
;
allow_hdrfrom_mismatch_sign_networks
=
true
;
allow_username_mismatch
=
true
;
use_domain
=
"header"
;
sign_authenticated
=
true
;
use_esld
=
true
;
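Review bot: The relaxed signing conditions at the end of the file — `allow_username_mismatch = true;`, `allow_hdrfrom_mismatch_sign_networks = true;` and `sign_authenticated = true;` — are not explained, and together they attach the archlinux.org signature to authenticated mail whose From: does not belong to the authenticating user, so the reason (presumably patchwork or list relaying, as hinted by `postfix_patchwork_enabled` in apollo.yml) deserves a comment above them, e.g. `# Authenticated senders may use any archlinux.org From: address (needed for <REASON-PLACEHOLDER>)`. As far as I recall, `allow_hdrfrom_mismatch_sign_networks` only affects senders listed in `sign_networks`, which this file does not define, so either it is a no-op here or it depends on a setting in another local.d file — worth confirming. Also note that with `check_pubkey = true;` and `allow_pubkey_mismatch = false;`, a selector whose DNS record is missing or stale makes rspamd silently skip signing rather than fail; the deleted opendkim role had an explicit `opendkim-testkey` task for that, and a comment or a replacement check would preserve that visibility.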
roles/rspamd/tasks/main.yml
@@ -7,5 +7,31 @@
notify
:
-
reload rspamd
-
name
:
create rspamd dkim directory
file
:
path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0755
-
name
:
generate DKIM keys
command
:
rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub
become
:
yes
become_user
:
rspamd
args
:
creates
:
/var/lib/rspamd/dkim/archlinux.org.dkim-{{ item.key_type }}.key
chdir
:
/var/lib/rspamd/dkim
loop
:
-
{
key_type
:
'
ed25519'
,
key_length
:
0
}
-
{
key_type
:
'
rsa'
,
key_length
:
4096
}
notify
:
-
reload rspamd
tags
:
-
generate_dkim_keys
-
name
:
install DKIM keys
copy
:
src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
loop
:
-
archlinux.org.dkim-ed25519.key
-
archlinux.org.dkim-rsa.key
notify
:
-
reload rspamd
-
name
:
start and enable rspamd
service
:
name=rspamd enabled=yes state=started
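Review bot: The `generate DKIM keys` task runs `rspamadm dkim_keygen ... > archlinux.org.dkim-{{ item.key_type }}.key.pub` under the `command` module, but `command` does not go through a shell, so the `>` and the file name are passed to `rspamadm` as arguments and the `.key.pub` file is never written; change `command:` to `shell:` (keeping `creates:` and `chdir:`), or drop the redirect and register the task output for the DNS record. The task is not tagged `never`, so on an ordinary run it also generates fresh keys on any host that lacks them, which the following `install DKIM keys` task then overwrites with the files from `roles/rspamd/files/` — if generation is meant to be a one-off, `tags: [never, generate_dkim_keys]` makes that explicit. The private keys committed under `roles/rspamd/files/` should be vault-encrypted; that cannot be seen from this diff. Minor: prefer `become: true` over `become: yes`, matching the `true`/`false` used elsewhere in this commit.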