From 2557ba3d732e4f7e57571d2ed5fe7a1937cb0517 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Sat, 21 Nov 2020 22:35:41 +0100
Subject: [PATCH] Use Rspamd for DKIM signing

Fix #213
---
 playbooks/apollo.yml | 1 -
 playbooks/mail.archlinux.org.yml | 1 -
 roles/opendkim/handlers/main.yml | 5 ---
 roles/opendkim/tasks/main.yml | 37 --------------------
 roles/opendkim/templates/domains.j2 | 3 --
 roles/opendkim/templates/opendkim.conf.j2 | 11 ------
 roles/postfix/templates/main.cf.j2 | 4 +--
 roles/postfix/templates/master.cf.j2 | 1 -
 roles/rspamd/files/local.d/dkim_signing.conf | 23 ++++++++++++
 roles/rspamd/tasks/main.yml | 26 ++++++++++++++
 10 files changed, 51 insertions(+), 61 deletions(-)
 delete mode 100644 roles/opendkim/handlers/main.yml
 delete mode 100644 roles/opendkim/tasks/main.yml
 delete mode 100644 roles/opendkim/templates/domains.j2
 delete mode 100644 roles/opendkim/templates/opendkim.conf.j2
 create mode 100644 roles/rspamd/files/local.d/dkim_signing.conf
diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index e9570039..27ce06f9 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -30,7 +30,6 @@
 - { role: rspamd, tags: ["mail"] }
 - { role: unbound, tags: ["mail"] }
 - { role: postfix, postfix_relayhost: "mail.archlinux.org", postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail"] }
- - { role: opendkim, dkim_selector: apollo, tags: ['mail'] }
 - { role: postfwd, tags: ['mail'] }
 - role: postgres
 postgres_listen_addresses: "*"
diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index e7a91e4d..f06f7ab0 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -15,5 +15,4 @@
 - { role: postfwd, tags: ['mail'] }
 - { role: archusers }
 - { role: fail2ban }
- - { role: opendkim, dkim_selector: mail, tags: ['mail'] }
 - { role: prometheus_exporters }
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml
deleted file mode 100644
index b492603c..00000000
--- a/roles/opendkim/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-- name: restart opendkim
- service: name=opendkim state=restarted
-
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
deleted file mode 100644
index 895a8afd..00000000
--- a/roles/opendkim/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-
-- name: install opendkim
- pacman: name=opendkim state=present
-
-- name: install opendkim.conf
- template: src=opendkim.conf.j2 dest=/etc/opendkim/opendkim.conf owner=root group=root mode=0644
- notify:
- - restart opendkim
-
-- name: create opendkim spool directory
- file: path="/var/spool/opendkim/" state=directory owner=opendkim group=postfix mode=0750
-
-- name: install domains config
- template: src=domains.j2 dest=/etc/opendkim/domains owner=root group=root mode=0644
- notify:
- - restart opendkim
-
-- name: create dkim key directory
- file: path="/etc/opendkim/private" state=directory owner=root group=root mode=0700
-
-- name: generate DKIM key for {{ dkim_selector }}
- command: opendkim-genkey -r -s {{ dkim_selector }} -d archlinux.org --bits=4096
- args:
- creates: /etc/opendkim/private/{{ dkim_selector }}.private
- chdir: /etc/opendkim/private
-
-# see README.md for instruction on how to add the key to DNS. This will fail unless the key in DNS is correct!
-- name: verify key in dns
- command: opendkim-testkey -d archlinux.org -s {{ dkim_selector }} -k /etc/opendkim/private/{{ dkim_selector }}.private -vvv
- tags:
- - dkimverify
- changed_when: false
-
-- name: start and enable opendkim
- service: name=opendkim enabled=yes state=started
-
diff --git a/roles/opendkim/templates/domains.j2 b/roles/opendkim/templates/domains.j2
deleted file mode 100644
index 72ce5b29..00000000
--- a/roles/opendkim/templates/domains.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{# TODO check for mailman and add lists.archlinux.org to this list #}
-archlinux.org
-
diff --git a/roles/opendkim/templates/opendkim.conf.j2 b/roles/opendkim/templates/opendkim.conf.j2
deleted file mode 100644
index 2b45d59f..00000000
--- a/roles/opendkim/templates/opendkim.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-AlwaysAddARHeader yes
-Canonicalization relaxed/simple
-Domain file:/etc/opendkim/domains
-KeyFile /etc/opendkim/private/{{dkim_selector}}.private
-Selector {{dkim_selector}}
-Socket local:/var/spool/opendkim/opendkim
-Syslog Yes
-SyslogSuccess Yes
-UMask 007
-UserID opendkim:postfix
-
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 898e3c84..d2309f18 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -165,8 +165,8 @@ submission_recipient_restrictions=
 permit_sasl_authenticated,
 reject
-smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
-non_smtpd_milters=unix:/var/spool/opendkim/opendkim inet:localhost:11332
+smtpd_milters=inet:localhost:11332
+non_smtpd_milters=inet:localhost:11332
 # Pass internal mails through filters so they get signed by opendkim
 # XXX: Be careful not to have filters that may reject mails!
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
index 25afbade..5b64a2a5 100644
--- a/roles/postfix/templates/master.cf.j2
+++ b/roles/postfix/templates/master.cf.j2
@@ -30,7 +30,6 @@ submission inet n - n - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_recipient_restrictions=$submission_recipient_restrictions
 -o smtpd_client_connection_count_limit=10
- #-o smtpd_milters=unix:/var/spool/opendkim/opendkim
 {% endif %}
 #smtp inet n - n - 1 postscreen
diff --git a/roles/rspamd/files/local.d/dkim_signing.conf b/roles/rspamd/files/local.d/dkim_signing.conf
new file mode 100644
index 00000000..e5c76489
--- /dev/null
+++ b/roles/rspamd/files/local.d/dkim_signing.conf
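Review bot: The context comment `# Pass internal mails through filters so they get signed by opendkim`, two lines after the changed `non_smtpd_milters=` line in main.cf.j2, is now stale: both milter lists point only at the rspamd proxy on `inet:localhost:11332`, so opendkim no longer signs anything. Update it to `# Pass internal mails through filters so they get signed by rspamd (DKIM)` so the next reader does not go looking for an opendkim socket. The `non_smtpd_milters` setting is what makes locally submitted mail (pickup/sendmail) reach rspamd at all, so the comment is worth keeping accurate rather than deleting. The master.cf.j2 hunk only drops a commented-out line and needs nothing.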
@@ -0,0 +1,23 @@
+domain {
+ archlinux.org {
+ selectors [
+ {
+ selector = "dkim-ed25519";
+ path = "/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key";
+ },
+ {
+ selector = "dkim-rsa";
+ path = "/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key";
+ }
+ ]
+ }
+}
+
+check_pubkey = true;
+allow_pubkey_mismatch = false;
+allow_hdrfrom_mismatch = false;
+allow_hdrfrom_mismatch_sign_networks = true;
+allow_username_mismatch = true;
+use_domain = "header";
+sign_authenticated = true;
+use_esld = true;
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
index 21066628..41c2a4ea 100644
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
@@ -7,5 +7,31 @@
 notify:
 - reload rspamd
+- name: create rspamd dkim directory
+ file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0755
+
+- name: generate DKIM keys
+ command: rspamadm dkim_keygen -s dkim-{{ item.key_type }} -b {{ item.key_length }} -d archlinux.org -t {{ item.key_type }} -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub
+ become: yes
+ become_user: rspamd
+ args:
+ creates: /var/lib/rspamd/dkim/archlinux.org.dkim-{{ item.key_type }}.key
+ chdir: /var/lib/rspamd/dkim
+ loop:
+ - {key_type: 'ed25519', key_length: 0}
+ - {key_type: 'rsa', key_length: 4096}
+ notify:
+ - reload rspamd
+ tags:
+ - generate_dkim_keys
+
+- name: install DKIM keys
+ copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
+ loop:
+ - archlinux.org.dkim-ed25519.key
+ - archlinux.org.dkim-rsa.key
+ notify:
+ - reload rspamd
+
 - name: start and enable rspamd
 service: name=rspamd enabled=yes state=started
--
GitLab
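Review bot: The new dkim_signing.conf carries no comment linking the two selectors to the DNS records they depend on, and with `check_pubkey = true` and `allow_pubkey_mismatch = false` rspamd does not sign when the `dkim-ed25519._domainkey` / `dkim-rsa._domainkey` records are missing or differ from the installed keys, so the hard failure of the removed opendkim-testkey task is replaced by a silent "outbound mail leaves unsigned" state. Add a header comment such as `# Both selectors must be published in DNS; rspamd skips signing (no error) when the published key does not match the key file (check_pubkey/allow_pubkey_mismatch).` and consider keeping a verification step or alerting on rspamd's DKIM signing counters. `allow_hdrfrom_mismatch_sign_networks = true` only has an effect if `sign_networks` is defined in another local.d file, which this patch does not show; if it is not, the line is dead and should say so. `allow_username_mismatch = true` lets any authenticated sender have archlinux.org mail signed regardless of their SASL username, with `allow_hdrfrom_mismatch = false` still requiring a matching From header; a one-line comment stating that trade-off would make the intent reviewable later.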
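Review bot: The `generate DKIM keys` task runs `rspamadm dkim_keygen ... -k archlinux.org.dkim-{{ item.key_type }}.key > archlinux.org.dkim-{{ item.key_type }}.key.pub` under `command:`, which does not go through a shell, so `>` and the `.pub` file name are passed to rspamadm as literal arguments and the public-key/DNS record it prints to stdout is never written to the `.pub` file. Change the module line to `shell: rspamadm dkim_keygen ... > archlinux.org.dkim-{{ item.key_type }}.key.pub` (the `args: chdir/creates` block works unchanged), or drop the redirection and capture stdout with `register:` if the record is only needed when bootstrapping. Since `install DKIM keys` then overwrites the generated files from the role's `files/` directory with mode 0600, the generated key is only a bootstrap artifact and the signing private keys live in the repository; if those files are not already vault-encrypted they should be. Minor style: `become: yes` would be `become: true` under yamllint's truthy rule, in line with the `enabled=yes` legacy syntax the rest of the file still uses.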