authorMatthieu Saulnier <fantom@fedoraproject.org>2018-12-23 22:14:27 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-12-23 22:14:27 +0100
commitfa730c80e464dc136ca0d64bf50a61d1b7e24c00 (patch)
treea495557784038081819957eb3f47aa2ceba4fbac
parent459eb49e09c072c48b378fa99dd6cbe52671c240 (diff)
Add the SPF and opendkim config in mtaserver role
-rw-r--r--.gitignore1
-rw-r--r--roles/mtaserver/files/KeyTable8
-rw-r--r--roles/mtaserver/files/SigningTable30
-rw-r--r--roles/mtaserver/files/TrustedHosts18
-rw-r--r--roles/mtaserver/files/opendkim.conf133
-rw-r--r--roles/mtaserver/files/policyd-spf.conf15
-rw-r--r--roles/mtaserver/handlers/main.yml1
-rw-r--r--roles/mtaserver/handlers/opendkim.yml4
-rw-r--r--roles/mtaserver/tasks/config.yml53
-rw-r--r--roles/mtaserver/tasks/pkgs.yml4
-rw-r--r--roles/mtaserver/tasks/services.yml6
11 files changed, 273 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 6c8c0d6..ff7a031 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ roles/torrelay/files/rendezvous
roles/mtaserver/vars/users.yml
roles/mtaserver/files/virtual
roles/mtaserver/files/credentials
+roles/mtaserver/files/keys
roles/reverseproxy/vars/email.yml
roles/clients/files/credentials
roles/proxy/vars/email.yml
diff --git a/roles/mtaserver/files/KeyTable b/roles/mtaserver/files/KeyTable
new file mode 100644
index 0000000..f19ba99
--- /dev/null
+++ b/roles/mtaserver/files/KeyTable
@@ -0,0 +1,8 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
+201708._domainkey.casperlefantom.net casperlefantom.net:201708:/etc/opendkim/keys/casperlefantom.private
+201708._domainkey.jaysfoodventure.com jaysfoodventure.com:201708:/etc/opendkim/keys/jaysfoodventure.private
diff --git a/roles/mtaserver/files/SigningTable b/roles/mtaserver/files/SigningTable
new file mode 100644
index 0000000..25a88a6
--- /dev/null
+++ b/roles/mtaserver/files/SigningTable
@@ -0,0 +1,30 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
+*@casperlefantom.net 201708._domainkey.casperlefantom.net
+*@jaysfoodventure.com 201708._domainkey.jaysfoodventure.com
+*@mail.casperlefantom.net 201708._domainkey.casperlefantom.net
+*@fedoraproject.org 201708._domainkey.casperlefantom.net
+*@april.org 201708._domainkey.casperlefantom.net
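Review bot: The last two entries, `*@fedoraproject.org` and `*@april.org`, sign From: addresses in domains this server does not own with the casperlefantom.net key, so the resulting signature has `d=casperlefantom.net` and is not aligned with the From: domain; that is a third-party signature that gives those messages no DMARC pass on their own domain and could surprise an operator reading the table later. If it is deliberate (presumably this host relays personal mail sent under those addresses), state it in the file, e.g. `# third-party signatures: d=casperlefantom.net does not align with these From: domains`. The wildcard entries depend on `refile:` being used for SigningTable, which the opendkim.conf in this commit does set, so that part is consistent.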
diff --git a/roles/mtaserver/files/TrustedHosts b/roles/mtaserver/files/TrustedHosts
new file mode 100644
index 0000000..7867467
--- /dev/null
+++ b/roles/mtaserver/files/TrustedHosts
@@ -0,0 +1,18 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
+localhost
+localhost.localdomain
+192.168.122.124
+192.168.0.25
+2a01:e35:2f76:7750::4
+manchester
+manchester.casperlefantom.net
+mail.casperlefantom.net
+casperlefantom.net
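Review bot: This one file backs both `InternalHosts` and `ExternalIgnoreList` in the opendkim.conf of this commit, so every address added here (`192.168.122.124`, `192.168.0.25`, `2a01:e35:2f76:7750::4`) gets its outbound mail signed with the domain keys without any SMTP authentication, yet none of the new entries says which machine it is. Each trust-list entry should carry a comment naming the host and why it needs signing, in the style of the `manchester` lines, e.g. `# <host-name> — TODO: describe role`, so that a stale entry can be recognised and removed when that host is retired. Listing the bare domain `casperlefantom.net` as a trusted host is also worth a one-line comment explaining what it is expected to match, since the file's own header describes entries as IPs, hostnames or CIDR ranges.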
diff --git a/roles/mtaserver/files/opendkim.conf b/roles/mtaserver/files/opendkim.conf
new file mode 100644
index 0000000..d1efa8f
--- /dev/null
+++ b/roles/mtaserver/files/opendkim.conf
@@ -0,0 +1,133 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## Specifies the path to the process ID file.
+PidFile /var/run/opendkim/opendkim.pid
+
+## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+## messages.
+Mode sv
+
+## Log activity to the system log.
+Syslog yes
+
+## Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess yes
+
+## If logging is enabled, include detailed logging about why or why not a message was
+## signed or verified. This causes an increase in the amount of log data generated
+## for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy yes
+
+## Attempt to become the specified user before starting operations.
+UserID opendkim:opendkim
+
+## Create a socket through which your MTA can communicate.
+Socket inet:8891@localhost
+
+## Required to use local socket with MTAs that access the socket as a non-
+## privileged user (e.g. Postfix)
+Umask 002
+
+## This specifies a text file in which to store DKIM transaction statistics.
+## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics /var/spool/opendkim/stats.dat
+
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+SendReports yes
+
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used (executing_user@hostname).
+# ReportAddress "Example.com Postmaster" <postmaster@example.com>
+
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+SoftwareHeader yes
+
+## SIGNING OPTIONS
+
+## Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization relaxed/relaxed
+
+## Domain(s) whose mail should be signed by this filter. Mail from other domains will
+## be verified rather than being signed. Uncomment and use your domain name.
+## This parameter is not required if a SigningTable is in use.
+# Domain example.com
+
+## Defines the name of the selector to be used when signing messages.
+Selector default
+
+## Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits 1024
+
+## Gives the location of a private key to be used for signing ALL messages. This
+## directive is ignored if KeyTable is enabled.
+#KeyFile /etc/opendkim/keys/default.private
+
+## Gives the location of a file mapping key names to signing keys. In simple terms,
+## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+## directive in the configuration file. Requires SigningTable be enabled.
+KeyTable /etc/opendkim/KeyTable
+
+## Defines a table used to select one or more signatures to apply to a message based
+## on the address found in the From: header field. In simple terms, this tells
+## OpenDKIM how to use your keys. Requires KeyTable be enabled.
+SigningTable refile:/etc/opendkim/SigningTable
+
+## Identifies a set of "external" hosts that may send mail through the server as one
+## of the signing domains without credentials as such.
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+
+## Identifies a set "internal" hosts whose mail should be signed rather than verified.
+InternalHosts refile:/etc/opendkim/TrustedHosts
+
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+# PeerList X.X.X.X
+
+## Always oversign From (sign using actual From and a null From to prevent
+## malicious signatures header fields (From and/or others) between the signer
+## and the verifier. From is oversigned by default in the Fedora package
+## because it is often the identity key used by reputation systems and thus
+## somewhat security sensitive.
+OversignHeaders From
+
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local.
+# QueryCache yes
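Review bot: `Selector default` is dead configuration in this file: the commit enables `KeyTable /etc/opendkim/KeyTable` and `SigningTable refile:/etc/opendkim/SigningTable`, and the KeyTable in this same commit names the selector `201708` for both domains, so the `Selector`/`Domain`/`KeyFile` path is never consulted. Comment it out and say why, e.g. `# Selector default  -- unused: selectors come from the KeyTable (201708)`, so nobody later "fixes" the selector here and wonders why DNS lookups still use 201708. `MinimumKeyBits 1024` is the RFC 8301 floor for verification; the sizes of the private keys under `keys/` are not visible in this commit, so a comment recording the actual key length of the deployed keys would help a future rotation to 2048-bit keys.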
diff --git a/roles/mtaserver/files/policyd-spf.conf b/roles/mtaserver/files/policyd-spf.conf
new file mode 100644
index 0000000..3e2a410
--- /dev/null
+++ b/roles/mtaserver/files/policyd-spf.conf
@@ -0,0 +1,15 @@
+# For a fully commented sample config file see policyd-spf.conf.commented
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+# bastion01 et bastion02 (helo=bastion.fedoraproject.org)
+Whitelist = 209.132.181.2,209.132.181.3
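Review bot: `TestOnly = 1` puts pypolicyd-spf in test mode, where (as I read that option) it logs and adds headers but never returns a reject/defer action, so `HELO_reject = Softfail` and `Mail_From_reject = Softfail` have no enforcement effect as committed; if that is an intentional observe-first rollout, record it, e.g. `# TestOnly = 1: observe only, no rejections until results are reviewed`, and track flipping it to 0. When enforcement is enabled, note that rejecting on Softfail is stricter than the packaged default (which, as I recall, rejects only on Fail) and will bounce mail from domains publishing `~all`; a comment stating that this strictness is deliberate would make the intent reviewable. The two whitelisted addresses are described only as "bastion01 et bastion02"; adding the date or source of that list would help when the upstream relay addresses change.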
diff --git a/roles/mtaserver/handlers/main.yml b/roles/mtaserver/handlers/main.yml
index 0b600d1..f5ec784 100644
--- a/roles/mtaserver/handlers/main.yml
+++ b/roles/mtaserver/handlers/main.yml
@@ -1,2 +1,3 @@
- import_tasks: postfix.yml
- import_tasks: systemd.yml
+- import_tasks: opendkim.yml
diff --git a/roles/mtaserver/handlers/opendkim.yml b/roles/mtaserver/handlers/opendkim.yml
new file mode 100644
index 0000000..ac98427
--- /dev/null
+++ b/roles/mtaserver/handlers/opendkim.yml
@@ -0,0 +1,4 @@
+- name: restart opendkim
+ service:
+ name: opendkim
+ state: restarted
diff --git a/roles/mtaserver/tasks/config.yml b/roles/mtaserver/tasks/config.yml
index ecdfe80..17dc9e3 100644
--- a/roles/mtaserver/tasks/config.yml
+++ b/roles/mtaserver/tasks/config.yml
@@ -81,3 +81,56 @@
with_items:
- "{{ userlist }}"
when: mtadomain is defined
+
+- name: Configuration du SPF
+ copy:
+ src: policyd-spf.conf
+ dest: /etc/python-policyd-spf/policyd-spf.conf
+ mode: 0644
+ when: mtadomain is defined
+
+- name: Configuration de OpenDKIM
+ copy:
+ src: opendkim.conf
+ dest: /etc/opendkim.conf
+ mode: 0644
+ when: mtadomain is defined
+ notify: restart opendkim
+
+- name: Configuration des règles de signature
+ copy:
+ src: "{{ item }}"
+ dest: /etc/opendkim
+ owner: opendkim
+ group: opendkim
+ mode: 0640
+ with_items:
+ - KeyTable
+ - SigningTable
+ - TrustedHosts
+ when: mtadomain is defined
+ notify: restart opendkim
+
+- name: Création du répertoire des clés
+ file:
+ path: /etc/opendkim/keys
+ state: directory
+ owner: opendkim
+ group: opendkim
+ mode: 0750
+ when: mtadomain is defined
+
+- name: Installation des clés OpenDKIM
+ copy:
+ src: "keys/{{ item }}"
+ dest: "/etc/opendkim/keys/{{ item }}"
+ owner: opendkim
+ group: opendkim
+ mode: 0440
+ with_items:
+ - casperlefantom.private
+ - casperlefantom.txt
+ - jaysfoodventure.private
+ - jaysfoodventure.txt
+ when: mtadomain is defined
+ notify: restart opendkim
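Review bot: The task "Installation des clés OpenDKIM" copies private key material (`*.private`) with the plain `copy` module and no `no_log`, so a run with `--diff` or high verbosity can print the key bytes into the Ansible output and any log collector behind it; add `no_log: true` to that task. The keys also live unencrypted under `roles/mtaserver/files/keys` on the control node (only gitignored by this commit), so wrapping them with ansible-vault, or at least documenting where the authoritative copy is kept, is the next step. The octal modes `0644`, `0640`, `0750`, `0440` are unquoted; Ansible accepts the leading-zero form, but yamllint flags it and the documented safe spelling is the quoted string, e.g. `mode: '0440'`. The hunk's leading context lines (`with_items:` … `when: mtadomain is defined`) belong to a task that starts outside the hunk.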
diff --git a/roles/mtaserver/tasks/pkgs.yml b/roles/mtaserver/tasks/pkgs.yml
index 31094a8..52972a5 100644
--- a/roles/mtaserver/tasks/pkgs.yml
+++ b/roles/mtaserver/tasks/pkgs.yml
@@ -4,6 +4,8 @@
- postfix
- cyrus-sasl
- cyrus-sasl-plain
+ - pypolicyd-spf
+ - opendkim
when: ansible_pkg_mgr == "yum"
- name: Installation des paquets
@@ -12,5 +14,7 @@
- postfix
- cyrus-sasl
- cyrus-sasl-plain
+ - pypolicyd-spf
+ - opendkim
when: ansible_pkg_mgr == "dnf"
diff --git a/roles/mtaserver/tasks/services.yml b/roles/mtaserver/tasks/services.yml
index 7aca6dc..6150ba7 100644
--- a/roles/mtaserver/tasks/services.yml
+++ b/roles/mtaserver/tasks/services.yml
@@ -3,3 +3,9 @@
name: postfix
state: started
enabled: yes
+
+- name: Activation et démarrage de OpenDKIM
+ service:
+ name: opendkim
+ state: started
+ enabled: yes
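Review bot: The new "Activation et démarrage de OpenDKIM" task has no `when: mtadomain is defined`, while every OpenDKIM configuration task in this commit's config.yml is gated on that variable, so on a host without `mtadomain` the service is enabled and started with the package default configuration rather than the deployed one; either add the same `when:` here or state in a comment that running the packaged default is acceptable on such hosts. `enabled: yes` follows the existing `postfix` task's style, though `true` is the canonical YAML boolean. The postfix task this hunk's context lines belong to starts outside the hunk, so I cannot see whether it is gated on `mtadomain` either.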