author | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-12-23 22:14:27 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-12-23 22:14:27 +0100 |
commit | fa730c80e464dc136ca0d64bf50a61d1b7e24c00 (patch) | |
tree | a495557784038081819957eb3f47aa2ceba4fbac | |
parent | 459eb49e09c072c48b378fa99dd6cbe52671c240 (diff) | |
download | playbooks-ansible-fa730c80e464dc136ca0d64bf50a61d1b7e24c00.tar.gz playbooks-ansible-fa730c80e464dc136ca0d64bf50a61d1b7e24c00.tar.xz playbooks-ansible-fa730c80e464dc136ca0d64bf50a61d1b7e24c00.zip |
Add the SPF and opendkim config in mtaserver role
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | roles/mtaserver/files/KeyTable | 8 | ||||
-rw-r--r-- | roles/mtaserver/files/SigningTable | 30 | ||||
-rw-r--r-- | roles/mtaserver/files/TrustedHosts | 18 | ||||
-rw-r--r-- | roles/mtaserver/files/opendkim.conf | 133 | ||||
-rw-r--r-- | roles/mtaserver/files/policyd-spf.conf | 15 | ||||
-rw-r--r-- | roles/mtaserver/handlers/main.yml | 1 | ||||
-rw-r--r-- | roles/mtaserver/handlers/opendkim.yml | 4 | ||||
-rw-r--r-- | roles/mtaserver/tasks/config.yml | 53 | ||||
-rw-r--r-- | roles/mtaserver/tasks/pkgs.yml | 4 | ||||
-rw-r--r-- | roles/mtaserver/tasks/services.yml | 6 |
11 files changed, 273 insertions, 0 deletions
@@ -6,6 +6,7 @@ roles/torrelay/files/rendezvous
 roles/mtaserver/vars/users.yml
 roles/mtaserver/files/virtual
 roles/mtaserver/files/credentials
+roles/mtaserver/files/keys
 roles/reverseproxy/vars/email.yml
 roles/clients/files/credentials
 roles/proxy/vars/email.yml
diff --git a/roles/mtaserver/files/KeyTable b/roles/mtaserver/files/KeyTable
new file mode 100644
index 0000000..f19ba99
--- /dev/null
+++ b/roles/mtaserver/files/KeyTable
@@ -0,0 +1,8 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
+201708._domainkey.casperlefantom.net casperlefantom.net:201708:/etc/opendkim/keys/casperlefantom.private
+201708._domainkey.jaysfoodventure.com jaysfoodventure.com:201708:/etc/opendkim/keys/jaysfoodventure.private
diff --git a/roles/mtaserver/files/SigningTable b/roles/mtaserver/files/SigningTable
new file mode 100644
index 0000000..25a88a6
--- /dev/null
+++ b/roles/mtaserver/files/SigningTable
@@ -0,0 +1,30 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
+*@casperlefantom.net 201708._domainkey.casperlefantom.net
+*@jaysfoodventure.com 201708._domainkey.jaysfoodventure.com
+*@mail.casperlefantom.net 201708._domainkey.casperlefantom.net
+*@fedoraproject.org 201708._domainkey.casperlefantom.net
+*@april.org 201708._domainkey.casperlefantom.net
diff --git a/roles/mtaserver/files/TrustedHosts b/roles/mtaserver/files/TrustedHosts
new file mode 100644
index 0000000..7867467
--- /dev/null
+++ b/roles/mtaserver/files/TrustedHosts
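Review bot: The last two SigningTable entries sign `*@fedoraproject.org` and `*@april.org` with the casperlefantom.net key, so those messages leave with a DKIM d= that does not match their From: domain. That is valid DKIM, but it provides no DMARC alignment for fedoraproject.org or april.org: if either domain publishes a DMARC policy, delivery of that mail depends on SPF alignment, which this host very likely cannot provide for domains it is not an authorised sender for, and any abuse of those addresses is attributed to casperlefantom.net's reputation. Worth a comment above those two lines so the trade-off is explicit, e.g. `# Third-party signatures: d=casperlefantom.net, so these do not satisfy DMARC alignment for the From: domain.`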
@@ -0,0 +1,18 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
+localhost
+localhost.localdomain
+192.168.122.124
+192.168.0.25
+2a01:e35:2f76:7750::4
+manchester
+manchester.casperlefantom.net
+mail.casperlefantom.net
+casperlefantom.net
diff --git a/roles/mtaserver/files/opendkim.conf b/roles/mtaserver/files/opendkim.conf
new file mode 100644
index 0000000..d1efa8f
--- /dev/null
+++ b/roles/mtaserver/files/opendkim.conf
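Review bot: The header comment still carries the sample's instruction to "uncomment the #ExternalIgnoreList and/or the #InternalHosts option", while the opendkim.conf added in this same commit already points both directives at this file, so a reader cannot tell from the file itself that every host listed here gets its outgoing mail signed and is exempted from verification. Replacing the stale instruction with the actual contract would help, e.g. `# Used by both InternalHosts and ExternalIgnoreList in /etc/opendkim.conf:` followed by `# mail from these hosts is signed and never verified, so add entries with care.` The bare `manchester` entry next to its FQDN also deserves a one-line comment saying which name the MTA presents, since an unqualified name only matches if the client name arrives unqualified.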
@@ -0,0 +1,133 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## Specifies the path to the process ID file.
+PidFile /var/run/opendkim/opendkim.pid
+
+## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+## messages.
+Mode sv
+
+## Log activity to the system log.
+Syslog yes
+
+## Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess yes
+
+## If logging is enabled, include detailed logging about why or why not a message was
+## signed or verified. This causes an increase in the amount of log data generated
+## for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy yes
+
+## Attempt to become the specified user before starting operations.
+UserID opendkim:opendkim
+
+## Create a socket through which your MTA can communicate.
+Socket inet:8891@localhost
+
+## Required to use local socket with MTAs that access the socket as a non-
+## privileged user (e.g. Postfix)
+Umask 002
+
+## This specifies a text file in which to store DKIM transaction statistics.
+## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics /var/spool/opendkim/stats.dat
+
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+SendReports yes
+
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used (executing_user@hostname).
+# ReportAddress "Example.com Postmaster" <postmaster@example.com>
+
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+SoftwareHeader yes
+
+## SIGNING OPTIONS
+
+## Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization relaxed/relaxed
+
+## Domain(s) whose mail should be signed by this filter. Mail from other domains will
+## be verified rather than being signed. Uncomment and use your domain name.
+## This parameter is not required if a SigningTable is in use.
+# Domain example.com
+
+## Defines the name of the selector to be used when signing messages.
+Selector default
+
+## Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits 1024
+
+## Gives the location of a private key to be used for signing ALL messages. This
+## directive is ignored if KeyTable is enabled.
+#KeyFile /etc/opendkim/keys/default.private
+
+## Gives the location of a file mapping key names to signing keys. In simple terms,
+## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+## directive in the configuration file. Requires SigningTable be enabled.
+KeyTable /etc/opendkim/KeyTable
+
+## Defines a table used to select one or more signatures to apply to a message based
+## on the address found in the From: header field. In simple terms, this tells
+## OpenDKIM how to use your keys. Requires KeyTable be enabled.
+SigningTable refile:/etc/opendkim/SigningTable
+
+## Identifies a set of "external" hosts that may send mail through the server as one
+## of the signing domains without credentials as such.
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+
+## Identifies a set "internal" hosts whose mail should be signed rather than verified.
+InternalHosts refile:/etc/opendkim/TrustedHosts
+
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+# PeerList X.X.X.X
+
+## Always oversign From (sign using actual From and a null From to prevent
+## malicious signatures header fields (From and/or others) between the signer
+## and the verifier. From is oversigned by default in the Fedora package
+## because it is often the identity key used by reputation systems and thus
+## somewhat security sensitive.
+OversignHeaders From
+
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local.
+# QueryCache yes
diff --git a/roles/mtaserver/files/policyd-spf.conf b/roles/mtaserver/files/policyd-spf.conf
new file mode 100644
index 0000000..3e2a410
--- /dev/null
+++ b/roles/mtaserver/files/policyd-spf.conf
@@ -0,0 +1,15 @@
+# For a fully commented sample config file see policyd-spf.conf.commented
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+# bastion01 et bastion02 (helo=bastion.fedoraproject.org)
+Whitelist = 209.132.181.2,209.132.181.3
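Review bot: `Umask 002` and the comment above it describe a local (UNIX) socket, but the `Socket` line just before it configures `inet:8891@localhost`, so the umask has no bearing on the socket and the comment misleads the next maintainer; either drop the directive or reword the comment to say it is kept for a future `local:` socket. The flip side of the inet socket is that any process on the host, not only Postfix, can reach the milter on loopback, which is acceptable on a single-purpose server but deserves a sentence in the `Socket` comment. `Selector default` also appears to be a leftover: with `KeyFile` commented out and `KeyTable` active, the selector comes from the KeyTable entries (`201708`), so a reader may wonder which one wins; a short comment or removing the line would settle it.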
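Review bot: `TestOnly = 1` keeps pypolicyd-spf in test mode, where results are logged but no reject or defer is ever returned to Postfix, so `HELO_reject = Softfail`, `Mail_From_reject = Softfail`, `PermError_reject` and `TempError_Defer` have no effect on delivery as committed. If that is a deliberate burn-in period, say so next to the line (`# TestOnly = 1: log only; switch to 0 once SPF logs have been reviewed`), otherwise set `TestOnly = 0`. Be aware that once enforcement is on, rejecting at `Softfail` for both HELO and Mail_From is stricter than the usual `Fail` level and will bounce mail from every domain that publishes `~all`; that choice should be documented too.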
diff --git a/roles/mtaserver/handlers/main.yml b/roles/mtaserver/handlers/main.yml index 0b600d1..f5ec784 100644 --- a/roles/mtaserver/handlers/main.yml +++ b/roles/mtaserver/handlers/main.yml @@ -1,2 +1,3 @@ - import_tasks: postfix.yml - import_tasks: systemd.yml +- import_tasks: opendkim.yml diff --git a/roles/mtaserver/handlers/opendkim.yml b/roles/mtaserver/handlers/opendkim.yml new file mode 100644 index 0000000..ac98427 --- /dev/null +++ b/roles/mtaserver/handlers/opendkim.yml @@ -0,0 +1,4 @@ +- name: restart opendkim + service: + name: opendkim + state: restarted diff --git a/roles/mtaserver/tasks/config.yml b/roles/mtaserver/tasks/config.yml index ecdfe80..17dc9e3 100644 --- a/roles/mtaserver/tasks/config.yml +++ b/roles/mtaserver/tasks/config.yml @@ -81,3 +81,56 @@ with_items: - "{{ userlist }}" when: mtadomain is defined + +- name: Configuration du SPF + copy: + src: policyd-spf.conf + dest: /etc/python-policyd-spf/policyd-spf.conf + mode: 0644 + when: mtadomain is defined + +- name: Configuration de OpenDKIM + copy: + src: opendkim.conf + dest: /etc/opendkim.conf + mode: 0644 + when: mtadomain is defined + notify: restart opendkim + +- name: Configuration des règles de signature + copy: + src: "{{ item }}" + dest: /etc/opendkim + owner: opendkim + group: opendkim + mode: 0640 + with_items: + - KeyTable + - SigningTable + - TrustedHosts + when: mtadomain is defined + notify: restart opendkim + +- name: Création du répertoire des clés + file: + path: /etc/opendkim/keys + state: directory + owner: opendkim + group: opendkim + mode: 0750 + when: mtadomain is defined + +- name: Installation des clés OpenDKIM + copy: + src: "keys/{{ item }}" + dest: "/etc/opendkim/keys/{{ item }}" + owner: opendkim + group: opendkim + mode: 0440 + with_items: + - casperlefantom.private + - casperlefantom.txt + - jaysfoodventure.private + - jaysfoodventure.txt + when: mtadomain is defined + notify: restart opendkim 
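Review bot: Nothing in this hunk, or elsewhere in the commit, connects the two new daemons to Postfix: opendkim is configured to listen on `inet:8891@localhost` and policyd-spf is a policy server, so unless the role's existing main.cf/master.cf (outside this diff) already carry `smtpd_milters`/`non_smtpd_milters` and a `check_policy_service` restriction, both will be installed and running but never consulted. A comment on the "Configuration du SPF" task stating where the Postfix side is wired up would make that dependency visible. The "Installation des clés OpenDKIM" task copies from `keys/`, the directory this commit adds to .gitignore, so a fresh checkout fails at that task until the private keys are provisioned out of band; worth a comment such as `# keys/ is git-ignored: private keys must be provisioned out of band before running this role`. As a style point, the file modes are unquoted octals (`mode: 0644`, `0640`, `0750`, `0440`); Ansible accepts the leading-zero form, but `mode: "0644"` avoids the YAML octal ambiguity the linter flags.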
diff --git a/roles/mtaserver/tasks/pkgs.yml b/roles/mtaserver/tasks/pkgs.yml index 31094a8..52972a5 100644 --- a/roles/mtaserver/tasks/pkgs.yml +++ b/roles/mtaserver/tasks/pkgs.yml @@ -4,6 +4,8 @@ - postfix - cyrus-sasl - cyrus-sasl-plain + - pypolicyd-spf + - opendkim when: ansible_pkg_mgr == "yum" - name: Installation des paquets @@ -12,5 +14,7 @@ - postfix - cyrus-sasl - cyrus-sasl-plain + - pypolicyd-spf + - opendkim when: ansible_pkg_mgr == "dnf" diff --git a/roles/mtaserver/tasks/services.yml b/roles/mtaserver/tasks/services.yml index 7aca6dc..6150ba7 100644 --- a/roles/mtaserver/tasks/services.yml +++ b/roles/mtaserver/tasks/services.yml @@ -3,3 +3,9 @@ name: postfix state: started enabled: yes + +- name: Activation et démarrage de OpenDKIM + service: + name: opendkim + state: started + enabled: yes |