Enable DKIM for messages submitted from localhost for openrailwaymap.org

Author: Nakaner

ansible/roles/mail/tasks/files/opendkim.conf

@@ -0,0 +1,35 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog                  yes
+LogResults              yes
+LogWhy                  yes
+SyslogSuccess           yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask                   007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization        relaxed/relaxed #simple
+Mode                    s
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders         From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains            example.com
+
+KeyTable            /etc/opendkim/keytable
+SigningTable        refile:/etc/opendkim/signingtable
+
+Socket      local:/var/spool/postfix/opendkim/opendkim.sock
+PidFile     /var/run/opendkim/opendkim.pid
+UserID      opendkim

ansible/roles/mail/tasks/main.yml

@@ -122,6 +122,103 @@
         - systemctl restart amavis
         - systemctl restart amavisd-milter
 
+    - name: Install OpenDKIM
+      block:
+        - name: Install OpenDKIM from APT
+          apt:
+            name: [opendkim, opendkim-tools]
+
+        - name: Write /etc/opendkim.conf
+          copy:
+            src: opendkim.conf
+            dest: /etc/opendkim.conf
+            owner: root
+            group: root
+            mode: 0644
+          notify:
+            - systemctl restart opendkim
+
+        - name: Ensure correct permissions on /etc/opendkim
+          file:
+            state: directory
+            path: /etc/opendkim
+            owner: root
+            group: root
+            mode: 0755
+
+        - name: Ensure correct permissions on /etc/opendkim/keys
+          file:
+            state: directory
+            path: /etc/opendkim/keys
+            owner: root
+            group: opendkim
+            mode: 0750
+          notify:
+            - systemctl restart opendkim
+
+        - name: Create OpenDKIM key
+          shell:
+            chdir: /etc/opendkim
+            cmd: 'opendkim-genkey --selector=2020 --bits=2048 --directory=keys'
+            creates: /etc/opendkim/keys/2020.private
+          register: opendkim_key_creation
+
+        - name: Make OpenDKIM key readable for user opendkim
+          when: opendkim_key_creation.changed
+          file:
+            path: '/etc/opendkim/{{ item }}'
+            owner: opendkim
+            group: root
+            mode: 0600
+          loop:
+            - '2020.private'
+            - '2020.txt'
+
+        - name: Print public OpenDKIM key
+          when: opendkim_key_creation.changed
+          block:
+            - slurp:
+                src: /etc/opendkim/keys/2020.txt
+              register: opendkim_public_key
+            - debug:
+                msg: 'Please publish the following DNS entry with your public DKIM key:\n{{ opendkim.public_key }}'
+
+        - name: Write /etc/opendkim/keytable
+          copy:
+            dest: /etc/opendkim/keytable
+            owner: root
+            group: root
+            mode: 0644
+            content: |
+              default    %:2020:/etc/opendkim/keys/2020.private
+          notify:
+            - systemctl restart opendkim
+
+        - name: Write /etc/opendkim/signingtable
+          copy:
+            dest: /etc/opendkim/signingtable
+            owner: root
+            group: root
+            mode: 0644
+            content: |
+              *@openrailwaymap.org default
+          notify:
+            - systemctl restart opendkim
+
+        - name: Create /var/spool/postfix/opendkim
+          file:
+            path: /var/spool/postfix/opendkim
+            owner: opendkim
+            group: opendkim
+            mode: 0755
+            state: directory
+
+    - name: Add Postfix to opendkim group
+      user:
+        append: yes
+        name: postfix
+        groups: opendkim
+
     - name: Install Spamassassin
       apt:
         name: spamassassin
@@ -278,3 +375,7 @@
       systemd:
         name: amavisd-milter
         state: restarted
+    - name: systemctl restart opendkim
+      systemd:
+        name: opendkim
+        state: restarted

ansible/roles/mail/tasks/templates/main.cf

@@ -51,17 +51,12 @@ recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
 
-# Filter mail with Amavis (via amavisd-milter)
+# Filter mail with Amavis (via amavisd-milter), sign emails submitted from localhost with correct domain
 milter_default_action = accept
 milter_protocol = 2
-smtpd_milters = unix:amavis/amavis.sock
-#smtpd_milters = unix:amavis/amavis.sock,
-#                unix:opendkim/opendkim.sock
-#non_smtpd_milters = unix:opendkim/opendkim.sock
-
-# add OpenDKIM signatures
-milter_default_action = accept
-#non_smtpd_milters = unix:opendkim/opendkim.sock
+smtpd_milters = unix:amavis/amavis.sock,
+                unix:opendkim/opendkim.sock
+non_smtpd_milters = unix:opendkim/opendkim.sock
 
 # Restriction controlling access to the Postfix SMTP server
 # Their purpose is to reject clients where reverse DNS fails