add dkim

2024-11-13 23:57:09 +00:00 · 2021-02-04 12:41:33 +01:00 · 2021-02-04 12:41:33 +01:00 · 4840281a63
commit 4840281a63
parent 54c8522f1a
8 changed files with 116 additions and 10 deletions
--- a/roles/email/defaults/main.yml
+++ b/roles/email/defaults/main.yml
@ -1,27 +1,34 @@
 #postfix
-#postfix_user_name: postfix-user #TODO do not run as root
+#user_config:
+postfix_user_name: postfix #TODO do not run as root
+opendkim_user_name: opendkim
+email_group_name: email
+
+email_domain: ratzupaltuff-test.famedly.de
 email_base_path: "/opt/email"
 postfix_base_path: "{{ email_base_path }}/postfix"
 postfix_container_spool_path: /var/spool/postfix
 postfix_container_config_path: /etc/postfix
-postfix_config_files: #TODO Use
+postfix_config_files:
  - main.cf
  - master.cf
 postfix_container_dkim_path: /etc/opendkim/keys
-postfix_docker_name: postfix-server
+postfix_docker_name: postfix
 postfix_docker_image: registry.gitlab.com/famedly/containers/email
-postfix_docker_ports: 
+postfix_docker_ports: []
 #  - 25:25
-  - 587:587
+#  - 587:587
    #  - 1587:1587 #smtp for dovecot
 postfix_docker_labels: {} #override e.g. for traefik

-postfix_hostname: mail.ratzupaltuff-test.famedly.de
+postfix_hostname: "mail.{{ email_domain }}"
+postfix_sender_networks: "172.3.0.0/24, 127.0.0.0/24" #comma separated
+email_network_prefix: "172.3.0"

 #dovecot
 dovecot_user_name: vmail
 dovecot_base_path: "{{ email_base_path }}/dovecot"
-dovecot_docker_name: dovecot-server
+dovecot_docker_name: dovecot
 dovecot_docker_image: registry.gitlab.com/famedly/containers/dovecot
 dovecot_docker_ports: 
 #  - 110:110 #pop3
@ -29,3 +36,13 @@ dovecot_docker_ports:
  - 993:993 #imap secure
 #  - 995:993 #pop3 secure
 dovecot_docker_labels: {}
+
+#opendkim
+opendkim_base_path: "{{ email_base_path }}/opendkim"
+opendkim_docker_name: opendkim
+opendkim_docker_image: registry.gitlab.com/famedly/containers/dkim
+opendkim_docker_ports: []
+opendkim_docker_labels: {}
+opendkim_cert_path: "/var/db/dkim"
+opendkim_cert_filename: "{{ opendkim_selector_name }}.key.pem"
+opendkim_selector_name: ratzupaltuff-test #hostname or month/year
--- a/roles/email/tasks/main.yml
+++ b/roles/email/tasks/main.yml
@ -1,12 +1,37 @@
 ---
+  - name: Ensure group "{{ email_group_name }}" exists
+    ansible.builtin.group:
+      name: "{{ email_group_name }}"
+      state: present
+    become: true
+
  - name: create email directory
    file:
      path: '{{ email_base_path }}'
      state: directory
+      group: "{{ email_group_name }}"
    become: true

  - name: install postfix
    import_tasks: postfix.yml
+    become: true
+  
+  - name: install opendkim
+    import_tasks: opendkim.yml
+    become: true

  - name: install dovecot
    import_tasks: dovecot.yml
+    become: true
+
+  - name: create email docker-network
+    docker_network:
+      name: email
+      connected:
+        - "{{ postfix_docker_name }}"
+        - "{{ dovecot_docker_name }}"
+        - "{{ opendkim_docker_name }}"
+      ipam_config:
+        - subnet: "{{ email_network_prefix }}.0/24"
+          #aux_addresses: "{'{{ postfix_docker_name }}': '{{ email_network_prefix }}.2', '{{ dovecot_docker_name }}': '{{ email_network_prefix }}.3'}"
+    become: true
--- a/roles/email/tasks/opendkim.yml
+++ b/roles/email/tasks/opendkim.yml
@ -0,0 +1,43 @@
+---
+  - name: Add opendkim user
+    ansible.builtin.user:
+      name: "{{ opendkim_user_name }}"
+      group: "{{ email_group_name }}"
+
+  - name: create directory for opendkim config and dkim-certs
+    file:
+      path: '{{ opendkim_base_path }}/{{ item }}'
+      state: directory
+      owner: "{{ opendkim_user_name }}"
+      group: "{{ email_group_name }}"
+    with_items:
+      - 
+      - certs
+#      - opendkim/config
+
+#  - name: configure opendkim
+#    template:
+#      src: "opendkim/{{ item }}"
+#      dest: "{{ opendkim_base_path }}/config/{{ item }}"
+#      owner: root #TODO do not run as root
+#      group: root
+#      mode: '0744'
+#    with_items:
+#      - dkim_signing.conf
+
+  - name: opendkim cert-gen
+    import_tasks: opendkim_cert_gen.yml
+
+  - name: install opendkim container
+    docker_container:
+      name: "{{ opendkim_docker_name }}"
+      hostname: "{{ opendkim_docker_name }}"
+      image: "{{ opendkim_docker_image }}"
+      ports: "{{ opendkim_docker_ports }}"
+      labels: "{{ opendkim_docker_labels }}"
+      restart_policy: unless-stopped
+      recreate: true
+      pull: true
+      command: "/usr/sbin/opendkim -f -l -p SOCKETSPEC -d {{ email_domain }} -k {{ opendkim_cert_path }}/{{ opendkim_cert_filename }} -s {{ opendkim_selector_name }}"
+      volumes:
+        - "{{ opendkim_base_path }}/certs/{{ opendkim_cert_filename }}:{{ opendkim_cert_path }}/{{ opendkim_cert_filename }}"
--- a/roles/email/tasks/opendkim_cert_gen.yml
+++ b/roles/email/tasks/opendkim_cert_gen.yml
@ -0,0 +1,9 @@
+---
+#opendkim-genkey --domain=email.ratzupaltuff-test.famedly.de --selector=ratzupaltuff-test --testmode
+
+#upload dkim key
+
+#test:
+#opendkim-testkey -d ratzupaltuff-test.famedly.de -s ratzupaltuff-test -k ratzupaltuff-test.private
+
+
--- a/roles/email/tasks/postfix.yml
+++ b/roles/email/tasks/postfix.yml
@ -30,6 +30,7 @@
  - name: install postfix container
    docker_container:
      name: "{{ postfix_docker_name }}"
+      hostname: "{{ postfix_docker_name }}"
      image: "{{ postfix_docker_image }}"
      ports: "{{ postfix_docker_ports }}"
      labels: "{{ postfix_docker_labels }}"
--- a/roles/email/templates/postfix/aliases.db
+++ b/roles/email/templates/postfix/aliases.db
@ -9,7 +9,7 @@
 #

 # Person who should get root's mail. Don't receive mail as root!
-root:		/dev/stdout
+root:		"| > /dev/stdout"

 # Basic system aliases -- these MUST be present
 MAILER-DAEMON:	postmaster
--- a/roles/email/templates/postfix/main.cf
+++ b/roles/email/templates/postfix/main.cf
@ -282,7 +282,9 @@ unknown_local_recipient_reject_code = 550
 #mynetworks = 168.100.189.0/28, 127.0.0.0/8
 #mynetworks = $config_directory/mynetworks
 #mynetworks = hash:/etc/postfix/network_table
-mynetworks = 127.0.0.0/8, 172.17.0.0/16
+mynetworks = {{ postfix_sender_networks }}
+#127.0.0.0/8
+#, 172.17.0.0/16 traefik uses this address too, if used you created an open relay

 # The relay_domains parameter restricts what destinations this system will
 # relay mail to.  See the smtpd_recipient_restrictions description in
@ -608,7 +610,7 @@ debug_peer_level = 2
 # increase the verbose logging level by the amount specified in the
 # debug_peer_level parameter.
 #
-#debug_peer_list = 127.0.0.1
+debug_peer_list = 127.0.0.1, 172.3.0.4
 #debug_peer_list = some.domain

 # The debugger_command specifies the external command that is executed
--- a/roles/email/tests/openrelaycheck.yml
+++ b/roles/email/tests/openrelaycheck.yml
@ -0,0 +1,9 @@
+---
+- name: connect to host
+  telnet:
+    host: "{{ postfix_hostname }}"
+    command:
+      - "HELO {{ postfix_hostname }}"
+      - "MAIL FROM: test@{{ email_domain }}"
+      - "RCPT TO: v.wilke@famedly.de"
+      - "DATA" #not tested this file has to be reviewed!