See #2081. Supporto a ARC.
parent
cfc40d98ca
commit
f24b5aaa98
|
@ -129,6 +129,22 @@ postfix_dkim_v_sendreports: 'no'
|
|||
postfix_dkim_reportaddress: ''
|
||||
postfix_dkim_canonicalization: 'relaxed/relaxed'
|
||||
postfix_dkim_minkeybits: 1024
|
||||
# ARC
|
||||
# - domain: 'example.com'
|
||||
# arc_selector: 'default'
|
||||
# s: sign
|
||||
# v: verify
|
||||
# sv: sign and verify
|
||||
postfix_arc_enabled: false
|
||||
postfix_arc_domain: ""
|
||||
postfix_arc_domain_selector: "arc-{{ ansible_hostname }}"
|
||||
postfix_arc_trusted_hosts:
|
||||
- "127.0.0.1"
|
||||
postfix_arc_mode: 'v'
|
||||
postfix_arc_socket: 'inet:8894@localhost'
|
||||
postfix_arc_milter_socket: 'inet:[127.0.0.1]:8894'
|
||||
postfix_arc_canonicalization: 'relaxed/relaxed'
|
||||
|
||||
# SRS
|
||||
# Compute it with 'dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64'
|
||||
# postfix_srs_secret: 'use a vault'
|
||||
|
@ -166,6 +182,7 @@ postfix_smtpd_mx_client_restrictions:
|
|||
- reject_non_fqdn_recipient
|
||||
- reject_invalid_hostname
|
||||
- reject_unauth_destination
|
||||
- reject_unauth_pipelining
|
||||
- reject_unknown_recipient_domain
|
||||
- reject_unlisted_recipient
|
||||
|
||||
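Review bot: The commented example at the top of the ARC stanza (`# - domain: 'example.com'` / `# arc_selector: 'default'`) describes a list of per-domain entries, but the variables that follow are scalars (`postfix_arc_domain`, `postfix_arc_domain_selector`) and the new task file states that only one domain is supported, so the example documents a shape the role does not accept. Replace it with a comment that matches the variables, e.g. `# Only one ARC domain is supported: set postfix_arc_domain and postfix_arc_domain_selector.`, keeping the `s`/`v`/`sv` legend for `postfix_arc_mode`. Separately, `postfix_arc_socket` binds on `localhost` while `postfix_arc_milter_socket` connects to `127.0.0.1`; on hosts where `localhost` resolves to `::1` first the milter may listen only on IPv6, so `inet:8894@127.0.0.1` would keep both sides aligned — worth confirming on the target OS.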
|
|
|
@ -1,32 +1,46 @@
|
|||
---
|
||||
- name: Update SASL hash
|
||||
shell: postmap hash:/etc/postfix/sasl_passwd
|
||||
ansible.builtin.command: postmap hash:/etc/postfix/sasl_passwd
|
||||
|
||||
- name: Reload postfix
|
||||
service: name=postfix state=reloaded
|
||||
ansible.builtin.service:
|
||||
name: postfix
|
||||
state: reloaded
|
||||
when: postfix_enabled | bool
|
||||
|
||||
- name: Restart postfix
|
||||
service: name=postfix state=restarted
|
||||
ansible.builtin.service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
when: postfix_enabled | bool
|
||||
|
||||
- name: Update the network hash table
|
||||
shell: postmap hash:/etc/postfix/network_table
|
||||
ansible.builtin.command: postmap hash:/etc/postfix/network_table
|
||||
|
||||
- name: start saslauth daemon
|
||||
service: name=saslauthd state=started enabled=yes
|
||||
ansible.builtin.service:
|
||||
name: saslauthd
|
||||
state: started
|
||||
enabled: true
|
||||
when: postfix_enabled | bool
|
||||
|
||||
- name: restart saslauth daemon
|
||||
service: name=saslauthd state=restarted
|
||||
ansible.builtin.service:
|
||||
name: saslauthd
|
||||
state: restarted
|
||||
when: postfix_enabled | bool
|
||||
|
||||
- name: restart opendkim
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: opendkim
|
||||
state: restarted
|
||||
|
||||
- name: Restart openarc
|
||||
ansible.builtin.service:
|
||||
name: openarc
|
||||
state: restarted
|
||||
|
||||
- name: restart postsrsd
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: postsrsd
|
||||
state: restarted
|
||||
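Review bot: The new handler is named `Restart openarc` while the sibling handlers it was modelled on are `restart opendkim` and `restart postsrsd`, so handler names in this file now mix capitalisation; since `notify:` matches the handler name literally, a later task copying the lowercase pattern would silently fail to notify it. Pick one convention for the file (the postfix handlers already use `Reload postfix`/`Restart postfix`, so capitalised is the majority) and rename the opendkim/postsrsd handlers to match, updating their `notify:` references in the dkim and postsrsd task files in the same change.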
|
|
|
@ -0,0 +1,78 @@
|
|||
---
|
||||
- name: arc | Manage the arc packages in EL systems
|
||||
when:
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
- postfix_arc_enabled
|
||||
tags: ['postfix', 'postfix_arc', 'arc']
|
||||
block:
|
||||
- name: arc | Install the arc packages on EL
|
||||
ansible.builtin.yum:
|
||||
pkg: '{{ postfix_arc_el_pkgs }}'
|
||||
state: present
|
||||
|
||||
|
||||
- name: arc | Manage the arc packages in DEB systems
|
||||
when:
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
- postfix_arc_enabled
|
||||
tags: ['postfix', 'postfix_arc', 'arc']
|
||||
block:
|
||||
- name: arc | Install the arc packages on DEB
|
||||
ansible.builtin.apt:
|
||||
pkg: '{{ postfix_arc_deb_pkgs }}'
|
||||
state: present
|
||||
cache_valid_time: 1800
|
||||
|
||||
- name: arc | ARC configuration
|
||||
tags: ['postfix', 'postfix_arc', 'arc', 'postfix_conf', 'arc_conf']
|
||||
block:
|
||||
- name: arc | Ensure that the /var/run/openarc directory exists
|
||||
ansible.builtin.file:
|
||||
dest: /var/run/openarc
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: '{{ postfix_arc_user }}'
|
||||
group: '{{ postfix_arc_group }}'
|
||||
|
||||
- name: arc | Create the arc domains subdirs
|
||||
ansible.builtin.file:
|
||||
dest: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}'
|
||||
state: directory
|
||||
mode: "0750"
|
||||
owner: '{{ postfix_arc_user }}'
|
||||
group: '{{ postfix_arc_group }}'
|
||||
|
||||
- name: arc | Create the arc signature (only one domain is supported)
|
||||
become: true
|
||||
become_user: '{{ postfix_arc_user }}'
|
||||
ansible.builtin.command: opendkim-genkey -D {{ postfix_arc_key_dir }} -d {{ postfix_arc_domain }} -s {{ postfix_arc_domain_selector }}
|
||||
args:
|
||||
creates: '{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private'
|
||||
notify: Restart openarc
|
||||
|
||||
- name: arc | Install the trustedhosts list when defined
|
||||
ansible.builtin.template:
|
||||
src: 'arc_trustedhosts.j2'
|
||||
dest: '{{ postfix_arc_base_dir }}/trustedhosts'
|
||||
owner: '{{ postfix_arc_user }}'
|
||||
group: '{{ postfix_arc_group }}'
|
||||
mode: "0600"
|
||||
notify: Restart openarc
|
||||
|
||||
- name: arc | Install the openarc configuration
|
||||
ansible.builtin.template:
|
||||
src: openarc.conf.j2
|
||||
dest: '{{ postfix_arc_conf }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: Restart openarc
|
||||
|
||||
- name: arc | Manage the arc service
|
||||
tags: ['postfix', 'postfix_arc', 'arc']
|
||||
block:
|
||||
- name: arc | Ensure that the openarc service is started and enabled
|
||||
ansible.builtin.service:
|
||||
name: openarc
|
||||
state: started
|
||||
enabled: true
|
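Review bot: The key generation task `ansible.builtin.command: opendkim-genkey -D {{ postfix_arc_key_dir }} -d {{ postfix_arc_domain }} -s {{ postfix_arc_domain_selector }}` relies on opendkim-genkey's default key length, which varies by version (older releases default to 1024-bit RSA); passing `-b 2048` explicitly pins the strength of the ARC sealing key regardless of the installed tool, and the equivalent `opendkim-genkey` call in the dkim task file has the same gap. `/var/run/openarc` is normally tmpfs, so the directory created by the first task disappears on reboot unless the package ships a tmpfiles.d entry for it — worth checking, and if absent the role should install one so `PidFile` can be written after a restart. The task named `Install the trustedhosts list when defined` has no `when:`, unlike its dkim counterpart gated on `postfix_dkim_trusted_hosts_enabled`; either drop "when defined" from the name or add the condition.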
|
@ -1,88 +1,85 @@
|
|||
---
|
||||
- name: Manage the DKIM packages in EL systems
|
||||
block:
|
||||
- name: Install the DKIM packages on EL
|
||||
yum:
|
||||
pkg: '{{ postfix_dkim_el_pkgs }}'
|
||||
state: present
|
||||
|
||||
- name: dkim | Manage the DKIM packages in EL systems
|
||||
when:
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
- postfix_dkim_enabled
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim']
|
||||
|
||||
- name: Manage the DKIM packages in DEB systems
|
||||
block:
|
||||
- name: Install the DKIM packages on DEB
|
||||
apt:
|
||||
pkg: '{{ postfix_dkim_deb_pkgs }}'
|
||||
- name: dkim | Install the DKIM packages on EL
|
||||
ansible.builtin.yum:
|
||||
pkg: '{{ postfix_dkim_el_pkgs }}'
|
||||
state: present
|
||||
cache_valid_time: 1800
|
||||
|
||||
|
||||
- name: dkim | Manage the DKIM packages in DEB systems
|
||||
when:
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
- postfix_dkim_enabled
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim']
|
||||
|
||||
- name: DKIM configuration
|
||||
block:
|
||||
- name: Create the dkim domains subdirs
|
||||
file:
|
||||
- name: dkim | Install the DKIM packages on DEB
|
||||
ansible.builtin.apt:
|
||||
pkg: '{{ postfix_dkim_deb_pkgs }}'
|
||||
state: present
|
||||
cache_valid_time: 1800
|
||||
|
||||
- name: dkim | DKIM configuration
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
|
||||
block:
|
||||
- name: dkim | Create the dkim domains subdirs
|
||||
ansible.builtin.file:
|
||||
dest: '{{ postfix_dkim_base_dir }}/{{ item.domain }}'
|
||||
state: directory
|
||||
mode: 0750
|
||||
mode: "0750"
|
||||
owner: '{{ postfix_dkim_user }}'
|
||||
group: '{{ postfix_dkim_group }}'
|
||||
loop: '{{ postfix_dkim_domains }}'
|
||||
|
||||
- name: Create the dkim signatures
|
||||
- name: dkim | Create the dkim signatures
|
||||
become: true
|
||||
become_user: '{{ postfix_dkim_user }}'
|
||||
shell: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
|
||||
ansible.builtin.command: opendkim-genkey -D {{ postfix_dkim_base_dir }}/{{ item.domain }} -d {{ item.domain }} -s {{ item.dkim_selector }}
|
||||
args:
|
||||
creates: '{{ postfix_dkim_base_dir }}/{{ item.domain }}/{{ item.dkim_selector }}.private'
|
||||
loop: '{{ postfix_dkim_domains }}'
|
||||
notify: restart opendkim
|
||||
|
||||
- name: Update the keytable and signitable files
|
||||
template:
|
||||
- name: dkim | Update the keytable and signitable files
|
||||
ansible.builtin.template:
|
||||
src: 'dkim_{{ item }}.j2'
|
||||
dest: '{{ postfix_dkim_base_dir }}/{{ item }}'
|
||||
owner: '{{ postfix_dkim_user }}'
|
||||
group: '{{ postfix_dkim_group }}'
|
||||
mode: 0600
|
||||
mode: "0600"
|
||||
loop:
|
||||
- keytable
|
||||
- signingtable
|
||||
notify: restart opendkim
|
||||
|
||||
- name: Install the trustedhosts list when defined
|
||||
template:
|
||||
- name: dkim | Install the trustedhosts list when defined
|
||||
ansible.builtin.template:
|
||||
src: 'dkim_trustedhosts.j2'
|
||||
dest: '{{ postfix_dkim_base_dir }}/trustedhosts'
|
||||
owner: '{{ postfix_dkim_user }}'
|
||||
group: '{{ postfix_dkim_group }}'
|
||||
mode: 0600
|
||||
mode: "0600"
|
||||
notify: restart opendkim
|
||||
when: postfix_dkim_trusted_hosts_enabled
|
||||
|
||||
- name: Install the opendkim configuration
|
||||
template:
|
||||
- name: dkim | Install the opendkim configuration
|
||||
ansible.builtin.template:
|
||||
src: opendkim.conf.j2
|
||||
dest: '{{ postfix_dkim_conf }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
notify: restart opendkim
|
||||
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim', 'postfix_conf', 'dkim_conf']
|
||||
|
||||
- name: Manage the DKIM service
|
||||
- name: dkim | Manage the DKIM service
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim']
|
||||
block:
|
||||
- name: Ensure that the opendkim service is started and enabled
|
||||
service:
|
||||
- name: dkim | Ensure that the opendkim service is started and enabled
|
||||
ansible.builtin.service:
|
||||
name: opendkim
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
tags: ['postfix', 'postfix_dkim', 'dkim']
|
||||
|
|
|
@ -1,20 +1,33 @@
|
|||
---
|
||||
- import_tasks: smtp-common-packages.yml
|
||||
- import_tasks: dkim.yml
|
||||
- name: SMTP packages
|
||||
ansible.builtin.import_tasks: smtp-common-packages.yml
|
||||
- name: DKIM management
|
||||
ansible.builtin.import_tasks: dkim.yml
|
||||
when: postfix_dkim_enabled
|
||||
- import_tasks: postsrsd.yml
|
||||
- name: ARC management
|
||||
ansible.builtin.import_tasks: arc.yml
|
||||
when: postfix_arc_enabled
|
||||
- name: SRS support
|
||||
ansible.builtin.import_tasks: postsrsd.yml
|
||||
when: postfix_srs_sender_enabled or postfix_srs_receiver_enabled
|
||||
- import_tasks: postfix_spf_policy.yml
|
||||
- name: SPF policy check
|
||||
ansible.builtin.import_tasks: postfix_spf_policy.yml
|
||||
when: postfix_spf_policy_install
|
||||
- import_tasks: smtp-configuration.yml
|
||||
- import_tasks: postfix_pflogsumm.yml
|
||||
- import_tasks: postfix_firewalld.yml
|
||||
- name: Postfix configuration
|
||||
ansible.builtin.import_tasks: smtp-configuration.yml
|
||||
- name: Install and configure pflogsumm
|
||||
ansible.builtin.import_tasks: postfix_pflogsumm.yml
|
||||
- name: EL firewalld rules
|
||||
ansible.builtin.import_tasks: postfix_firewalld.yml
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
- import_tasks: smtp-sasl-auth.yml
|
||||
- name: SASL auth
|
||||
ansible.builtin.import_tasks: smtp-sasl-auth.yml
|
||||
when:
|
||||
- postfix_use_sasl_auth | bool
|
||||
- postfix_relay_client | bool
|
||||
- import_tasks: postfix-relay-server.yml
|
||||
- name: Postfix as a relay server
|
||||
ansible.builtin.import_tasks: postfix-relay-server.yml
|
||||
when: postfix_smtpd_server | bool
|
||||
- import_tasks: postfix-letsencrypt-hook.yml
|
||||
- name: Manage the letsencrypt certificates
|
||||
ansible.builtin.import_tasks: postfix-letsencrypt-hook.yml
|
||||
when: postfix_use_letsencrypt | bool
|
||||
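Review bot: The new `when:` conditions on the DKIM, ARC, SRS and SPF imports test the variables bare (`when: postfix_dkim_enabled`, `when: postfix_arc_enabled`), while the existing imports in the same file use `| bool` (`when: postfix_smtpd_server | bool`); a value supplied as the string `"false"` from inventory or `-e` is truthy when tested bare, so the two styles behave differently. Use `when: postfix_arc_enabled | bool` (and likewise for the other three) for consistency with the rest of the file. Note also that a `when:` on `import_tasks` is inherited by every imported task, which makes the `postfix_arc_enabled` checks inside the arc package blocks redundant rather than harmful.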
|
|
|
@ -0,0 +1,3 @@
|
|||
{% for item in postfix_arc_trusted_hosts %}
|
||||
{{ item }}
|
||||
{% endfor %}
|
|
@ -579,6 +579,9 @@ milter_connect_macros = j {daemon_name} v _
|
|||
{% endif %}
|
||||
# What to do in case of errors? Specify accept, reject, tempfail,
|
||||
# or quarantine (Postfix 2.6 or later).
|
||||
# DMARC/ARC order
|
||||
# * sending: dkim before arc
|
||||
# * receiving: arc before dmarc
|
||||
milter_default_action = {{ postfix_milter_action }}
|
||||
smtpd_milters =
|
||||
{% if postfix_clamav_milter %}
|
||||
|
@ -590,9 +593,15 @@ smtpd_milters =
|
|||
{% if postfix_dkim_enabled %}
|
||||
{{ postfix_dkim_milter_socket }}
|
||||
{% endif %}
|
||||
{% if postfix_arc_enabled %}
|
||||
{{ postfix_arc_milter_socket }}
|
||||
{% endif %}
|
||||
{% if postfix_dkim_enabled %}
|
||||
non_smtpd_milters =
|
||||
{{ postfix_dkim_milter_socket }}
|
||||
{% if postfix_arc_enabled %}
|
||||
{{ postfix_arc_milter_socket }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
|
@ -677,6 +686,7 @@ smtpd_sender_restrictions =
|
|||
{% if postfix_reject_unknown_sender_domain %}
|
||||
reject_unknown_sender_domain
|
||||
reject_non_fqdn_sender
|
||||
reject_unauth_pipelining
|
||||
{% endif %}
|
||||
{% if postfix_reject_sender_login_mismatch %}
|
||||
reject_sender_login_mismatch
|
||||
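Review bot: `non_smtpd_milters` is emitted only inside `{% if postfix_dkim_enabled %}`, so with `postfix_arc_enabled` true and `postfix_dkim_enabled` false the ARC milter is added to `smtpd_milters` but never to `non_smtpd_milters`, and locally submitted or forwarded mail is not sealed; the outer `{% if %}` that the final `{% endif %}` closes starts outside the hunk. Restructure so the non-smtpd list is rendered when either milter is enabled, e.g. `{% if postfix_dkim_enabled or postfix_arc_enabled %}` around `non_smtpd_milters =`, keeping the inner per-milter guards. The ordering comment added in the earlier hunk (dkim before arc when sending) matches what the new block renders.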
|
|
|
@ -0,0 +1,17 @@
|
|||
## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more
|
||||
PidFile /var/run/openarc/openarc.pid
|
||||
Syslog yes
|
||||
#Umask 002
|
||||
UserID {{ postfix_arc_user }}:{{ postfix_arc_group }}
|
||||
Socket {{ postfix_arc_socket }}
|
||||
|
||||
## After setting Mode to "sv", running
|
||||
## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org
|
||||
## and putting /etc/openarc
|
||||
Canonicalization {{ postfix_arc_canonicalization }}
|
||||
Domain {{ postfix_arc_domain }}
|
||||
Selector {{ postfix_arc_domain_selector }}
|
||||
KeyFile {{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}/{{ postfix_arc_domain_selector }}.private
|
||||
SignatureAlgorithm rsa-sha256
|
||||
InternalHosts {{ postfix_arc_base_dir }}/trustedhosts
|
||||
Mode {{ postfix_arc_mode }}
|
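Review bot: The comment block `## After setting Mode to "sv", running ... ## and putting /etc/openarc` is an unfinished copy-paste from another site's configuration — it names `phx2.fedoraproject.org` and stops mid-sentence — and should be replaced with a comment describing this role's layout, e.g. `## The sealing key is generated by tasks/arc.yml as {{ postfix_arc_base_dir }}/<domain>/<selector>.private`. Separately, `Domain`, `Selector` and `KeyFile` are rendered unconditionally, so with the default `postfix_arc_mode: 'v'` and an empty `postfix_arc_domain` the file carries `KeyFile /etc/openarc//.private`; wrapping those three lines in `{% if 's' in postfix_arc_mode %}` would keep a verify-only deployment from pointing at a key that was never generated — whether openarc rejects the missing file at startup in verify mode should be confirmed.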
|
@ -11,6 +11,17 @@ postfix_dkim_user: opendkim
|
|||
postfix_dkim_group: opendkim
|
||||
postfix_dkim_conf: /etc/opendkim.conf
|
||||
|
||||
postfix_arc_el_pkgs:
|
||||
- openarc
|
||||
|
||||
postfix_arc_deb_pkgs: []
|
||||
|
||||
postfix_arc_base_dir: /etc/openarc
|
||||
postfix_arc_key_dir: "{{ postfix_arc_base_dir }}/{{ postfix_arc_domain }}"
|
||||
postfix_arc_user: openarc
|
||||
postfix_arc_group: openarc
|
||||
postfix_arc_conf: /etc/openarc.conf
|
||||
|
||||
# Conf files and data files
|
||||
postfix_srs_secret_file: '/etc/postsrsd.secret'
|
||||
postfix_srs_conf_file: '/etc/default/postsrsd'
|
||||
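Review bot: `postfix_arc_deb_pkgs: []` leaves the Debian branch of the new arc tasks with nothing to install, so enabling ARC on a Debian host falls through to the `openarc` service task without any package providing that unit; if a Debian package name is known it belongs here, otherwise an `ansible.builtin.assert` that fails early (or a comment stating Debian is unsupported) is better than a late service error. `postfix_arc_key_dir` is composed from the defaults-level `postfix_arc_domain`, which works with lazy templating but means an empty domain yields `/etc/openarc/` as the key directory — the same early assertion on `postfix_arc_domain` would cover it.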
|
|