amavis: added amavis dkim signing

91eb4ec1 · Daniel Hoffend · b2af4686 · 91eb4ec1 · 91eb4ec1 · 91eb4ec1
Commit 91eb4ec1 authored Nov 27, 2019 by Daniel Hoffend
6 changed files
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -102,7 +102,7 @@ kolab_default_locale: en_US
 kolab_default_quota: 1048576

 # the generated uid
-kolab_policy_uid: "'%(givenname)s'[0:1]%(surname)s.lower()/g"
+kolab_policy_uid: "'%(givenname)s'[0:1]%(surname)s.lower()"

 # when you disable the recipient policy primary and secondary mail settings
 # will be ignoed and a php script will be run that removes the generated flag
@@ -178,7 +178,9 @@ kolab_postfix_smtp_tls_key_file: "{{ kolab_postfix_smtpd_tls_key_file }}"
 kolan_postfix_reject_rbl_client:
  - ix.dnsbl.manitu.net
  - zen.spamhaus.org
+
 kolab_postfix_content_filter: "smtp-amavis:[127.0.0.1]:10024"
+kolab_postfix_submission_content_filter: "{{ 'smtp-amavis:[127.0.0.1]:10022' if kolab_amavis_dkim|bool else '' }}"


 # ==============================================================================
@@ -465,6 +467,17 @@ kolab_amavis_sa_tag2_level_deflt: 5
 kolab_amavis_sa_kill_level_deflt: 6.31
 kolab_amavis_custom: ""

+kolab_amavis_dkim: false
+kolab_amavis_dkim_verification: true
+kolab_amavis_dkim_signing: false
+kolab_amavis_dkim_keys: []
+# - name: example.org
+#   version: 20190101
+#   key: |
+#     -----BEGIN RSA PRIVATE KEY-----
+#     [...]
+#     -----END RSA PRIVATE KEY-----
+

 # ==============================================================================
 # letsencrypt

--- a/files/amavis-update-dkim-keys.sh
+++ b/files/amavis-update-dkim-keys.sh
+#!/bin/bash
+
+KEYS=""
+MAPS=""
+
+# get the domains and keys
+for d in $(find /etc/amavis/dkim/*dkim*pem -printf "%f\n" | awk -F .dkim '{print $1}' | sort -u)
+do
+	# only take the last key
+        v=$(find /etc/amavis/dkim/ -name "$d.dkim*" -printf "%f\n" | sort -n | tail -n1 | awk -F ".(dkim|pem)" '{print "dkim"$2}')
+        MAPS="$MAPS
+        '$d' => { d => '$d', 'a' => 'rsa-sha256', ttl => 10*24*3600 },"
+        KEYS="$KEYS
+dkim_key('$d','$v','/etc/amavis/dkim/$d.$v.pem');"
+done
+
+# create new temporary file
+TMP=$(mktemp)
+cat > $TMP << EOF
+$KEYS
+
+@dkim_signature_options_bysender_maps = (
+    {
+$MAPS
+    }
+);
+EOF
+
+# check, copy and restart amavis if dkim keys have changed
+if [ -e $TMP ] ; then
+    cmp -s $TMP /etc/amavis/conf.d/60-dkim-keys && rm $TMP && exit
+    cat $TMP > /etc/amavis/conf.d/60-dkim-keys
+    /bin/systemctl restart amavis
+fi
+
--- a/tasks/amavis.yml
+++ b/tasks/amavis.yml
@@ -44,4 +44,54 @@
    mode: 0644
  notify: restart amavis

+- name: amavis - create dkim folder
+  file:
+    path: /etc/amavis/dkim
+    state: directory
+    owner: root
+    group: amavis
+    mode: 0750
+  when: kolab_amavis_dkim|bool
+
+- name: amavis - install dkim keys
+  copy:
+    content: "{{ item.key }}"
+    dest: /etc/amavis/dkim/{{ item.domain }}.dkim{{ item.version }}.pem
+    owner: root
+    group: amavis
+    mode: 0640
+  with_items: "{{ kolab_amavis_dkim_keys }}"
+  when: kolab_amavis_dkim|bool
+  register: dkim_keys_result
+
+- name: amavis - create initial dkim key for kolab_primary_domain if nothing is available
+  shell: |
+    V=$(date +"%Y%m%d")
+    /usr/sbin/amavisd-new genrsa /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
+    chown root:amavis /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
+    chmod 0640 /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
+  when: kolab_amavis_dkim|bool and lookup('fileglob', '/etc/amavis/dkim/*.pem') | length == 0
+  register: dkim_newkey_result
+
+- name: amavis - install script to update dkim domains
+  copy:
+    src: amavis-update-dkim-keys.sh
+    dest: /usr/local/sbin/amavis-update-dkim-keys.sh
+    owner: root
+    group: root
+    mode: 0755
+  when: kolab_amavis_dkim|bool

+- name: amavis - run amavis-update-dkim-keys.sh when keys have changed
+  command: /usr/local/sbin/amavis-update-dkim-keys.sh
+  when: kolab_amavis_dkim|bool and ( dkim_newkey_result is changed or dkim_keys_result is changed )
+
+- name: amavis - configure dkim signing
+  template:
+    src: amavis/65-dkim.j2
+    dest: /etc/amavis/conf.d/65-dkim
+    owner: root
+    group: root
+    mode: 0644
+  when: kolab_amavis_dkim|bool
+  notify: restart amavis
--- a/templates/amavis/50-user.j2
+++ b/templates/amavis/50-user.j2
@@ -37,6 +37,9 @@ $sa_kill_level_deflt		= {{ kolab_amavis_sa_kill_level_deflt }};		# triggers spam
 #$addr_extension_spam   = 'Spam';
 #@addr_extension_spam_maps = ('Spam');

+# dkim verification
+$enable_dkim_verification = {{ "1" if kolab_amavis_dkim_verification else "0" }};
+
 $banned_filename_re = new_RE(
  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

--- a/templates/amavis/65-dkim.j2
+++ b/templates/amavis/65-dkim.j2
+$inet_socket_port = [10024, 10022];
+$interface_policy{'10022'} = 'SUBMISSION';
+$policy_bank{'SUBMISSION'} = {
+    originating => 1,
+    smtpd_discard_ehlo_keywords => ['8BITMIME']
+};
+$enable_dkim_signing = {{ "1" if kolab_amavis_dkim_signing else "0" }};
--- a/templates/postfix/master.cf.j2
+++ b/templates/postfix/master.cf.j2
@@ -13,6 +13,9 @@ smtp                inet        n       -       n       -       -       smtpd
 #dnsblog            unix        -       -       n       -       0       dnsblog
 #tlsproxy           unix        -       -       n       -       0       tlsproxy
 submission          inet        n       -       n       -       -       smtpd
+{% if kolab_postfix_submission_content_filter != "" %}
+    -o content_filter={{ kolab_postfix_submission_content_filter }}
+{% endif %}
    -o cleanup_service_name=cleanup_submission
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt