Commit 91eb4ec1 authored by Daniel Hoffend's avatar Daniel Hoffend

amavis: added amavis dkim signing

parent b2af4686
......@@ -102,7 +102,7 @@ kolab_default_locale: en_US
kolab_default_quota: 1048576
# the generated uid
kolab_policy_uid: "'%(givenname)s'[0:1]%(surname)s.lower()/g"
kolab_policy_uid: "'%(givenname)s'[0:1]%(surname)s.lower()"
# when you disable the recipient policy primary and secondary mail settings
# will be ignoed and a php script will be run that removes the generated flag
......@@ -178,7 +178,9 @@ kolab_postfix_smtp_tls_key_file: "{{ kolab_postfix_smtpd_tls_key_file }}"
kolan_postfix_reject_rbl_client:
- ix.dnsbl.manitu.net
- zen.spamhaus.org
kolab_postfix_content_filter: "smtp-amavis:[127.0.0.1]:10024"
kolab_postfix_submission_content_filter: "{{ 'smtp-amavis:[127.0.0.1]:10022' if kolab_amavis_dkim|bool else '' }}"
# ==============================================================================
......@@ -465,6 +467,17 @@ kolab_amavis_sa_tag2_level_deflt: 5
kolab_amavis_sa_kill_level_deflt: 6.31
kolab_amavis_custom: ""
kolab_amavis_dkim: false
kolab_amavis_dkim_verification: true
kolab_amavis_dkim_signing: false
kolab_amavis_dkim_keys: []
# - name: example.org
# version: 20190101
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# [...]
# -----END RSA PRIVATE KEY-----
# ==============================================================================
# letsencrypt
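Review bot: The commented example under `kolab_amavis_dkim_keys` uses a `name` field, but the install task added by this commit reads `item.domain` to build the key file name, so anyone who copies the example gets an undefined-attribute failure at deploy time; change the example line to `# - domain: example.org`. Because `key` carries an RSA private key in clear text, the comment should also state that this list belongs in a vault-encrypted vars file, e.g. `#     key: "{{ vault_dkim_key_example_org }}"`, rather than in a committed defaults file. The task that consumes these entries is in a later hunk of this commit, not in this one.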
......
#!/bin/bash
KEYS=""
MAPS=""
# get the domains and keys
for d in $(find /etc/amavis/dkim/*dkim*pem -printf "%f\n" | awk -F .dkim '{print $1}' | sort -u)
do
# only take the last key
v=$(find /etc/amavis/dkim/ -name "$d.dkim*" -printf "%f\n" | sort -n | tail -n1 | awk -F ".(dkim|pem)" '{print "dkim"$2}')
MAPS="$MAPS
'$d' => { d => '$d', 'a' => 'rsa-sha256', ttl => 10*24*3600 },"
KEYS="$KEYS
dkim_key('$d','$v','/etc/amavis/dkim/$d.$v.pem');"
done
# create new temporary file
TMP=$(mktemp)
cat > $TMP << EOF
$KEYS
@dkim_signature_options_bysender_maps = (
{
$MAPS
}
);
EOF
# check, copy and restart amavis if dkim keys have changed
if [ -e $TMP ] ; then
cmp -s $TMP /etc/amavis/conf.d/60-dkim-keys && rm $TMP && exit
cat $TMP > /etc/amavis/conf.d/60-dkim-keys
/bin/systemctl restart amavis
fi
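Review bot: The file from `mktemp` is only deleted on the unchanged path (`cmp -s $TMP ... && rm $TMP && exit`); when the keys differ the script copies it into conf.d and exits without removing it, leaving a file in /tmp on every key rotation. Register the cleanup once with `trap 'rm -f "$TMP"' EXIT` directly after `TMP=$(mktemp)` and shorten the compare line to `cmp -s "$TMP" /etc/amavis/conf.d/60-dkim-keys && exit 0`. The script also runs without `set -eu` and with `$TMP` unquoted, so if `mktemp` failed `$TMP` would be empty, `[ -e $TMP ]` would still succeed, and `cat $TMP > /etc/amavis/conf.d/60-dkim-keys` would truncate the live key configuration before restarting amavis; `set -eu` at the top closes that path. The generated Perl also interpolates the domain taken from the file name into a single-quoted string, which is fine as long as those files stay root-written from the inventory, but a comment saying so would help the next maintainer.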
......@@ -44,4 +44,54 @@
mode: 0644
notify: restart amavis
- name: amavis - create dkim folder
file:
path: /etc/amavis/dkim
state: directory
owner: root
group: amavis
mode: 0750
when: kolab_amavis_dkim|bool
- name: amavis - install dkim keys
copy:
content: "{{ item.key }}"
dest: /etc/amavis/dkim/{{ item.domain }}.dkim{{ item.version }}.pem
owner: root
group: amavis
mode: 0640
with_items: "{{ kolab_amavis_dkim_keys }}"
when: kolab_amavis_dkim|bool
register: dkim_keys_result
- name: amavis - create initial dkim key for kolab_primary_domain if nothing is available
shell: |
V=$(date +"%Y%m%d")
/usr/sbin/amavisd-new genrsa /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
chown root:amavis /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
chmod 0640 /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
when: kolab_amavis_dkim|bool and lookup('fileglob', '/etc/amavis/dkim/*.pem') | length == 0
register: dkim_newkey_result
- name: amavis - install script to update dkim domains
copy:
src: amavis-update-dkim-keys.sh
dest: /usr/local/sbin/amavis-update-dkim-keys.sh
owner: root
group: root
mode: 0755
when: kolab_amavis_dkim|bool
- name: amavis - run amavis-update-dkim-keys.sh when keys have changed
command: /usr/local/sbin/amavis-update-dkim-keys.sh
when: kolab_amavis_dkim|bool and ( dkim_newkey_result is changed or dkim_keys_result is changed )
- name: amavis - configure dkim signing
template:
src: amavis/65-dkim.j2
dest: /etc/amavis/conf.d/65-dkim
owner: root
group: root
mode: 0644
when: kolab_amavis_dkim|bool
notify: restart amavis
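Review bot: The guard `lookup('fileglob', '/etc/amavis/dkim/*.pem') | length == 0` on the "create initial dkim key" task is evaluated on the Ansible controller, not on the mail host, so on a normal control machine it is always true and the task runs on every play, generating a fresh dated key whenever the date changes; the update script then switches the selector to the newest key and outgoing mail fails DKIM until DNS is updated. Use the command module's `creates` glob (`creates: /etc/amavis/dkim/*.pem`), which is checked on the target and also makes `dkim_newkey_result` report `changed` correctly. While there, set `umask 027` before `genrsa` so the key is never world-readable even briefly whatever mode genrsa uses, and pass the optional key-size argument (older amavisd-new versions generate 1024-bit keys by default). The "install dkim keys" task should also carry `no_log: true`, since its `content` is a private key that otherwise appears in verbose and diff output.
```yaml
- name: amavis - create initial dkim key for kolab_primary_domain if nothing is available
  shell: |
    V=$(date +"%Y%m%d")
    umask 027
    /usr/sbin/amavisd-new genrsa /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem 2048
    chown root:amavis /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
    chmod 0640 /etc/amavis/dkim/{{ kolab_primary_domain }}.dkim${V}.pem
  args:
    creates: /etc/amavis/dkim/*.pem
  when: kolab_amavis_dkim|bool
  register: dkim_newkey_result
# … unchanged: install script, run update script, configure dkim signing …
```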
......@@ -37,6 +37,9 @@ $sa_kill_level_deflt = {{ kolab_amavis_sa_kill_level_deflt }}; # triggers spam
#$addr_extension_spam = 'Spam';
#@addr_extension_spam_maps = ('Spam');
# dkim verification
$enable_dkim_verification = {{ "1" if kolab_amavis_dkim_verification else "0" }};
$banned_filename_re = new_RE(
# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
......
$inet_socket_port = [10024, 10022];
$interface_policy{'10022'} = 'SUBMISSION';
$policy_bank{'SUBMISSION'} = {
originating => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME']
};
$enable_dkim_signing = {{ "1" if kolab_amavis_dkim_signing else "0" }};
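Review bot: The `SUBMISSION` policy bank is undocumented, and `originating => 1` is the line that actually matters for this feature: as far as I recall amavis only DKIM-signs messages it considers originating, so this flag, not `$enable_dkim_signing` alone, is what makes mail arriving on 10022 eligible for signing, and it also switches those messages to amavis's originating-mail handling defaults. Add a comment above the bank such as `# originating => 1: amavis only signs originating mail, so this is what enables DKIM signing for the submission path (port 10022)`. It is also worth noting in the template that, since the postfix defaults in this commit route submission to 10022 whenever `kolab_amavis_dkim` is true, submission mail still passes through this bank unsigned when `kolab_amavis_dkim_signing` is false.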
......@@ -13,6 +13,9 @@ smtp inet n - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
{% if kolab_postfix_submission_content_filter != "" %}
-o content_filter={{ kolab_postfix_submission_content_filter }}
{% endif %}
-o cleanup_service_name=cleanup_submission
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
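Review bot: Sending every submission message through the signing filter means any SASL-authenticated user can obtain a valid DKIM signature for any domain that has a key, because amavis selects the key from the sender address and does not know who logged in; the binding of sender address to login has to be enforced on this service with `smtpd_sender_login_maps` plus `reject_sender_login_mismatch`. The submission stanza continues past the end of this hunk, so such a restriction may already exist; if it does not, add `-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject` next to the new `content_filter` option. A short comment on the `{% if %}` block saying that the filter goes to the amavis SUBMISSION port rather than the normal 10024 port would also help readers of the rendered master.cf.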
......