add opendkim to exim4 and postfix

all.yaml

@@ -1,6 +1,7 @@
 - include: ldap.yaml
 - include: blogs.yaml
 - include: lists.yaml
+- include: mail.yaml
 - include: projects.yaml
 - include: users.yaml
 - include: webmail.yaml

roles/exim4/tasks/main.yaml

@@ -61,10 +61,53 @@
       service_packages:
         - exim4
 
-  - name: exim4 macro for sympa aliases
+- name: generate the TLS key
+  shell: "/usr/share/doc/exim4-base/examples/exim-gencert"
+  args:
+    creates: /etc/exim4/exim.key
+  notify: restart exim4
+
+- include_role:
+    name: service
+  vars:
+    service_name: opendkim
+    service_packages:
+           - opendkim
+           - opendkim-tools
+
+- name: create opendkim folder
+  file:
+    path: /etc/opendkim/
+    state: directory
+    mode: 0750
+    owner: root
+    group: Debian-exim
+
+- name: create opendkim key for lilik.it
+  command: opendkim-genkey -D /etc/opendkim/ -d lists.lilik.it -s lists
+  args:
+    creates:
+      - /etc/opendkim/mail.private
+      - /etc/opendkim/mail.txt
+
+- name: check /etc/opendkim/mail.private permissions
+  file:
+    path: /etc/opendkim/mail.private
+    owner: root
+    group: Debian-exim
+    mode: 0640
+
+  - name: exim4 macro for TLS, DKIM and sympa aliases
     blockinfile:
       dest: /etc/exim4/exim4.conf.localmacros
       block: |
+              MAIN_TLS_ENABLE = yes
+
+              DKIM_CANON = relaxed
+              DKIM_SELECTOR = lists
+              DKIM_DOMAIN = lists.lilik.it
+              DKIM_PRIVATE_KEY = /etc/opendkim/lists.private
+
               #--------------
               # Activating pipe transport in system_aliases router (pipes in /etc/aliases)
               .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT

roles/postfix/defaults/main.yaml

@@ -0,0 +1 @@
+postfix_milters: []

roles/postfix/tasks/antispam.yaml

@@ -29,19 +29,9 @@
       MILTERSOCKET=inet:60001@127.0.0.1
   notify: restart amavisd-milter
 
-- name: add amavis milter for smtp to postfix
-  lineinfile:
-    dest: '/etc/postfix/main.cf'
-    line: 'smtpd_milters=inet:127.0.0.1:60001'
-    regexp: '^smtpd_milters='
-  notify: restart postfix
-
-- name: add amavis milter for non smtp to postfix
-  lineinfile:
-    dest: '/etc/postfix/main.cf'
-    line: 'non_smtpd_milters=inet:127.0.0.1:60001'
-    regexp: '^non_smtpd_milters='
-  notify: restart postfix
+- name: add opendkim milter
+  set_fact:
+    postfix_milters: '{{postfix_milters + ["inet:127.0.0.1:60001"]}}'
 
 - include_role:
     name: service

roles/postfix/tasks/dkim.yaml

@@ -0,0 +1,62 @@
+- include_role:
+    name: service
+  vars:
+    service_name: opendkim
+    service_packages:
+           - opendkim
+           - opendkim-tools
+
+- name: adding existing user postfix to group opendkim
+  user: name=postfix
+        groups=opendkim
+        append=yes
+  notify: restart postfix
+
+- name: create opendkim folder
+  file:
+    path: /etc/opendkim/
+    state: directory
+    mode: 0700
+    owner: opendkim
+    group: opendkim
+
+- name: 'enable opendkim socket on 127.0.0.1:12345'
+  lineinfile:
+    dest: /etc/default/opendkim
+    line: 'SOCKET="inet:12345@127.0.0.1"'
+    regexp: "^SOCKET="
+  notify: restart opendkim
+
+- name: create opendkim key for lilik.it
+  command: opendkim-genkey -D /etc/opendkim/ -d lilik.it -s mail
+  args:
+    creates:
+      - /etc/opendkim/mail.private
+      - /etc/opendkim/mail.txt
+
+- name: check /etc/opendkim/mail.private permissions
+  file:
+    path: /etc/opendkim/mail.private
+    owner: opendkim
+    group: opendkim
+    mode: 0600
+
+- name: check /etc/opendkim/mail.txt permissions
+  file:
+    path: /etc/opendkim/mail.txt
+    owner: opendkim
+    group: opendkim
+    mode: 0660
+
+- name: configure opendkim
+  blockinfile:
+    dest: '/etc/opendkim.conf'
+    block: |
+      Domain                  lilik.it
+      KeyFile         /etc/opendkim/mail.private
+      Selector                mail
+  notify: restart opendkim
+
+- name: add opendkim milter
+  set_fact:
+    postfix_milters: '{{["inet:127.0.0.1:12345"] + postfix_milters}}'

roles/postfix/tasks/main.yaml

@@ -73,6 +73,14 @@
     state: present
   notify: restart postfix
 
+- name: enable tls for outgoing mail
+  lineinfile:
+    dest: /etc/postfix/main.cf
+    line: "smtp_tls_security_level = encrypt"
+    regexp: 'smtp_tls_security_level ='
+    state: present
+  notify: restart postfix
+
 - name: create transport map
   lineinfile:
     dest: /etc/postfix/transport
@@ -105,3 +113,20 @@
 
 - name: install antivirus and anti spam services
   include: antispam.yaml
+
+- name: install opendkim service
+  include: dkim.yaml
+
+- name: add milters for smtp to postfix
+  lineinfile:
+    dest: '/etc/postfix/main.cf'
+    line: 'smtpd_milters={{ postfix_milters|join(",") }}'
+    regexp: '^smtpd_milters='
+  notify: restart postfix
+
+- name: add milters for non smtp to postfix
+  lineinfile:
+    dest: '/etc/postfix/main.cf'
+    line: 'non_smtpd_milters={{ postfix_milters|join(",") }}'
+    regexp: '^non_smtpd_milters='
+  notify: restart postfix