diff --git a/roles/opendkim/files/KeyTable b/roles/opendkim/files/KeyTable
new file mode 100644
index 0000000000..39985d1ebf
--- /dev/null
+++ b/roles/opendkim/files/KeyTable
@@ -0,0 +1,6 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+bastion._domainkey.fedoraproject.org fedoraproject.org:bastion:/etc/opendkim/keys/bastion.key
diff --git a/roles/opendkim/files/SigningTable b/roles/opendkim/files/SigningTable
new file mode 100644
index 0000000000..0b5b68ee4b
--- /dev/null
+++ b/roles/opendkim/files/SigningTable
@@ -0,0 +1,28 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the 
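Review bot: The header comment still carries the stock template wording ("uncomment the following line and replace example.com with your domain name") while the only entry is already live for fedoraproject.org, so the instructions no longer describe the file. Replace those template lines with a comment documenting the actual row, e.g. `# <selector>._domainkey.<domain>  <domain>:<selector>:<path to private key>` followed by `# bastion selector for fedoraproject.org; the private key must be readable by the opendkim user only`. The referenced private key /etc/opendkim/keys/bastion.key is not deployed in this diff, so its ownership and mode have to be checked wherever it is installed.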
From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+*@fedoraproject.org bastion._domainkey.fedoraproject.org
+*@lists.fedoraproject.org bastion._domainkey.fedoraproject.org
+*@stg.fedoraproject.org bastion._domainkey.fedoraproject.org
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
+
diff --git a/roles/opendkim/files/opendkim.conf b/roles/opendkim/files/opendkim.conf
index d1977c0a07..899711ab96 100644
--- a/roles/opendkim/files/opendkim.conf
+++ b/roles/opendkim/files/opendkim.conf
@@ -85,8 +85,7 @@ Canonicalization relaxed/relaxed
 ## Domain(s) whose mail should be signed by this filter. Mail from other domains will
 ## be verified rather than being signed. Uncomment and use your domain name.
 ## This parameter is not required if a SigningTable is in use.
-Domain fedoraproject.org
-SubDomains yes
+# Domain fedoraproject.org
 
 ## Defines the name of the selector to be used when signing messages.
 Selector bastion
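Review bot: The three live WILDCARD entries are still preceded by template text telling the reader to "uncomment one of the usage examples below and replace example.com", and the NON-WILDCARD block ends with the stock `#example.com default._domainkey.example.com` line, so the file reads as an untouched sample rather than production configuration. Drop the example line and replace the usage paragraph with a comment such as `# Mail whose From: address is at fedoraproject.org, lists.fedoraproject.org or stg.fedoraproject.org is signed with the bastion selector key (see KeyTable).` The two subdomain entries sign with the fedoraproject.org key; whether that gives the alignment receivers expect for those subdomains cannot be judged from this diff.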
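Review bot: `SubDomains yes` is dropped outright while `Domain` is only commented out, and nothing in the hunk records that signing of subdomain mail now depends entirely on the SigningTable entries. Since that table lists only lists.fedoraproject.org and stg.fedoraproject.org, mail from any other fedoraproject.org subdomain would presumably be verified rather than signed after this change; if that is intended, say so next to the disabled line, e.g. `# Domain/SubDomains disabled: signing scope is defined per sender domain in /etc/opendkim/SigningTable`. The hunk ends at `Selector bastion`, so the rest of the selector/key block is outside the view.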
@@ -101,16 +100,16 @@ KeyFile /etc/opendkim/keys/bastion.key
 ## Gives the location of a file mapping key names to signing keys. In simple terms,
 ## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
 ## directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable /etc/opendkim/KeyTable
+KeyTable /etc/opendkim/KeyTable
 
 ## Defines a table used to select one or more signatures to apply to a message based
 ## on the address found in the From: header field. In simple terms, this tells
 ## OpenDKIM how to use your keys. Requires KeyTable be enabled.
-# SigningTable refile:/etc/opendkim/SigningTable
+SigningTable refile:/etc/opendkim/SigningTable
 
 ## Identifies a set of "external" hosts that may send mail through the server as one
 ## of the signing domains without credentials as such.
-# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
 
 ## Identifies a set "internal" hosts whose mail should be signed rather than verified.
 InternalHosts refile:/etc/opendkim/TrustedHosts
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
index a452dcc694..8069991d34 100644
--- a/roles/opendkim/tasks/main.yml
+++ b/roles/opendkim/tasks/main.yml
@@ -11,6 +11,20 @@
 - config
 - base
 
+- name: install opendkim KeyTable file
+copy: src=KeyTable dest=/etc/opendkim/KeyTable mode=644 owner=opendkim group=opendkim
+tags:
+- opendkim
+- config
+- base
+
+- name: install opendkim SigningTable file
+copy: src=SigningTable dest=/etc/opendkim/SigningTabl mode=644 owner=opendkim group=opendkim
+tags:
+- opendkim
+- config
+- base
+
 - name: install opendkim trusted hosts file
 copy: src=TrustedHosts dest=/etc/opendkim/TrustedHosts
 tags:
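Review bot: `ExternalIgnoreList` is enabled pointing at the same `refile:/etc/opendkim/TrustedHosts` that `InternalHosts` already uses, so every host in that file is now both treated as internal and, as the directive's own comment says, allowed to send mail as one of the signing domains without credentials. That coupling is easy to miss later when a host is added to TrustedHosts for the InternalHosts purpose alone; either split the lists or state the intent above the new line, e.g. `## Same host list as InternalHosts: any host added to TrustedHosts may relay as a signing domain`. The TrustedHosts contents are not in this diff, so which hosts gain that permission cannot be checked here.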
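Review bot: The SigningTable task writes to `dest=/etc/opendkim/SigningTabl` (missing the final `e`), while opendkim.conf in this same commit reads `refile:/etc/opendkim/SigningTable`, so OpenDKIM would not find the table after the role runs; the line should read `copy: src=SigningTable dest=/etc/opendkim/SigningTable mode=644 owner=opendkim group=opendkim`. Writing the mode as `mode=0644` in both new tasks avoids the decimal/octal ambiguity Ansible documents for bare numeric modes. Neither task notifies a restart, although the comments in the new table files say OpenDKIM must be restarted after these files change; if the role has a handler for that, the tasks should `notify` it, which cannot be confirmed from this hunk.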