Replace OpenDKIM with Rspamd's dkim_signing module

- remove configuration of OpenDKIM
- remove OpenDKIM milter from postfix's configuration
- add configuration files for rpsamd's dkim module
- update the rspamd task
- update services in README

README.md

@@ -20,15 +20,15 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol) over SSL via [Dovecot](http://dovecot.org/), complete with full text search provided by [Solr](https://lucene.apache.org/solr/).
 -   [POP3](https://en.wikipedia.org/wiki/Post_Office_Protocol) over SSL, also via Dovecot
 -   [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) over SSL via Postfix, including a nice set of [DNSBLs](https://en.wikipedia.org/wiki/DNSBL) to discard spam before it ever hits your filters.
+-   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
+-   Spam fighting via [Rspamd](https://www.rspamd.com/).
+-   Mail server verification using [DKIM](http://www.dkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
+-   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
 -   Webmail via [Roundcube](http://www.roundcube.net/).
 -   Mobile push notifications via [Z-Push](http://z-push.sourceforge.net/soswp/index.php?pages_id=1&t=home).
 -   Email client [automatic configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration).
 -   Jabber/[XMPP](http://xmpp.org/) instant messaging via [Prosody](http://prosody.im/).
 -   An RSS Reader via [Selfoss](http://selfoss.aditu.de/).
--   Virtual domains for your email, backed by [PostgreSQL](http://www.postgresql.org/).
--   Secure on-disk storage for email and more via [EncFS](http://www.arg0.net/encfs).
--   Spam fighting via [Rspamd](https://www.rspamd.com/) and [Postgrey](http://postgrey.schweikert.ch/).
--   Mail server verification via [OpenDKIM](http://www.opendkim.org/) and [DMARC](http://www.dmarc.org/) so the Internet knows your mailserver is legit.
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [ownCloud](http://owncloud.org/).
 -   Your own private storage cloud via [ownCloud](http://owncloud.org/).
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
@@ -158,13 +158,13 @@ The `dependencies` tag just installs dependencies, performing no other operation
 
 Create an `MX` record for `example.com` which assigns `mail.example.com` as the domain’s mail server.
 
-To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by OpenDKIM. The exact value needed can be found in the file `/etc/opendkim/keys/EXAMPLE.COM/default.txt` it’ll look something like this:
+To ensure your emails pass DKIM checks you need to add a `txt` record. The name field will be `default._domainkey.EXAMPLE.COM.` The value field contains the public key used by DKIM. The exact value needed can be found in the file `/var/lib/rspamd/dkim/EXAMPLE.COM.default.txt`. It will look something like this:
 
     v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKKAQfMwKVx+oJripQI+Ag4uTwYnsXKjgBGtl7Tk6UMTUwhMqnitqbR/ZQEZjcNolTkNDtyKZY2Z6LqvM4KsrITpiMbkV1eX6GKczT8Lws5KXn+6BHCKULGdireTAUr3Id7mtjLrbi/E3248Pq0Zs39hkDxsDcve12WccjafJVwIDAQAB
 
-For DMARC you'll also need to add a `txt` record. The name field should be `_dmarc.EXAMPLE.COM` and the value should be `v=DMARC1; p=none`. More info on DMARC can be found [here](https://dmarc.org)
+For DMARC you'll also need to add a `txt` record. The name field should be `_dmarc.EXAMPLE.COM` and the value should be `v=DMARC1; p=none`. More info on DMARC can be found [here](https://dmarc.org).
 
-Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
+Set up SPF and reverse DNS [as per this post](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/). Make sure to validate that it’s all working, for example, by sending an email to <a href="mailto:check-auth@verifier.port25.com">check-auth@verifier.port25.com</a> and reviewing the report that will be emailed back to you.
 
 ### 8. Miscellaneous Configuration
 

roles/mailserver/files/etc_opendkim.conf

@@ -1,18 +0,0 @@
-##
-## opendkim.conf -- configuration file for OpenDKIM filter
-##
-Canonicalization        relaxed/relaxed
-ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
-InternalHosts           refile:/etc/opendkim/TrustedHosts
-KeyTable                refile:/etc/opendkim/KeyTable
-LogWhy                  Yes
-MinimumKeyBits          1024
-Mode                    sv
-PidFile                 /var/run/opendkim/opendkim.pid
-SigningTable            refile:/etc/opendkim/SigningTable
-Socket                  inet:8891@localhost
-Syslog                  Yes
-SyslogSuccess           Yes
-TemporaryDirectory      /var/tmp
-UMask                   022
-UserID                  opendkim:opendkim

roles/mailserver/files/etc_rspamd_override.d_dkim_signing.conf

@@ -0,0 +1,5 @@
+# Default path to key, can include '$domain' and '$selector' variables
+path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+  
+# Default selector to use
+selector = "default";

roles/mailserver/tasks/main.yml

@@ -2,8 +2,6 @@
   tags: postfix
 - include: dovecot.yml
   tags: dovecot
-- include: opendkim.yml
-  tags: opendkim
 - include: rspamd.yml
   tags: rspamd
 - include: solr.yml

roles/mailserver/tasks/opendkim.yml

@@ -1,44 +0,0 @@
----
-# Handy reference: http://stevejenkins.com/blog/2010/09/how-to-get-dkim-domainkeys-identified-mail-working-on-centos-5-5-and-postfix-using-opendkim/
-
-- name: Install OpenDKIM and related packages
-  apt: pkg={{ item }} state=installed
-  with_items:
-    - opendkim
-    - opendkim-tools
-  tags:
-    - dependencies
-
-- name: Create OpenDKIM config directory
-  file: state=directory path=/etc/opendkim group=opendkim owner=opendkim
-
-- name: Create OpenDKIM key directories
-  file: state=directory path=/etc/opendkim/keys/{{ item.name }} group=opendkim owner=opendkim
-  with_items: "{{ mail_virtual_domains }}"
-
-- name: Generate OpenDKIM keys
-  command: opendkim-genkey -r -d {{ item.name }} -D /etc/opendkim/keys/{{ item.name }}/ creates=/etc/opendkim/keys/{{ item.name }}/default.private
-  with_items: "{{ mail_virtual_domains }}"
-
-- name: Put opendkim.conf into place
-  copy: src=etc_opendkim.conf dest=/etc/opendkim.conf owner=opendkim group=opendkim
-  notify:
-    - restart opendkim
-    - restart postfix
-
-- name: Put additional OpenDKIM configuration files into place
-  template: src=etc_opendkim_{{ item }}.j2 dest=/etc/opendkim/{{ item }} owner=opendkim group=opendkim
-  with_items:
-    - KeyTable
-    - SigningTable
-    - TrustedHosts
-  notify:
-    - restart opendkim
-    - restart postfix
-
-- name: Set OpenDKIM config directory permissions
-  file: state=directory path=/etc/opendkim
-          group=opendkim owner=opendkim mode=0700 recurse=yes
-  notify:
-    - restart opendkim
-    - restart postfix

roles/mailserver/tasks/rspamd.yml

@@ -41,5 +41,19 @@
   copy: src=etc_rspamd_local.d_redis.conf dest=/etc/rspamd/local.d/redis.conf owner=root group=root mode="0644"
   notify: restart rspamd
 
+- name: Copy DKIM configuration into place
+  copy: src=etc_rspamd_override.d_dkim_signing.conf dest=/etc/rspamd/override.d/dkim_signing.conf owner=root group=root mode="0644"
+  notify: restart rspamd
+
+- name: Create dkim key directory
+  file: path=/var/lib/rspamd/dkim state=directory owner=_rspamd group=_rspamd
+
+- name: Generate DKIM keys
+  shell: rspamadm dkim_keygen -s default -d {{ item.name }} -k {{ item.name }}.default.key > {{ item.name }}.default.txt
+  args:
+    creates: /var/lib/rspamd/dkim/{{ item.name }}.default.key
+    chdir: /var/lib/rspamd/dkim/
+  with_items: "{{ mail_virtual_domains }}"
+
 - name: Start redis
   service: name=redis-server state=started

roles/mailserver/templates/etc_opendkim_KeyTable.j2

@@ -1,3 +0,0 @@
-{% for domain in mail_virtual_domains %}
-default._domainkey.{{ domain.name }} {{ domain.name }}:default:/etc/opendkim/keys/{{ domain.name}}/default.private
-{% endfor %}

roles/mailserver/templates/etc_opendkim_SigningTable.j2

@@ -1,3 +0,0 @@
-{% for domain in mail_virtual_domains %}
-*@{{ domain.name }} default._domainkey.{{ domain.name }}
-{% endfor %}

roles/mailserver/templates/etc_opendkim_TrustedHosts.j2

@@ -1,8 +0,0 @@
-127.0.0.1
-{{ ansible_default_ipv4.address }}
-{% for domain in mail_virtual_domains %}
-{{ domain.name }}
-{% endfor %}
-{% for domain in mail_virtual_domains %}
-{{ mail_server_hostname }}
-{% endfor %}

roles/mailserver/templates/etc_postfix_main.cf.j2

@@ -99,8 +99,8 @@ virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
 virtual_alias_maps = pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
 local_recipient_maps = $virtual_mailbox_maps
 
-# Milters: OpenDKIM, Rspamd
-smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:11332
+# Milters: Rspamd
+smtpd_milters = inet:127.0.0.1:11332
 non_smtpd_milters = $smtpd_milters
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}