Getting started

Default DKIM configuration

By default the role creates a DomainKey for the host's DNS domain, using the mail DKIM selector. The private key can be found in the secret/opendkim/domainkeys/ directory on the Ansible Controller (as well as on the remote hosts). Using the script installed in the secret/opendkim/lib/ directory you can extract the public key in the form of a DNS TXT record and place it in your DNS zone.

OpenDKIM will be configured to sign mail messages from localhost and the host's FQDN. Messages sent from the host's own DNS domain, as well as any messages from its subdomains, will be signed by default.
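The two paragraphs above describe the artefacts you have to publish: the public half of the DomainKey as a TXT record at selector._domainkey.domain, for a key that also signs subdomains. The following is an added example, not the script shipped in secret/opendkim/lib/ and not part of the role: it turns a PEM public key (as written by openssl rsa -pubout or opendkim-genkey) into the p= value, splits the record into the 255-octet strings a TXT RR requires, and checks a published record for the mistakes that break verification, including the t=s flag, which would contradict the subdomain signing described above. SAMPLE_PEM is a constructed placeholder with the size of a 2048-bit RSA key, not a real key; the selector and domain in the usage call are assumed.

```python
import base64
import binascii
import re
import textwrap

# Matches the PEM block written by "openssl rsa -pubout" (SubjectPublicKeyInfo),
# which is the form opendkim-genkey publishes in the p= tag.
PEM_PUBLIC_KEY = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_to_dkim_p(pem):
    """Strip the PEM armor and line breaks; the remaining base64 is the p= value."""
    match = PEM_PUBLIC_KEY.search(pem)
    if not match:
        raise ValueError("no 'PUBLIC KEY' PEM block found")
    p = "".join(match.group(1).split())
    base64.b64decode(p, validate=True)  # rejects a truncated or corrupted key
    return p


def dkim_record_value(pem, key_type="rsa"):
    """Tag=value content of the selector._domainkey TXT record.

    No t=s flag is emitted: that flag forbids signatures for subdomains, and
    this host signs mail from its subdomains by default."""
    return f"v=DKIM1; k={key_type}; p={pem_to_dkim_p(pem)}"


def txt_strings(value, limit=255):
    """One <character-string> in a TXT RR holds at most 255 octets (RFC 1035);
    DKIM verifiers concatenate the strings (RFC 6376 section 3.6.2.2).
    Base64 and the tag syntax never contain '"', so no escaping is needed."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(selector, domain, pem):
    """Zone-file line for the record, split into quoted strings."""
    quoted = " ".join(f'"{s}"' for s in txt_strings(dkim_record_value(pem)))
    return f"{selector}._domainkey.{domain}. IN TXT ( {quoted} )"


def parse_dkim_record(txt):
    """Split a (concatenated) DKIM TXT value into its tags."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = name.strip(), value.strip()
        if name == "p":
            value = "".join(value.split())  # folding whitespace is allowed inside p=
        tags[name] = value
    return tags


def check_dkim_record(txt, signs_subdomains=True):
    """Problems a verifier, or this host's default setup, would have with the record."""
    tags = parse_dkim_record(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty: the key is marked as revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    flags = set(tags.get("t", "").split(":")) - {""}
    if "s" in flags and signs_subdomains:
        problems.append("t=s forbids subdomain signatures, but this host signs subdomains")
    if "y" in flags:
        problems.append("t=y marks the domain as testing; verifiers treat mail as unsigned")
    return problems


# Constructed sample: PEM armor around base64 of placeholder bytes, sized like a
# 2048-bit RSA public key so that the record needs more than one TXT string.
# It is NOT a real key.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(
    base64.b64encode(b"constructed placeholder, not a real key. " * 7).decode(), 64)
) + "\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    # Assumed selector and domain; the role's default selector is "mail".
    print(zone_line("mail", "example.com", SAMPLE_PEM))
    print(check_dkim_record(dkim_record_value(SAMPLE_PEM)))
```

After publishing, fetch the record back with your resolver, concatenate the quoted strings and run check_dkim_record() on the result; an empty list means the record is well-formed and consistent with the subdomain signing this role configures.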

Support for Unbound DNS resolver

The debops.opendkim role checks if the Unbound service has been installed on a given host, by checking for the Ansible local facts defined by the debops.unbound role. If Unbound is present, OpenDKIM will automatically use it to resolve DNS queries and check DNSSEC validity.

Postfix integration

If the debops.opendkim role detects an installed Postfix instance by checking the Ansible local facts created by the debops.postfix Ansible role, Postfix support will be enabled automatically.

OpenDKIM will be reconfigured to create its listening socket in the /var/spool/postfix/opendkim/ directory. This directory is created with the SGID bit set and its group set to the Postfix main group, so that the socket created by OpenDKIM is automatically accessible to Postfix.

The debops.opendkim role will add Postfix main.cf configuration options using the debops.postfix dependent role variables. The OpenDKIM filter will be added to both the smtpd_milters and the non_smtpd_milters configuration options.
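The integration described above rests on two things you can verify on the host: the socket directory must be group-owned by the Postfix group and carry the SGID bit (otherwise the socket OpenDKIM creates does not inherit that group and Postfix cannot connect), and both milter lists must name the socket (otherwise mail submitted locally through sendmail(1), as opposed to mail received over SMTP, leaves unsigned). The following is an added example and not code from the role: a check of the directory's permission bits, and a small main.cf reader that resolves $parameter references and confirms both milter options include the OpenDKIM endpoint. The socket file name opendkim/opendkim.sock, SAMPLE_MAINCF and the gid values are constructed assumptions; the expected Postfix gid is passed in rather than looked up.

```python
import os
import re
import stat
import tempfile


def socket_dir_issues_from_mode(perm, gid, expected_gid):
    """Check the permission bits (stat.S_IMODE) of the directory holding the
    OpenDKIM socket: group-owned by the Postfix group, SGID set so that the
    socket inherits that group, group may enter it, nothing for 'other'."""
    issues = []
    if gid != expected_gid:
        issues.append(f"group is gid {gid}, expected gid {expected_gid}")
    if not perm & stat.S_ISGID:
        issues.append("SGID bit not set: the socket will not inherit the Postfix group")
    group_enter = stat.S_IRGRP | stat.S_IXGRP
    if perm & group_enter != group_enter:
        issues.append("group cannot enter the directory")
    if perm & stat.S_IRWXO:
        issues.append("directory is accessible to 'other'")
    return issues


def socket_dir_issues(path, expected_gid):
    """Same check against a real directory on disk."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    return socket_dir_issues_from_mode(stat.S_IMODE(st.st_mode), st.st_gid, expected_gid)


def demo_missing_sgid():
    """Throwaway directory with mode 0750 (no SGID), checked against its own group."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        return socket_dir_issues(d, os.stat(d).st_gid)


def parse_maincf(text):
    """Minimal reader for Postfix main.cf: 'name = value', '#' comment lines and
    continuation lines that start with whitespace. Not a full postconf(1)."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


_REF = re.compile(r"\$\{?(\w+)\}?")


def expand(params, name, depth=0):
    """Resolve $other_param references the way 'postconf -x' would (bounded)."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return _REF.sub(lambda m: expand(params, m.group(1), depth + 1), params.get(name, ""))


def socket_filesystem_path(params, endpoint):
    """Where a 'unix:' milter endpoint lives on disk. A relative path is taken
    from the queue directory, which is why the socket sits under /var/spool/postfix
    when the Postfix daemons run chrooted there."""
    path = endpoint.partition(":")[2]
    return os.path.join(params.get("queue_directory", "/var/spool/postfix"), path)


def milter_issues(params, socket="unix:opendkim/opendkim.sock"):
    """Both milter lists must reference the OpenDKIM socket: smtpd_milters covers
    mail received via SMTP, non_smtpd_milters covers local submission/pickup."""
    issues = []
    for name in ("smtpd_milters", "non_smtpd_milters"):
        milters = [m for m in re.split(r"[\s,]+", expand(params, name)) if m]
        if socket not in milters:
            issues.append(f"{name} does not include {socket}")
    # Postfix default is tempfail; with accept, a milter outage yields unsigned mail.
    if params.get("milter_default_action", "tempfail") == "accept":
        issues.append("milter_default_action=accept: mail is delivered unsigned if OpenDKIM is unavailable")
    return issues


# Constructed sample, not the configuration the role generates.
SAMPLE_MAINCF = """\
# constructed main.cf fragment
queue_directory = /var/spool/postfix
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
"""

if __name__ == "__main__":
    cfg = parse_maincf(SAMPLE_MAINCF)
    print(socket_filesystem_path(cfg, "unix:opendkim/opendkim.sock"))
    print(milter_issues(cfg))
    print(demo_missing_sgid())
```

On a real host, run socket_dir_issues() against /var/spool/postfix/opendkim with the gid of the Postfix main group and parse_maincf() over the output of postconf -n; both returning empty lists is what the integration described above should produce.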

Example inventory

To install and configure OpenDKIM on a host, it needs to be present in the [debops_service_opendkim] Ansible inventory group:

[debops_service_opendkim]
hostname

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.opendkim role:

---

- name: Manage OpenDKIM service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_opendkim' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  pre_tasks:

    - name: Prepare opendkim environment
      ansible.builtin.import_role:
        name: 'opendkim'
        tasks_from: 'main_env'
      tags: [ 'role::opendkim', 'role::secret' ]

    - name: Prepare postfix environment
      ansible.builtin.import_role:
        name: 'postfix'
        tasks_from: 'main_env'
      vars:
        postfix__dependent_maincf:
          - role: 'opendkim'
            config: '{{ opendkim__postfix__dependent_maincf }}'
      when: opendkim__postfix_integration | bool
      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]

  roles:

    - role: secret
      tags: [ 'role::secret', 'role::opendkim', 'role::postfix' ]
      secret__directories:
        - '{{ postfix__secret__directories  | d([]) }}'
        - '{{ opendkim__secret__directories | d([]) }}'

    - role: postfix
      tags: [ 'role::postfix', 'skip::postfix' ]
      postfix__dependent_maincf:
        - role: 'opendkim'
          config: '{{ opendkim__postfix__dependent_maincf }}'
      when: opendkim__postfix_integration | bool

    - role: opendkim
      tags: [ 'role::opendkim', 'skip::opendkim' ]

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit what tasks are performed during an Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::opendkim

Main role tag; use it in the playbook to execute all of the role's tasks as well as its role dependencies.