Getting started
Default DKIM configuration
By default the role will create a DomainKey for the host's DNS domain, which
will use the mail DKIM selector. The private key can be found in the
secret/opendkim/domainkeys/ directory on the Ansible Controller (as well as
on the remote hosts). Using the installed script in the secret/opendkim/lib/
directory you can extract the public key in the form of a DNS TXT record and
place it in your DNS zone.
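The check below is an added example, not the script the role installs in secret/opendkim/lib/: it formats a DKIM TXT record for the mail selector from a PEM public key, splitting the value into the 255-byte strings DNS allows, and compares a published record against the local key. It assumes an RSA key; example.org and the sample key bytes are constructed placeholders.

```python
import base64

def spki_b64(pem):
    """Return the base64 body (DER SubjectPublicKeyInfo) of a PEM public key."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM public key")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # reject corrupt key material early
    return body

def zone_record(pem, selector, domain):
    """Format the TXT record; one DNS character-string holds at most 255 bytes."""
    value = "v=DKIM1; k=rsa; p=" + spki_b64(pem)
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return "%s._domainkey.%s. IN TXT ( %s )" % (
        selector, domain, " ".join('"%s"' % c for c in chunks))

def parse_txt(strings):
    """Join the character-strings of a published record and split its tags."""
    tags = {}
    for part in "".join(strings).split(";"):
        name, _, val = part.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(val.split())
    return tags

def check_published(pem, strings):
    """Compare a published record with the local key: match/mismatch/revoked/invalid."""
    tags = parse_txt(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"  # an empty p= tag means the key has been revoked
    try:
        published = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "invalid"
    return "match" if published == base64.b64decode(spki_b64(pem)) else "mismatch"

# Constructed sample: 294 arbitrary bytes standing in for a 2048-bit RSA key.
_B64 = base64.b64encode(bytes(range(256)) + bytes(range(38))).decode()
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64))

if __name__ == "__main__":
    record = zone_record(SAMPLE_PEM, "mail", "example.org")  # example.org is a placeholder
    print(record)
    print(check_published(SAMPLE_PEM, record.split('"')[1::2]))
```

A "mismatch" result after a key rotation means the DNS zone still carries the old public key, so receivers will fail DKIM verification for mail signed with the new one.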
OpenDKIM will be configured to sign mail messages from localhost and the
host's FQDN. Messages sent from the host's own DNS domain, as well as any
messages from the subdomains will be signed by default.
Support for Unbound DNS resolver
The debops.opendkim role checks if the Unbound service has been installed
on a given host, by checking for the Ansible local facts defined by the
debops.unbound role. If Unbound is present, OpenDKIM will automatically use
it to resolve DNS queries and check DNSSEC validity.
Postfix integration
If the debops.opendkim role detects an installed Postfix instance by
checking the Ansible local facts created by the debops.postfix Ansible role,
Postfix support will be enabled automatically.
OpenDKIM will be reconfigured to create its listening socket in the
/var/spool/postfix/opendkim/ directory. This directory is created with the
SGID bit set, and its group is set to the Postfix main group, so that the
socket created by OpenDKIM will be automatically accessible by Postfix.
The debops.opendkim role will add Postfix main.cf configuration options
using the debops.postfix dependent role variables. The OpenDKIM filter will
be added to the smtpd_milters as well as the non_smtpd_milters configuration
options.
Example inventory
To install and configure OpenDKIM on a host, it needs to be present in the
[debops_service_opendkim] Ansible inventory group:
[debops_service_opendkim]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.opendkim role:
---
- name: Manage OpenDKIM service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_opendkim' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'
  pre_tasks:
    - name: Prepare opendkim environment
      import_role:
        name: 'opendkim'
        tasks_from: 'main_env'
      tags: [ 'role::opendkim', 'role::secret' ]
    - name: Prepare postfix environment
      import_role:
        name: 'postfix'
        tasks_from: 'main_env'
      vars:
        postfix__dependent_maincf:
          - role: 'opendkim'
            config: '{{ opendkim__postfix__dependent_maincf }}'
      when: opendkim__postfix_integration|bool
      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
  roles:
    - role: secret
      tags: [ 'role::secret', 'role::opendkim', 'role::postfix' ]
      secret__directories:
        - '{{ postfix__secret__directories | d([]) }}'
        - '{{ opendkim__secret__directories | d([]) }}'
    - role: postfix
      tags: [ 'role::postfix', 'skip::postfix' ]
      postfix__dependent_maincf:
        - role: 'opendkim'
          config: '{{ opendkim__postfix__dependent_maincf }}'
      when: opendkim__postfix_integration|bool
    - role: opendkim
      tags: [ 'role::opendkim', 'skip::opendkim' ]