deploy: Add dkim signing with rspamd
This commit is contained in:
parent
b563d4ec9f
commit
aa34a75bca
2 changed files with 86 additions and 0 deletions
|
|
@ -361,6 +361,13 @@
|
|||
notify:
|
||||
- restart postfix
|
||||
|
||||
- name: configure rspamd dkim
|
||||
template:
|
||||
src: templates/rspamd-dkim.cf.j2
|
||||
dest: /etc/rspamd/local.d/dkim_signing.conf
|
||||
notify:
|
||||
- restart rspamd
|
||||
|
||||
- name: configure rspamd
|
||||
copy:
|
||||
content: |
|
||||
|
|
|
|||
79
deploy/ansible/playbooks/templates/rspamd-dkim.cf.j2
Normal file
79
deploy/ansible/playbooks/templates/rspamd-dkim.cf.j2
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
# local.d/dkim_signing.conf
|
||||
|
||||
enabled = true;
|
||||
|
||||
# If false, messages with empty envelope from are not signed
|
||||
allow_envfrom_empty = true;
|
||||
|
||||
# If true, envelope/header domain mismatch is ignored
|
||||
allow_hdrfrom_mismatch = false;
|
||||
|
||||
# If true, multiple from headers are allowed (but only first is used)
|
||||
allow_hdrfrom_multiple = false;
|
||||
|
||||
# If true, username does not need to contain matching domain
|
||||
allow_username_mismatch = false;
|
||||
|
||||
# Default path to key, can include '$domain' and '$selector' variables
|
||||
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
|
||||
|
||||
# Default selector to use
|
||||
selector = "dkim";
|
||||
|
||||
# If false, messages from authenticated users are not selected for signing
|
||||
sign_authenticated = true;
|
||||
|
||||
# If false, messages from local networks are not selected for signing
|
||||
sign_local = true;
|
||||
|
||||
# Map file of IP addresses/subnets to consider for signing
|
||||
# sign_networks = "/some/file"; # or url
|
||||
|
||||
# Symbol to add when message is signed
|
||||
symbol = "DKIM_SIGNED";
|
||||
|
||||
# Whether to fallback to global config
|
||||
try_fallback = true;
|
||||
|
||||
# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From), "recipient" (SMTP To), "auth" (SMTP username) or directly specified domain name
|
||||
use_domain = "header";
|
||||
|
||||
# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
|
||||
#use_domain_sign_networks = "header";
|
||||
|
||||
# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
|
||||
#use_domain_sign_local = "header";
|
||||
|
||||
# Whether to normalise domains to eSLD
|
||||
use_esld = true;
|
||||
|
||||
# Whether to get keys from Redis
|
||||
use_redis = false;
|
||||
|
||||
# Hash for DKIM keys in Redis
|
||||
key_prefix = "DKIM_KEYS";
|
||||
|
||||
# map of domains -> names of selectors (since rspamd 1.5.3)
|
||||
#selector_map = "/etc/rspamd/dkim_selectors.map";
|
||||
|
||||
# map of domains -> paths to keys (since rspamd 1.5.3)
|
||||
#path_map = "/etc/rspamd/dkim_paths.map";
|
||||
|
||||
# If `true` get pubkey from DNS record and check if it matches private key
|
||||
check_pubkey = false;
|
||||
# Set to `false` if you want to skip signing if public and private keys mismatch
|
||||
allow_pubkey_mismatch = true;
|
||||
|
||||
# Domain specific settings
|
||||
domain {
|
||||
# Domain name is used as key
|
||||
{{ mail_domain }} {
|
||||
|
||||
# Private key path
|
||||
path = "/var/lib/rspamd/dkim/{{ mail_domain }}.key";
|
||||
|
||||
# Selector
|
||||
selector = "ds";
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Add table
Reference in a new issue