summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/amavis/tasks/main.yml10
-rw-r--r--roles/amavis/templates/etc/amavis/conf.d/50-user.j22
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh16
3 files changed, 8 insertions, 20 deletions
diff --git a/roles/amavis/tasks/main.yml b/roles/amavis/tasks/main.yml
index 92a0e81..3036c52 100644
--- a/roles/amavis/tasks/main.yml
+++ b/roles/amavis/tasks/main.yml
@@ -52,8 +52,8 @@
- dkim
- name: Generate a private key for DKIM signing
- command: genkeypair.sh dkim --privkey=/etc/amavis/dkim/{{ item }}.pem -t rsa -b 2048
- with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | map(attribute='s') | list }}"
+ command: genkeypair.sh dkim --privkey="/etc/amavis/dkim/{{ item.s }}:{{ item.d }}.pem" -t rsa -b 2048
+ with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | list }}"
register: dkim
changed_when: dkim.rc == 0
failed_when: dkim.rc > 1
@@ -66,9 +66,9 @@
- name: Fetch DKIM keys
fetch_cmd: cmd="openssl pkey -pubout -outform PEM"
- stdin=/etc/amavis/dkim/{{ item }}.pem
- dest=certs/dkim/{{ item }}.pub
- with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | map(attribute='s') | list }}"
+ stdin="/etc/amavis/dkim/{{ item.s }}:{{ item.d }}.pem"
+ dest="certs/dkim/{{ item.s }}:{{ item.d }}.pub"
+ with_items: "{{ (dkim_keys[inventory_hostname_short] | default({})).values() | list }}"
tags:
- genkey
- dkim
diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
index f3ff416..a09c366 100644
--- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
@@ -33,7 +33,7 @@ $enable_dkim_signing = 1;
# Sign *all* outgoing mails with *our* key (yes, amavis complains, but this is
# safe as we force our domain with the 'd' tag).
{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() -%}
-dkim_key({{ (x == "~") | ternary('qr/./', "'"+x+"'") }}, '{{ k.s }}', '/etc/amavis/dkim/{{ k.s }}.pem');
+dkim_key({{ (x == "~") | ternary('qr/./', "'"+x+"'") }}, '{{ k.s }}', '/etc/amavis/dkim/{{ k.s }}:{{ k.d }}.pem');
{% endfor -%}
@dkim_signature_options_bysender_maps = (
{% for x,k in dkim_keys[inventory_hostname_short] | default({}) | dictsort() %}
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 01b279a..ad65aef 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -21,6 +21,7 @@
set -ue
PATH=/usr/bin:/bin
+export PATH
# Default values
type=rsa
@@ -74,18 +75,6 @@ usage() {
EOF
}
-dkiminfo() {
- echo "Add the following TXT record to your DNS zone:"
- echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( "
- # See https://tools.ietf.org/html/rfc4871#section-3.6.1
- # t=s: the "i=" domain in signature headers MUST NOT be a subdomain of "d="
- # s=email: limit DKIM signing to email
- openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \
- | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \
- | fold -w 250 \
- | { sed 's/.*/\t"&"/'; echo ' )'; }
-}
-
[ $# -gt 0 ] || { usage; exit 2; }
cmd="$1"; shift
case "$cmd" in
@@ -181,12 +170,11 @@ fi
if [ -s "$privkey" -a $force -eq 0 ]; then
echo "Error: private key exists: $privkey" >&2
- [ "$cmd" = dkim ] && dkiminfo
exit 1
elif [ ! -s "$privkey" -o $force -ge 2 ]; then
install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2
openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
- [ "$cmd" = dkim ] && { dkiminfo; exit; }
+ [ "$cmd" = dkim ] && exit
fi
if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-28 08:16:09 +0000