From 5da6f20ae82d938269c4eff0ecd89f96c0ffd9b7 Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Tue, 30 Jul 2024 00:17:11 +0100
Subject: dmarc: add opendmarc role

---
 ansible/playbook.yml | 1 +
 ansible/roles/opendmarc/handlers/main.yml | 5 ++++
 ansible/roles/opendmarc/tasks/main.yml | 30 ++++++++++++++++++++
 .../roles/opendmarc/templates/opendmarc.conf.j2 | 33 ++++++++++++++++++++++
 ansible/roles/opendmarc/vars/main.yml | 5 ++++
 5 files changed, 74 insertions(+)
 create mode 100644 ansible/roles/opendmarc/handlers/main.yml
 create mode 100644 ansible/roles/opendmarc/tasks/main.yml
 create mode 100644 ansible/roles/opendmarc/templates/opendmarc.conf.j2
 create mode 100644 ansible/roles/opendmarc/vars/main.yml
(limited to 'ansible')

diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index d9e855e..2b33539 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -21,6 +21,7 @@
   hosts: mail
   roles:
     - opendkim
+    - opendmarc
     - postfix
 
 - name: Deploy our monitoring stack
diff --git a/ansible/roles/opendmarc/handlers/main.yml b/ansible/roles/opendmarc/handlers/main.yml
new file mode 100644
index 0000000..4fe66b7
--- /dev/null
+++ b/ansible/roles/opendmarc/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload OpenDMARC
+  service:
+    name: opendmarc
+    state: reloaded
diff --git a/ansible/roles/opendmarc/tasks/main.yml b/ansible/roles/opendmarc/tasks/main.yml
new file mode 100644
index 0000000..f236b4d
--- /dev/null
+++ b/ansible/roles/opendmarc/tasks/main.yml
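Review bot: `state: reloaded` only does something useful if the packaged opendmarc unit or init script actually implements a reload action; whether it does varies by distribution and OpenDMARC version, and a systemd unit without `ExecReload` makes this handler fail rather than apply the new config. Unless the target's unit is known to support reload, `state: restarted` is the safer choice for a milter whose configuration file was just rewritten, i.e. `- name: Restart OpenDMARC` with `state: restarted` (and the matching `notify` in the tasks file). Which init system and unit the hosts use is not visible here, so this is inferred.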
@@ -0,0 +1,30 @@
+---
+- name: Install OpenDMARC
+  package:
+    name:
+      - opendmarc
+    state: present
+  tags:
+    - role::opendmarc
+
+- name: Create spool location for OpenDMARC aggregation
+  file:
+    state: directory
+    path: /var/spool/opendmarc
+    owner: opendmarc
+    group: opendmarc
+    mode: "0700"
+  tags:
+    - role::opendmarc
+
+- name: Template OpenDMARC configuration
+  template:
+    src: opendmarc.conf.j2
+    dest: /etc/opendmarc.conf
+    mode: "0644"
+    owner: root
+    group: root
+  tags:
+    - role::opendmarc
+  notify:
+    - Reload OpenDMARC
diff --git a/ansible/roles/opendmarc/templates/opendmarc.conf.j2 b/ansible/roles/opendmarc/templates/opendmarc.conf.j2
new file mode 100644
index 0000000..de26eea
--- /dev/null
+++ b/ansible/roles/opendmarc/templates/opendmarc.conf.j2
@@ -0,0 +1,33 @@
+# Server name to identify to others with in generated reports
+AuthservID {{ opendmarc_authserv_id }}
+
+# Copy failed messages to this address for investigation
+CopyFailuresTo {{ opendmarc_failures }}
+
+# Generate failure reports
+FailureReports true
+FailureReportsBcc {{ opendmarc_failure_reports }}
+FailureReportsOnNone true
+FailureReportsSentBy {{ opendmarc_failure_reports_from }}
+
+HistoryFile /var/spool/opendmarc/opendmarc.dat
+IgnoreAuthenticatedClients true
+
+# If needed in future
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+RejectFailures false
+ReportCommand /usr/sbin/sendmail -t
+RequiredHeaders true
+Socket inet:8893@localhost
+SoftwareHeader true
+SPFIgnoreResults false
+TrustedAuthservIDs HOSTNAME
+PidFile /run/opendmarc/opendmarc.pid
+
+PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
+
+TrustedAuthservIDs HOSTNAME
+
+UMask 0002
+UserID opendmarc
diff --git a/ansible/roles/opendmarc/vars/main.yml b/ansible/roles/opendmarc/vars/main.yml
new file mode 100644
index 0000000..a6072e8
--- /dev/null
+++ b/ansible/roles/opendmarc/vars/main.yml
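Review bot: No task in this file enables or starts the opendmarc service; the only lifecycle management is the `Reload OpenDMARC` handler, which fires only when the template task changes something, so nothing guarantees the milter is enabled at boot or running on a host where the config is already current, and Postfix would then get connection failures on the 8893 socket (handled according to whatever `milter_default_action` the postfix role sets, which is not visible here). Add an explicit service task after the template task, and consider `validate: 'opendmarc -c %s -n'` on the template task if the installed build supports the `-n` config-check flag, so a bad render is caught before the handler restarts the filter into a failed state. The spool directory is created `0700` owned by `opendmarc`, which matches the `UserID opendmarc` in the template; that part is fine.
```yaml
# … unchanged: package, spool directory and template tasks …
- name: Enable and start OpenDMARC
  service:
    name: opendmarc
    enabled: true
    state: started
  tags:
    - role::opendmarc
```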
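Review bot: `TrustedAuthservIDs HOSTNAME` appears twice in the template (once before `PidFile`, again after `PublicSuffixList`); drop one, and confirm that the host's name really is the `AuthservID` the opendkim role writes into `Authentication-Results`, because OpenDMARC only consumes results carrying a trusted authserv-id and a mismatch would silently make every message evaluate as if it had no DKIM result (the opendkim role is not visible here, so this is inferred, and note that this filter's own `AuthservID` is the non-hostname `{{ opendmarc_authserv_id }}`). `FailureReports true` combined with `FailureReportsOnNone true` sends forensic (ruf) reports, which include the original message headers and body, to any sender domain that publishes a `ruf=` address, even one with `p=none`; that is an outbound disclosure of recipients' mail to third parties that most operators leave off, so it should be a deliberate choice with a comment, or `FailureReports false`. `RejectFailures false` means a sender's `p=reject` is never enforced and this deployment is monitor-only; reasonable for rollout, but worth stating in the template so nobody assumes DMARC is blocking anything. `SoftwareHeader true` stamps the filter name and version on every message, which is a small information leak; `SoftwareHeader false` avoids it.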
@@ -0,0 +1,5 @@
+---
+opendmarc_failures: "dmarc+failures@pydis.wtf"
+opendmarc_failure_reports: "dmarc+failurereports@pydis.wtf"
+opendmarc_failure_reports_from: "dmarc+noreply@pydis.wtf"
+opendmarc_authserv_id: "PyDisDMARC"
-- 
cgit v1.2.3
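Review bot: These are operator-tunable settings (report mailboxes, the authserv-id) but they live in `vars/main.yml`, which has higher precedence than inventory, `group_vars` and play vars, so they cannot be overridden per environment without editing the role; moving the four keys unchanged to `defaults/main.yml` is the conventional fix, keeping `vars/` for role-internal constants. Separately, `opendmarc_authserv_id: "PyDisDMARC"` is emitted as the `AuthservID` in `Authentication-Results` headers, where the convention (and OpenDMARC's default) is the filtering host's FQDN; if any downstream component trusts authserv-ids by hostname it will not recognise this value, which is inferred since no consumer of the header is visible here.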