authorSilvio Rhatto <rhatto@riseup.net>2015-03-08 10:40:37 -0300
committerSilvio Rhatto <rhatto@riseup.net>2015-03-08 10:40:37 -0300
commit8af0ec91d981014055de4a1b872418ac1bc460f6 (patch)
treef4fe00836e990761ae53f481ff0c691a0dc67193
parent3c207f9a435963a1aa590d219527a62082749b39 (diff)
downloadpuppet-mail-8af0ec91d981014055de4a1b872418ac1bc460f6.tar.gz
puppet-mail-8af0ec91d981014055de4a1b872418ac1bc460f6.tar.bz2
OpenDKIM support
-rw-r--r--files/opendkim/KeyTable3
-rw-r--r--files/opendkim/SigningTable3
-rw-r--r--files/opendkim/TrustedHosts7
-rw-r--r--files/opendkim/default11
-rw-r--r--files/opendkim/opendkim.conf55
-rw-r--r--manifests/opendkim.pp82
-rw-r--r--manifests/opendkim/key.pp18
-rw-r--r--manifests/opendkim/packages.pp5
-rw-r--r--manifests/system.pp4
9 files changed, 188 insertions, 0 deletions
diff --git a/files/opendkim/KeyTable b/files/opendkim/KeyTable
new file mode 100644
index 0000000..b1578e2
--- /dev/null
+++ b/files/opendkim/KeyTable
@@ -0,0 +1,3 @@
+#mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
+#mail._domainkey.example.net example.net:mail:/etc/opendkim/keys/example.net/mail.private
+#mail._domainkey.example.org example.org:mail:/etc/opendkim/keys/example.org/mail.private
diff --git a/files/opendkim/SigningTable b/files/opendkim/SigningTable
new file mode 100644
index 0000000..abee429
--- /dev/null
+++ b/files/opendkim/SigningTable
@@ -0,0 +1,3 @@
+#*@example.com mail._domainkey.example.com
+#*@example.net mail._domainkey.example.net
+#*@example.org mail._domainkey.example.org
diff --git a/files/opendkim/TrustedHosts b/files/opendkim/TrustedHosts
new file mode 100644
index 0000000..7fa5b0c
--- /dev/null
+++ b/files/opendkim/TrustedHosts
@@ -0,0 +1,7 @@
+127.0.0.1
+localhost
+192.168.0.1/24
+
+#*.example.com
+#*.example.net
+#*.example.org
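Review bot: `192.168.0.1/24` on the third line ships an entire private /24 as trusted by default, and since opendkim.conf in this commit points both InternalHosts and ExternalIgnoreList at this file, mail from any host in that range is signed rather than verified. A safer shipped default is loopback only (`127.0.0.1` and `localhost`), leaving any LAN range to the site_mail override that the manifest already consults first. The entry also carries host bits; if it stays, the conventional spelling is `192.168.0.0/24`, though I cannot confirm from here whether OpenDKIM normalizes the host bits itself.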
diff --git a/files/opendkim/default b/files/opendkim/default
new file mode 100644
index 0000000..1098626
--- /dev/null
+++ b/files/opendkim/default
@@ -0,0 +1,11 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
+#SOCKET="inet:54321" # listen on all interfaces on port 54321
+#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
+#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
+SOCKET="inet:12301@localhost"
diff --git a/files/opendkim/opendkim.conf b/files/opendkim/opendkim.conf
new file mode 100644
index 0000000..695156a
--- /dev/null
+++ b/files/opendkim/opendkim.conf
@@ -0,0 +1,55 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/mail/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/mail/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains example.com
+
+AutoRestart Yes
+AutoRestartRate 10/1h
+UMask 002
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
+
+Canonicalization relaxed/simple
+
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+
+Mode sv
+PidFile /var/run/opendkim/opendkim.pid
+SignatureAlgorithm rsa-sha256
+
+UserID opendkim:opendkim
+
+Socket inet:12301@localhost
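Review bot: `UMask 002` and `Syslog yes` are each set twice in this file (once in the Debian header block near the top, again in the appended block after `AutoRestart Yes`), so there are two places to edit for one setting; drop one pair, preferably the first since the later block is where the rest of the site settings live. `Socket inet:12301@localhost` here is also shadowed by `SOCKET=` in files/opendkim/default, whose own comment says it overrides any Socket value in opendkim.conf, so one of the two is dead configuration and a short comment naming which one is authoritative would help the next maintainer. Whether the init script honours the default-file value is inferred from that comment, not from anything in this hunk.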
diff --git a/manifests/opendkim.pp b/manifests/opendkim.pp
new file mode 100644
index 0000000..2a60838
--- /dev/null
+++ b/manifests/opendkim.pp
@@ -0,0 +1,82 @@
+# Recipe from https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
+class mail::opendkim {
+ include mail::opendkim::packages
+
+ file { '/etc/default/opendkim':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet:///modules/mail/opendkim/default",
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/opendkim.conf",
+ "puppet:///modules/site_mail/opendkim/opendkim.conf" ],
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim':
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 0644,
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim/keys':
+ ensure => directory,
+ owner => opendkim,
+ group => opendkim,
+ mode => 0750,
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/TrustedHosts':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/TrustedHosts",
+ "puppet:///modules/site_mail/opendkim/TrustedHosts" ],
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/KeyTable':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/KeyTable",
+ "puppet:///modules/site_mail/opendkim/KeyTable" ],
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/SigningTable':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/SigningTable",
+ "puppet:///modules/site_mail/opendkim/SigningTable" ],
+ require => File['/etc/opendkim'],
+ }
+
+ service { 'opendkim' :
+ ensure => running,
+ enable => true,
+ require => [ Package['opendkim'],
+ File['/etc/default/opendkim', '/etc/opendkim.conf',
+ '/etc/opendkim/TrustedHosts', '/etc/opendkim/KeyTable', '/etc/opendkim/SigningTable' ],
+ }
+
+ postfix::config { "milter_protocol": value => '2' }
+ postfix::config { "milter_default_action": value => 'accept' }
+ postfix::config { "osmtpd_milters": value => 'inet:localhost:12301' }
+ postfix::config { "non_smtpd_milters": value => 'inet:localhost:12301' }
+}
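Review bot: `postfix::config { "osmtpd_milters": ... }` on the third-to-last line misspells `smtpd_milters`, so Postfix never hands SMTP-received mail to OpenDKIM: only locally submitted mail (via `non_smtpd_milters`) gets signed, and inbound mail is not verified at all. Change it to `postfix::config { "smtpd_milters": value => 'inet:localhost:12301' }`. The `mode` values here are bare octals (`mode => 0644`) while key.pp in the same commit quotes them (`'0750'`); quoting them consistently as strings avoids the octal-literal parser warning and keeps the two manifests in step. `milter_default_action accept` means a milter outage lets mail through unsigned and unverified, which is a reasonable availability choice but deserves a one-line comment saying it is deliberate.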
diff --git a/manifests/opendkim/key.pp b/manifests/opendkim/key.pp
new file mode 100644
index 0000000..bd9dadb
--- /dev/null
+++ b/manifests/opendkim/key.pp
@@ -0,0 +1,18 @@
+define mail::opendkim::key() {
+ file { "/etc/opendkim/keys/${name}" :
+ ensure => directory,
+ owner => 'opendkim',
+ group => 'opendkim',
+ mode => '0750',
+ require => File['/etc/opendkim/keys'],
+ }
+
+ exec { "opendkim-genkey-${name}"
+ command => "opendkim-genkey -s mail -d ${name}",
+ cwd => "/etc/opendkim/keys/${name}",
+ user => root,
+ group => root,
+ creates => File["/etc/opendkim/keys/${name}/mail.private", "/etc/opendkim/keys/${name}/mail.txt" ],
+ require => [ File["/etc/opendkim/keys/${name}"], Package['opendkim-tools'] ],
+ }
+}
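Review bot: The `exec { "opendkim-genkey-${name}"` resource does not parse as written: the title is missing the trailing colon that the `file` resource above it has, `creates` is given a `File[...]` reference where Puppet expects a path string, and the unqualified `opendkim-genkey` command has no `path` attribute, so Puppet refuses to run it. The exec also runs as root with `cwd` inside the opendkim-owned key directory, so the generated `mail.private` is root-owned unless the tool chowns it; since opendkim.conf runs the daemon as `opendkim:opendkim`, running the exec as that user (it only writes the two files into cwd, as far as the hunk shows) keeps the private key readable by the daemon and by nobody else. The rewritten resource below fixes all four; the `path` value assumes a Debian layout and should be checked against the package.
```puppet
  exec { "opendkim-genkey-${name}":
    command => "opendkim-genkey -s mail -d ${name}",
    path    => '/usr/bin:/bin',
    cwd     => "/etc/opendkim/keys/${name}",
    user    => 'opendkim',
    group   => 'opendkim',
    creates => "/etc/opendkim/keys/${name}/mail.private",
    require => [ File["/etc/opendkim/keys/${name}"], Package['opendkim-tools'] ],
  }
```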
diff --git a/manifests/opendkim/packages.pp b/manifests/opendkim/packages.pp
new file mode 100644
index 0000000..bcb577a
--- /dev/null
+++ b/manifests/opendkim/packages.pp
@@ -0,0 +1,5 @@
+class mail::opendkim::packages {
+ package { [ 'opendkim', 'opendkim-tools' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/system.pp b/manifests/system.pp
index 89f50c6..ec17ac7 100644
--- a/manifests/system.pp
+++ b/manifests/system.pp
@@ -50,6 +50,10 @@ class mail::system(
include mail::header_checks
include mail::clamav
include mail::spamassassin
+ include mail::opendkim
+
+ # DKIM
+ mail::opendkim::key { "$domain": }
# Default parameters
include mail::firma::params
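Review bot: `mail::opendkim::key { "$domain": }` generates a key for `$domain`, but the KeyTable and SigningTable shipped by this commit contain only commented-out example lines, so nothing is actually signed for that domain unless the site_mail overrides supply matching entries; a comment here stating that dependency, e.g. `# Signing only takes effect once KeyTable/SigningTable list this domain (site_mail override)`, would make the gap visible. `"$domain"` also mixes styles with the `${name}` interpolation used elsewhere in the commit; `"${domain}"` is the lint-clean form. The enclosing class `mail::system` starts before this hunk, so where `$domain` is declared is not visible here.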