From 8af0ec91d981014055de4a1b872418ac1bc460f6 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 8 Mar 2015 10:40:37 -0300
Subject: OpenDKIM support

---
files/opendkim/KeyTable | 3 ++
files/opendkim/SigningTable | 3 ++
files/opendkim/TrustedHosts | 7 ++++
files/opendkim/default | 11 ++++++
files/opendkim/opendkim.conf | 55 ++++++++++++++++++++++++++++
manifests/opendkim.pp | 82 ++++++++++++++++++++++++++++++++++++++++++
manifests/opendkim/key.pp | 18 ++++++++++
manifests/opendkim/packages.pp | 5 +++
manifests/system.pp | 4 +++
9 files changed, 188 insertions(+)
create mode 100644 files/opendkim/KeyTable
create mode 100644 files/opendkim/SigningTable
create mode 100644 files/opendkim/TrustedHosts
create mode 100644 files/opendkim/default
create mode 100644 files/opendkim/opendkim.conf
create mode 100644 manifests/opendkim.pp
create mode 100644 manifests/opendkim/key.pp
create mode 100644 manifests/opendkim/packages.pp

diff --git a/files/opendkim/KeyTable b/files/opendkim/KeyTable
new file mode 100644
index 0000000..b1578e2
--- /dev/null
+++ b/files/opendkim/KeyTable
@@ -0,0 +1,3 @@
+#mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
+#mail._domainkey.example.net example.net:mail:/etc/opendkim/keys/example.net/mail.private
+#mail._domainkey.example.org example.org:mail:/etc/opendkim/keys/example.org/mail.private
diff --git a/files/opendkim/SigningTable b/files/opendkim/SigningTable
new file mode 100644
index 0000000..abee429
--- /dev/null
+++ b/files/opendkim/SigningTable
@@ -0,0 +1,3 @@
+#*@example.com mail._domainkey.example.com
+#*@example.net mail._domainkey.example.net
+#*@example.org mail._domainkey.example.org
diff --git a/files/opendkim/TrustedHosts b/files/opendkim/TrustedHosts
new file mode 100644
index 0000000..7fa5b0c
--- /dev/null
+++ b/files/opendkim/TrustedHosts
@@ -0,0 +1,7 @@
+127.0.0.1
+localhost
+192.168.0.1/24
+
+#*.example.com
+#*.example.net
+#*.example.org
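Review bot: `192.168.0.1/24` in TrustedHosts is shipped as a module default even though opendkim.conf references this file as both `InternalHosts` and `ExternalIgnoreList`, so every host in that private /24 would get its mail signed by the daemon and be exempted from verification. The entry also carries host bits (`.1/24` rather than `.0/24`), which reads like a copied sample rather than a deliberate choice. If it is only an example, comment it out next to the `#*.example.com` lines, e.g. `#192.168.0.0/24`, and leave real ranges to the `site_mail` override that manifests/opendkim.pp already supports for this file.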
diff --git a/files/opendkim/default b/files/opendkim/default
new file mode 100644
index 0000000..1098626
--- /dev/null
+++ b/files/opendkim/default
@@ -0,0 +1,11 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
+#SOCKET="inet:54321" # listen on all interfaces on port 54321
+#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
+#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
+SOCKET="inet:12301@localhost"
diff --git a/files/opendkim/opendkim.conf b/files/opendkim/opendkim.conf
new file mode 100644
index 0000000..695156a
--- /dev/null
+++ b/files/opendkim/opendkim.conf
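Review bot: `SOCKET="inet:12301@localhost"` duplicates the `Socket inet:12301@localhost` line at the end of opendkim.conf, and the comment a few lines above says this /etc/default value overrides whatever opendkim.conf sets, so the conf entry is dead configuration. Keep the listener address in one place — either drop the `Socket` line from opendkim.conf or leave this one commented — so a later port change cannot silently diverge from the `postfix::config` milter entries in manifests/opendkim.pp, which hard-code the same `12301`.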
@@ -0,0 +1,55 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/mail/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/mail/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains example.com
+
+AutoRestart Yes
+AutoRestartRate 10/1h
+UMask 002
+Syslog yes
+SyslogSuccess Yes
+LogWhy Yes
+
+Canonicalization relaxed/simple
+
+ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+InternalHosts refile:/etc/opendkim/TrustedHosts
+KeyTable refile:/etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+
+Mode sv
+PidFile /var/run/opendkim/opendkim.pid
+SignatureAlgorithm rsa-sha256
+
+UserID opendkim:opendkim
+
+Socket inet:12301@localhost
diff --git a/manifests/opendkim.pp b/manifests/opendkim.pp
new file mode 100644
index 0000000..2a60838
--- /dev/null
+++ b/manifests/opendkim.pp
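Review bot: `UMask 002` and `Syslog yes` are each set twice in this file, once under the introductory comments and again in the block that starts at `AutoRestart Yes`; the second pair is redundant, and the comment justifying `UMask` by the local socket no longer applies once the daemon listens on `inet:12301@localhost`. Drop the duplicate `UMask 002` / `Syslog yes` lines from the lower block. Separately, the `KeyTable` and `SigningTable` files this config points at are installed with every entry commented out (see the files/opendkim hunks), and nothing else in this commit writes entries to them, so with `Mode sv` the daemon verifies but signs nothing until a site override supplies them; a comment next to `SigningTable refile:/etc/opendkim/SigningTable` such as `# Entries come from the site_mail override; mail::opendkim::key only generates keys.` would save the next operator from debugging unsigned mail.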
@@ -0,0 +1,82 @@
+# Recipe from https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
+class mail::opendkim {
+ include mail::opendkim::packages
+
+ file { '/etc/default/opendkim':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => "puppet:///modules/mail/opendkim/default",
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/opendkim.conf",
+ "puppet:///modules/site_mail/opendkim/opendkim.conf" ],
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim':
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 0644,
+ require => Package['opendkim'],
+ }
+
+ file { '/etc/opendkim/keys':
+ ensure => directory,
+ owner => opendkim,
+ group => opendkim,
+ mode => 0750,
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/TrustedHosts':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/TrustedHosts",
+ "puppet:///modules/site_mail/opendkim/TrustedHosts" ],
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/KeyTable':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/KeyTable",
+ "puppet:///modules/site_mail/opendkim/KeyTable" ],
+ require => File['/etc/opendkim'],
+ }
+
+ file { '/etc/opendkim/SigningTable':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ source => [ "puppet:///modules/mail/opendkim/SigningTable",
+ "puppet:///modules/site_mail/opendkim/SigningTable" ],
+ require => File['/etc/opendkim'],
+ }
+
+ service { 'opendkim' :
+ ensure => running,
+ enable => true,
+ require => [ Package['opendkim'],
+ File['/etc/default/opendkim', '/etc/opendkim.conf',
+ '/etc/opendkim/TrustedHosts', '/etc/opendkim/KeyTable', '/etc/opendkim/SigningTable' ],
+ }
+
+ postfix::config { "milter_protocol": value => '2' }
+ postfix::config { "milter_default_action": value => 'accept' }
+ postfix::config { "osmtpd_milters": value => 'inet:localhost:12301' }
+ postfix::config { "non_smtpd_milters": value => 'inet:localhost:12301' }
+}
diff --git a/manifests/opendkim/key.pp b/manifests/opendkim/key.pp
new file mode 100644
index 0000000..bd9dadb
--- /dev/null
+++ b/manifests/opendkim/key.pp
@@ -0,0 +1,18 @@
+define mail::opendkim::key() {
+ file { "/etc/opendkim/keys/${name}" :
+ ensure => directory,
+ owner => 'opendkim',
+ group => 'opendkim',
+ mode => '0750',
+ require => File['/etc/opendkim/keys'],
+ }
+
+ exec { "opendkim-genkey-${name}"
+ command => "opendkim-genkey -s mail -d ${name}",
+ cwd => "/etc/opendkim/keys/${name}",
+ user => root,
+ group => root,
+ creates => File["/etc/opendkim/keys/${name}/mail.private", "/etc/opendkim/keys/${name}/mail.txt" ],
+ require => [ File["/etc/opendkim/keys/${name}"], Package['opendkim-tools'] ],
+ }
+}
diff --git a/manifests/opendkim/packages.pp b/manifests/opendkim/packages.pp
new file mode 100644
index 0000000..bcb577a
--- /dev/null
+++ b/manifests/opendkim/packages.pp
@@ -0,0 +1,5 @@
+class mail::opendkim::packages {
+ package { [ 'opendkim', 'opendkim-tools' ]:
+ ensure => installed,
+ }
+}
diff --git a/manifests/system.pp b/manifests/system.pp
index 89f50c6..ec17ac7 100644
--- a/manifests/system.pp
+++ b/manifests/system.pp
@@ -50,6 +50,10 @@ class mail::system(
 include mail::header_checks
 include mail::clamav
 include mail::spamassassin
+ include mail::opendkim
+
+ # DKIM
+ mail::opendkim::key { "$domain": }
 # Default parameters
 include mail::firma::params
--
cgit v1.2.3
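Review bot: `postfix::config { "osmtpd_milters": ... }` near the end of manifests/opendkim.pp is a typo for `smtpd_milters`, so Postfix never attaches the milter to its SMTP path: inbound mail is not verified and mail received over SMTP is not signed, leaving only the `non_smtpd_milters` path (local submissions) going through OpenDKIM. Change it to `postfix::config { "smtpd_milters": value => 'inet:localhost:12301' }`. Also `/etc/opendkim` is created with `mode => 0644`, a directory without the execute bit; root still traverses it, but the daemon is configured as `UserID opendkim:opendkim` and presumably cannot reach `/etc/opendkim/keys/...` after dropping privileges, so `mode => '0755'` (quoted, matching key.pp) looks intended. The `service { 'opendkim' : ... }` only `require`s its config files; adding `subscribe => File['/etc/opendkim.conf', '/etc/opendkim/TrustedHosts', '/etc/opendkim/KeyTable', '/etc/opendkim/SigningTable']` would restart the daemon when the tables change.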
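Review bot: `exec { "opendkim-genkey-${name}"` in manifests/opendkim/key.pp is missing the `:` after the resource title, so the define does not parse, and `creates => File[...]` passes a resource reference where `creates` expects a file path, so even once the colon is added the exec would not be idempotent. Rewrite the two lines as `exec { "opendkim-genkey-${name}":` and `creates => "/etc/opendkim/keys/${name}/mail.private",`. Because the exec runs as `root` inside a directory owned by `opendkim`, the generated `mail.private` will be root-owned, and whether the daemon running as `opendkim:opendkim` can read it depends on the permissions opendkim-genkey applies; a follow-up `file` resource pinning `mail.private` to `owner => 'opendkim'` and `mode => '0600'` would be safer than relying on that. Nothing in this commit adds the generated key to KeyTable or SigningTable, so generating it alone does not enable signing.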
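Review bot: `mail::opendkim::key { "$domain": }` in manifests/system.pp interpolates a bare variable inside double quotes; Puppet style (and puppet-lint) wants `"${domain}"`, and since the define builds `/etc/opendkim/keys/${name}` from the title, an unset `$domain` would produce a resource with an empty title. Write it as `mail::opendkim::key { "${domain}": }`. The enclosing `class mail::system(` begins before this hunk, so where `$domain` is declared and whether it is guaranteed non-empty is not visible here.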