2 files changed, 9 insertions, 7 deletions

diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
index 9e67569e..e2e766e7 100644
--- a/puppet/modules/opendkim/manifests/init.pp
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -1,13 +1,15 @@
-# configure opendkim service (#5924)
+#
+# I am not sure about what issues might arise with DKIM key sizes
+# larger than 2048. It might or might not be supported. See:
+# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3
+#
 class opendkim {
 
   $domain_hash = hiera('domain')
   $domain      = $domain_hash['full_suffix']
   $dkim        = hiera('dkim')
-  $selector    = $dkim['dkim_selector']
-
-  include site_config::x509::dkim::key
-  $dkim_key    = "${x509::variables::keys}/dkim.key"
+  $selector    = $dkim['selector']
+  $dkim_key    = $dkim['private_key']
 
   ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
 
@@ -23,7 +25,6 @@ class opendkim {
     enable     => true,
     hasstatus  => true,
     hasrestart => true,
-    require    => Class['Site_config::X509::Dkim::Key'],
     subscribe  => File[$dkim_key];
   }
 
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
index 46ddb7a8..5a948229 100644
--- a/puppet/modules/opendkim/templates/opendkim.conf
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -18,7 +18,6 @@ SubDomains              yes
 # can we generate a larger key and get it in dns?
 KeyFile                 <%= @dkim_key %>
 
-# what selector do we use?
 Selector                <%= @selector %>
 
 # Commonly-used options; the commented-out versions show the defaults.
@@ -26,6 +25,8 @@ Canonicalization        relaxed
 #Mode                   sv
 #ADSPDiscard            no
 
+SignatureAlgorithm      rsa-sha256
+
 # Always oversign From (sign using actual From and a null From to prevent
 # malicious signatures header fields (From and/or others) between the signer
 # and the verifier.  From is oversigned by default in the Debian pacakge