2 files changed, 112 insertions, 0 deletions
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..4d4c5312
--- /dev/null
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -0,0 +1,67 @@
+#
+# I am not sure about what issues might arise with DKIM key sizes
+# larger than 2048. It might or might not be supported. See:
+# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3
+#
+class opendkim {
+
+  $domain_hash = hiera('domain')
+  $domain      = $domain_hash['full_suffix']
+  $mx          = hiera('mx')
+  $dkim        = $mx['dkim']
+  $selector    = $dkim['selector']
+  $dkim_cert   = $dkim['public_key']
+  $dkim_key    = $dkim['private_key']
+
+  ensure_packages(['opendkim', 'libvbr2'])
+
+  # postfix user needs to be in the opendkim group
+  # in order to access the opendkim socket located at:
+  # local:/var/run/opendkim/opendkim.sock
+  user { 'postfix':
+    groups  => 'opendkim',
+    require => Package['opendkim'];
+  }
+
+  service { 'opendkim':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    subscribe  => File[$dkim_key];
+  }
+
+  file {
+    '/etc/opendkim.conf':
+      ensure  => file,
+      content => template('opendkim/opendkim.conf'),
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      notify  => Service['opendkim'],
+      require => Package['opendkim'];
+
+    '/etc/default/opendkim.conf':
+      ensure  => file,
+      content => 'SOCKET="inet:8891@localhost" # listen on loopback on port 8891',
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      notify  => Service['opendkim'],
+      require => Package['opendkim'];
+
+    $dkim_key:
+      ensure  => file,
+      mode    => '0600',
+      owner   => 'opendkim',
+      group   => 'opendkim',
+      require => Package['opendkim'];
+
+    $dkim_cert:
+      ensure  => file,
+      mode    => '0600',
+      owner   => 'opendkim',
+      group   => 'opendkim',
+      require => Package['opendkim'];
+  }
+}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..5a948229
--- /dev/null
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,45 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog                  yes
+SyslogSuccess           yes
+LogWhy                  no
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask                   002
+
+Domain                  <%= @domain %>
+SubDomains              yes
+
+# set internal hosts to all the known hosts, like mydomains?
+
+# can we generate a larger key and get it in dns?
+KeyFile                 <%= @dkim_key %>
+
+Selector                <%= @selector %>
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization        relaxed
+#Mode                   sv
+#ADSPDiscard            no
+
+SignatureAlgorithm      rsa-sha256
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders         From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains            example.com
+
+RemoveOldSignatures     yes
+
+Mode                    sv
+BaseDirectory           /var/tmp