summaryrefslogtreecommitdiff
path: root/puppet/modules
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules')
-rw-r--r--puppet/modules/opendkim/manifests/init.pp13
-rw-r--r--puppet/modules/opendkim/templates/opendkim.conf3
-rw-r--r--puppet/modules/site_config/manifests/x509/dkim/key.pp13
3 files changed, 9 insertions, 20 deletions
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
index 9e67569e..e2e766e7 100644
--- a/puppet/modules/opendkim/manifests/init.pp
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -1,13 +1,15 @@
-# configure opendkim service (#5924)
+#
+# I am not sure about what issues might arise with DKIM key sizes
+# larger than 2048. It might or might not be supported. See:
+# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3
+#
class opendkim {
$domain_hash = hiera('domain')
$domain = $domain_hash['full_suffix']
$dkim = hiera('dkim')
- $selector = $dkim['dkim_selector']
-
- include site_config::x509::dkim::key
- $dkim_key = "${x509::variables::keys}/dkim.key"
+ $selector = $dkim['selector']
+ $dkim_key = $dkim['private_key']
ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
@@ -23,7 +25,6 @@ class opendkim {
enable => true,
hasstatus => true,
hasrestart => true,
- require => Class['Site_config::X509::Dkim::Key'],
subscribe => File[$dkim_key];
}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
index 46ddb7a8..5a948229 100644
--- a/puppet/modules/opendkim/templates/opendkim.conf
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -18,7 +18,6 @@ SubDomains yes
# can we generate a larger key and get it in dns?
KeyFile <%= @dkim_key %>
-# what selector do we use?
Selector <%= @selector %>
# Commonly-used options; the commented-out versions show the defaults.
@@ -26,6 +25,8 @@ Canonicalization relaxed
#Mode sv
#ADSPDiscard no
+SignatureAlgorithm rsa-sha256
+
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
deleted file mode 100644
index c63a7e94..00000000
--- a/puppet/modules/site_config/manifests/x509/dkim/key.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_config::x509::dkim::key {
-
- ##
- ## This is for the DKIM key that is used exclusively for DKIM
- ## signing
-
- $x509 = hiera('x509')
- $key = $x509['dkim_key']
-
- x509::key { 'dkim':
- content => $key
- }
-}