Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/opendkim/manifests/init.pp38
-rw-r--r--puppet/modules/opendkim/templates/opendkim.conf44
-rw-r--r--puppet/modules/site_config/manifests/x509/dkim/key.pp13
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp2
4 files changed, 96 insertions, 1 deletions
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..9e67569e
--- /dev/null
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -0,0 +1,38 @@
+# configure opendkim service (#5924)
+class opendkim {
+
+ $domain_hash = hiera('domain')
+ $domain = $domain_hash['full_suffix']
+ $dkim = hiera('dkim')
+ $selector = $dkim['dkim_selector']
+
+ include site_config::x509::dkim::key
+ $dkim_key = "${x509::variables::keys}/dkim.key"
+
+ ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
+
+ # postfix user needs to be in the opendkim group
+ # in order to access the opendkim socket located at:
+ # local:/var/run/opendkim/opendkim.sock
+ user { 'postfix':
+ groups => 'opendkim';
+ }
+
+ service { 'opendkim':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Class['Site_config::X509::Dkim::Key'],
+ subscribe => File[$dkim_key];
+ }
+
+ file { '/etc/opendkim.conf':
+ ensure => present,
+ content => template('opendkim/opendkim.conf'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ notify => Service['opendkim'],
+ require => Package['opendkim'];
+}
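Review bot: The `file { '/etc/opendkim.conf': … }` resource opened at `file { '/etc/opendkim.conf':` is never closed — the hunk's final `}` is the only closing brace after it, so the parser takes it as the end of the file resource and `class opendkim {` is left unterminated; unless a line was lost in rendering, this manifest does not compile, and the fix is to end with `  }` for the resource followed by `}` for the class. Separately, `user { 'postfix': groups => 'opendkim' }` is a full declaration of the postfix user and will raise a duplicate-declaration error if a postfix module already manages that user (likely, given `site_postfix` exists); if so, the membership belongs there, or can be merged with `User <| title == 'postfix' |> { groups +> 'opendkim' }`. The `membership` default is `minimum`, so the existing groups of `postfix` are kept, which is the intended effect here.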
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..46ddb7a8
--- /dev/null
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,44 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+SyslogSuccess yes
+LogWhy no
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+Domain <%= @domain %>
+SubDomains yes
+
+# set internal hosts to all the known hosts, like mydomains?
+
+# can we generate a larger key and get it in dns?
+KeyFile <%= @dkim_key %>
+
+# what selector do we use?
+Selector <%= @selector %>
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization relaxed
+#Mode sv
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains example.com
+
+RemoveOldSignatures yes
+
+Mode sv
+BaseDirectory /var/tmp
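Review bot: The template sets no `Socket` directive, yet the `init.pp` comment and the Postfix `smtpd_milters` value both assume `local:/var/run/opendkim/opendkim.sock`; on Debian that path presumably comes from the packaged `/etc/default/opendkim`, so the milter only ends up where Postfix looks as long as that file stays untouched — pin it in the managed config with `Socket local:/var/run/opendkim/opendkim.sock` next to `UMask 002`, which only exists to make that socket group-accessible. The three question-form comments (`# set internal hosts … like mydomains?`, `# can we generate a larger key and get it in dns?`, `# what selector do we use?`) read as unresolved design notes and should be answered or marked `# TODO:` so they are not mistaken for documentation of the directives below; the first one matters because without `InternalHosts` only localhost-originated mail is treated as signable in `Mode sv`. `Mode sv` also appears both commented out under the defaults block and set unconditionally at the end; keep one.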
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
new file mode 100644
index 00000000..c63a7e94
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/dkim/key.pp
@@ -0,0 +1,13 @@
+class site_config::x509::dkim::key {
+
+ ##
+ ## This is for the DKIM key that is used exclusively for DKIM
+ ## signing
+
+ $x509 = hiera('x509')
+ $key = $x509['dkim_key']
+
+ x509::key { 'dkim':
+ content => $key
+ }
+}
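Review bot: `x509::key { 'dkim': content => $key }` says nothing about who may read the resulting file, and the consumer is the `opendkim` service user rather than root; if the defined type defaults to root-only permissions the daemon cannot open the key, and if it defaults to wider permissions the private signing key is exposed, so the owner/group/mode should be explicit here if `x509::key` accepts them (cannot tell from this hunk), e.g. `x509::key { 'dkim': content => $key, group => 'opendkim', mode => '0640' }`. `$x509['dkim_key']` is also used unchecked, so a missing hiera value silently writes an empty key file; a `fail('x509.dkim_key is not set in hiera')` guard when `$key` is empty surfaces the misconfiguration at catalog time. The `##` comment block could state the contract in one line: `## Private DKIM signing key; must be readable by the opendkim service user and nobody else.`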
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index f0a2554a..edaa506f 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -50,7 +50,7 @@ class site_postfix::mx {
'local_recipient_maps':
value => '$alias_maps';
'smtpd_milters':
- value => 'unix:/run/clamav/milter.ctl';
+ value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock';
'milter_default_action':
value => 'accept';
}
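Review bot: Appending the opendkim socket to `smtpd_milters` only covers mail that arrives over SMTP; mail generated on the host itself (sendmail(1), cron, local daemons) enters via pickup and is governed by `non_smtpd_milters`, which this class does not set as far as the hunk shows, so that mail leaves unsigned — if it is meant to be signed, add `'non_smtpd_milters': value => 'unix:/var/run/opendkim/opendkim.sock';` alongside. Note also that the retained `'milter_default_action': value => 'accept'` makes the setup fail-open: when the opendkim socket is absent or the daemon is down, Postfix accepts and relays the message unsigned and unverified with only a log line, so a service/socket check is what surfaces an outage. The `site_postfix::mx` class continues outside the hunk.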