From 685642e8bfdaff16a4f02bd40b5d2aef15b68d94 Mon Sep 17 00:00:00 2001
From: elijah
Date: Sat, 13 Feb 2016 23:48:48 -0800
Subject: get dkim working, closes #5924
---
 puppet/modules/opendkim/manifests/init.pp | 13 +++++++------
 puppet/modules/opendkim/templates/opendkim.conf | 3 ++-
 puppet/modules/site_config/manifests/x509/dkim/key.pp | 13 -------------
 3 files changed, 9 insertions(+), 20 deletions(-)
 delete mode 100644 puppet/modules/site_config/manifests/x509/dkim/key.pp
(limited to 'puppet/modules')
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
index 9e67569e..e2e766e7 100644
--- a/puppet/modules/opendkim/manifests/init.pp
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -1,13 +1,15 @@
-# configure opendkim service (#5924)
+#
+# I am not sure about what issues might arise with DKIM key sizes
+# larger than 2048. It might or might not be supported. See:
+# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3
+#
 class opendkim {
 $domain_hash = hiera('domain')
 $domain = $domain_hash['full_suffix']
 $dkim = hiera('dkim')
- $selector = $dkim['dkim_selector']
-
- include site_config::x509::dkim::key
- $dkim_key = "${x509::variables::keys}/dkim.key"
+ $selector = $dkim['selector']
+ $dkim_key = $dkim['private_key']
 ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
@@ -23,7 +25,6 @@ class opendkim {
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => Class['Site_config::X509::Dkim::Key'],
 subscribe => File[$dkim_key];
 }
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
index 46ddb7a8..5a948229 100644
--- a/puppet/modules/opendkim/templates/opendkim.conf
+++ b/puppet/modules/opendkim/templates/opendkim.conf
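Review bot: In the first init.pp hunk, `$dkim_key = $dkim['private_key']` replaces the `include site_config::x509::dkim::key` that used to declare the key resource, yet the service in the second hunk still has `subscribe => File[$dkim_key]`. If no `file { $dkim_key: ... }` is declared in the part of the class outside these hunks, the reference has nothing to resolve to, and nothing in this patch shows how the private key is delivered or what owner and mode it gets. Declaring it next to the service keeps the signing key readable only by the daemon, for example `file { $dkim_key: ensure => file, owner => 'opendkim', group => 'opendkim', mode => '0600', require => Package['opendkim'] }` (user and group names assumed from the Debian package; confirm). Because the path and selector now come from the renamed hiera keys `private_key` and `selector`, a `validate_absolute_path($dkim_key)` before use would fail early on stale provider data instead of rendering an empty `KeyFile` line. The class body continues outside both hunks.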
@@ -18,7 +18,6 @@ SubDomains yes
 # can we generate a larger key and get it in dns?
 KeyFile <%= @dkim_key %>
-# what selector do we use?
 Selector <%= @selector %>
 # Commonly-used options; the commented-out versions show the defaults.
@@ -26,6 +25,8 @@ Canonicalization relaxed
 #Mode sv
 #ADSPDiscard no
+SignatureAlgorithm rsa-sha256
+
 # Always oversign From (sign using actual From and a null From to prevent
 # malicious signatures header fields (From and/or others) between the signer
 # and the verifier. From is oversigned by default in the Debian pacakge
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
deleted file mode 100644
index c63a7e94..00000000
--- a/puppet/modules/site_config/manifests/x509/dkim/key.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_config::x509::dkim::key {
-
- ##
- ## This is for the DKIM key that is used exclusively for DKIM
- ## signing
-
- $x509 = hiera('x509')
- $key = $x509['dkim_key']
-
- x509::key { 'dkim':
- content => $key
- }
-}
--
cgit v1.2.3
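Review bot: The `SignatureAlgorithm rsa-sha256` line added in the second opendkim.conf hunk carries no comment, unlike the options around it, so the reason for setting it is not recorded in the template. The opendkim.conf(5) man page describes rsa-sha256 as the default when the library supports it, which would make this line an explicit pin rather than a behaviour change; that is worth stating. A one-line comment above it would do, for example `# Pin rsa-sha256 explicitly so signing never falls back to rsa-sha1.`.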