diff --git a/README.md b/README.md index 2daffcd..e9427f4 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Puppet module to manage OpenDKIM -Currently only supports Debian/Ubuntu, fork me to support more distributions. +Currently only supports Debian/Ubuntu/CentOS/Red Hat, fork me to support more distributions. * `opendkim` : Main class to install, enable and setup default configuration. * `opendkim::config` : Class to setup OpenDKIM main configuration files. @@ -13,8 +13,9 @@ Currently only supports Debian/Ubuntu, fork me to support more distributions. Setup your DKIM keys: - openssl genrsa -out example.com.key 1024 - openssl rsa -in example.com.key -out example.com.pub -pubout -outform PEM + export DOMAIN=example.com + openssl genrsa -out $DOMAIN.key 1024 + openssl rsa -in $DOMAIN.key -out $DOMAIN.pub -pubout -outform PEM Move the private key file into your own puppet module Add your public key to a new TXT record in DNS. diff --git a/files/etc/opendkim/KeyTable.header b/files/etc/opendkim/KeyTable.header new file mode 100644 index 0000000..e804d68 --- /dev/null +++ b/files/etc/opendkim/KeyTable.header @@ -0,0 +1,6 @@ +# OPENDKIM KEY TABLE +# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf, +# then uncomment the following line and replace example.com with your domain +# name, then restart OpenDKIM. Additional keys may be added on separate lines. + +#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private diff --git a/files/etc/opendkim/SigningTable.header b/files/etc/opendkim/SigningTable.header new file mode 100644 index 0000000..e8161a1 --- /dev/null +++ b/files/etc/opendkim/SigningTable.header @@ -0,0 +1,25 @@ +# OPENDKIM SIGNING TABLE +# This table controls how to apply one or more signatures to outgoing messages based +# on the address found in the 
From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
diff --git a/files/selinux/messages.opendkim b/files/selinux/messages.opendkim
new file mode 100644
index 0000000..40b241a
--- /dev/null
+++ b/files/selinux/messages.opendkim
@@ -0,0 +1,4 @@
+Feb 21 18:50:05 frf kernel: type=1400 audit(1393026605.540:13756): avc: denied { name_bind } for pid=27688 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+Feb 21 18:50:32 frf kernel: type=1400 audit(1393026632.614:13759): avc: denied { dac_override } for pid=27868 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
+type=AVC msg=audit(1402051399.771:785730): avc: denied { read write } for pid=31574 comm="cleanup" path="socket:[52571246]" dev=sockfs ino=52571246 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
+
diff --git a/manifests/config.pp b/manifests/config.pp
index eb90c93..027ee2f 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
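Review bot: The third line in messages.opendkim (pid=31574, comm="cleanup", postfix_cleanup_t → postfix_smtpd_t) is not an opendkim denial at all, so a policy module built from this file with audit2allow would widen Postfix's own domain as a side effect of installing a DKIM milter; it should be dropped or moved to whatever manages Postfix. The `dac_override` denial for comm="opendkim" is what a daemon hits when it must read files its unprivileged uid cannot; with domain.pp now placing keys as root:opendkim 0640 that access should come from ownership, and allowing the capability would mask exactly that misconfiguration, so keep only the `name_bind` on src=8891 unless the second one reproduces with the new ownership. The file also has no header and nothing in this commit reads it, so add `# AVC denials seen on CentOS with an inet:8891 socket; input for audit2allow -M opendkim` and the resource or README step that applies the result.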
@@ -1,23 +1,64 @@
+# you cannot pass undef to oversignheaders, so use '' to disable
 class opendkim::config(
 $syslog = $opendkim::params::syslog,
 $umask = $opendkim::params::umask,
 $oversignheaders = $opendkim::params::oversignheaders,
+ $logwhy = $opendkim::params::logwhy,
+ $milterdebug = $opendkim::params::milterdebug,
 ) inherits ::opendkim::params {
- concat { ['/etc/opendkim.conf', '/etc/default/opendkim']:
- owner => root,
- group => root,
- mode => '0644';
+ concat { '/etc/opendkim.conf':
+ owner => root,
+ group => root,
+ mode => '0644',
 }
+
 concat::fragment {
- "opendkim config":
- target => '/etc/opendkim.conf',
- content => template("opendkim/opendkim.conf.erb"),
+ 'opendkim config':
+ target => '/etc/opendkim.conf',
+ content => template('opendkim/opendkim.conf.erb'),
 order => 01;
+ }
+
+ concat { '/etc/opendkim/KeyTable':
+ owner => root,
+ group => root,
+ mode => '0644',
+ }
- "opendkim default config":
- target => '/etc/default/opendkim',
- content => template("opendkim/opendkim_default.erb"),
+ concat::fragment {
+ 'opendkim KeyTable header':
+ target => '/etc/opendkim/KeyTable',
+ source => 'puppet:///modules/opendkim/etc/opendkim/KeyTable.header',
 order => 01;
 }
+
+ concat { '/etc/opendkim/SigningTable':
+ owner => root,
+ group => root,
+ mode => '0644',
+ }
+
+ concat::fragment {
+ 'opendkim SigningTable header':
+ target => '/etc/opendkim/SigningTable',
+ source => 'puppet:///modules/opendkim/etc/opendkim/SigningTable.header',
+ order => 01;
+ }
+
+
+ if ($::opendkim::params::service_flavor == 'Debian') {
+ concat { $::opendkim::params::service_config:
+ owner => root,
+ group => root,
+ mode => '0644';
+ }
+
+ concat::fragment {
+ 'opendkim default config':
+ target => '/etc/default/opendkim',
+ content => template('opendkim/opendkim_default.erb'),
+ order => 01;
+ }
+ }
 }
diff --git a/manifests/domain.pp b/manifests/domain.pp
index c8c2534..1756d6e 100644
--- a/manifests/domain.pp
+++ b/manifests/domain.pp
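Review bot: In the `service_flavor == 'Debian'` branch the concat is keyed on `$::opendkim::params::service_config` while the fragment right after it targets the literal `'/etc/default/opendkim'`; they only line up because params.pp sets that exact string, so use `target => $::opendkim::params::service_config,` in the fragment too. The KeyTable and SigningTable concats assume `/etc/opendkim/` exists, which holds on the Fedora flavor where the package owns it, but I am not sure the Debian package creates that directory, so a `file { '/etc/opendkim': ensure => 'directory', owner => 'root', group => 'root', mode => '0755' }` required by both concats would keep the class working on the platform it already supported. The leading `# you cannot pass undef …` comment is the only documentation; extend it to state what the class manages, e.g. `# Builds /etc/opendkim.conf and the KeyTable/SigningTable concat targets that opendkim::domain appends to; oversignheaders cannot be undef, pass '' to disable`.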
@@ -2,23 +2,31 @@
 $private_key,
 $domain=$name,
 $selector='mail',
- $key_folder='/etc/dkim'
+ $key_folder=$::opendkim::params::key_folder
 ) {
 file { "${key_folder}/${domain}.key":
- owner => 'root',
- group => 'root',
- mode => 0640,
- source => $private_key;
+ owner => 'root',
+ group => 'opendkim',
+ mode => '0640',
+ source => $private_key,
+ require => Package[$::opendkim::params::package]
 }
- concat::fragment{ $name:
- target => '/etc/opendkim.conf',
- content => "Domain ${domain}\nKeyFile ${key_folder}/${domain}.key\nSelector ${selector}\n\n",
- order => 10,
- require => File["$key_folder/$domain.key"],
- notify => Service[$opendkim::params::service];
+
+ concat::fragment { "opendkim KeyTable ${name}":
+ target => '/etc/opendkim/KeyTable',
+ content => "${selector}._domainkey.${domain} ${domain}:${selector}:${key_folder}/${domain}.key\n",
+ order => 10,
+ require => File["${key_folder}/${domain}.key"],
+ notify => Service[$opendkim::params::service],
 }
-}
+ concat::fragment { "opendkim SigningTable ${name}":
+ target => '/etc/opendkim/SigningTable',
+ content => "${domain} ${selector}._domainkey.${domain}\n",
+ order => 10,
+ notify => Service[$opendkim::params::service],
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 9a27808..a631981 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -4,18 +4,22 @@
 ) inherits ::opendkim::params {
 package { $opendkim::params::package:
- alias => 'opendkim',
- ensure => $ensure_version
+ ensure => $ensure_version,
+ alias => 'opendkim'
 }
 service { $opendkim::params::service:
+ ensure => running,
 enable => true,
- require => Package['opendkim'];
+ require => [
+ Package['opendkim'],
+ Class['opendkim::config'],
+ ]
 }
 file { '/etc/dkim':
 ensure => 'directory',
 owner => 'root',
 group => 'root',
- mode => 0644;
+ mode => '0644'
 }
 if ($default_config) {
 include opendkim::config
diff --git a/manifests/params.pp b/manifests/params.pp
index f15a1eb..bba4446 100644
--- a/manifests/params.pp
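Review bot: `$domain` and `$selector` are interpolated straight into whitespace-delimited table lines (the KeyTable and SigningTable `content` strings), so a value containing a space or a newline silently produces an extra, possibly unintended, table entry; the define never checks them. The DSL match operator is enough here, placed before the file resource: `if $domain !~ /^[A-Za-z0-9.-]+$/ { fail("opendkim::domain: invalid domain ${domain}") }` and the same for `$selector`. The define also has no header comment; a short one stating that it installs the private key as root:opendkim 0640 under `$key_folder` and registers `${selector}._domainkey.${domain}` in both tables would document the contract the key directory managed in init.pp has to satisfy. The define's first line is outside the hunk.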
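Review bot: `Class['opendkim::config']` is now a hard `require` of the service, but the class is only declared under `if ($default_config)` at the end of the hunk, so a catalog compiled with `default_config => false` fails on the missing dependency. Keep the service's require at `Package['opendkim']` and express the ordering where the class is actually declared, with `Class['opendkim::config'] -> Service[$opendkim::params::service]` inside the `if` block. Separately, the key directory is still the hard-coded `/etc/dkim` while params.pp now defines `$key_folder` per OS (`/etc/opendkim/keys` on the Fedora flavor), and it stays root:root `0644` (Puppet sets the search bit where read is set, so effectively 0755) while domain.pp has just made the keys root:opendkim 0640; managing `$opendkim::params::key_folder` as root:opendkim `0750` keeps the directory consistent with the keys it holds and stops other local users from listing selector names. Class opendkim starts, and the `if` block ends, outside the hunk.
```puppet
  service { $opendkim::params::service:
    ensure  => running,
    enable  => true,
    require => Package['opendkim'],
  }
  # Key directory follows the per-OS default so RedHat-flavour hosts do not get /etc/dkim;
  # group opendkim + 0750 lets the daemon traverse it without exposing the listing.
  file { $opendkim::params::key_folder:
    ensure  => 'directory',
    owner   => 'root',
    group   => 'opendkim',
    mode    => '0750',
    require => Package['opendkim'],
  }
  if ($default_config) {
    include opendkim::config
    # Ordering only when the class is really in the catalog.
    Class['opendkim::config'] -> Service[$opendkim::params::service]
```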
+++ b/manifests/params.pp
@@ -7,6 +7,16 @@
 'Ubuntu', 'Debian': {
 $package = 'opendkim'
 $service = 'opendkim'
+ $key_folder = '/etc/dkim'
+ $service_config = '/etc/default/opendkim'
+ $service_flavor = 'Debian'
+ }
+ 'Fedora', 'CentOS', 'RedHat': {
+ $package = 'opendkim'
+ $service = 'opendkim'
+ $key_folder = '/etc/opendkim/keys'
+ $service_config = '/etc/sysconfig/opendkim'
+ $service_flavor = 'Fedora'
 }
 default: {
 fail("Unsupported operatingsystem ${::operatingsystem}, fork me baby.")
diff --git a/manifests/socket.pp b/manifests/socket.pp
index df2009c..9baa347 100644
--- a/manifests/socket.pp
+++ b/manifests/socket.pp
@@ -20,8 +20,8 @@
 }
 }
 concat::fragment{ $socket:
- target => '/etc/default/opendkim',
- content => "SOCKET=$socket # ${name}\n",
+ target => '/etc/opendkim.conf',
+ content => "Socket ${socket} # ${name}\n",
 order => 10,
 notify => Service[$opendkim::params::service];
 }
diff --git a/templates/opendkim.conf.erb b/templates/opendkim.conf.erb
index 5eebb9d..055326f 100644
--- a/templates/opendkim.conf.erb
+++ b/templates/opendkim.conf.erb
@@ -23,7 +23,11 @@ UMask <%= scope.lookupvar('::opendkim::params::umask') %>
 # and the verifier. From is oversigned by default in the Debian pacakge
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
-OversignHeaders <%= scope.lookupvar('::opendkim::params::oversignheaders') %>
+<% if scope.lookupvar('::opendkim::config::oversignheaders') != '' -%>
+OversignHeaders <%= scope.lookupvar('::opendkim::config::oversignheaders') %>
+<% else -%>
+# OversignHeaders is disabled
+<% end -%>
 # List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
 # (ATPS) (experimental)
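Review bot: The Fedora branch sets `$service_config = '/etc/sysconfig/opendkim'`, but config.pp only manages `$service_config` when `$service_flavor == 'Debian'`, so on this flavor the value is never read; either drop it or annotate it, `# not managed by this module on this flavor; the package default is used`, so the next reader does not hunt for the missing resource. The branch also matches on `$::operatingsystem`, so any other member of the RedHat family falls through to the `fail()` below although it would take the same branch; a case keyed on `$::osfamily` would cover them without changing the Debian/Ubuntu handling. The `case` statement and the class around it start and end outside the hunk.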
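Review bot: Each `opendkim::socket` instance now appends its own `Socket … # ${name}` line to /etc/opendkim.conf, and OpenDKIM takes a single Socket directive, so a second instance shadows the first just as the old `SOCKET=` lines did; a comment on the fragment, `# opendkim honours one Socket directive; declare a single opendkim::socket per host`, would make that explicit. The trailing `# ${name}` relies on opendkim.conf accepting an end-of-line comment, which I believe it does but is worth confirming against a running daemon. On Debian the init script can still hand the daemon the `SOCKET` value from /etc/default/opendkim, which config.pp keeps rendering from `opendkim_default.erb`; if that template still emits `SOCKET=`, the command-line value wins over the directive written here, so the template (not in this diff) should stop emitting it. The surrounding define starts outside the hunk.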
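Review bot: The template is rendered from inside `opendkim::config`, so `@oversignheaders` is the direct reference; reading the same parameter back through `scope.lookupvar('::opendkim::config::oversignheaders')` can return nil or :undefined instead of a string (depending on the Puppet version), in which case `!= ''` is true and the file gets `OversignHeaders ` with no value, which the daemon rejects at startup. `<% if @oversignheaders && @oversignheaders != '' -%>` together with `OversignHeaders <%= @oversignheaders %>` keeps the "`''` disables" contract documented in config.pp and survives an undef. The `# OversignHeaders is disabled` branch turns off exactly the protection the three comment lines above describe; the generated file should say so, e.g. `# OversignHeaders disabled via opendkim::config::oversignheaders => '' (From is no longer oversigned)`. The LogWhy and MilterDebug conditions in the next hunk use the same lookupvar pattern and would change the same way.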
@@ -32,3 +36,12 @@ OversignHeaders <%= scope.lookupvar('::opendkim::params::oversignheaders') %>
 # Sign for example.com with key in /etc/mail/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
+<% if scope.lookupvar('::opendkim::config::logwhy') != '' -%>
+LogWhy yes
+<% end -%>
+<% if scope.lookupvar('::opendkim::config::milterdebug') != '' -%>
+MilterDebug <%= scope.lookupvar('::opendkim::config::milterdebug') %>
+<% end -%>
+
+KeyTable /etc/opendkim/KeyTable
+SigningTable /etc/opendkim/SigningTable
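Review bot: `LogWhy yes` is emitted whenever `logwhy` is non-empty, so `logwhy => 'no'` (and a boolean `false`, which is also `!= ''`) still switches the option on; either emit the value, `LogWhy <%= scope.lookupvar('::opendkim::config::logwhy') %>`, or test for the positive value, `<% if scope.lookupvar('::opendkim::config::logwhy') == 'yes' -%>`. `SigningTable /etc/opendkim/SigningTable` selects plain `file:` semantics, which is what domain.pp's `${domain} ${selector}._domainkey.${domain}` lines need, but the shipped SigningTable.header shows a `*@example.com` wildcard example that only works under `refile:`; a comment beside the directive, `# plain file: lookup as written by opendkim::domain; wildcard entries need refile:`, stops an admin from uncommenting the example and quietly sending unsigned mail.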