Feature table

README.md

@@ -4,7 +4,7 @@
 
 Puppet module to manage OpenDKIM
 
-Currently only supports Debian/Ubuntu, fork me to support more distributions.
+Currently only supports Debian/Ubuntu/CentOS/Red Hat, fork me to support more distributions.
 
 * `opendkim` : Main class to install, enable and setup default configuration.
 * `opendkim::config` : Class to setup OpenDKIM main configuration files.
@@ -13,8 +13,9 @@ Currently only supports Debian/Ubuntu, fork me to support more distributions.
 
 Setup your DKIM keys:
 
-    openssl genrsa -out example.com.key 1024
-    openssl rsa -in example.com.key -out example.com.pub -pubout -outform PEM
+    export DOMAIN=example.com
+    openssl genrsa -out $DOMAIN.key 1024
+    openssl rsa -in $DOMAIN.key -out $DOMAIN.pub -pubout -outform PEM
     Move the private key file into your own puppet module
 
 Add your public key to a new TXT record in DNS.

files/etc/opendkim/KeyTable.header

@@ -0,0 +1,6 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

files/etc/opendkim/SigningTable.header

@@ -0,0 +1,25 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then [email protected] (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "[email protected]", then "[email protected]", then "[email protected]"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com

files/selinux/messages.opendkim

@@ -0,0 +1,4 @@
+Feb 21 18:50:05 frf kernel: type=1400 audit(1393026605.540:13756): avc:  denied  { name_bind } for  pid=27688 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
+Feb 21 18:50:32 frf kernel: type=1400 audit(1393026632.614:13759): avc:  denied  { dac_override } for  pid=27868 comm="opendkim" capability=1  scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
+type=AVC msg=audit(1402051399.771:785730): avc:  denied  { read write } for  pid=31574 comm="cleanup" path="socket:[52571246]" dev=sockfs ino=52571246 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
+

manifests/config.pp

@@ -1,23 +1,64 @@
+# you cannot pass undef to oversignheaders, so use '' to disable
 class opendkim::config(
   $syslog                  = $opendkim::params::syslog,
   $umask                   = $opendkim::params::umask,
   $oversignheaders         = $opendkim::params::oversignheaders,
+  $logwhy                  = $opendkim::params::logwhy,
+  $milterdebug             = $opendkim::params::milterdebug,
 ) inherits ::opendkim::params {
 
-  concat { ['/etc/opendkim.conf', '/etc/default/opendkim']:
-    owner => root,
-    group => root,
-    mode  => '0644';
+  concat { '/etc/opendkim.conf':
+    owner  => root,
+    group  => root,
+    mode   => '0644',
   }
+
   concat::fragment {
-    "opendkim config":
-      target => '/etc/opendkim.conf',
-      content => template("opendkim/opendkim.conf.erb"),
+    'opendkim config':
+      target  => '/etc/opendkim.conf',
+      content => template('opendkim/opendkim.conf.erb'),
       order   => 01;
+  }
+
+  concat { '/etc/opendkim/KeyTable':
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+  }
 
-    "opendkim default config":
-      target => '/etc/default/opendkim',
-      content => template("opendkim/opendkim_default.erb"),
+  concat::fragment {
+    'opendkim KeyTable header':
+      target  => '/etc/opendkim/KeyTable',
+      source  => 'puppet:///modules/opendkim/etc/opendkim/KeyTable.header',
       order   => 01;
   }
+
+  concat { '/etc/opendkim/SigningTable':
+    owner  => root,
+    group  => root,
+    mode   => '0644',
+  }
+
+  concat::fragment {
+    'opendkim SigningTable header':
+      target  => '/etc/opendkim/SigningTable',
+      source  => 'puppet:///modules/opendkim/etc/opendkim/SigningTable.header',
+      order   => 01;
+  }
+
+
+  if ($::opendkim::params::service_flavor == 'Debian') {
+    concat { $::opendkim::params::service_config:
+      owner => root,
+      group => root,
+      mode  => '0644';
+    }
+
+    concat::fragment {
+      'opendkim default config':
+        target  => '/etc/default/opendkim',
+        content => template('opendkim/opendkim_default.erb'),
+        order   => 01;
+    }
+  }
 }

manifests/domain.pp

@@ -2,23 +2,31 @@
   $private_key,
   $domain=$name,
   $selector='mail',
-  $key_folder='/etc/dkim'
+  $key_folder=$::opendkim::params::key_folder
 ) {
 
   file {
     "${key_folder}/${domain}.key":
-      owner  => 'root',
-      group  => 'root',
-      mode   => 0640,
-      source => $private_key;
+      owner   => 'root',
+      group   => 'opendkim',
+      mode    => '0640',
+      source  => $private_key,
+      require => Package[$::opendkim::params::package]
   }
-  concat::fragment{ $name:
-    target  => '/etc/opendkim.conf',
-    content => "Domain ${domain}\nKeyFile ${key_folder}/${domain}.key\nSelector ${selector}\n\n",
-    order   => 10,
-    require => File["$key_folder/$domain.key"],
-    notify  => Service[$opendkim::params::service];
+
+  concat::fragment { "opendkim KeyTable ${name}":
+      target  => '/etc/opendkim/KeyTable',
+      content  => "${selector}._domainkey.${domain} ${domain}:${selector}:${key_folder}/${domain}.key\n",
+      order   => 10,
+      require => File["${key_folder}/${domain}.key"],
+      notify  => Service[$opendkim::params::service],
   }
 
-}
+  concat::fragment { "opendkim SigningTable ${name}":
+      target  => '/etc/opendkim/SigningTable',
+      content  => "${domain} ${selector}._domainkey.${domain}\n",
+      order   => 10,
+      notify  => Service[$opendkim::params::service],
+  }
 
+}

manifests/init.pp

@@ -4,18 +4,22 @@
 ) inherits ::opendkim::params {
 
   package { $opendkim::params::package:
-    alias  => 'opendkim',
-    ensure => $ensure_version
+    ensure => $ensure_version,
+    alias  => 'opendkim'
   }
   service { $opendkim::params::service:
+    ensure  => running,
     enable  => true,
-    require => Package['opendkim'];
+    require => [
+      Package['opendkim'],
+      Class['opendkim::config'],
+    ]
   }
   file { '/etc/dkim':
     ensure => 'directory',
     owner  => 'root',
     group  => 'root',
-    mode   => 0644;
+    mode   => '0644'
   }
   if ($default_config) {
     include opendkim::config

manifests/params.pp

@@ -7,6 +7,16 @@
     'Ubuntu', 'Debian': {
       $package = 'opendkim'
       $service = 'opendkim'
+      $key_folder = '/etc/dkim'
+      $service_config = '/etc/default/opendkim'
+      $service_flavor = 'Debian'
+    }
+    'Fedora', 'CentOS', 'RedHat': {
+      $package = 'opendkim'
+      $service = 'opendkim'
+      $key_folder = '/etc/opendkim/keys'
+      $service_config = '/etc/sysconfig/opendkim'
+      $service_flavor = 'Fedora'
     }
     default: {
       fail("Unsupported operatingsystem ${::operatingsystem}, fork me baby.")

manifests/socket.pp

@@ -20,8 +20,8 @@
     }
   }
   concat::fragment{ $socket:
-    target  => '/etc/default/opendkim',
-    content => "SOCKET=$socket # ${name}\n",
+    target  => '/etc/opendkim.conf',
+    content => "Socket ${socket} # ${name}\n",
     order   => 10,
     notify  => Service[$opendkim::params::service];
   }

templates/opendkim.conf.erb

@@ -23,7 +23,11 @@ UMask			<%= scope.lookupvar('::opendkim::params::umask') %>
 # and the verifier.  From is oversigned by default in the Debian pacakge
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
-OversignHeaders		<%= scope.lookupvar('::opendkim::params::oversignheaders') %>
+<% if scope.lookupvar('::opendkim::config::oversignheaders') != '' -%>
+OversignHeaders		<%= scope.lookupvar('::opendkim::config::oversignheaders') %>
+<% else -%>
+# OversignHeaders is disabled
+<% end -%>
 
 # List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
 # (ATPS) (experimental)
@@ -32,3 +36,12 @@ OversignHeaders		<%= scope.lookupvar('::opendkim::params::oversignheaders') %>
 # Sign for example.com with key in /etc/mail/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
 
+<% if scope.lookupvar('::opendkim::config::logwhy') != '' -%>
+LogWhy yes
+<% end -%>
+<% if scope.lookupvar('::opendkim::config::milterdebug') != '' -%>
+MilterDebug <%= scope.lookupvar('::opendkim::config::milterdebug') %>
+<% end -%>
+
+KeyTable     /etc/opendkim/KeyTable
+SigningTable /etc/opendkim/SigningTable