Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.24.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'lvicainne-opendkim', '0.4.4'
OpenDKIM
Table of Contents
- Description
- Setup - The basics of getting started with OpenDKIM
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
A Puppet module to install and manage OpenDKIM
Setup
What OpenDKIM affects
- install the OpenDKIM package
- modify the configuration file /etc/opendkim.conf
- add and modify files in /etc/opendkim
- purge /etc/opendkim and /etc/dkim of all unneeded files
Warning: this module will replace all your RSA keys! Before using it, be sure to add all your keys to Hiera!
Beginning with OpenDKIM
A basic example is as follows:
class { '::opendkim':
  socket        => 'inet:8891@127.0.0.1',
  trusted_hosts => ['::1', '127.0.0.1', 'localhost'],
  keys          => [
    {
      domain         => 'mydomain.com',
      selector       => 'default',
      publickey      => 'p=yourPublicKey',
      privatekey     => 'Your Private Key',
      signingdomains => ['*@mydomain.com', '*@subdomain.mydomain.com'],
    }
  ],
}
Usage
You can also use Hiera natively:
include ::opendkim

opendkim::socket: 'inet:8891@127.0.0.1'
opendkim::trusted_hosts:
  - '::1'
  - '127.0.0.1'
  - 'localhost'
opendkim::keys:
  - domain: mydomain.com
    selector: default
    hash_algorithms: "sha256"
    publickey: "p=yourPublicKey"
    publickeyextended: "secondLineofPublicKey"
    privatekey: |
      -----BEGIN RSA PRIVATE KEY-----
      Your Private Key
      -----END RSA PRIVATE KEY-----
    signingdomains:
      - '*@mydomain.com'
      - '*@subdomain.mydomain.com'
If you want to use OpenDKIM through a UNIX socket, with Postfix for example, configure the socket like this:
opendkim::socket: 'local:/var/run/opendkim/opendkim.sock'
opendkim::umask: '0111'
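The socket and umask pairing above decides who can reach the milter. The following is an added example, not code from the module: it computes the permissions a 'local:' socket ends up with from the umask parameter, using the module's own Pattern constraint for that parameter; the '0117' value is an assumed group-only alternative for comparison, not a setting the page recommends.

```python
import re

# The module's own constraint on the umask parameter: Pattern[/\A[0-7]{3,4}\z/]
UMASK_PATTERN = re.compile(r"\A[0-7]{3,4}\Z")


def socket_mode_from_umask(umask: str) -> int:
    """Permission bits a UNIX-domain socket gets when OpenDKIM binds it.

    The kernel creates the socket node with 0777 & ~umask, and OpenDKIM's
    UMask option is what sets that umask; it has no effect on an inet: socket.
    """
    if not UMASK_PATTERN.match(umask):
        raise ValueError(f"umask {umask!r} does not match [0-7]{{3,4}}")
    return 0o777 & ~int(umask, 8)


def assess_socket(socket: str, umask: str) -> dict:
    """Describe who can connect to the milter socket.

    Connecting to a UNIX stream socket needs write permission on the socket
    file, so a world-writable mode lets any local user hand messages to the
    milter for signing, not only the MTA.
    """
    if not socket.startswith("local:"):
        return {"socket": socket, "unix": False, "mode": None,
                "group_writable": False, "world_writable": False}
    mode = socket_mode_from_umask(umask)
    return {"socket": socket, "unix": True, "mode": mode,
            "group_writable": bool(mode & 0o020),
            "world_writable": bool(mode & 0o002)}


if __name__ == "__main__":
    # The two settings shown on this page, plus an assumed group-only umask
    # (0117 -> 0660) for the case where the MTA user is in the opendkim group.
    for sock, um in [("inet:8891@127.0.0.1", "0022"),
                     ("local:/var/run/opendkim/opendkim.sock", "0022"),
                     ("local:/var/run/opendkim/opendkim.sock", "0111"),
                     ("local:/var/run/opendkim/opendkim.sock", "0117")]:
        f = assess_socket(sock, um)
        mode = oct(f["mode"]) if f["mode"] is not None else "n/a"
        print(f"{um} {sock}: mode={mode} world_writable={f['world_writable']}")
```

With the default '0022' the socket is 0755 and only the opendkim user can write to it; '0111' yields 0666, so the rundir_mode and the socket's parent directory are then the only thing limiting which local processes can reach the milter.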
Limitations
This module has only been tested on my Debian and CentOS servers. I cannot guarantee it for any other operating system.
Development
You are welcome to fork this module and adapt it to your needs. I am open to any pull request :-)
Reference
Table of Contents
Classes
Public Classes
opendkim
: This class manages the opendkim service.
Private Classes
opendkim::config
: Configure opendkim
opendkim::install
: Managing the opendkim installation
opendkim::service
: Managing the opendkim service
opendkim::user
: Managing the opendkim user
Data types
Opendkim::Key
: Validate an opendkim key struct
Classes
opendkim
This class manages the opendkim service.
- See also: the README.md
Parameters
The following parameters are available in the opendkim class:
user
uid
user_shell
user_system
homedir
group
gid
group_system
configdir
configfile
pidfile
rundir_mode
sysconfigfile
package_name
service_name
service_ensure
service_enable
log_why
subdomains
socket
umask
nameservers
mode
canonicalization
removeoldsignatures
maximum_signed_bytes
trustanchorfile
senderheaders
signaturealgorithm
minimumkeybits
additional_options
trusted_hosts
manage_private_keys
keys
alldomain
selector
publickey
publickeyextended
privatekey
key_algorithm
hash_algorithms
autorestart
autorestartrate
user
Data type: String[1]
Name of the user running the service.
Default value: 'opendkim'
uid
Data type: Optional[Integer[0]]
UserID from the user running the service.
Default value: undef
user_shell
Data type: Stdlib::Absolutepath
Sets the login shell of user running the service.
Default value: '/usr/sbin/nologin'
user_system
Data type: Boolean
Whether the user should be created in the system user UID range rather than the normal user UID range.
Default value: true
homedir
Data type: Stdlib::Absolutepath
Homedir of the user running the service.
Default value: '/run/opendkim'
group
Data type: String[1]
Name of the group running the service. Also set as the primary group of the user running the service.
Default value: 'opendkim'
gid
Data type: Optional[Integer[0]]
GroupID from the group running the service.
Default value: undef
group_system
Data type: Boolean
Whether the group should be created in the system group GID range rather than the normal group GID range.
Default value: true
configdir
Data type: Stdlib::Absolutepath
Directory where the configurations will be located.
Default value: '/etc/opendkim'
configfile
Data type: Stdlib::Absolutepath
Path of the main config file.
Default value: '/etc/opendkim.conf'
pidfile
Data type: Stdlib::Absolutepath
Path of the process id file of the service.
Default value: '/run/opendkim/opendkim.pid'
rundir_mode
Data type: Pattern[/\A[0-7]{3,4}\z/]
Run directory permission of the service.
Default value: '0755'
sysconfigfile
Data type: Optional[Stdlib::Absolutepath]
Path of the sysconfig file.
Default value: undef
package_name
Data type: String[1]
Name of the package providing opendkim.
Default value: 'opendkim'
service_name
Data type: String[1]
Name of the service.
Default value: 'opendkim'
service_ensure
Data type: Stdlib::Ensure::Service
Defines the state of the service.
Default value: 'running'
service_enable
Data type: Boolean
Switch if service should boot at startup.
Default value: true
log_why
Data type: Variant[Boolean,Enum['yes','no']]
If logging is enabled, issues very detailed logging about the logic behind the filter’s decision to either sign a message or verify it.
Default value: 'no'
subdomains
Data type: Variant[Boolean,Enum['yes','no']]
Sign subdomains of those listed by the Domain parameter as well as the actual domains.
Default value: 'yes'
socket
Data type: String
The socket the service should listen on.
Default value: 'inet:8891@127.0.0.1'
umask
Data type: Pattern[/\A[0-7]{3,4}\z/]
Requests a specific permissions mask to be used for file creation. This only really applies to creation of the socket when Socket specifies a UNIX domain socket, and to the PidFile.
Default value: '0022'
nameservers
Data type: Array[Stdlib::IP::Address]
List of IP addresses that are to be used when doing DNS queries to retrieve DKIM keys, VBR records, etc.
Default value: []
mode
Data type: Pattern[/\A[sv]{1,2}\z/]
Selects operating modes. The string is a concatenation of characters that indicate which mode(s) of operation are desired.
Default value: 'sv'
canonicalization
Data type: Pattern[/\A((relaxed|simple)\/)?(relaxed|simple)\z/]
Selects the canonicalization method(s) to be used when signing messages. When verifying, the message’s DKIM-Signature: header field specifies the canonicalization method. The recognized values are relaxed and simple as defined by the DKIM specification. The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the header and the second to the body.
Default value: 'relaxed/simple'
removeoldsignatures
Data type: Variant[Boolean,Enum['yes','no']]
Removes all existing signatures when operating in signing mode.
Default value: 'no'
maximum_signed_bytes
Data type: Optional[Integer[1]]
Specifies the maximum number of bytes of message body to be signed. Messages shorter than this limit will be signed in their entirety.
Default value: undef
trustanchorfile
Data type: Optional[Stdlib::Absolutepath]
Specifies a file from which trust anchor data should be read when doing DNS queries and applying the DNSSEC protocol.
Default value: undef
senderheaders
Data type: Optional[Array[String,1]]
Specifies an ordered list of header fields that should be searched to determine the sender of a message. The first header field found is the one whose value is used. This is mainly used when signing for deciding which signing request(s) to make.
Default value: undef
signaturealgorithm
Data type: Optional[String[1]]
Selects the signing algorithm to use when generating signatures.
Default value: undef
minimumkeybits
Data type: Optional[Integer[1]]
Establishes a minimum key size for acceptable signatures. Signatures with smaller key sizes, even if they otherwise pass DKIM validation, will be marked as invalid.
Default value: undef
additional_options
Data type: Hash[String,Variant[Array[String],String,Integer,Boolean]]
These options will also be written into the opendkim config file.
Default value: {}
trusted_hosts
Data type: Array[String,1]
Hosts that may send mail through the server as one of the signing domains without credentials and whose mail should be signed rather than verified.
Default value: ['::1', '127.0.0.1', 'localhost']
manage_private_keys
Data type: Boolean
Switch for the management of the private key files.
Default value: true
keys
Data type: Array[Opendkim::Key]
Structure of the keys to manage and to generate the configuration from.
Default value: []
alldomain
Data type: Boolean
Switch for an alternative management mode that only configures one key, which is used to sign all domains.
Default value: false
selector
Data type: Optional[String[1]]
The selector used for signing in alldomain mode.
Default value: undef
publickey
Data type: Optional[String[1]]
The publickey used for signing in alldomain mode.
Default value: undef
publickeyextended
Data type: Optional[String[1]]
Deprecated: just use publickey. The template splits it into chunks for the DNS TXT file.
The publickeyextended used for signing in alldomain mode.
Default value: undef
privatekey
Data type: Optional[String[1]]
The privatekey used for signing in alldomain mode.
Default value: undef
key_algorithm
Data type: Optional[String[1]]
The key_algorithm used for signing in alldomain mode.
Default value: undef
hash_algorithms
Data type: Optional[String[1]]
The hash_algorithms used for signing in alldomain mode.
Default value: undef
autorestart
Data type: Optional[Variant[Boolean,Enum['yes','no']]]
Either a boolean or yes/no, stating whether opendkim should restart on failure.
Default value: undef
autorestartrate
Data type: Optional[Pattern[/\A[0-9]+\/[0-9]+[sSmMhHdD]\z/]]
The rate limit on automatic restarts.
Default value: undef
Data types
Opendkim::Key
Validate an opendkim key struct
Alias of
Struct[{
  domain            => String[1],
  selector          => String[1],
  key_algorithm     => Optional[String[1]],
  hash_algorithms   => Optional[String[1]],
  publickey         => String[1],
  publickeyextended => Optional[String[1]],
  privatekey        => Variant[String[1],Deferred],
  signingdomains    => Array[String[1]],
}]
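As an added example (not the module's own code), the following Python mirrors the Opendkim::Key struct above as a validator for Hiera-supplied key entries and shows the 255-character chunking of the public key for the DNS TXT file that the publickeyextended note refers to. The TXT record tag layout (v=, h=, k=) is assumed from the DKIM record format rather than copied from the module's template, and a Deferred privatekey is represented here by any non-string object.

```python
from typing import Any, Dict, List, Optional

# Members of the Opendkim::Key struct shown above; privatekey and
# signingdomains are checked separately because of their special shapes.
REQUIRED = ("domain", "selector", "publickey")
OPTIONAL = ("key_algorithm", "hash_algorithms", "publickeyextended")


def validate_key(key: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the struct is valid."""
    problems = []
    for name in REQUIRED:
        if not isinstance(key.get(name), str) or not key[name]:
            problems.append(f"{name}: String[1] required")
    for name in OPTIONAL:
        if name in key and (not isinstance(key[name], str) or not key[name]):
            problems.append(f"{name}: Optional[String[1]] violated")
    # Variant[String[1],Deferred]: a Deferred value is modelled as any non-str object
    pk = key.get("privatekey")
    if pk is None or (isinstance(pk, str) and not pk):
        problems.append("privatekey: String[1] or Deferred required")
    sd = key.get("signingdomains")
    if not isinstance(sd, list) or not all(isinstance(d, str) and d for d in sd):
        problems.append("signingdomains: Array[String[1]] required")
    known = set(REQUIRED) | set(OPTIONAL) | {"privatekey", "signingdomains"}
    for name in sorted(set(key) - known):  # Struct rejects unknown members
        problems.append(f"{name}: not a member of Opendkim::Key")
    return problems


def txt_record_chunks(publickey: str, hash_algorithms: Optional[str] = None,
                      key_algorithm: str = "rsa", size: int = 255) -> List[str]:
    """Assemble the DKIM TXT record value and split it into <=255-char strings,
    since a single TXT string cannot exceed 255 bytes (assumed tag layout)."""
    value = "v=DKIM1; "
    if hash_algorithms:
        value += f"h={hash_algorithms}; "
    value += f"k={key_algorithm}; {publickey}"   # publickey already carries 'p='
    return [value[i:i + size] for i in range(0, len(value), size)]


if __name__ == "__main__":
    # Constructed sample mirroring the README's Hiera example
    sample = {"domain": "mydomain.com", "selector": "default",
              "hash_algorithms": "sha256", "publickey": "p=" + "A" * 400,
              "privatekey": "-----BEGIN RSA PRIVATE KEY-----\n...",
              "signingdomains": ["*@mydomain.com", "*@subdomain.mydomain.com"]}
    print(validate_key(sample) or "valid")
    for chunk in txt_record_chunks(sample["publickey"], sample["hash_algorithms"]):
        print(len(chunk), chunk[:40] + "...")
```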
Changelog
v0.4.2 - Compatible with Puppet from 6.24 up to, but not including, 8.0
What's Changed
- Lookup osfamily for RedHat clones by @msalway in https://github.com/lvicainne/puppet-opendkim/pull/43
- Missing Optional for autorestart by @msalway in https://github.com/lvicainne/puppet-opendkim/pull/44
- chore: update module version and metadata by @parveenk27 in https://github.com/lvicainne/puppet-opendkim/pull/54
- Chunking publickey in 255 char blocks for dns txt by @cruelsmith in https://github.com/lvicainne/puppet-opendkim/pull/51
- Add SignHeaders From by @seriv in https://github.com/lvicainne/puppet-opendkim/pull/48
- feat(pdk): enable pdk to improve test and reliability of the module by @lvicainne in https://github.com/lvicainne/puppet-opendkim/pull/55
New Contributors
- @parveenk27 made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/54
- @seriv made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/48
Full Changelog: https://github.com/lvicainne/puppet-opendkim/compare/v0.4.0...v0.4.2
v0.4.0
What's Changed
- Add Missing Socket for Ubuntu 16.04 by @HielkeJ in https://github.com/lvicainne/puppet-opendkim/pull/3
- Replace deprecated stdlib functions with puppet data types by @jkroepke in https://github.com/lvicainne/puppet-opendkim/pull/5
- Removed full path comments on configfile by @jkroepke in https://github.com/lvicainne/puppet-opendkim/pull/6
- Adding nameserver config paramter by @jkroepke in https://github.com/lvicainne/puppet-opendkim/pull/7
- if you default it to undef in params, you need to make it Optional to acce… by @qs5779 in https://github.com/lvicainne/puppet-opendkim/pull/8
- add force to directory absent resources by @qs5779 in https://github.com/lvicainne/puppet-opendkim/pull/9
- Add parameters: mode, canonicalization, removeoldsignatures by @sa5bke in https://github.com/lvicainne/puppet-opendkim/pull/12
- Add support for MaximumSignedBytes by @tetsuo13 in https://github.com/lvicainne/puppet-opendkim/pull/13
- Make sure to create users before package installation by @Arakmar in https://github.com/lvicainne/puppet-opendkim/pull/14
- Allow handling of private keys outsite puppet by @jeebiq in https://github.com/lvicainne/puppet-opendkim/pull/18
- Test bumping version by @cFire in https://github.com/lvicainne/puppet-opendkim/pull/17
- add ability to validate dnssec by @tobiWu in https://github.com/lvicainne/puppet-opendkim/pull/19
- Fix duplicate resource if multiple keys are added for a domain by @nikdoof in https://github.com/lvicainne/puppet-opendkim/pull/16
- make trustanchorfile optional by @antondollmaier in https://github.com/lvicainne/puppet-opendkim/pull/20
- Add support for FreeBSD by @smortex in https://github.com/lvicainne/puppet-opendkim/pull/21
- Add management of /etc/tmpfiles.d/opendkim.conf for RedHat by @razorbladex401 in https://github.com/lvicainne/puppet-opendkim/pull/22
- Allow to apply a DKIM cert on all domains by @kapouik in https://github.com/lvicainne/puppet-opendkim/pull/24
- Allow stdlib v8 by @sazzle2611 in https://github.com/lvicainne/puppet-opendkim/pull/25
- Allow private keys to be Deferred for use with node_encrypt by @msalway in https://github.com/lvicainne/puppet-opendkim/pull/28
- Add SenderHeaders option to opendkim.conf by @tallenaz in https://github.com/lvicainne/puppet-opendkim/pull/29
- Fix legacy fact usage by @smortex in https://github.com/lvicainne/puppet-opendkim/pull/30
- Adds Parameters to support 2048 bit keys and Specifying hash_algorithms by @razorbladex401 in https://github.com/lvicainne/puppet-opendkim/pull/31
- Rework module to hiera and epp templates by @cruelsmith in https://github.com/lvicainne/puppet-opendkim/pull/35
- chore(puppet): update module version and metadata by @lvicainne in https://github.com/lvicainne/puppet-opendkim/pull/36
- Fix default value for sysconfigfile by @smortex in https://github.com/lvicainne/puppet-opendkim/pull/37
- Edit file ownership and permissions by @tallenaz in https://github.com/lvicainne/puppet-opendkim/pull/41
- Add autorestart config by @coreone in https://github.com/lvicainne/puppet-opendkim/pull/42
New Contributors
- @HielkeJ made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/3
- @jkroepke made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/5
- @qs5779 made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/8
- @sa5bke made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/12
- @tetsuo13 made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/13
- @Arakmar made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/14
- @jeebiq made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/18
- @cFire made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/17
- @tobiWu made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/19
- @nikdoof made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/16
- @antondollmaier made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/20
- @smortex made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/21
- @razorbladex401 made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/22
- @kapouik made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/24
- @sazzle2611 made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/25
- @tallenaz made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/29
- @coreone made their first contribution in https://github.com/lvicainne/puppet-opendkim/pull/42
Full Changelog: https://github.com/lvicainne/puppet-opendkim/commits/v0.4.0
Dependencies
- puppetlabs/stdlib (>= 4.13.0 < 10.0.0)
Copyright (C) 2016 Louis VICAINNE <louis@vicainne.fr> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.