Set up DKIM signing and verification

site-cookbooks/kosmos_email/recipes/default.rb

@@ -21,5 +21,6 @@ firewall_rule "private network access" do
   source   "10.1.1.0/24"
 end
 
+include_recipe 'kosmos_email::opendkim'
 include_recipe 'kosmos_email::postfix'
 include_recipe 'kosmos_email::dovecot'

site-cookbooks/kosmos_email/recipes/opendkim.rb

@@ -0,0 +1,74 @@
+#
+# Cookbook:: kosmos_email
+# Recipe:: opendkim
+#
+
+%w[
+  opendkim
+  opendkim-tools
+].each do |pkg|
+  apt_package pkg
+end
+
+domain   = node["email"]["domain"]
+selector = "mail"
+socket   = "inet:12301@localhost"
+
+template "/etc/opendkim.conf" do
+  source    "opendkim.conf.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector,
+            socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/default/opendkim" do
+  source    "opendkim_default.erb"
+  mode      0644
+  variables socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/run/opendkim" do
+  owner "opendkim"
+  group "opendkim"
+  action :create
+end
+
+directory "/etc/opendkim"
+
+template "/etc/opendkim/keytable" do
+  source    "opendkim_keytable.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/opendkim/signingtable" do
+  source    "opendkim_signingtable.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/etc/opendkim/keys/#{domain}" do
+  recursive true
+end
+
+execute "Create DKIM keys" do
+  cwd "/etc/opendkim/keys/#{domain}"
+  command "opendkim-genkey -s #{selector} -d #{domain}"
+  creates "/etc/opendkim/keys/#{domain}/#{selector}.private"
+end
+
+file "/etc/opendkim/keys/#{domain}/#{selector}.private" do
+  owner "opendkim"
+  group "opendkim"
+end
+
+service "opendkim" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_email/recipes/postfix.rb

@@ -36,7 +36,10 @@ node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot
 node.normal['postfix']['main']['smtputf8_enable'] = "no"
 node.normal['postfix']['main']['recipient_delimiter'] = "+"
 node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
-# node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual-mailboxes.cf"
+node.normal['postfix']['main']['milter_protocol'] = "2"
+node.normal['postfix']['main']['milter_default_action'] = "accept"
+node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301"
+node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"
 
 node.normal['postfix']['master'] = {
   "#{ip_addr}:2525": {