site-cookbooks/kosmos_email/recipes/default.rb

@@ -21,5 +21,6 @@ firewall_rule "private network access" do
   source   "10.1.1.0/24"
 end
 
+include_recipe 'kosmos_email::opendkim'
 include_recipe 'kosmos_email::postfix'
 include_recipe 'kosmos_email::dovecot'

site-cookbooks/kosmos_email/recipes/opendkim.rb

@@ -0,0 +1,74 @@
+#
+# Cookbook:: kosmos_email
+# Recipe:: opendkim
+#
+
+%w[
+  opendkim
+  opendkim-tools
+].each do |pkg|
+  apt_package pkg
+end
+
+domain   = node["email"]["domain"]
+selector = "mail"
+socket   = "inet:12301@localhost"
+
+template "/etc/opendkim.conf" do
+  source    "opendkim.conf.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector,
+            socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/default/opendkim" do
+  source    "opendkim_default.erb"
+  mode      0644
+  variables socket: socket
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/run/opendkim" do
+  owner "opendkim"
+  group "opendkim"
+  action :create
+end
+
+directory "/etc/opendkim"
+
+template "/etc/opendkim/keytable" do
+  source    "opendkim_keytable.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+template "/etc/opendkim/signingtable" do
+  source    "opendkim_signingtable.erb"
+  mode      0644
+  variables domain: domain,
+            selector: selector
+  notifies :restart, "service[opendkim]", :delayed
+end
+
+directory "/etc/opendkim/keys/#{domain}" do
+  recursive true
+end
+
+execute "Create DKIM keys" do
+  cwd "/etc/opendkim/keys/#{domain}"
+  command "opendkim-genkey -s #{selector} -d #{domain}"
+  creates "/etc/opendkim/keys/#{domain}/#{selector}.private"
+end
+
+file "/etc/opendkim/keys/#{domain}/#{selector}.private" do
+  owner "opendkim"
+  group "opendkim"
+end
+
+service "opendkim" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_email/recipes/postfix.rb

@@ -36,7 +36,10 @@ node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot
 node.normal['postfix']['main']['smtputf8_enable'] = "no"
 node.normal['postfix']['main']['recipient_delimiter'] = "+"
 node.normal['postfix']['main']['alias_maps'] = "hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf"
-# node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual-mailboxes.cf"
+node.normal['postfix']['main']['milter_protocol'] = "2"
+node.normal['postfix']['main']['milter_default_action'] = "accept"
+node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301"
+node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"
 
 node.normal['postfix']['master'] = {
   "#{ip_addr}:2525": {

site-cookbooks/kosmos_email/templates/opendkim.conf.erb

@@ -0,0 +1,59 @@
+# This is a basic configuration for signing and verifying. It can easily be
+# adapted to suit a basic installation. See opendkim.conf(5) and
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
+# documentation of available configuration parameters.
+
+Syslog			yes
+SyslogSuccess		yes
+LogWhy			yes
+
+AutoRestart      yes
+AutoRestartRate  10/1h
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization	relaxed/simple
+Mode			sv
+#SubDomains		no
+OversignHeaders		From
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain			<%= @domain %>
+Selector		<%= @selector %>
+#KeyFile		/etc/dkimkeys/example.private
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID			opendkim
+UMask			007
+
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+Socket			local:/run/opendkim/opendkim.sock
+#Socket			inet:8891@localhost
+#Socket			inet:8891
+#Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile			/run/opendkim/opendkim.pid
+
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts		192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
+KeyTable      refile:/etc/opendkim/keytable
+SigningTable  refile:/etc/opendkim/signingtable
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile		/usr/share/dns/root.key
+#Nameservers		127.0.0.1
+
+Socket			<%= @socket %>

site-cookbooks/kosmos_email/templates/opendkim_default.erb

@@ -0,0 +1,31 @@
+# NOTE: This is a legacy configuration file. It is not used by the opendkim
+# systemd service. Please use the corresponding configuration parameters in
+# /etc/opendkim.conf instead.
+#
+# Previously, one would edit the default settings here, and then execute
+# /lib/opendkim/opendkim.service.generate to generate systemd override files at
+# /etc/systemd/system/opendkim.service.d/override.conf and
+# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
+# recommended to adjust the settings directly in /etc/opendkim.conf.
+#
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/run/opendkim
+RUNDIR=/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+#SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+SOCKET=<%= @socket %>
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=

site-cookbooks/kosmos_email/templates/opendkim_keytable.erb

@@ -0,0 +1 @@
+<%= @selector %>._domainkey.<%= @domain %> <%= @domain %>:<%= @selector %>:/etc/opendkim/keys/<%= @domain %>/mail.private

site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb

@@ -0,0 +1 @@
+*@<%= @domain %> <%= @selector %>._domainkey.<%= @domain %>