Salt Formula for OpenDKIM

I wasn't happy with the existing options out there so have written a new formula for OpenDKIM.

GitHub Release

The full formula and basic README/pillar.example is now available via,

https://github.com/colin-stubbs/salt-formula-opendkim

At this point the code is still the documentation.


Deployment and configuration

Refer to the example further down the page.

If you would like full management of all aspects of the OpenDKIM service, configuration and keys, use the "opendkim.service" state. It will pull in "opendkim", "opendkim.config" and "opendkim.keys" to install packages, configure the service and create private key files.

The "opendkim.genkey_default" state can be used to generate a default key; however, without any way to automate the publishing of appropriate DNS records, this state won't achieve much. I plan to add a publishing capability via BIND (and possibly via a flexible API method) in future, but it's not there yet, so you'll need to manually create DNS records.
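One way to build the DNS record that has to be created by hand, as an added example that is not part of the formula. It assumes you have the public key in DER form; the function names and SAMPLE_DER are made up for illustration, and the selector and domain come from the example pillar on this page.

```python
import base64
import re

# Constructed placeholder bytes, NOT a real key. A 2048-bit RSA public key in
# DER form is 294 bytes; obtain the real one with:
#   openssl rsa -in <private key file> -pubout -outform DER
SAMPLE_DER = bytes(i % 256 for i in range(294))

def dkim_txt_rdata(spki_der, restrict=True, subdomains=True):
    """Build the DKIM tag list for the TXT record.

    restrict   -> s=email, as opendkim-genkey --restrict does
    subdomains -> when False, add t=s (opendkim-genkey --nosubdomains)
    """
    tags = ["v=DKIM1", "k=rsa"]
    if restrict:
        tags.append("s=email")
    if not subdomains:
        tags.append("t=s")
    tags.append("p=" + base64.b64encode(spki_der).decode("ascii"))
    return "; ".join(tags)

def bind_record(selector, domain, rdata, ttl=3600):
    """Format a zone-file line. One TXT character-string holds at most 255
    bytes, so a 2048-bit key has to be split into several quoted strings."""
    chunks = [rdata[i:i + 255] for i in range(0, len(rdata), 255)]
    quoted = "\n\t".join('"%s"' % c for c in chunks)
    return "%s._domainkey.%s. %d IN TXT (\n\t%s )" % (selector, domain, ttl, quoted)

def parse_record(zone_line):
    """Rejoin the quoted strings the way a verifier's resolver does and
    return the tags as a dict, to confirm the split did not corrupt p=."""
    joined = "".join(re.findall(r'"([^"]*)"', zone_line))
    return dict(t.strip().split("=", 1) for t in joined.split(";") if t.strip())

if __name__ == "__main__":
    # Selector and domain taken from the example pillar on this page.
    print(bind_record("mail", "your_domain.tld", dkim_txt_rdata(SAMPLE_DER)))
```

The record name is the KeyTable "record" value (the selector) followed by "._domainkey." and the signing domain, so the example pillar needs mail._domainkey.your_domain.tld published.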

MTA integration

Integration with Postfix or other MTAs should occur in the normal way.

e.g. use this Postfix state,

https://github.com/saltstack-formulas/postfix-formula

With a pillar configuration similar to this,

postfix:
  config:
    # %{YOUR_OTHER_POSTFIX_CONFIG_IN_PILLAR}%
    non_smtpd_milters: inet:127.0.0.1:8891
    smtpd_milters: inet:127.0.0.1:8891
    milter_protocol: 2
    milter_default_action: accept

Example

The following is basically the pillar configuration that I've used,

opendkim:
  config:
    manage: True
    options:
      Domain: 'your_domain.tld'
      ExternalIgnoreList: 'refile:/etc/opendkim/ExternalIgnoreList'
      InternalHosts: 'refile:/etc/opendkim/InternalHosts'
      KeyTable: 'refile:/etc/opendkim/KeyTable'
      SigningTable: 'refile:/etc/opendkim/SigningTable'
      SignatureAlgorithm: 'rsa-sha256'
      UserID: 'opendkim:opendkim'
      PidFile: '/var/run/opendkim/opendkim.pid'
      Mode: 'sv'
      AutoRestart: 'Yes'
      AutoRestartRate: '10/1h'
      UMask: '002'
      Syslog: 'Yes'
      SyslogSuccess: 'Yes'
      LogWhy: 'Yes'
    default_key:
      generate: True
      options: '--restrict --subdomains'
      selector: 'mail'
    KeyTable:
      your_domain:
        domain: 'your_domain.tld'
        record: 'mail'
        key_file: 'your_domain'
    SigningTable:
      '*@your_domain.tld': 'your_domain'
      '*@*your_domain.tld': 'your_domain'
    ExternalIgnoreList:
      - 127.0.0.1
      - ::1
      - '*.your_domain.tld'
    InternalHosts:
      - 127.0.0.1
      - ::1
      - '*.your_domain.tld'
  keys:
    your_domain.tld: |
      -----BEGIN RSA PRIVATE KEY-----
      %{PRIVATE_KEY_CONTENT}%
      -----END RSA PRIVATE KEY-----

Application of state against a target,

[[email protected] ~]# salt 'mx.routedlogic.net' state.apply opendkim.service
mx.routedlogic.net:
----------
          ID: opendkim
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 09:57:52.463630
    Duration: 1060.491 ms
     Changes:
----------
          ID: /etc/opendkim
    Function: file.directory
      Result: True
     Comment: Directory /etc/opendkim is in the correct state
              Directory /etc/opendkim updated
     Started: 09:57:53.526576
    Duration: 1.876 ms
     Changes:
----------
          ID: /etc/opendkim/KeyTable
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim/KeyTable is in the correct state
     Started: 09:57:53.528919
    Duration: 156.021 ms
     Changes:
----------
          ID: /etc/opendkim/SigningTable
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim/SigningTable is in the correct state
     Started: 09:57:53.685204
    Duration: 148.8 ms
     Changes:
----------
          ID: /etc/opendkim/ExternalIgnoreList
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim/ExternalIgnoreList is in the correct state
     Started: 09:57:53.834429
    Duration: 139.783 ms
     Changes:
----------
          ID: /etc/opendkim/InternalHosts
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim/InternalHosts is in the correct state
     Started: 09:57:53.974529
    Duration: 143.712 ms
     Changes:
----------
          ID: /etc/opendkim.conf
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim.conf is in the correct state
     Started: 09:57:54.118727
    Duration: 139.158 ms
     Changes:
----------
          ID: /etc/opendkim/keys
    Function: file.directory
      Result: True
     Comment: Directory /etc/opendkim/keys is in the correct state
              Directory /etc/opendkim/keys updated
     Started: 09:57:54.258318
    Duration: 2.265 ms
     Changes:
----------
          ID: /etc/opendkim/keys/routedlogic.private
    Function: file.managed
      Result: True
     Comment: File /etc/opendkim/keys/routedlogic.private is in the correct state
     Started: 09:57:54.261032
    Duration: 2.096 ms
     Changes:
----------
          ID: /etc/sysconfig/opendkim
    Function: file.managed
      Result: True
     Comment: File /etc/sysconfig/opendkim is in the correct state
     Started: 09:57:54.263489
    Duration: 147.378 ms
     Changes:
----------
          ID: service-opendkim
    Function: service.running
        Name: opendkim
      Result: True
     Comment: The service opendkim is already running
     Started: 09:57:54.413615
    Duration: 46.212 ms
     Changes:

Summary for mx.routedlogic.net
-------------
Succeeded: 11
Failed:     0
-------------
Total states run:     11
Total run time:    1.988 s
[[email protected] ~]#
About Colin Stubbs
Brisbane, Queensland, Australia
Space monkey meat popsicle with technology and noise addictions.