I want my relay to sign mail for the domain example.com, and also for emails where the domain is a specific host, like [email protected].

That is to say, I'd like /etc/opendkim_signingtable.conf to look like so:

###### MANAGED BY PUPPET
example.com  default._domainkey.example.com
.example.com default._domainkey.example.com

I've tried to do it like so:

opendkim::domain { ['example.com', '.example.com']:
  private_key_content => hiera('dkim_keys/example.com-default.key'),
  selector        => 'default',
}

Unfortunately for the subdomains, this winds up with the signature using a separate entry in the keytable with a leading . on the domain, and the final signature contains d=.example.com, which doesn't work. I don't see a way to use this module without changing it, or perhaps a hackish direct call to concat to extend the signing table as required.

For my particular use case it would be nice to just have a boolean flag on opendkim::domain called something like 'sign_subdomains', which puts the extra entry in /etc/opendkim_signingtable.conf when set to true.

In my case I want to use the same signing key for subdomains that I use for the top level domain. Probably someone else will have a different use case, but that's not my current concern. Beyond the scope of this issue, opendkim allows for a much broader range of configurations, which are not covered by this module. While having a high level defined type like this may suit a lot of uses, I think it should probably sit on top of types which allow for more of what opendkim allows.

Hi there,

This is the best opendkim puppet module that i have found so far.

Is there any possibility on getting it published to the puppet forge?

https://docs.puppet.com/puppet/latest/reference/modules_publishing.html

opendkim::domain expects to be provided with private_key, which is used as a source attribute for the created file.

This means that the private key has to be provided as a download from the puppetmaster or some other source with relatively little security. Any host that can connect to the puppetmaster can download it.

I suggest that the option be added to provide private_key_content instead, which should be passed as a content attribute to the file resource.

to use this module on a gateway/relay it must also managed InternalHosts.

Default content (worked also without wildcard support) can be

127.0.0.1
localhost
$::network_eth0/$::netmask_eth0

Not sure if it better to use refile:/etc/opendkim_trustedHosts to allow wildcards.

To enable this kind of function a flag should be included (like relaymode) which has false as default.

Hi. If any of the files at https://github.com/rjpearce/puppet-opendkim/blob/master/manifests/config.pp#L33-38 are missing concat will throw a bunch of error messages:

Notice: /Stage[main]/Opendkim::Config/Concat[/etc/opendkim_keytable.conf]/Exec[concat_/etc/opendkim_keytable.conf]/returns: The fragments directory is empty, cowardly refusing to make empty config files
Error: /var/lib/puppet/concat/bin/concatfragments.sh -o /var/lib/puppet/concat/_etc_opendkim_keytable.conf/fragments.concat.out -d /var/lib/puppet/concat/_etc_opendkim_keytable.conf     returned 1 instead of one of [0]
Error: /Stage[main]/Opendkim::Config/Concat[/etc/opendkim_keytable.conf]/Exec[concat_/etc/opendkim_keytable.conf]/returns: change from notrun to 0 failed: /var/lib/puppet/concat/bin/concatfragments.sh -o /var/lib/puppet/concat/_etc_opendkim_keytable.conf/fragments.concat.out -d /var/lib/puppet/concat/_etc_opendkim_keytable.conf     returned 1 instead of one of [0]

On a fresh install opendkim_keytable.conf and opendkim_signingtable.conf don't exist for me. force => true should be set for concat to resolve the issue.