Faidon has uploaded a new change for review. https://gerrit.wikimedia.org/r/79754
Change subject: exim: add DKIM for wikimedia.org domains ...................................................................... exim: add DKIM for wikimedia.org domains This adds DKIM support to exim manifests with three different keys: 1) typical user/machine mails From: @wikimedia.org 2) wiki-mail, i.e. MediaWiki generated emails, also from: @wikimedia.org 3) lists.wikimedia.org mails The first two share the domain with different selectors, while the third one uses lists.wikimedia.org as the domain. This will effectively mean that the wikimedia.org domain will soon have DKIM with *four* different selectors: wikimedia, wiki-mail, fundraising (already exists), google (for Google Apps originating mail, private key belonging to Google, TBD). The manifest could be a lot more DRY by having a separate ::dkim defined type but this is left a later iteration. The private repo & DNS changes required by this change have already been done; preexisting DKIM policy record specifies that *some* mail may be signed for this domain, so this is effectively a no-op change. DKIM support was added in exim4 4.70 and hence *cannot* be applied manually to mchenry as it is right now. Change-Id: I727cf3c894b99cff761c6822d719a755f7cd9cbc --- M manifests/mail.pp M templates/exim/exim4.conf.SMTP_IMAP_MM.erb 2 files changed, 51 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/79754/1 diff --git a/manifests/mail.pp b/manifests/mail.pp index f26175a..dda823a 100644 --- a/manifests/mail.pp +++ b/manifests/mail.pp @@ -169,6 +169,13 @@ group => Debian-exim, mode => 0440, content => template("exim/exim4.conf.SMTP_IMAP_MM.erb"); + "/etc/exim4/dkim/": + ensure => 'directory', + purge => true, + owner => root, + group => Debian-exim, + mode => 0440, + require => Package[exim4-config]; "/etc/exim4/system_filter": owner => root, group => Debian-exim, 
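Review bot: `purge => true` on the new `/etc/exim4/dkim/` resource has no effect without `recurse => true`, so stray files in the directory will not be removed; either add `recurse => true` or drop `purge` so the manifest does not suggest a cleanup it does not perform. The directory is titled with a trailing slash (`"/etc/exim4/dkim/"`) while the key resources later in the change `require => File['/etc/exim4/dkim']` without it; Puppet normalises the trailing slash, but using the same form in both places avoids relying on that. `mode => 0440` on a directory is workable only because Puppet adds the search bit wherever the read bit is set, which is worth a comment, e.g. `# Puppet adds x where r is set, so Debian-exim can traverse this`. The enclosing file block starts before this hunk.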
@@ -184,25 +191,53 @@ class mail_relay { Class["exim::config"] -> Class[exim::roled::mail_relay] - file { - "/etc/exim4/relay_domains": + file { '/etc/exim4/relay_domains': owner => root, group => root, mode => 0444, source => "puppet:///files/exim/exim4.secondary_relay_domains.conf"; + } + file { '/etc/exim4/dkim/wikimedia.org-wikimedia.key': + ensure => present, + owner => 'root', + group => 'Debian-exim', + mode => '0440', + content => 'puppet:///private/dkim/wikimedia.org-wikimedia.key', + require => File['/etc/exim4/dkim'], + notify => Service['exim4'], } } class mailman { Class["exim::config"] -> Class[exim::roled::mailman] - file { - "/etc/exim4/aliases/lists.wikimedia.org": + file { '/etc/exim4/aliases/lists.wikimedia.org': owner => root, group => root, mode => 0444, source => "puppet:///files/exim/exim4.listserver_aliases.conf"; } + file { '/etc/exim4/dkim/lists.wikimedia.org-wikimedia.key': + ensure => present, + owner => 'root', + group => 'Debian-exim', + mode => '0440', + content => 'puppet:///private/dkim/lists.wikimedia.org-wikimedia.key', + require => File['/etc/exim4/dkim'], + notify => Service['exim4'], + } + } + + if ( $mediawiki_relay == "true" ) { + file { '/etc/exim4/dkim/wikimedia.org-wiki-mail.key': + ensure => present, + owner => 'root', + group => 'Debian-exim', + mode => '0440', + content => 'puppet:///private/dkim/wikimedia.org-wiki-mail.key', + require => File['/etc/exim4/dkim'], + notify => Service['exim4'], + } } if ( $enable_mailman == "true" ) { diff --git a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb index 7ce2707..804231c 100644 --- a/templates/exim/exim4.conf.SMTP_IMAP_MM.erb +++ b/templates/exim/exim4.conf.SMTP_IMAP_MM.erb 
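Review bot: The three new key resources use `content => 'puppet:///private/dkim/...'`, which makes Puppet write the literal URL string as the file body rather than fetching the key, so Exim will be handed a file that is not a private key; the attribute must be `source => 'puppet:///private/dkim/wikimedia.org-wikimedia.key'` (and likewise for `lists.wikimedia.org-wikimedia.key` and `wikimedia.org-wiki-mail.key`). Because the transport definitions in the template reference these paths unconditionally, a non-key file here leaves outbound mail unsigned or failing at delivery, so the fix is needed before the template change is useful. The `owner`/`group`/`mode` values here are quoted while the neighbouring resources in the same classes use bare words and unquoted octal; either form works, but keeping one style per file would be cleaner. The enclosing class definitions continue outside this hunk.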
@@ -665,6 +665,10 @@ remote_smtp: driver = smtp hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 + dkim_domain = wikimedia.org + dkim_selector = wikimedia + dkim_private_key = /etc/exim4/dkim/wikimedia.org-wikimedia.key + dkim_canon = relaxed <% if (enable_otrs_server == "false" ) -%> interface = <; <%= outbound_ips.join(" ; ") %> <% end -%> @@ -676,6 +680,10 @@ hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 interface = <; <%= list_outbound_ips.join(" ; ") %> helo_data = lists.wikimedia.org + dkim_domain = lists.wikimedia.org + dkim_selector = wikimedia + dkim_private_key = /etc/exim4/dkim/lists.wikimedia.org-wikimedia.key + dkim_canon = relaxed <% end -%> <% if mediawiki_relay == "true" -%> @@ -685,6 +693,10 @@ hosts_avoid_tls = <; 0.0.0.0/0 ; 0::0/0 interface = WIKI_INTERFACE helo_data = <; wiki-mail.wikimedia.org ; lists.wikimedia.org + dkim_domain = wikimedia.org + dkim_selector = wiki-mail + dkim_private_key = /etc/exim4/dkim/wikimedia.org-wiki-mail.key + dkim_canon = relaxed <% end -%> # Generic pipe local delivery transport (for use by alias/forward files) -- To view, visit https://gerrit.wikimedia.org/r/79754 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I727cf3c894b99cff761c6822d719a755f7cd9cbc Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon <fai...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
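Review bot: In the `remote_smtp` transport `dkim_domain = wikimedia.org` is set unconditionally, so any message leaving through this generic transport is signed with d=wikimedia.org even when its From: header is some other domain relayed through the same host; the signature is syntactically valid but will not align with the sender domain, and it also commits the wikimedia.org key to mail this host did not originate. Consider deriving the domain from the message, e.g. `dkim_domain = ${lc:${domain:$h_from:}}`, and letting Exim skip signing when no key exists for that domain, or at least noting in a comment why the fixed domain is intended. The key path `/etc/exim4/dkim/wikimedia.org-wikimedia.key` is only provisioned inside `class mail_relay` in mail.pp, whereas this transport is rendered for every host using the template; if the template is used on a host that does not include that class the key will be missing, so the private-key line should probably be guarded the same way the lists and wiki-mail transports below are. The same fixed-domain pattern appears in the two following hunks, which are consistent with the stated design, so the alignment concern applies mainly here. The transport definition starts before this hunk.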