From: Tom Hughes
Date: Sun, 1 Mar 2020 15:55:40 +0000 (+0000)
Subject: Add support for DKIM signing of outgoing mail
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/19ca76c7c5e79cbb4e497b937376bffcb42d85fc

Add support for DKIM signing of outgoing mail
---

diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index e0fd75de3..6af07c8e1 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -115,6 +115,32 @@ file "/etc/exim4/blocked-senders" do
 mode 0o644
 end
 
+if node[:exim][:dkim_selectors]
+ keys = data_bag_item("exim", "dkim")
+
+ template "/etc/exim4/dkim-selectors" do
+ owner "root"
+ source "dkim-selectors.erb"
+ group "Debian-exim"
+ mode 0o644
+ end
+
+ directory "/etc/exim4/dkim-keys" do
+ owner "root"
+ group "Debian-exim"
+ mode 0o755
+ end
+
+ node[:exim][:dkim_selectors].each do |domain, selector|
+ file "/etc/exim4/dkim-keys/#{domain}" do
+ content keys[domain].join("\n")
+ owner "root"
+ group "Debian-exim"
+ mode 0o640
+ end
+ end
+end
+
 template "/etc/exim4/exim4.conf" do
 source "exim4.conf.erb"
 owner "root"
diff --git a/cookbooks/exim/templates/default/dkim-selectors.erb b/cookbooks/exim/templates/default/dkim-selectors.erb
new file mode 100644
index 000000000..13078faad
--- /dev/null
+++ b/cookbooks/exim/templates/default/dkim-selectors.erb
@@ -0,0 +1,3 @@
+<% node[:exim][:dkim_selectors].each do |domain, selector| -%>
+<%= domain %>: <%= selector %>
+<% end -%>
diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index df725a8ae..ab832999d 100644
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -678,7 +678,7 @@ smarthost:
 dnslookup:
 driver = dnslookup
 domains = ! +local_domains
- transport = remote_smtp
+ transport = signed_smtp
 same_domain_copy_routing = yes
 ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 no_more
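Review bot: The `file` resource that writes `/etc/exim4/dkim-keys/#{domain}` holds a DKIM private key but is not marked `sensitive true`, so Chef prints the key material in its converge diff and logs when the file is first created or later changes; add `sensitive true` next to `mode 0o640`. `keys[domain]` is also unguarded: a domain present in `dkim_selectors` but missing from the `dkim` data bag aborts the run with a NoMethodError on nil instead of a clear message, e.g. `raise "No DKIM key for #{domain} in the exim/dkim data bag" unless keys[domain]`. The `selector` block parameter in the `each` loop is unused and could be written `|domain, _selector|`. The bag is loaded with plain `data_bag_item`, so unless it is kept as a private or encrypted bag the private keys sit unencrypted on the Chef server; worth confirming how that bag is stored.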
@@ -706,6 +706,19 @@ remote_smtp:
 tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION
+# This transport is used for delivering DKIM signed messages over SMTP connections.
+
+signed_smtp:
+ driver = smtp
+ dkim_domain = ${lc:${domain:$h_from:}}
+ dkim_selector = ${lookup{$dkim_domain}lsearch{/etc/exim4/dkim-selectors}{$value}}
+ dkim_private_key = /etc/exim4/dkim-keys/${dkim_domain}
+ dkim_identity = ${lc:${address:$h_from:}}
+ # dkim_timestamps = 1209600
+ multi_domain = false
+ tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION
+
+
 
 
 # This transport is used for handling pipe deliveries generated by alias or
 # .forward files. If the pipe generates any standard output, it is returned
 # to the sender of the message as a delivery error. Set return_fail_output
diff --git a/roles/mail.rb b/roles/mail.rb
index 516c2b89e..99fcf1a08 100644
--- a/roles/mail.rb
+++ b/roles/mail.rb
@@ -46,6 +46,9 @@ default_attributes(
 :host => "ridley.ucl.openstreetmap.org"
 }
 },
+ :dkim_selectors => {
+ "openstreetmap.org" => "20200301"
+ },
 :aliases => {
 "abuse" => "root",
 "postmaster" => "root",
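Review bot: `dkim_selector` uses `${lookup{$dkim_domain}lsearch{/etc/exim4/dkim-selectors}{$value}}` with no failure branch, so for a From domain that is not in the selectors file the expansion yields an empty string and the "deliver unsigned" outcome relies on Exim skipping signing when the selector is empty; making that explicit with `{$value}fail` as the failure branch, or a comment stating the reliance, keeps the intent clear if this transport is later copied. Because `dkim_domain` is lowercased with `${lc:...}` before the exact-match lsearch, the keys in `node[:exim][:dkim_selectors]` and the file names under `/etc/exim4/dkim-keys/` must be lowercase domains, which nothing in the hunk states; a comment above `dkim_domain` such as `# dkim-selectors keys and dkim-keys file names must be lowercase domains` would help. `$h_from:` may be empty or carry several addresses, in which case `${domain:...}` gives an empty domain or fails and the lookup returns no selector, which is presumably the intended fall-through to unsigned delivery but is worth a comment. The `tls_require_ciphers` line duplicates the one in `remote_smtp` above the hunk, so the two transports can drift apart.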