Changes

I don't believe the duplication will bring much confusion but, more importantly, some parts of the manual configuration (e.g. RemoveOldSignatures) are not present in the new documentation...
anarcat · 34924b66
--- a/service/email.md
+++ b/service/email.md
@@ -75,12 +75,12 @@ Interestingly, ran by [sparkpost](https://www.sparkpost.com/).
 Hosts which generate outbound mail should be configured to add `DKIM-Signature`
 headers. This is done by including the `profile::postfix::dkim` class on Puppet
 nodes which handle mail and configuring Postfix's `main.cf` to use it as a
-milter. When the node's `mail_processing` flag is set to true, this is done
-automatically.
+milter. When the node's `profile::postfix::mail_processing` flag is
+set to true, this is done automatically.

 This class will install the `opendkim` and `opendkim-tools` packages, manage
 the `/etc/opendkim.conf` configuration file, generate a private key under
-`/etc/opendkim/keys` and set up what is needed for opendkim and postfix to
+`/etc/opendkim/keys` and set up what is needed for OpenDKIM and Postfix to
 communicate.

 By default, the class configures OpenDKIM to only sign email where the sender
@@ -149,6 +149,122 @@ host uses a subdomain in its mail sender domain, eg. `foo.torproject.org` then
 we need to add a new DNS entry by copying the `eugeni` DKIM key DNS entry
 `2022-eugeni._domainkey` to a new DNS entry `2022-eugeni._domainkey.foo`.

+#### Manual DKIM configuration (deprecated)
+
+This is a rushed OpenDKIM deployment procedure that was used in
+[tpo/tpa/team#40981][] and [tpo/tpa/team#40988][] (eugeni and
+submit-01). It has been added to Puppet in [tpo/tpa/team#40989][].
+
+This procedure is DEPRECATED. Hosts MUST be configured with Puppet
+(above) instead. The procedure is kept only for historical reference.
+
+ 1. install OpenDKIM:
+
+        apt install opendkim opendkim-tools
+
+ 2. ensure you have those lines in `/etc/opendkim.conf`:
+
+        LogWhy          yes
+        Mode            s # sign only, use sv to also check incoming
+        Domain          torproject.org
+        Selector        2022-submit-01 # 2022-submit-01._domainkey.torproject.org
+        Keyfile         /etc/opendkim/keys/2022-submit-01.private
+        Socket          local:/var/spool/postfix/opendkim/opendkim.sock
+
+    Note that the `Selector` and `Domain` fields are prone to change
+    if the server is sending mail from more than one domain. For
+    example, on `crm-int-01`, we also put `crm-int-01.torproject.org`
+    and `crm.torproject.org` in there. The selector is also based on
+    the year of creation (`2022` in this case) and the short hostname
+    of the server the key belongs to (`submit-01`) so that we don't
+    have to copy that private key around.
+
+ 3. generate the keys and directories:
+
+        mkdir -p /etc/opendkim/keys &&
+        mkdir /var/spool/postfix/opendkim &&
+        chown opendkim /var/spool/postfix/opendkim &&
+        opendkim-genkey --directory=/etc/opendkim/keys/ --selector=2022-submit-01 --domain=torproject.org --verbose
+
+ 4. grant Postfix access to the OpenDKIM socket:
+
+        adduser postfix opendkim
+
+ 5. restart the server:
+
+        service opendkim restart
+
+ 6. add the keys from `/etc/opendkim/keys/2022-submit-01.txt` into
+    DNS, e.g.:
+
+        2022-submit-01._domainkey       IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
+                  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iJa25pvx5qatYV4u44zolHLMiqkWZBvF6UJcX8hrSNES/aw/k4zXiliChs3eUtGHjf5aSNC6TrOndfQqRxMxNn+XhSEsUa6zFhZeeAOIi0A3TPRd5qL8aWfHH2NtHZAnZ5lodkA6HjJ/HpyrJvFuyuJ94yNL/bjvRWu+bMwixBIYr6znDoJYGTPC5YHZt48bJgvg3lAb3vIwD"
+                  "bkBw+bMkZCbRjSQuOM52pg6uQLSBiBeQHqWkSd03vp4A906jWaMLDHMfVZDDrXLg+QG2nAOoJmZ0l5argoIRiEG/8GO72FI2dEKJaXgXYqpSXGCtzZJNIr8schHFZBirZBLljbEwIDAQAB" )  ; ----- DKIM key 2022-submit-01 for torproject.org
+
+    if you had a subdomain prefix (e.g. in [tpo/tpa/team#40981][] we
+    used `crm.tpo`), make sure the `_domainkey` is under that prefix:
+
+        2022._domainkey.crm IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
+                  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtSNGCjHmZnGrnBb9nCsPUc6MjZd5QueGKV+iXwcRNfU0LapFZMi5t7WE/kTPJsRWIF8AMHymNqLA5835m5LwaBBXZdu1utNARKSXDzGsEjxuDiAnSqD0Rb1px1JA+Eex0RC3thYZuyIIAxK31pXxJt2mowXtrhIkuKFB2YpE0yUudKuDZIZZ3YNH025czK/jFLD6TH+5xD9Cej"
+                  "H0MB6tE4O41rCjZUjSZ7Ar7BjVID6foCmlbr/3EG7dbzQv6YqH19OX6YgL0UMfG2RhvhWEUNYghS6K88vTelnHx/ShUzIeu05jd6mi9OLCA/Hl2bFRsa0f1ttHKpnzuC+ecn0sWwIDAQAB" )  ; ----- DKIM key 2022 for crm.torproject.org
+
+ 7. then test the key with:
+
+        opendkim-testkey -d torproject.org -s 2022-submit-01 -vv
+
+    ... which should show, once DNS propagated:
+
+        root@submit-01:/etc/opendkim/keys# opendkim-testkey -d torproject.org -s 2022-submit-01 -vv
+        opendkim-testkey: using default configfile /etc/opendkim.conf
+        opendkim-testkey: key loaded from /etc/opendkim/keys/2022-submit-01.private
+        opendkim-testkey: checking key '2022-submit-01._domainkey.torproject.org'
+        opendkim-testkey: key secure
+
+    If you see `record not found`, it's because the DNS record wasn't
+    found. See if DNS has propagated properly, maybe flush negative
+    responses with `unbound-control flush-negative`.
+
+    The `keys not secure` message means you are not using DNSSEC,
+    which should *not* happen in our configuration. Investigate if you
+    do see the warning.
+
+ 8. stop puppet to keep it from messing with the Puppet config
+
+        puppet agent --disable 'rush opendkim deployment by hand, tpo/tpa/team#40988'
+
+ 8. hook into postfix:
+
+        postconf -e milter_default_action=accept &&
+        postconf -e smtpd_milters=local:opendkim/opendkim.sock &&
+        postconf -e non_smtpd_milters=local:opendkim/opendkim.sock
+
+ 9. reload postfix (warning: this will retry the queue)
+
+        service postfix reload
+
+ 10. [test outgoing mail](#testing-outgoing-mail):
+
+        echo "this is a test email" | mail -r postmaster@torproject.org -s 'test email from anarcat' -- check-auth@verifier.port25.com
+
+[tpo/tpa/team#40981]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40981
+[tpo/tpa/team#40988]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40988
+[tpo/tpa/team#40989]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40989
+
+If you get double OpenDKIM signatures, consider adding
+`receive_override_options=no_milters` to the server in `master.cf`, if
+already does some content filtering. 
+
+It's possible that some mail doesn't get signed when injected from
+Mailman, consider changing the `InternalHosts` to:
+
+    InternalHosts   eugeni.torproject.org,lists.torproject.org,127.0.0.1,::1,localhost # cargo-culted, to remove?
+
+If the signatures come from another server and cause problems (for
+example with Mailman), you can strip those with:
+
+    # strip incoming sigs, typically from submit-01 or other servers on mailman
+    RemoveOldSignatures yes
+
 ### SPF records

 In [tpo/tpa/team#40990](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40990), anarcat deployed "soft" [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) records