Mageia Bugzilla – Attachment 13917 Details for Bug 32089
opendkim: no Postfix easy integration, useless sysconfig file, non traversable dirs, unclear doc and duplicate definition of opendkim-default-keygen
[patch] Improvements to validate
opendkim.diff (text/plain), 10.43 KB, created by Raphael Gertz on 2023-07-10 04:45:51 CEST
Flags: patch, obsolete
>Index: SPECS/opendkim.spec >=================================================================== >--- SPECS/opendkim.spec (révision 1841496) >+++ SPECS/opendkim.spec (copie de travail) >@@ -1,14 +1,18 @@ > %define major 10 > %define libname %mklibname opendkim %{major} > %define develname %mklibname opendkim -d >+%define bigname OpenDKIM >+#% define bigversion 2-11-0-Beta2 >+%define postfixdir %{_var}/spool/postfix > > Name: opendkim > Version: 2.10.3 >-Release: %mkrel 13 >+Release: %mkrel 18 > Summary: DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail > Group: System/Servers > License: BSD and Sendmail >-URL: http://www.opendkim.org/ >+URL: http://www.opendkim.org >+#Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/refs/tags/rel-% {name}-% {bigversion}.tar.gz > Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz > Patch0: openssl_1.1.0_compat.patch > Patch1: opendkim-2.10.3-fix-pidfile-path.patch >@@ -61,14 +65,14 @@ > %install > %make_install > install -d %{buildroot}%{_sysconfdir} >-install -d %{buildroot}%{_sysconfdir}/sysconfig > install -m 0755 contrib/init/redhat/%{name}-default-keygen %{buildroot}%{_sbindir}/%{name}-default-keygen > > install -d -m 0755 %{buildroot}%{_unitdir} > install -m 0644 contrib/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service >+perl -pi -e 's|^(ExecReload=)|ExecStartPost=+%{_bindir}/systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf\n$1|' %{buildroot}%{_unitdir}/%{name}.service > > cat > %{buildroot}%{_sysconfdir}/%{name}.conf << 'EOF' >-## BASIC OpenDKIM CONFIGURATION FILE >+## BASIC %{bigname} CONFIGURATION FILE > ## See %{name}.conf(5) or %{_defaultdocdir}/%{name}/%{name}.conf.sample for more > > ## BEFORE running opendkim you must: 
>@@ -102,14 +106,15 @@ > LogWhy yes > > ## Attempt to become the specified user before starting operations. >-UserID %{name}:%{name} >+# UserID %{name}:%{name} > > ## Create a socket through which your MTA can communicate. >-Socket inet:8891@localhost >+#Socket inet:8891@localhost >+Socket local:%{postfixdir}%{_rundir}/%{name}/%{name}.sock > > ## Required to use local socket with MTAs that access the socket as a non- > ## privileged user (e.g. Postfix) >-Umask 002 >+# UMask 022 > > ## This specifies a text file in which to store DKIM transaction statistics. > ## opendkim must be manually compiled with --enable-stats to enable this feature. >@@ -185,20 +190,9 @@ > # QueryCache yes > EOF > >-%{__cat} > %{buildroot}%{_sysconfdir}/sysconfig/%{name} << 'EOF' >-# Set the necessary startup options >-OPTIONS="" >- >-# Set the default DKIM selector >-DKIM_SELECTOR=default >- >-# Set the default DKIM key location >-DKIM_KEYDIR=%{_sysconfdir}/%{name}/keys >-EOF >- > install -d %{buildroot}%{_sysconfdir}/%{name} > cat > %{buildroot}%{_sysconfdir}/%{name}/SigningTable << 'EOF' >-# OpenDKIM SIGNING TABLE >+# %{bigname} SIGNING TABLE > # This table controls how to apply one or more signatures to outgoing messages based > # on the address found in the From: header field. In simple terms, this tells > # opendkim "how" to apply your keys. 
>@@ -247,112 +241,56 @@ > EOF > > cat > README.urpmi << 'EOF' >-Generating keys for OpenDKIM >-============================ >-After installing the opendkim package, a default pair of keys (private and >-public) is generated for the local domain, using the automatic key generation >-procedure detailed below. The public key must be included in your domain's DNS >-records before remote systems can validate your outgoing mail's DKIM signature. >+%{bigname} is now installed. > >-This initial pair of keys may be regenerated later, or completed with >-additional pair of keys, using any of the following procedures. >+Configuration keys in %{_sysconfdir}/%{name}.conf: >+#Change default operating mode set to sign and verify if required >+Mode sv >+#KeyTable used to declare domain and key matching pairs >+KeyTable %{_sysconfdir}/%{name}/KeyTable >+#SigningTable used to declare address and domain matching pairs >+SigningTable refile:%{_sysconfdir}/%{name}/SigningTable >+#Change socket type if required >+# Socket inet:8891@localhost >+Socket local:%{postfixdir}%{_rundir}/%{name}/%{name}.sock > >-Generating Keys Automatically >-============================= >-To automatically create a pair of default keys for the local domain, do: >+Configure message filter in %{_sysconfdir}/postfix/main.cf: >+# smtpd_milters = inet:localhost:8891 >+smtpd_milters = unix:%{_rundir}/%{name}/%{name}.sock >+non_smtpd_milters = $smtpd_milters >+milter_default_action = accept >+milter_protocol = 6 > >-% sudo %{_sbindir}/%{name}-default-keygen >+Enable the service with: >+# systemctl enable %{name}.service > >-The default keygen script will attempt to fetch the local domain name, generate >-a private and public key for the domain, then save them in >-%{_sysconfdir}/%{name}/keys as default.private and default.txt with the proper >-ownership and permissions. 
>+Start the service with: >+# systemctl restart %{name}.service > >-NOTE: The default key generation script MUST be run by a privileged user (or >-root). Otherwise, the resulting private key ownership and permissions will not >-be correct. >+Generating keys manually: >+# mkdir -m 0755 %{_sysconfdir}/%{name}/keys/example.com >+# %{_sbindir}/%{name}-genkey -D %{_sysconfdir}/%{name}/keys/example.com/ -d example.com -s default >+# chown -R root:%{name} %{_sysconfdir}/%{name}/keys/example.com/default.{private,txt} >+# chmod 0640 %{_sysconfdir}/%{name}/keys/example.com/default.private >+# chmod 0644 %{_sysconfdir}/%{name}/keys/example.com/default.txt > >-Generating Keys Manually >-======================== >-A privileged user (or root) can manually generate a set of keys by doing the following: >+Using opendkim with SQL Datasets: >+# urpmi opendbx-(firebird|mssql|mysql|postgresql|sqlite|sqlite2|sybase) >+It will require to configure to start after the database service in %{_unitdir}/%{name}.service: >+After=network.target nss-lookup.target syslog.target (mysqld|postgresql).service > >-1) Create a directory to store the new keys: >- >-% sudo mkdir %{_sysconfdir}/%{name}/keys/example.com >- >-2) Generate keys in that directory for a specific domain name and selector: >- >-% sudo %{_sbindir}/%{name}-genkey -D %{_sysconfdir}/%{name}/keys/example.com/ -d example.com -s default >- >-3) Set the proper ownership for the directory and private key: >- >-% sudo chown -R root:%{name} %{_sysconfdir}/%{name}/keys/example.com >- >-4) Set secure permissions for the private key: >- >-% sudo chmod 640 %{_sysconfdir}/%{name}/keys/example.com/default.private >- >-5) Set standard permissions for the public key: >- >-% sudo chmod 644 %{_sysconfdir}/%{name}/keys/example.com/default.txt >- >- >-Updating Key Location(s) in Configuration Files >-=============================================== >-If you run the %{name}-default-keygen script, the default keys will be saved in 
%{_sysconfdir}/%{name}/keys as >-default.private and default.txt, which is the location expected by the default %{_sysconfdir}/%{name}.conf file. >- >-If you manually generate your own keys, you must update the key location and name in %{_sysconfdir}/%{name}.conf >-before attempting to start the %{name} service. >- >- >-Using opendkim with SQL Datasets >-================================ >-opendkim on Mageia relies on OpenDBX for database access. Depending on which >-database you use, you may have to manually install one of the following OpenDBX >-subpackages: >- >-- opendbx-firebird >-- opendbx-mssql >-- opendbx-mysql >-- opendbx-postgresql >-- opendbx-sqlite >-- opendbx-sqlite2 >-- opendbx-sybase >- >-If you have opendkim configured to use SQL datasets on a systemd-based server, >-it might also be necessary to start the opendkim service after the database >-servers by referencing your database unit file(s) in the "After" section of the >-opendkim unit file. >- >-For example, if using both MariaDB and PostgreSQL, in %{_unitdir}/%{name}.service change: >- >-After=network.target nss-lookup.target syslog.target >- >-to: >- >-After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service >- >- >-Additional Configuration Help >-============================= >-For help configuring your MTA (Postfix, Sendmail, etc.) 
with opendkim, setting >-up DNS records with your public DKIM key, as well as instructions on >-configuring opendkim to sign outgoing mail for multiple domains, follow the >-how-to at: >- >+Additional configuration help: >+https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/ > http://wp.me/p1iGgP-ou >- >-Official documentation for opendkim is available at http://opendkim.org/ >- >-opendkim mailing lists are available at http://lists.opendkim.org/ >- >-### >+http://opendkim.org >+http://lists.opendkim.org > EOF > > install -p -d %{buildroot}%{_tmpfilesdir} > cat > %{buildroot}%{_tmpfilesdir}/%{name}.conf <<'EOF' >-D /run/%{name} 0750 %{name} %{name} - >+d %{_rundir}/%{name} 0755 %{name} %{name} - >+d %{postfixdir}%{_rundir}/%{name} 0755 %{name} %{name} - >+z %{postfixdir}%{_rundir}/%{name}/%{name}.sock 0664 %{name} postfix - > EOF > > rm -rf %{buildroot}%{_prefix}/share/doc/%{name} >@@ -362,7 +300,7 @@ > install -d %{buildroot}%{_localstatedir}/spool/%{name} > install -d %{buildroot}/run/%{name} > install -d %{buildroot}%{_sysconfdir}/%{name} >-install -d -m 750 %{buildroot}%{_sysconfdir}/%{name}/keys >+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/keys > > install -m 755 stats/%{name}-reportstats %{buildroot}%{_prefix}/sbin/%{name}-reportstats > sed -i \ 
>@@ -397,15 +335,13 @@ > %config(noreplace) %{_sysconfdir}/%{name}.conf > %config(noreplace) %{_tmpfilesdir}/%{name}.conf > %dir %{_sysconfdir}/%{name} >-%dir %attr(0755,root,opendkim) %{_sysconfdir}/%{name}/keys >+%dir %{_sysconfdir}/%{name}/keys > %config(noreplace) %attr(0640,root,opendkim) %{_sysconfdir}/%{name}/SigningTable > %config(noreplace) %attr(0640,root,opendkim) %{_sysconfdir}/%{name}/KeyTable > %config(noreplace) %attr(0640,root,opendkim) %{_sysconfdir}/%{name}/TrustedHosts >-%config(noreplace) %{_sysconfdir}/sysconfig/%{name} > %{_sbindir}/* > %{_mandir}/*/* > %dir %attr(-,opendkim,opendkim) %{_localstatedir}/spool/%{name} >-%{_sbindir}/%{name}-default-keygen > %{_unitdir}/%{name}.service > > %files -n %{libname} >Index: SOURCES/opendkim-2.10.3-change-default-crypto-settings.patch >=================================================================== >--- SOURCES/opendkim-2.10.3-change-default-crypto-settings.patch (révision 1841496) >+++ SOURCES/opendkim-2.10.3-change-default-crypto-settings.patch (copie de travail) >@@ -6,7 +6,7 @@ > ## > > -my $bits = 1024; >-+my $bits = 4096; >++my $bits = 2048; > my $domain = "example.com"; > my $version = "example.com"; > my $outdir = ".";
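Review bot: the commented-out `#% define bigversion 2-11-0-Beta2` and GitHub `#Source0:` lines in the `@@ -1,14 +1,18 @@` hunk are dead code for a 2.11.0 beta this spec never builds (Version stays 2.10.3), and the space inserted into `% define` / `% {name}` to stop macro expansion is easy to misread; drop both lines. The Release bump from `%mkrel 13` to `%mkrel 18` also jumps five releases in one change, which makes the svn history hard to follow; bump by one. Finally, `%define postfixdir %{_var}/spool/postfix` hardcodes the Postfix queue directory that every socket path in the conf, the README and the tmpfiles rule is derived from; add a comment that it must equal Postfix's `queue_directory`.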
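Review bot: the `perl -pi -e 's|^(ExecReload=)|ExecStartPost=+...|'` line in the `@@ -61,14 +65,14 @@` hunk has no failure mode: if the upstream contrib/systemd/%{name}.service has no `ExecReload=` line, nothing is inserted, the build still succeeds, the tmpfiles `z` rule never runs and Postfix silently cannot write to the socket. Follow it with `grep -q '^ExecStartPost=' %{buildroot}%{_unitdir}/%{name}.service` so the build fails instead. Two further points on the inserted directive: `ExecStartPost=+` without a `-` prefix turns any systemd-tmpfiles error, for example the `z` rule naming a `postfix` group on a host where Postfix is not installed, into a failed unit after the daemon has already started, so either add a dependency on postfix or use `ExecStartPost=-+`; and a `z` rule only adjusts a path that already exists, so check the unit's `Type=`: for `Type=simple` ExecStartPost fires as soon as opendkim is forked, before it has necessarily bound the socket, and the mode fix is lost.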
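Review bot: in the `@@ -102,14 +106,15 @@` hunk, commenting out `UserID %{name}:%{name}` removes opendkim's own privilege drop, so whether the daemon still runs unprivileged now rests entirely on `User=`/`Group=` in the unit; if the contrib unit does not set them, opendkim runs as root with a listening socket inside the Postfix spool. Keep the directive (it is harmless when the unit already switches user) or say in the spec which file is responsible. Turning `Umask 002` into `# UMask 022` is also at odds with the comment kept right above it, 'Required to use local socket with MTAs that access the socket as a non-privileged user (e.g. Postfix)': with the process default umask 022 the socket is created 0755 opendkim:opendkim and Postfix cannot connect until the tmpfiles `z` rule rewrites it to 0664 opendkim:postfix. Keep `UMask 002` so only the group change depends on the ExecStartPost step, and update the comment to mention the chrooted path now used in `Socket local:%{postfixdir}%{_rundir}/%{name}/%{name}.sock`.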
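Review bot: the `@@ -185,20 +190,9 @@` hunk deletes %{_sysconfdir}/sysconfig/%{name} (OPTIONS, DKIM_SELECTOR, DKIM_KEYDIR) but nothing in the diff shows who consumed those variables; confirm that neither the installed unit (an `EnvironmentFile=` without a leading `-` fails the service when the file is missing) nor `%{name}-default-keygen`, which the %install section still copies into %{_sbindir}, reads that file, and if either does, adjust it in the same change.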
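Review bot: the Postfix fragment in the new README.urpmi (`@@ -247,112 +241,56 @@` hunk) recommends `milter_default_action = accept`, which means that whenever opendkim is down or the socket is unreachable, outgoing mail leaves unsigned and incoming mail is accepted unverified with nothing more than a log line; for a signing host document `milter_default_action = tempfail` or at least state the consequence. The path in `smtpd_milters = unix:%{_rundir}/%{name}/%{name}.sock` also only meets the socket this package creates under %{postfixdir} when the connecting Postfix daemon is chrooted (Postfix interprets an absolute `unix:` path relative to `queue_directory` only for chrooted processes); `cleanup`, which serves `non_smtpd_milters`, is often not chrooted and would then look for /run/%{name}/%{name}.sock, a directory the tmpfiles rule creates but never a socket. Say which master.cf layout is assumed, or give the full %{postfixdir} path for non-chrooted daemons. Smaller points: the removed text ordered the unit after `mariadb.service` while the new line says `(mysqld|postgresql).service`, so verify the unit name Mageia's MariaDB package ships; advise `systemctl edit %{name}.service` (a drop-in) rather than editing %{_unitdir}/%{name}.service, which the next package update overwrites; and 'It will require to configure to start after the database service' should read 'The service must then be ordered after the database service'. In the tmpfiles block of the same hunk, `d %{_rundir}/%{name} 0755` widens the old `D ... 0750` directory although the socket no longer lives there; unless something else must traverse it, 0750 is enough.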
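Review bot: `install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/keys` in the `@@ -362,7 +300,7 @@` hunk makes the directory listing, i.e. the domain and selector names, readable to every local user; that is acceptable only because the private keys themselves stay 0640 root:%{name}, so the README's `chmod 0640 ... default.private` line is what actually protects the key and must not be presented as optional. The unchanged `install -d %{buildroot}/run/%{name}` two lines above still hardcodes /run while the tmpfiles rule now uses %{_rundir}; use the macro in both places.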
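Review bot: the `@@ -397,15 +335,13 @@` hunk correctly drops the explicit `%{_sbindir}/%{name}-default-keygen` entry, which `%{_sbindir}/*` already owns, and the `%attr(0755,root,opendkim)` on the keys directory, so the directory is now plain root:root 0755 as installed. What it leaves in place is `%config(noreplace) %{_tmpfilesdir}/%{name}.conf`: on a host where the admin touched that file, the new `d`/`z` rules for the chrooted socket go to a .rpmnew file and the ExecStartPost step never sets up the socket. Fragments under %{_tmpfilesdir} are package data (local overrides belong in /etc/tmpfiles.d), so remove `%config(noreplace)` from that line.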
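Review bot: the `@@ -6,7 +6,7 @@` hunk of SOURCES/opendkim-2.10.3-change-default-crypto-settings.patch lowers the default key size from 4096 to 2048 bits without saying why; record the rationale in the commit log: RFC 8301 requires at least 1024-bit RSA and recommends 2048, and the base64 public key of a 4096-bit key runs to roughly 700 characters, which must be split across several 255-byte TXT strings and is refused by some DNS hosting interfaces, while admins who want longer keys can still pass `-b` to opendkim-genkey. Since the edit changes only one line of the embedded hunk, its `@@` counts remain valid.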