authorTomas Korbar <tkorbar@redhat.com>2019-11-18 11:55:22 +0100
committerTomas Korbar <tkorbar@redhat.com>2020-06-22 12:59:56 +0200
commitf8683dd52e37aa99b744993fc35177585a9b612b (patch)
treef32ea6d8c4a8c22356f621fe3e621f815f8695a5
parent8236067cb6a024bc1588826b6ad4fce788ba9909 (diff)
downloadopendkim_EL6-f8683dd52e37aa99b744993fc35177585a9b612b.tar.gz
Rebase to 2.11.0-beta2 version
Clean specfile and move configuration to their own files
-rw-r--r--.gitignore1
-rw-r--r--KeyTable6
-rw-r--r--README.fedora102
-rw-r--r--SigningTable25
-rw-r--r--TrustedHosts9
-rw-r--r--opendkim.conf133
-rw-r--r--opendkim.spec395
-rw-r--r--opendkim.sysconfig8
-rw-r--r--opendkim.ticket35+37.patch173
-rw-r--r--sources2
10 files changed, 310 insertions, 544 deletions
diff --git a/.gitignore b/.gitignore
index a8b620b..9004201 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
/opendkim-2.10.3.tar.gz
/opendkim.ticket226.patch
/opendkim-2.11.0.Alpha0.tar.gz
+/opendkim-2.11.0-0.12.fc33.src.rpm
diff --git a/KeyTable b/KeyTable
new file mode 100644
index 0000000..e804d68
--- /dev/null
+++ b/KeyTable
@@ -0,0 +1,6 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
diff --git a/README.fedora b/README.fedora
new file mode 100644
index 0000000..da173c2
--- /dev/null
+++ b/README.fedora
@@ -0,0 +1,102 @@
+#####################################
+#FEDORA-SPECIFIC README FOR OPENDKIM#
+#####################################
+Last updated: Apr 30, 2015 by Steve Jenkins (steve@stevejenkins.com)
+
+Generating keys for OpenDKIM
+============================
+After installing the opendkim package, you MUST generate a pair of keys (public and private) before
+attempting to start the opendkim service.
+
+A valid private key must exist in the location expected by /etc/opendkim.conf before the service will start.
+
+A matching public key must be included in your domain's DNS records before remote systems can validate
+your outgoing mail's DKIM signature.
+
+
+Generating Keys Automatically
+=============================
+To automatically create a pair of default keys for the local domain, do:
+
+% sudo /usr/sbin/opendkim-default-keygen
+
+The default keygen script will attempt to fetch the local domain name, generate a private and public key for
+the domain, then save them in /etc/opendkim/keys as default.private and default.txt with the proper
+ownership and permissions.
+
+NOTE: The default key generation script MUST be run by a privileged user (or root). Otherwise, the resulting
+private key ownership and permissions will not be correct.
+
+
+Generating Keys Manually
+========================
+A privileged user (or root) can manually generate a set of keys by doing the following:
+
+1) Create a directory to store the new keys:
+
+% sudo mkdir /etc/opendkim/keys/example.com
+
+2) Generate keys in that directory for a specific domain name and selector:
+
+% sudo /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
+
+3) Set the proper ownership for the directory and private key:
+
+% sudo chown -R root:opendkim /etc/opendkim/keys/example.com
+
+4) Set secure permissions for the private key:
+
+% sudo chmod 640 /etc/opendkim/keys/example.com/default.private
+
+5) Set standard permissions for the public key:
+
+% sudo chmod 644 /etc/opendkim/keys/example.com/default.txt
+
+
+Updating Key Location(s) in Configuration Files
+===============================================
+If you run the opendkim-default-keygen script, the default keys will be saved in /etc/opendkim/keys as
+default.private and default.txt, which is the location expected by the default /etc/opendkim.conf file.
+
+If you manually generate your own keys, you must update the key location and name in /etc/opendkim.conf
+before attempting to start the opendkim service.
+
+Using OpenDKIM with SQL Datasets
+================================
+OpenDKIM on RedHat-based systems relies on OpenDBX for database access. Depending on which database you use,
+you may have to manually install one of the following OpenDBX subpackages (all of which are available via yum):
+
+- opendbx-firebird
+- opendbx-mssql
+- opendbx-mysql
+- opendbx-postgresql
+- opendbx-sqlite
+- opendbx-sqlite2
+- opendbx-sybase
+
+If you have OpenDKIM configured to use SQL datasets on a systemd-based server, it might also be necessary to start
+the opendkim service after the database servers by referencing your database unit file(s) in the "After" section of
+the OpenDKIM unit file.
+
+For example, if using both MariaDB and PostgreSQL, in /usr/lib/systemd/system/opendkim.service change:
+
+After=network.target nss-lookup.target syslog.target
+
+to:
+
+After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service
+
+
+Additional Configuration Help
+=============================
+For help configuring your MTA (Postfix, Sendmail, etc.) with OpenDKIM, setting up DNS records with your
+public DKIM key, as well as instructions on configuring OpenDKIM to sign outgoing mail for multiple
+domains, follow the how-to at:
+
+http://wp.me/p1iGgP-ou
+
+Official documentation for OpenDKIM is available at http://opendkim.org/
+
+OpenDKIM mailing lists are available at http://lists.opendkim.org/
+
+###
diff --git a/SigningTable b/SigningTable
new file mode 100644
index 0000000..e8161a1
--- /dev/null
+++ b/SigningTable
@@ -0,0 +1,25 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
diff --git a/TrustedHosts b/TrustedHosts
new file mode 100644
index 0000000..7a086d4
--- /dev/null
+++ b/TrustedHosts
@@ -0,0 +1,9 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
diff --git a/opendkim.conf b/opendkim.conf
new file mode 100644
index 0000000..ed2c3de
--- /dev/null
+++ b/opendkim.conf
@@ -0,0 +1,133 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## Specifies the path to the process ID file.
+PidFile /var/run/opendkim/opendkim.pid
+
+## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+## messages.
+Mode v
+
+## Log activity to the system log.
+Syslog yes
+
+## Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess yes
+
+## If logging is enabled, include detailed logging about why or why not a message was
+## signed or verified. This causes an increase in the amount of log data generated
+## for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy yes
+
+## Attempt to become the specified user before starting operations.
+UserID opendkim:opendkim
+
+## Create a socket through which your MTA can communicate.
+Socket inet:8891@localhost
+
+## Required to use local socket with MTAs that access the socket as a non-
+## privileged user (e.g. Postfix)
+Umask 002
+
+## This specifies a text file in which to store DKIM transaction statistics.
+## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics /var/spool/opendkim/stats.dat
+
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+SendReports yes
+
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used (executing_user@hostname).
+# ReportAddress "Example.com Postmaster" <postmaster@example.com>
+
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+SoftwareHeader yes
+
+## SIGNING OPTIONS
+
+## Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization relaxed/relaxed
+
+## Domain(s) whose mail should be signed by this filter. Mail from other domains will
+## be verified rather than being signed. Uncomment and use your domain name.
+## This parameter is not required if a SigningTable is in use.
+# Domain example.com
+
+## Defines the name of the selector to be used when signing messages.
+Selector default
+
+## Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits 1024
+
+## Gives the location of a private key to be used for signing ALL messages. This
+## directive is ignored if KeyTable is enabled.
+KeyFile /etc/opendkim/keys/default.private
+
+## Gives the location of a file mapping key names to signing keys. In simple terms,
+## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+## directive in the configuration file. Requires SigningTable be enabled.
+# KeyTable /etc/opendkim/KeyTable
+
+## Defines a table used to select one or more signatures to apply to a message based
+## on the address found in the From: header field. In simple terms, this tells
+## OpenDKIM how to use your keys. Requires KeyTable be enabled.
+# SigningTable refile:/etc/opendkim/SigningTable
+
+## Identifies a set of "external" hosts that may send mail through the server as one
+## of the signing domains without credentials as such.
+# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
+
+## Identifies a set "internal" hosts whose mail should be signed rather than verified.
+# InternalHosts refile:/etc/opendkim/TrustedHosts
+
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+# PeerList X.X.X.X
+
+## Always oversign From (sign using actual From and a null From to prevent
+## malicious signatures header fields (From and/or others) between the signer
+## and the verifier. From is oversigned by default in the Fedora package
+## because it is often the identity key used by reputation systems and thus
+## somewhat security sensitive.
+OversignHeaders From
+
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local.
+# QueryCache yes
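Review bot: `Umask 002` is shipped active although its own comment says it is needed for a local socket, and the `Socket` line directly above it configures `inet:8891@localhost`; with the TCP socket the relaxed umask does nothing for the MTA and presumably only leaves files the daemon creates group-writable. I would ship it commented out, `# Umask 002`, and reword its comment to `## Enable only together with a local: socket that a non-privileged MTA (e.g. Postfix) must open.` Separately, `SendReports yes` combined with `Mode v` means a default install sends report mail whenever verification fails and a reporting address is provided, so remote parties can trigger outbound mail; shipping it commented out would be the more conservative default. The comment block above `OversignHeaders From` is also missing words and a closing parenthesis and should be repaired while the text is being moved.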
diff --git a/opendkim.spec b/opendkim.spec
index a884fb4..17c7da5 100644
--- a/opendkim.spec
+++ b/opendkim.spec
@@ -1,52 +1,36 @@
-%global systemd (0%{?fedora} >= 18) || (0%{?rhel} >= 7)
%global upname OpenDKIM
%global bigname OPENDKIM
+%global full_version 2.11.0-Beta2
+
Summary: A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
Name: opendkim
Version: 2.11.0
-Release: 0.11%{?dist}
+Release: 0.12%{?dist}
License: BSD and Sendmail
URL: http://%{name}.org/
-Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.Alpha0.tar.gz
+Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/%{full_version}.tar.gz
+Source1: opendkim.conf
+Source2: opendkim.sysconfig
+Source3: SigningTable
+Source4: KeyTable
+Source5: TrustedHosts
+Source6: README.fedora
-# https://sourceforge.net/p/opendkim/patches/35/
-# https://sourceforge.net/p/opendkim/patches/37/
-# Patches rediffed and combined (both modify configure)
-Patch0: %{name}.ticket35+37.patch
-Patch1: %{name}.lua_load_dump.patch
+Patch0: opendkim.lua_load_dump.patch
# Required for all versions
Requires: lib%{name}%{?_isa} = %{version}-%{release}
BuildRequires: openssl-devel, libtool, pkgconfig, libbsd, libbsd-devel, opendbx-devel, lua-devel
Requires(pre): shadow-utils
-%if %systemd
-# Required for systemd
%{?systemd_requires}
BuildRequires: systemd
BuildRequires: libdb-devel, libmemcached-devel
-%else
-# Required for SysV
-Requires(post): chkconfig
-Requires(preun): chkconfig, initscripts
-Requires(postun): initscripts
-BuildRequires: db4-devel
-%endif
-
-# sendmail-devel renamed for F26+
-%if 0%{?fedora} > 25
+
BuildRequires: sendmail-milter-devel
-%else
-BuildRequires: sendmail-devel
-%endif
-%if 0%{?rhel} == 5
-Requires(post): policycoreutils
-%else
BuildRequires: openldap-devel
-%endif
-
%description
%{upname} allows signing and/or verification of email through an open source
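Review bot: `Source0` now uses GitHub's generated `archive/%{full_version}.tar.gz`, so the downloaded file is named just `2.11.0-Beta2.tar.gz`, with no project name in it. Appending a fragment, `Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/%{full_version}.tar.gz#/%{name}-%{full_version}.tar.gz`, keeps the name unambiguous; the matching entry in `sources` would need the same name, since that checksum is what pins the tarball contents. The hunk also removes `Patch0: %{name}.ticket35+37.patch` without explanation; if Beta2 already contains those fixes, a changelog line saying so would document why dropping it was safe. `URL:` still uses `http://` even though the source location moved to `https://`.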
@@ -71,20 +55,15 @@ This package contains the static libraries, headers, and other support files
required for developing applications against libopendkim.
%prep
-%autosetup -p1
+%autosetup -p1 -n %{upname}-%{full_version}
%build
+autoreconf -iv
# Always use system libtool instead of pacakge-provided one to
# properly handle 32 versus 64 bit detection and settings
%define LIBTOOL LIBTOOL=`which libtool`
-%if %systemd
-# Configure with options available to systemd
%configure --with-odbx --with-db --with-libmemcached --with-openldap --enable-query_cache --with-lua
-%else
-# Configure with options available to SysV
-%configure --with-odbx --with-db --with-openldap --enable-query_cache --with-lua
-%endif
# Remove rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
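Review bot: `autoreconf -iv` is now run in `%build`, but the `BuildRequires` lines in the first hunk of this file name only `libtool`, so autoconf and automake are pulled in, if at all, as indirect dependencies. Declare them explicitly with `BuildRequires: autoconf, automake` so the build does not depend on another package's dependency list. The context comment just below also has a typo (`pacakge-provided`) that could be fixed in the same pass.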
@@ -96,316 +75,21 @@ install -d %{buildroot}%{_sysconfdir}
install -d %{buildroot}%{_sysconfdir}/sysconfig
install -m 0755 contrib/init/redhat/%{name}-default-keygen %{buildroot}%{_sbindir}/%{name}-default-keygen
-%if %systemd
install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 contrib/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
-%else
-install -d %{buildroot}%{_initrddir}
-install -m 0755 contrib/init/redhat/%{name} %{buildroot}%{_initrddir}/%{name}
-%endif
-
-cat > %{buildroot}%{_sysconfdir}/%{name}.conf << 'EOF'
-## BASIC %{bigname} CONFIGURATION FILE
-## See %{name}.conf(5) or %{_defaultdocdir}/%{name}/%{name}.conf.sample for more
-
-## BEFORE running %{upname} you must:
-
-## - make your MTA (Postfix, Sendmail, etc.) aware of %{upname}
-## - generate keys for your domain (if signing)
-## - edit your DNS records to publish your public keys (if signing)
-
-## See %{_defaultdocdir}/%{name}/INSTALL for detailed instructions.
-
-## DEPRECATED CONFIGURATION OPTIONS
-##
-## The following configuration options are no longer valid. They should be
-## removed from your existing configuration file to prevent potential issues.
-## Failure to do so may result in %{name} being unable to start.
-##
-## Removed in 2.10.0:
-## AddAllSignatureResults
-## ADSPAction
-## ADSPNoSuchDomain
-## BogusPolicy
-## DisableADSP
-## LDAPSoftStart
-## LocalADSP
-## NoDiscardableMailTo
-## On-PolicyError
-## SendADSPReports
-## UnprotectedPolicy
-
-## CONFIGURATION OPTIONS
-
-## Specifies the path to the process ID file.
-PidFile %{_localstatedir}/run/%{name}/%{name}.pid
-
-## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
-## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
-## messages.
-Mode v
-
-## Log activity to the system log.
-Syslog yes
-
-## Log additional entries indicating successful signing or verification of messages.
-SyslogSuccess yes
-
-## If logging is enabled, include detailed logging about why or why not a message was
-## signed or verified. This causes an increase in the amount of log data generated
-## for each message, so set this to No (or comment it out) if it gets too noisy.
-LogWhy yes
-
-## Attempt to become the specified user before starting operations.
-UserID %{name}:%{name}
-
-## Create a socket through which your MTA can communicate.
-Socket inet:8891@localhost
-
-## Required to use local socket with MTAs that access the socket as a non-
-## privileged user (e.g. Postfix)
-Umask 002
-
-## This specifies a text file in which to store DKIM transaction statistics.
-## %{upname} must be manually compiled with --enable-stats to enable this feature.
-# Statistics %{_localstatedir}/spool/%{name}/stats.dat
-
-## Specifies whether or not the filter should generate report mail back
-## to senders when verification fails and an address for such a purpose
-## is provided. See opendkim.conf(5) for details.
-SendReports yes
-
-## Specifies the sending address to be used on From: headers of outgoing
-## failure reports. By default, the e-mail address of the user executing
-## the filter is used (executing_user@hostname).
-# ReportAddress "Example.com Postmaster" <postmaster@example.com>
-
-## Add a DKIM-Filter header field to messages passing through this filter
-## to identify messages it has processed.
-SoftwareHeader yes
-
-## SIGNING OPTIONS
-
-## Selects the canonicalization method(s) to be used when signing messages.
-Canonicalization relaxed/relaxed
-
-## Domain(s) whose mail should be signed by this filter. Mail from other domains will
-## be verified rather than being signed. Uncomment and use your domain name.
-## This parameter is not required if a SigningTable is in use.
-# Domain example.com
-
-## Defines the name of the selector to be used when signing messages.
-Selector default
-
-## Specifies the minimum number of key bits for acceptable keys and signatures.
-MinimumKeyBits 1024
-
-## Gives the location of a private key to be used for signing ALL messages. This
-## directive is ignored if KeyTable is enabled.
-KeyFile %{_sysconfdir}/%{name}/keys/default.private
-
-## Gives the location of a file mapping key names to signing keys. In simple terms,
-## this tells %{upname} where to find your keys. If present, overrides any KeyFile
-## directive in the configuration file. Requires SigningTable be enabled.
-# KeyTable %{_sysconfdir}/%{name}/KeyTable
-
-## Defines a table used to select one or more signatures to apply to a message based
-## on the address found in the From: header field. In simple terms, this tells
-## %{upname} how to use your keys. Requires KeyTable be enabled.
-# SigningTable refile:%{_sysconfdir}/%{name}/SigningTable
-
-## Identifies a set of "external" hosts that may send mail through the server as one
-## of the signing domains without credentials as such.
-# ExternalIgnoreList refile:%{_sysconfdir}/%{name}/TrustedHosts
-
-## Identifies a set "internal" hosts whose mail should be signed rather than verified.
-# InternalHosts refile:%{_sysconfdir}/%{name}/TrustedHosts
-
-## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
-## whose mail should be neither signed nor verified by this filter. See man
-## page for file format.
-# PeerList X.X.X.X
-
-## Always oversign From (sign using actual From and a null From to prevent
-## malicious signatures header fields (From and/or others) between the signer
-## and the verifier. From is oversigned by default in the Fedora package
-## because it is often the identity key used by reputation systems and thus
-## somewhat security sensitive.
-OversignHeaders From
-## Instructs the DKIM library to maintain its own local cache of keys and
-## policies retrieved from DNS, rather than relying on the nameserver for
-## caching service. Useful if the nameserver being used by the filter is
-## not local.
-# QueryCache yes
-EOF
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}.conf
-%{__cat} > %{buildroot}%{_sysconfdir}/sysconfig/%{name} << 'EOF'
-# Set the necessary startup options
-OPTIONS="-x %{_sysconfdir}/%{name}.conf -P %{_localstatedir}/run/%{name}/%{name}.pid"
-
-# Set the default DKIM selector
-DKIM_SELECTOR=default
-
-# Set the default DKIM key location
-DKIM_KEYDIR=%{_sysconfdir}/%{name}/keys
-EOF
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}
-cat > %{buildroot}%{_sysconfdir}/%{name}/SigningTable << 'EOF'
-# %{bigname} SIGNING TABLE
-# This table controls how to apply one or more signatures to outgoing messages based
-# on the address found in the From: header field. In simple terms, this tells
-# %{upname} "how" to apply your keys.
-
-# To use this file, uncomment the SigningTable option in %{_sysconfdir}/%{name}.conf,
-# then uncomment one of the usage examples below and replace example.com with your
-# domain name, then restart %{upname}.
-
-# WILDCARD EXAMPLE
-# Enables signing for any address on the listed domain(s), but will work only if
-# "refile:%{_sysconfdir}/%{name}/SigningTable" is included in %{_sysconfdir}/%{name}.conf.
-# Create additional lines for additional domains.
-
-#*@example.com default._domainkey.example.com
-
-# NON-WILDCARD EXAMPLE
-# If "file:" (instead of "refile:") is specified in %{_sysconfdir}/%{name}.conf, then
-# wildcards will not work. Instead, full user@host is checked first, then simply host,
-# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
-# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
-# then .domain, then user@*, and finally *. See the %{name}.conf(5) man page under
-# "SigningTable" for more details.
-
-#example.com default._domainkey.example.com
-EOF
-
-cat > %{buildroot}%{_sysconfdir}/%{name}/KeyTable << 'EOF'
-# %{bigname} KEY TABLE
-# To use this file, uncomment the #KeyTable option in %{_sysconfdir}/%{name}.conf,
-# then uncomment the following line and replace example.com with your domain
-# name, then restart %{upname}. Additional keys may be added on separate lines.
-
-#default._domainkey.example.com example.com:default:%{_sysconfdir}/%{name}/keys/default.private
-EOF
-
-cat > %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts << 'EOF'
-# %{bigname} TRUSTED HOSTS
-# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
-# option in %{_sysconfdir}/%{name}.conf then restart %{upname}. Additional hosts
-# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
-# The localhost IP (127.0.0.1) should always be the first entry in this file.
-127.0.0.1
-::1
-#host.example.com
-#192.168.1.0/24
-EOF
-
-cat > README.fedora << 'EOF'
-#####################################
-#FEDORA-SPECIFIC README FOR %{bigname}#
-#####################################
-Last updated: Apr 30, 2015 by Steve Jenkins (steve@stevejenkins.com)
-
-Generating keys for %{upname}
-============================
-After installing the %{name} package, you MUST generate a pair of keys (public and private) before
-attempting to start the %{name} service.
-
-A valid private key must exist in the location expected by %{_sysconfdir}/%{name}.conf before the service will start.
-
-A matching public key must be included in your domain's DNS records before remote systems can validate
-your outgoing mail's DKIM signature.
-
-
-Generating Keys Automatically
-=============================
-To automatically create a pair of default keys for the local domain, do:
-
-% sudo %{_sbindir}/%{name}-default-keygen
-
-The default keygen script will attempt to fetch the local domain name, generate a private and public key for
-the domain, then save them in %{_sysconfdir}/%{name}/keys as default.private and default.txt with the proper
-ownership and permissions.
-
-NOTE: The default key generation script MUST be run by a privileged user (or root). Otherwise, the resulting
-private key ownership and permissions will not be correct.
-
-
-Generating Keys Manually
-========================
-A privileged user (or root) can manually generate a set of keys by doing the following:
-
-1) Create a directory to store the new keys:
-
-% sudo mkdir %{_sysconfdir}/%{name}/keys/example.com
-
-2) Generate keys in that directory for a specific domain name and selector:
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/SigningTable
-% sudo %{_sbindir}/%{name}-genkey -D %{_sysconfdir}/%{name}/keys/example.com/ -d example.com -s default
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/KeyTable
-3) Set the proper ownership for the directory and private key:
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts
-% sudo chown -R root:%{name} %{_sysconfdir}/%{name}/keys/example.com
-
-4) Set secure permissions for the private key:
-
-% sudo chmod 640 %{_sysconfdir}/%{name}/keys/example.com/default.private
-
-5) Set standard permissions for the public key:
-
-% sudo chmod 644 %{_sysconfdir}/%{name}/keys/example.com/default.txt
-
-
-Updating Key Location(s) in Configuration Files
-===============================================
-If you run the %{name}-default-keygen script, the default keys will be saved in %{_sysconfdir}/%{name}/keys as
-default.private and default.txt, which is the location expected by the default %{_sysconfdir}/%{name}.conf file.
-
-If you manually generate your own keys, you must update the key location and name in %{_sysconfdir}/%{name}.conf
-before attempting to start the %{name} service.
-
-
-Using %upname with SQL Datasets
-================================
-%upname on RedHat-based systems relies on OpenDBX for database access. Depending on which database you use,
-you may have to manually install one of the following OpenDBX subpackages (all of which are available via yum):
-
-- opendbx-firebird
-- opendbx-mssql
-- opendbx-mysql
-- opendbx-postgresql
-- opendbx-sqlite
-- opendbx-sqlite2
-- opendbx-sybase
-
-If you have %upname configured to use SQL datasets on a systemd-based server, it might also be necessary to start
-the %name service after the database servers by referencing your database unit file(s) in the "After" section of
-the %upname unit file.
-
-For example, if using both MariaDB and PostgreSQL, in %{_unitdir}/%{name}.service change:
-
-After=network.target nss-lookup.target syslog.target
-
-to:
-
-After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service
-
-
-Additional Configuration Help
-=============================
-For help configuring your MTA (Postfix, Sendmail, etc.) with %{upname}, setting up DNS records with your
-public DKIM key, as well as instructions on configuring %{upname} to sign outgoing mail for multiple
-domains, follow the how-to at:
-
-http://wp.me/p1iGgP-ou
-
-Official documentation for %{upname} is available at http://%{name}.org/
-
-%{upname} mailing lists are available at http://lists.%{name}.org/
-
-###
-EOF
+cp %{SOURCE6} ./README.fedora
install -p -d %{buildroot}%{_sysconfdir}/tmpfiles.d
cat > %{buildroot}%{_sysconfdir}/tmpfiles.d/%{name}.conf <<'EOF'
@@ -435,40 +119,19 @@ getent passwd %{name} >/dev/null || \
exit 0
%post
-%if %systemd
%systemd_post %{name}.service
-%else
-/sbin/chkconfig --add %{name} || :
-%endif
%preun
-%if %systemd
%systemd_preun %{name}.service
-%else
-if [ $1 -eq 0 ]; then
- service %{name} stop >/dev/null || :
- /sbin/chkconfig --del %{name} || :
-fi
-exit 0
-%endif
%postun
-%if %systemd
%systemd_postun_with_restart %{name}.service
-%else
-if [ "$1" -ge "1" ] ; then
- /sbin/service %{name} condrestart >/dev/null 2>&1 || :
-fi
-exit 0
-%endif
-
-%if %systemd
# For the switchover from initscript to service file
%triggerun -- %{name} < 2.8.0-1
%systemd_post %{name}.service
/sbin/chkconfig --del %{name} >/dev/null 2>&1 || :
%systemd_postun_with_restart %{name}.service
-%endif
+
%ldconfig_scriptlets -n libopendkim
@@ -494,33 +157,25 @@ exit 0
%dir %attr(0750,%name,%{name}) %{_sysconfdir}/%{name}/keys
%attr(0755,root,root) %{_sbindir}/%{name}-default-keygen
-%if %systemd
%attr(0644,root,root) %{_unitdir}/%{name}.service
-%else
-%attr(0755,root,root) %{_initrddir}/%{name}
-%endif
%files -n libopendkim
-%if 0%{?_licensedir:1}
%license LICENSE LICENSE.Sendmail
-%else
-%doc LICENSE LICENSE.Sendmail
-%endif
%doc README
%{_libdir}/lib%{name}.so.*
%files -n libopendkim-devel
-%if 0%{?_licensedir:1}
%license LICENSE LICENSE.Sendmail
-%else
-%doc LICENSE LICENSE.Sendmail
-%endif
%doc lib%{name}/docs/*.html
%{_includedir}/%{name}
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%changelog
+* Mon Jun 22 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.12
+- Rebase to 2.11.0-beta2 version
+- Clean specfile and move configuration to their own files
+
* Fri Apr 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.11
- Rebuilt with lua support
- Credit: Breno Brand Fernandes brandfbb@gmail.com
diff --git a/opendkim.sysconfig b/opendkim.sysconfig
new file mode 100644
index 0000000..0d51cce
--- /dev/null
+++ b/opendkim.sysconfig
@@ -0,0 +1,8 @@
+# Set the necessary startup options
+OPTIONS="-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid"
+
+# Set the default DKIM selector
+DKIM_SELECTOR=default
+
+# Set the default DKIM key location
+DKIM_KEYDIR=/etc/opendkim/keys
diff --git a/opendkim.ticket35+37.patch b/opendkim.ticket35+37.patch
deleted file mode 100644
index 68115a1..0000000
--- a/opendkim.ticket35+37.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-diff -Naur -x opendkim-2.11.0.orig/configure opendkim-2.11.0/configure
---- opendkim-2.11.0.orig/configure 2015-10-07 16:17:48.000000000 -0700
-+++ opendkim-2.11.0/configure 2016-12-20 18:47:51.662158143 -0800
-@@ -14700,13 +14700,13 @@
-
- for d in $strldirs
- do
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strl.h in $d/strl" >&5
--$as_echo_n "checking for strl.h in $d/strl... " >&6; }
-- if test -f $d/strl/strl.h
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strl.h in $d" >&5
-+$as_echo_n "checking for strl.h in $d... " >&6; }
-+ if test -f $d/strl.h
- then
- unset ac_cv_header_strl_h
- saved_CPPFLAGS="$CPPFLAGS"
-- CPPFLAGS="$CPPFLAGS -I$d/strl"
-+ CPPFLAGS="$CPPFLAGS -I$d"
- for ac_header in strl.h
- do :
- ac_fn_c_check_header_mongrel "$LINENO" "strl.h" "ac_cv_header_strl_h" "$ac_includes_default"
-@@ -14724,7 +14724,7 @@
-
- if test x"$strl_h_found" = x"yes"
- then
-- CPPFLAGS="$CPPFLAGS -I$d/strl"
-+ CPPFLAGS="$CPPFLAGS -I$d"
- break
- fi
- done
-@@ -16795,77 +16795,39 @@
- fi
-
-
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
--$as_echo_n "checking for library containing SSL_library_init... " >&6; }
--if ${ac_cv_search_SSL_library_init+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- ac_func_search_save_LIBS=$LIBS
--cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h. */
-
--/* Override any GCC internal prototype to avoid an error.
-- Use char because int might match the return type of a GCC
-- builtin and then its argument prototype would still apply. */
--#ifdef __cplusplus
--extern "C"
--#endif
--char SSL_library_init ();
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <openssl/ssl.h>
- int
- main ()
- {
--return SSL_library_init ();
-+SSL_library_init();
- ;
- return 0;
- }
- _ACEOF
--for ac_lib in '' ssl; do
-- if test -z "$ac_lib"; then
-- ac_res="none required"
-- else
-- ac_res=-l$ac_lib
-- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
-- fi
-- if ac_fn_c_try_link "$LINENO"; then :
-- ac_cv_search_SSL_library_init=$ac_res
--fi
--rm -f core conftest.err conftest.$ac_objext \
-- conftest$ac_exeext
-- if ${ac_cv_search_SSL_library_init+:} false; then :
-- break
--fi
--done
--if ${ac_cv_search_SSL_library_init+:} false; then :
--
-+if ac_fn_c_try_link "$LINENO"; then :
-+ od_have_ossl="yes";
- else
-- ac_cv_search_SSL_library_init=no
-+ od_have_ossl="no";
- fi
--rm conftest.$ac_ext
--LIBS=$ac_func_search_save_LIBS
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSL_library_init" >&5
--$as_echo "$ac_cv_search_SSL_library_init" >&6; }
--ac_res=$ac_cv_search_SSL_library_init
--if test "$ac_res" != no; then :
-- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
--
--else
--
-- if test x"$enable_shared" = x"yes"
-- then
-- as_fn_error $? "Cannot build shared opendkim
-- against static openssl libraries.
-- Configure with --disable-shared
-- to get this working or obtain a
-- shared libssl library for
-- opendkim to use." "$LINENO" 5
-- fi
-+rm -f core conftest.err conftest.$ac_objext \
-+ conftest$ac_exeext conftest.$ac_ext
-+ if test x"$od_have_ossl" = x"no"
-+ then
-+ if test x"$enable_shared" = x"yes"
-+ then
-+ as_fn_error $? "Cannot build shared opendkim
-+ against static openssl libraries.
-+ Configure with --disable-shared
-+ to get this working or obtain a
-+ shared libssl library for
-+ opendkim to use." "$LINENO" 5
-+ fi
-
-- # avoid caching issue - last result of SSL_library_init
-- # shouldn't be cached for this next check
-- unset ac_cv_search_SSL_library_init
-- LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
-+ LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
- $as_echo_n "checking for library containing SSL_library_init... " >&6; }
- if ${ac_cv_search_SSL_library_init+:} false; then :
- $as_echo_n "(cached) " >&6
-@@ -16923,10 +16885,7 @@
- as_fn_error $? "libssl not found" "$LINENO" 5
- fi
-
--
--
--fi
--
-+ fi
-
- ac_fn_c_check_decl "$LINENO" "SHA256_DIGEST_LENGTH" "ac_cv_have_decl_SHA256_DIGEST_LENGTH" "
- #include <sys/types.h>
-diff -Naur -x opendkim-2.11.0.orig/opendkim/opendkim-crypto.c opendkim-2.11.0/opendkim/opendkim-crypto.c
---- opendkim-2.11.0.orig/opendkim/opendkim-crypto.c 2013-02-25 13:02:41.000000000 -0800
-+++ opendkim-2.11.0/opendkim/opendkim-crypto.c 2016-12-20 18:47:03.477027225 -0800
-@@ -222,7 +222,11 @@
- {
- assert(pthread_setspecific(id_key, ptr) == 0);
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+ OPENSSL_thread_stop();
-+#else
- ERR_remove_state(0);
-+#endif
-
- free(ptr);
-
-@@ -392,11 +396,15 @@
- {
- if (crypto_init_done)
- {
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+ OPENSSL_thread_stop();
-+#else
- CRYPTO_cleanup_all_ex_data();
- CONF_modules_free();
- EVP_cleanup();
- ERR_free_strings();
- ERR_remove_state(0);
-+#endif
-
- if (nmutexes > 0)
- {
diff --git a/sources b/sources
index 58e6a1b..4010628 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opendkim-2.11.0.Alpha0.tar.gz) = d370fa0ab5f335338f86ce5afb0b8c13cce80c4ac5da18d0f6af6e5227e909adacd0d0e7766c0cb6ecc30803a27cd469a9e22a8b7b37f4dee47d632dbce5f832
+SHA512 (opendkim-2.11.0-0.12.fc33.src.rpm) = 4c667fdc949e7130e5735a16d2db2517cd4225e2faff4ea1541e2d7e2eff6445e91161622a7a36e4517eeb180e0c9ea66dc2b57b17bc74423e7a2b8ab78cfa1c
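Review bot: The new `sources` entry pins `opendkim-2.11.0-0.12.fc33.src.rpm`, a source RPM, where the old entry pinned an upstream tarball. The SHA512 therefore covers a locally built wrapper (spec, patches and archive together). It cannot be compared with any checksum or signature published upstream, so this file no longer vouches for the archive inside. The entry should name the archive that `Source0` in the spec refers to (not visible in this hunk), in the form `SHA512 (<upstream-tarball-name>) = <sha512-of-that-tarball>`, with the hash checked against the upstream release before upload.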