author | Matt Domsch <matt@domsch.com> | 2020-12-11 08:51:04 -0600 |
---|---|---|
committer | Matt Domsch <matt@domsch.com> | 2020-12-11 08:51:04 -0600 |
commit | e5c78a1722a44ff565eca2aafbb1d4a357fc4c94 (patch) | |
tree | f79169feb1e7d7952a1d3e92014628e3d3054c49 /opendkim.spec | |
parent | 23c44503445ae92c958bf31cacbf9cf886db4bf6 (diff) | |
parent | 6fc72129854bce13b4f36c069f2929ec6753ba04 (diff) | |
download | opendkim_EL6-e5c78a1722a44ff565eca2aafbb1d4a357fc4c94.tar.gz |
Merge branch 'master' into epel8
Diffstat (limited to 'opendkim.spec')
-rw-r--r-- | opendkim.spec | 429 |
1 files changed, 51 insertions, 378 deletions
diff --git a/opendkim.spec b/opendkim.spec index a884fb4..139737b 100644 --- a/opendkim.spec +++ b/opendkim.spec @@ -1,52 +1,37 @@ -%global systemd (0%{?fedora} >= 18) || (0%{?rhel} >= 7) %global upname OpenDKIM %global bigname OPENDKIM +%global full_version 2.11.0-Beta2 + Summary: A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail Name: opendkim Version: 2.11.0 -Release: 0.11%{?dist} +Release: 0.17%{?dist} License: BSD and Sendmail URL: http://%{name}.org/ -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.Alpha0.tar.gz +Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/%{full_version}.tar.gz +Source1: opendkim.conf +Source2: opendkim.sysconfig +Source3: SigningTable +Source4: KeyTable +Source5: TrustedHosts +Source6: README.fedora -# https://sourceforge.net/p/opendkim/patches/35/ -# https://sourceforge.net/p/opendkim/patches/37/ -# Patches rediffed and combined (both modify configure) -Patch0: %{name}.ticket35+37.patch -Patch1: %{name}.lua_load_dump.patch +# https://github.com/trusteddomainproject/OpenDKIM/pull/70 +Patch0: 0001-support-for-lua-5.3.patch # Required for all versions Requires: lib%{name}%{?_isa} = %{version}-%{release} BuildRequires: openssl-devel, libtool, pkgconfig, libbsd, libbsd-devel, opendbx-devel, lua-devel Requires(pre): shadow-utils -%if %systemd -# Required for systemd %{?systemd_requires} BuildRequires: systemd BuildRequires: libdb-devel, libmemcached-devel -%else -# Required for SysV -Requires(post): chkconfig -Requires(preun): chkconfig, initscripts -Requires(postun): initscripts -BuildRequires: db4-devel -%endif - -# sendmail-devel renamed for F26+ -%if 0%{?fedora} > 25 + BuildRequires: sendmail-milter-devel -%else -BuildRequires: sendmail-devel -%endif -%if 0%{?rhel} == 5 -Requires(post): policycoreutils -%else BuildRequires: openldap-devel -%endif - %description %{upname} allows signing and/or verification of email through an open source 
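Review bot: The new `Source0` points at a bare GitHub tag archive, so the tarball is saved as `2.11.0-Beta2.tar.gz` and its contents follow whatever the tag refers to at fetch time. The named form `Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/%{full_version}/%{upname}-%{full_version}.tar.gz` gives the file a recognisable name that matches the `-n %{upname}-%{full_version}` directory used in `%prep`. The checksum that pins the tarball presumably lives in the dist-git `sources` file, which this diff (limited to opendkim.spec) does not show, so it is worth confirming it was refreshed for Beta2.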
@@ -71,20 +56,15 @@ This package contains the static libraries, headers, and other support files required for developing applications against libopendkim. %prep -%autosetup -p1 +%autosetup -p1 -n %{upname}-%{full_version} %build +autoreconf -iv # Always use system libtool instead of pacakge-provided one to # properly handle 32 versus 64 bit detection and settings %define LIBTOOL LIBTOOL=`which libtool` -%if %systemd -# Configure with options available to systemd %configure --with-odbx --with-db --with-libmemcached --with-openldap --enable-query_cache --with-lua -%else -# Configure with options available to SysV -%configure --with-odbx --with-db --with-openldap --enable-query_cache --with-lua -%endif # Remove rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool 
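Review bot: `autoreconf -iv` is added to `%build`, but the `BuildRequires` line in the first hunk names only `libtool` from the autotools set. autoconf and automake may arrive as dependencies of libtool, yet a build that regenerates `configure` should declare them itself: `BuildRequires: autoconf, automake`. The `%build` section continues past the end of this hunk.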
@@ -96,320 +76,25 @@ install -d %{buildroot}%{_sysconfdir} install -d %{buildroot}%{_sysconfdir}/sysconfig install -m 0755 contrib/init/redhat/%{name}-default-keygen %{buildroot}%{_sbindir}/%{name}-default-keygen -%if %systemd install -d -m 0755 %{buildroot}%{_unitdir} install -m 0644 contrib/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service -%else -install -d %{buildroot}%{_initrddir} -install -m 0755 contrib/init/redhat/%{name} %{buildroot}%{_initrddir}/%{name} -%endif - -cat > %{buildroot}%{_sysconfdir}/%{name}.conf << 'EOF' -## BASIC %{bigname} CONFIGURATION FILE -## See %{name}.conf(5) or %{_defaultdocdir}/%{name}/%{name}.conf.sample for more - -## BEFORE running %{upname} you must: - -## - make your MTA (Postfix, Sendmail, etc.) aware of %{upname} -## - generate keys for your domain (if signing) -## - edit your DNS records to publish your public keys (if signing) - -## See %{_defaultdocdir}/%{name}/INSTALL for detailed instructions. - -## DEPRECATED CONFIGURATION OPTIONS -## -## The following configuration options are no longer valid. They should be -## removed from your existing configuration file to prevent potential issues. -## Failure to do so may result in %{name} being unable to start. -## -## Removed in 2.10.0: -## AddAllSignatureResults -## ADSPAction -## ADSPNoSuchDomain -## BogusPolicy -## DisableADSP -## LDAPSoftStart -## LocalADSP -## NoDiscardableMailTo -## On-PolicyError -## SendADSPReports -## UnprotectedPolicy - -## CONFIGURATION OPTIONS - -## Specifies the path to the process ID file. -PidFile %{_localstatedir}/run/%{name}/%{name}.pid - -## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v. -## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing -## messages. -Mode v - -## Log activity to the system log. -Syslog yes - -## Log additional entries indicating successful signing or verification of messages. 
-SyslogSuccess yes - -## If logging is enabled, include detailed logging about why or why not a message was -## signed or verified. This causes an increase in the amount of log data generated -## for each message, so set this to No (or comment it out) if it gets too noisy. -LogWhy yes - -## Attempt to become the specified user before starting operations. -UserID %{name}:%{name} - -## Create a socket through which your MTA can communicate. -Socket inet:8891@localhost - -## Required to use local socket with MTAs that access the socket as a non- -## privileged user (e.g. Postfix) -Umask 002 - -## This specifies a text file in which to store DKIM transaction statistics. -## %{upname} must be manually compiled with --enable-stats to enable this feature. -# Statistics %{_localstatedir}/spool/%{name}/stats.dat - -## Specifies whether or not the filter should generate report mail back -## to senders when verification fails and an address for such a purpose -## is provided. See opendkim.conf(5) for details. -SendReports yes - -## Specifies the sending address to be used on 
From: headers of outgoing -## failure reports. By default, the e-mail address of the user executing -## the filter is used (executing_user@hostname). -# ReportAddress "Example.com Postmaster" <postmaster@example.com> - -## Add a DKIM-Filter header field to messages passing through this filter -## to identify messages it has processed. -SoftwareHeader yes - -## SIGNING OPTIONS - -## Selects the canonicalization method(s) to be used when signing messages. -Canonicalization relaxed/relaxed - -## Domain(s) whose mail should be signed by this filter. Mail from other domains will -## be verified rather than being signed. Uncomment and use your domain name. -## This parameter is not required if a SigningTable is in use. -# Domain example.com - -## Defines the name of the selector to be used when signing messages. -Selector default - -## Specifies the minimum number of key bits for acceptable keys and signatures. -MinimumKeyBits 1024 - -## Gives the location of a private key to be used for signing ALL messages. This -## directive is ignored if KeyTable is enabled. -KeyFile %{_sysconfdir}/%{name}/keys/default.private - -## Gives the location of a file mapping key names to signing keys. In simple terms, -## this tells %{upname} where to find your keys. If present, overrides any KeyFile -## directive in the configuration file. Requires SigningTable be enabled. -# KeyTable %{_sysconfdir}/%{name}/KeyTable - -## Defines a table used to select one or more signatures to apply to a message based -## on the address found in the 
From: header field. In simple terms, this tells -## %{upname} how to use your keys. Requires KeyTable be enabled. -# SigningTable refile:%{_sysconfdir}/%{name}/SigningTable - -## Identifies a set of "external" hosts that may send mail through the server as one -## of the signing domains without credentials as such. -# ExternalIgnoreList refile:%{_sysconfdir}/%{name}/TrustedHosts - -## Identifies a set "internal" hosts whose mail should be signed rather than verified. -# InternalHosts refile:%{_sysconfdir}/%{name}/TrustedHosts - -## Contains a list of IP addresses, CIDR blocks, hostnames or domain names -## whose mail should be neither signed nor verified by this filter. See man -## page for file format. -# PeerList X.X.X.X - -## Always oversign From (sign using actual From and a null From to prevent -## malicious signatures header fields (From and/or others) between the signer -## and the verifier. From is oversigned by default in the Fedora package -## because it is often the identity key used by reputation systems and thus -## somewhat security sensitive. -OversignHeaders From - -## Instructs the DKIM library to maintain its own local cache of keys and -## policies retrieved from DNS, rather than relying on the nameserver for -## caching service. Useful if the nameserver being used by the filter is -## not local. 
-# QueryCache yes -EOF - -%{__cat} > %{buildroot}%{_sysconfdir}/sysconfig/%{name} << 'EOF' -# Set the necessary startup options -OPTIONS="-x %{_sysconfdir}/%{name}.conf -P %{_localstatedir}/run/%{name}/%{name}.pid" -# Set the default DKIM selector -DKIM_SELECTOR=default +install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}.conf -# Set the default DKIM key location -DKIM_KEYDIR=%{_sysconfdir}/%{name}/keys -EOF +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name} -cat > %{buildroot}%{_sysconfdir}/%{name}/SigningTable << 'EOF' -# %{bigname} SIGNING TABLE -# This table controls how to apply one or more signatures to outgoing messages based -# on the address found in the 
From: header field. In simple terms, this tells -# %{upname} "how" to apply your keys. - -# To use this file, uncomment the SigningTable option in %{_sysconfdir}/%{name}.conf, -# then uncomment one of the usage examples below and replace example.com with your -# domain name, then restart %{upname}. - -# WILDCARD EXAMPLE -# Enables signing for any address on the listed domain(s), but will work only if -# "refile:%{_sysconfdir}/%{name}/SigningTable" is included in %{_sysconfdir}/%{name}.conf. -# Create additional lines for additional domains. - -#*@example.com default._domainkey.example.com - -# NON-WILDCARD EXAMPLE -# If "file:" (instead of "refile:") is specified in %{_sysconfdir}/%{name}.conf, then -# wildcards will not work. Instead, full user@host is checked first, then simply host, -# then user@.domain (with all superdomains checked in sequence, so "foo.example.com" -# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"), -# then .domain, then user@*, and finally *. See the %{name}.conf(5) man page under -# "SigningTable" for more details. - -#example.com default._domainkey.example.com -EOF - -cat > %{buildroot}%{_sysconfdir}/%{name}/KeyTable << 'EOF' -# %{bigname} KEY TABLE -# To use this file, uncomment the #KeyTable option in %{_sysconfdir}/%{name}.conf, -# then uncomment the following line and replace example.com with your domain -# name, then restart %{upname}. Additional keys may be added on separate lines. - -#default._domainkey.example.com example.com:default:%{_sysconfdir}/%{name}/keys/default.private -EOF - -cat > %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts << 'EOF' -# %{bigname} TRUSTED HOSTS -# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts -# option in %{_sysconfdir}/%{name}.conf then restart %{upname}. Additional hosts -# may be added on separate lines (IP addresses, hostnames, or CIDR ranges). -# The localhost IP (127.0.0.1) should always be the first entry in this file. 
-127.0.0.1 -::1 -#host.example.com -#192.168.1.0/24 -EOF - -cat > README.fedora << 'EOF' -##################################### -#FEDORA-SPECIFIC README FOR %{bigname}# -##################################### -Last updated: Apr 30, 2015 by Steve Jenkins (steve@stevejenkins.com) - -Generating keys for %{upname} -============================ -After installing the %{name} package, you MUST generate a pair of keys (public and private) before -attempting to start the %{name} service. - -A valid private key must exist in the location expected by %{_sysconfdir}/%{name}.conf before the service will start. - -A matching public key must be included in your domain's DNS records before remote systems can validate -your outgoing mail's DKIM signature. - - -Generating Keys Automatically -============================= -To automatically create a pair of default keys for the local domain, do: - -% sudo %{_sbindir}/%{name}-default-keygen - -The default keygen script will attempt to fetch the local domain name, generate a private and public key for -the domain, then save them in %{_sysconfdir}/%{name}/keys as default.private and default.txt with the proper -ownership and permissions. - -NOTE: The default key generation script MUST be run by a privileged user (or root). Otherwise, the resulting -private key ownership and permissions will not be correct. 
- - -Generating Keys Manually -======================== -A privileged user (or root) can manually generate a set of keys by doing the following: - -1) Create a directory to store the new keys: - -% sudo mkdir %{_sysconfdir}/%{name}/keys/example.com - -2) Generate keys in that directory for a specific domain name and selector: - -% sudo %{_sbindir}/%{name}-genkey -D %{_sysconfdir}/%{name}/keys/example.com/ -d example.com -s default - -3) Set the proper ownership for the directory and private key: - -% sudo chown -R root:%{name} %{_sysconfdir}/%{name}/keys/example.com +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/SigningTable -4) Set secure permissions for the private key: +install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/KeyTable -% sudo chmod 640 %{_sysconfdir}/%{name}/keys/example.com/default.private +install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts -5) Set standard permissions for the public key: +cp %{SOURCE6} ./README.fedora -% sudo chmod 644 %{_sysconfdir}/%{name}/keys/example.com/default.txt - - -Updating Key Location(s) in Configuration Files -=============================================== -If you run the %{name}-default-keygen script, the default keys will be saved in %{_sysconfdir}/%{name}/keys as -default.private and default.txt, which is the location expected by the default %{_sysconfdir}/%{name}.conf file. - -If you manually generate your own keys, you must update the key location and name in %{_sysconfdir}/%{name}.conf -before attempting to start the %{name} service. - - -Using %upname with SQL Datasets -================================ -%upname on RedHat-based systems relies on OpenDBX for database access. 
Depending on which database you use, -you may have to manually install one of the following OpenDBX subpackages (all of which are available via yum): - -- opendbx-firebird -- opendbx-mssql -- opendbx-mysql -- opendbx-postgresql -- opendbx-sqlite -- opendbx-sqlite2 -- opendbx-sybase - -If you have %upname configured to use SQL datasets on a systemd-based server, it might also be necessary to start -the %name service after the database servers by referencing your database unit file(s) in the "After" section of -the %upname unit file. - -For example, if using both MariaDB and PostgreSQL, in %{_unitdir}/%{name}.service change: - -After=network.target nss-lookup.target syslog.target - -to: - -After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service - - -Additional Configuration Help -============================= -For help configuring your MTA (Postfix, Sendmail, etc.) with %{upname}, setting up DNS records with your -public DKIM key, as well as instructions on configuring %{upname} to sign outgoing mail for multiple -domains, follow the how-to at: - -http://wp.me/p1iGgP-ou - -Official documentation for %{upname} is available at http://%{name}.org/ - -%{upname} mailing lists are available at http://lists.%{name}.org/ - -### -EOF - -install -p -d %{buildroot}%{_sysconfdir}/tmpfiles.d -cat > %{buildroot}%{_sysconfdir}/tmpfiles.d/%{name}.conf <<'EOF' -D %{_localstatedir}/run/%{name} 0700 %{name} %{name} - +install -p -d %{buildroot}/usr/lib/tmpfiles.d +cat > %{buildroot}/usr/lib/tmpfiles.d/%{name}.conf <<'EOF' +D %{_rundir}/%{name} 0750 %{name} %{name} - EOF rm -r %{buildroot}%{_prefix}/share/doc/%{name} @@ -417,7 +102,7 @@ rm %{buildroot}%{_libdir}/*.a rm %{buildroot}%{_libdir}/*.la mkdir -p %{buildroot}%{_localstatedir}/spool/%{name} -mkdir -p %{buildroot}%{_localstatedir}/run/%{name} +mkdir -p %{buildroot}%{_rundir}/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name} mkdir %{buildroot}%{_sysconfdir}/%{name}/keys 
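Review bot: The `install`/`cp` lines for `%{SOURCE1}` to `%{SOURCE6}` replace heredocs that RPM expanded at build time, so those files now ship exactly as written and any `%{...}` left in them will not be substituted. The files are outside this diff, so it cannot be checked here that the PidFile in opendkim.conf and the `-P` option in the sysconfig file point under the `%{_rundir}/%{name}` directory that the tmpfiles.d entry now creates with mode 0750. The removed inline versions used `%{_localstatedir}/run/%{name}`. A comment above the install lines would help: `# Source1-6 are installed verbatim (no macro expansion); keep their paths in sync with the tmpfiles.d entry below`.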
@@ -430,45 +115,24 @@ chmod 0644 contrib/convert/convert_keylist.sh %pre getent group %{name} >/dev/null || groupadd -r %{name} getent passwd %{name} >/dev/null || \ - useradd -r -g %{name} -G mail -d %{_localstatedir}/run/%{name} -s /sbin/nologin \ + useradd -r -g %{name} -G mail -d %{_rundir}/%{name} -s /sbin/nologin \ -c "%{upname} Milter" %{name} exit 0 %post -%if %systemd %systemd_post %{name}.service -%else -/sbin/chkconfig --add %{name} || : -%endif %preun -%if %systemd %systemd_preun %{name}.service -%else -if [ $1 -eq 0 ]; then - service %{name} stop >/dev/null || : - /sbin/chkconfig --del %{name} || : -fi -exit 0 -%endif %postun -%if %systemd %systemd_postun_with_restart %{name}.service -%else -if [ "$1" -ge "1" ] ; then - /sbin/service %{name} condrestart >/dev/null 2>&1 || : -fi -exit 0 -%endif - -%if %systemd # For the switchover from initscript to service file %triggerun -- %{name} < 2.8.0-1 %systemd_post %{name}.service /sbin/chkconfig --del %{name} >/dev/null 2>&1 || : %systemd_postun_with_restart %{name}.service -%endif + %ldconfig_scriptlets -n libopendkim @@ -480,7 +144,7 @@ exit 0 %doc %{name}/README contrib/lua/*.lua %doc README.fedora %config(noreplace) %{_sysconfdir}/%{name}.conf -%config(noreplace) %{_sysconfdir}/tmpfiles.d/%{name}.conf +%config(noreplace) /usr/lib/tmpfiles.d/%{name}.conf %config(noreplace) %attr(0640,%{name},%{name}) %{_sysconfdir}/%{name}/SigningTable %config(noreplace) %attr(0640,%{name},%{name}) %{_sysconfdir}/%{name}/KeyTable %config(noreplace) %attr(0640,%{name},%{name}) %{_sysconfdir}/%{name}/TrustedHosts 
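Review bot: The rewritten `useradd` line in `%pre` still puts the service account in the supplementary group `mail` (`-G mail`), and nothing in the spec says which setup needs it. The milter reads the DKIM signing keys, so any extra group membership deserves a stated reason. A comment such as `# -G mail: required by <MTA/socket setup that depends on it>` would do, or the flag can be dropped if no supported setup relies on it.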
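Review bot: `%config(noreplace)` on `/usr/lib/tmpfiles.d/%{name}.conf` treats a vendor default as local configuration. If an administrator has edited that file, rpm keeps the edited copy on upgrade, so a permission change such as the 0750 mode set in `%install` would not reach that host; local overrides belong in /etc/tmpfiles.d. I would list it as `%{_tmpfilesdir}/%{name}.conf` with no `%config` flag, and use the same macro in place of the hard-coded `/usr/lib/tmpfiles.d` in the two `%install` lines.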
@@ -489,38 +153,47 @@ exit 0 %{_sbindir}/* %{_mandir}/*/* %dir %attr(-,%{name},%{name}) %{_localstatedir}/spool/%{name} -%dir %attr(0775,%{name},%{name}) %{_localstatedir}/run/%{name} +%dir %attr(0750,%{name},%{name}) %{_rundir}/%{name} %dir %attr(-,root,%{name}) %{_sysconfdir}/%{name} -%dir %attr(0750,%name,%{name}) %{_sysconfdir}/%{name}/keys +%dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}/keys %attr(0755,root,root) %{_sbindir}/%{name}-default-keygen -%if %systemd %attr(0644,root,root) %{_unitdir}/%{name}.service -%else -%attr(0755,root,root) %{_initrddir}/%{name} -%endif %files -n libopendkim -%if 0%{?_licensedir:1} %license LICENSE LICENSE.Sendmail -%else -%doc LICENSE LICENSE.Sendmail -%endif %doc README %{_libdir}/lib%{name}.so.* %files -n libopendkim-devel -%if 0%{?_licensedir:1} %license LICENSE LICENSE.Sendmail -%else -%doc LICENSE LICENSE.Sendmail -%endif %doc lib%{name}/docs/*.html %{_includedir}/%{name} %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %changelog +* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.11.0-0.17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jun 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.16 +- Change location of tmpfiles definiton (#1736767) + +* Wed Jun 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.15 +- Change permissions of /var/run/opendkim directory (#1744391) + +* Wed Jun 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.14 +- Change ownership of the keys directory to root (#1711713) + +* Wed Jun 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.13 +- Change /run/opendkim permissions to group writable +- Improve the patch which adds support for lua +- Credit: mdomsch + +* Mon Jun 22 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.12 +- Rebase to 2.11.0-beta2 version +- Clean specfile and move configuration to their own files + * Fri Apr 24 2020 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.11 - Rebuilt with lua support - Credit: Breno Brand 
Fernandes brandfbb@gmail.com |
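Review bot: The mode of the runtime directory is now stated in two places, `%dir %attr(0750,%{name},%{name}) %{_rundir}/%{name}` in this hunk and the `D %{_rundir}/%{name} 0750 ...` tmpfiles.d line in `%install`. The removed lines show the two had drifted apart before (0775 here, 0700 there). A comment above the `%dir` line would keep them together: `# mode must match the D line in tmpfiles.d/%{name}.conf; an MTA user needs membership in group %{name} to reach a socket placed here`.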