From: Michael Orlitzky <mjo@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-filter/opendkim/
Date: Wed, 23 Feb 2022 12:34:18
Message-Id: 1645619524.77890fca37b6a6d889cd984eb029799652442574.mjo@gentoo
1 commit: 77890fca37b6a6d889cd984eb029799652442574
2 Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
3 AuthorDate: Wed Feb 23 12:31:18 2022 +0000
4 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
5 CommitDate: Wed Feb 23 12:32:04 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77890fca
7
8 mail-filter/opendkim: update sendmail/libmilter dependency.
9
10 As reported in bug 833778, it would be nice if we could bind to the
11 libmilter subslot with an := dependency. In the existing ebuild, that
12 wasn't possible because we accepted either libmilter || sendmail, and
13 using := within an any-of clause is disallowed.
14
15 Fortunately, the "|| sendmail" portion of that is a relic, for
16 versions of sendmail that don't themselves use libmilter. All versions
17 of mail-mta/sendmail in the tree today do, so we can drop the sendmail
18 portion of that any-of dependency entirely, and then afterwards add
19 the := to libmilter.
20
21 Closes: https://bugs.gentoo.org/833778
22 Reported-by: Daniel M. Weeks <dan <AT> danweeks.net>
23 Package-Manager: Portage-3.0.30, Repoman-3.0.3
24 Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
25
26 mail-filter/opendkim/opendkim-2.10.3-r27.ebuild | 254 ++++++++++++++++++++++++
27 1 file changed, 254 insertions(+)
28
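diff --git a/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild
new file mode 100644
index 000000000000..129a8167f831
--- /dev/null
+++ b/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild
@@ -0,0 +1,254 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+LUA_COMPAT=( lua5-1 lua5-2 )
+
+inherit autotools db-use systemd tmpfiles lua-single
+
+DESCRIPTION="A milter providing DKIM signing and verification"
+HOMEPAGE="http://opendkim.org/"
+SRC_URI="https://downloads.sourceforge.net/project/opendkim/${P}.tar.gz"
+
+# The GPL-2 is for the init script, bug 425960.
+LICENSE="BSD GPL-2 Sendmail-Open-Source"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="berkdb ldap lmdb lua memcached opendbx poll sasl selinux +ssl static-libs stats querycache test unbound"
+
+BDEPEND="acct-user/opendkim
+ test? ( ${LUA_DEPS} )"
+
+COMMON_DEPEND="mail-filter/libmilter:=
+ dev-libs/libbsd
+ sys-apps/grep
+ ssl? (
+ dev-libs/openssl:0=
+ )
+ berkdb? ( >=sys-libs/db-3.2:* )
+ opendbx? ( >=dev-db/opendbx-1.4.0 )
+ lua? ( ${LUA_DEPS} )
+ ldap? ( net-nds/openldap )
+ lmdb? ( dev-db/lmdb )
+ memcached? ( dev-libs/libmemcached )
+ sasl? ( dev-libs/cyrus-sasl )
+ unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )
+ !unbound? ( net-libs/ldns )"
+
+DEPEND="${COMMON_DEPEND}"
+
+RDEPEND="${COMMON_DEPEND}
+ acct-user/opendkim
+ sys-process/psmisc
+ selinux? ( sec-policy/selinux-dkim )"
+
+REQUIRED_USE="sasl? ( ldap )
+ stats? ( opendbx )
+ querycache? ( berkdb )
+ lua? ( ${LUA_REQUIRED_USE} )
+ test? ( ${LUA_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+PATCHES=(
+ "${FILESDIR}/${P}-openrc.patch"
+ "${FILESDIR}/${P}-openssl-1.1.1.patch.r2"
+ "${FILESDIR}/${P}-lua-pkgconfig.patch"
+ "${FILESDIR}/${P}-lua-pkgconfig-pt2.patch"
+ "${FILESDIR}/${P}-define-P-macro-in-libvbr.patch"
+ "${FILESDIR}/${P}-fix-libmilter-search.patch"
+)
+
+pkg_setup() {
+ use lua && lua-single_pkg_setup
+}
+
+src_prepare() {
+ default
+ sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
+ -i opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
+ || die
+ sed -e 's:dist_doc_DATA:dist_html_DATA:' \
+ -i libopendkim/docs/Makefile.am \
+ || die
+
+ # The existing hard-coded path under /tmp is vulnerable to exploits
+ # since (for example) a user can create a symlink there to a file
+ # that portage will clobber. Reported upstream at,
+ #
+ # https://github.com/trusteddomainproject/OpenDKIM/issues/113
+ #
+ sed -e "s:/tmp:${T}:" -i libopendkim/tests/t-testdata.h || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myconf=()
+ if use berkdb ; then
+ myconf+=( --with-db-incdir=$(db_includedir) )
+ fi
+ if use unbound; then
+ myconf+=( --with-unbound )
+ else
+ myconf+=( --with-ldns )
+ fi
+ if use ldap; then
+ myconf+=( $(use_with sasl) )
+ fi
+
+ # We install the our configuration filed under e.g. /etc/opendkim,
+ # so the next line is necessary to point the daemon and all of its
+ # documentation to the right location by default.
+ myconf+=( --sysconfdir="${EPREFIX}/etc/${PN}" )
+
+ econf \
+ $(use_with berkdb db) \
+ $(use_with opendbx odbx) \
+ $(use_with lua) \
+ $(use_enable lua rbl) \
+ $(use_with ldap openldap) \
+ $(use_with lmdb) \
+ $(use_enable poll) \
+ $(use_enable querycache query_cache) \
+ $(use_enable static-libs static) \
+ $(use_enable stats) \
+ $(use_with memcached libmemcached) \
+ "${myconf[@]}" \
+ --enable-filter \
+ --with-milter \
+ --enable-atps \
+ --enable-identity_header \
+ --enable-rate_limit \
+ --enable-resign \
+ --enable-replace_rules \
+ --enable-default_sender \
+ --enable-sender_macro \
+ --enable-vbr \
+ --disable-live-testing \
+ --with-test-socket="${T}/opendkim.sock"
+}
+
+src_compile() {
+ emake runstatedir=/run
+}
+
+src_test() {
+ # Needed for now due to the expected sequencing of the setup/cleanup
+ # tests, https://github.com/trusteddomainproject/OpenDKIM/issues/110
+ emake -j1 check
+}
+
+src_install() {
+ default
+ find "${D}" -name '*.la' -type f -delete || die
+
+ dosbin stats/opendkim-reportstats
+
+ newinitd "${S}/contrib/OpenRC/opendkim.openrc" "${PN}"
+ newtmpfiles "${S}/contrib/systemd/opendkim.tmpfiles" "${PN}.conf"
+ systemd_newunit "contrib/systemd/opendkim.service" "${PN}.service"
+
+ dodir /etc/opendkim
+ keepdir /var/lib/opendkim
+
+ # The OpenDKIM data (particularly, your keys) should be read-only to
+ # the UserID that the daemon runs as.
+ fowners root:opendkim /var/lib/opendkim
+ fperms 750 /var/lib/opendkim
+
+ # Tweak the "simple" example configuration a bit before installing
+ # it unconditionally.
+ local cf="${T}/opendkim.conf"
+ # Some MTAs are known to break DKIM signatures with "simple"
+ # canonicalization [1], so we choose the "relaxed" policy
+ # over OpenDKIM's current default settings.
+ # [1] https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
+ sed -E -e 's:^(Canonicalization)[[:space:]]+.*:\1\trelaxed/relaxed:' \
+ "${S}/opendkim/opendkim.conf.simple" >"${cf}" || die
+ cat >>"${cf}" <<EOT || die
+
+# The UMask is really only used for the PID file (root:root) and the
+# local UNIX socket, if you're using one. It should be 0117 for the
+# socket.
+UMask 0117
+UserID opendkim
+
+# For use with unbound
+#TrustAnchorFile /etc/dnssec/root-anchors.txt
+EOT
+ insinto /etc/opendkim
+ doins "${cf}"
+}
+
+pkg_postinst() {
+ tmpfiles_process "${PN}.conf"
+ if [[ -z ${REPLACING_VERSION} ]]; then
+ elog "If you want to sign your mail messages and need some help"
+ elog "please run:"
+ elog " emerge --config ${CATEGORY}/${PN}"
+ elog "It will help you create your key and give you hints on how"
+ elog "to configure your DNS and MTA."
+
+ elog "If you are using a local (UNIX) socket, then you will"
+ elog "need to make sure that your MTA has read/write access"
+ elog "to the socket file. This is best accomplished by creating"
+ elog "a completely-new group with only your MTA user and the"
+ elog "\"opendkim\" user in it. Step-by-step instructions can be"
+ elog "found on our Wiki, at https://wiki.gentoo.org/wiki/OpenDKIM ."
+ else
+ ewarn "The user account for the OpenDKIM daemon has changed"
+ ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
+ ewarn "from being able to read your private keys. You should"
+ ewarn "adjust your existing configuration to use the \"opendkim\""
+ ewarn "user and group, and change the permissions on"
+ ewarn "${ROOT}/var/lib/opendkim to root:opendkim with mode 0750."
+ ewarn "The owner and group of the files within that directory"
+ ewarn "will likely need to be adjusted as well."
+ fi
+}
+
+pkg_config() {
+ local selector keysize pubkey
+
+ read -p "Enter the selector name (default ${HOSTNAME}): " selector
+ [[ -n "${selector}" ]] || selector="${HOSTNAME}"
+ if [[ -z "${selector}" ]]; then
+ eerror "Oddly enough, you don't have a HOSTNAME."
+ return 1
+ fi
+ if [[ -f "${ROOT}/var/lib/opendkim/${selector}.private" ]]; then
+ ewarn "The private key for this selector already exists."
+ else
+ keysize=1024
+ # Generate the private and public keys. Note that opendkim-genkeys
+ # sets umask=077 on its own to keep these safe. However, we want
+ # them to be readable (only!) to the opendkim user, and we manage
+ # that by changing their groups and making everything group-readable.
+ opendkim-genkey -b ${keysize} -D "${ROOT}/var/lib/opendkim/" \
+ -s "${selector}" -d '(your domain)' && \
+ chgrp --no-dereference opendkim \
+ "${ROOT}/var/lib/opendkim/${selector}".{private,txt} || \
+ { eerror "Failed to create private and public keys."; return 1; }
+ chmod g+r "${ROOT}/var/lib/opendkim/${selector}".{private,txt}
+ fi
+
+ # opendkim selector configuration
+ echo
+ einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
+ einfo " Keyfile /var/lib/opendkim/${selector}.private"
+ einfo " Selector ${selector}"
+
+ # MTA configuration
+ echo
+ einfo "If you are using Postfix, add following lines to your main.cf:"
+ einfo " smtpd_milters = unix:/run/opendkim/opendkim.sock"
+ einfo " non_smtpd_milters = unix:/run/opendkim/opendkim.sock"
+ einfo " and read http://www.postfix.org/MILTER_README.html"
+
+ # DNS configuration
+ einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
+ cat "${ROOT}/var/lib/opendkim/${selector}.txt"
+ einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
+ einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
+}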
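Review bot: `keysize=1024` in pkg_config makes `emerge --config` generate a 1024-bit RSA signing key, which is only the minimum RFC 8301 permits; that RFC recommends that signers use at least 2048 bits. This key is what stops others forging signed mail for the domain, so I would change the line to `keysize=2048` (the value looks carried over from earlier revisions, which this page does not show). A 2048-bit public key does not fit in a single 255-byte DNS string, so the closing einfo text could add that the record in `${selector}.txt` may have to be entered as several quoted strings. Separately, the final `chmod g+r` has no `|| { eerror ...; return 1; }` guard like the chgrp before it, so a failure there is silent and leaves key files the opendkim user cannot read.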