commit: 95a67b7125a6fd3b8ef970d7c6f66b9bec91cfcc |
Author: Ralph Seichter <github <AT> seichter <DOT> de> |
AuthorDate: Fri Mar 29 18:45:11 2019 +0000 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 31 19:02:48 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a67b71 |
|
mail-filter/opendkim: Added pre-start configuration checks |
|
Added pre-start configuration checks for OpenRC and systemd. |
|
Signed-off-by: Ralph Seichter <gentoo <AT> seichter.de> |
Closes: https://bugs.gentoo.org/622604 |
Package-Manager: Portage-2.3.62, Repoman-2.3.11 |
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> |
|
mail-filter/opendkim/files/opendkim.init.r6 | 77 +++++++++ |
mail-filter/opendkim/files/opendkim.service.r4 | 16 ++ |
mail-filter/opendkim/opendkim-2.10.3-r9.ebuild | 223 +++++++++++++++++++++++++ |
3 files changed, 316 insertions(+) |
|
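diff --git a/mail-filter/opendkim/files/opendkim.init.r6 b/mail-filter/opendkim/files/opendkim.init.r6
new file mode 100644
index 00000000000..95aa971fd88
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim.init.r6
@@ -0,0 +1,77 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+CONFFILE="/etc/opendkim/${RC_SVCNAME}.conf"
+required_files="${CONFFILE}"
+
+command="/usr/sbin/opendkim"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_args="-P ${pidfile} -x ${CONFFILE} -p ${OPENDKIM_SOCKET}"
+
+depend() {
+ use dns logger net
+ before mta
+}
+
+check_cfg() {
+ #
+ # The opendkim.conf man page says,
+ #
+ # For parameters that are Boolean in nature, only the first byte
+ # of the value is processed... For negative values, the following
+ # are accepted: "F", "f", "N", "n", "0".'
+ #
+ if grep --quiet '^[[:space:]]*Background[[:space:]]\+[FfNn0]' \
+ "${CONFFILE}"; then
+ eerror "${RC_SVCNAME} cannot run in the foreground!"
+ return 1
+ fi
+ if ! ${command} -n ${command_args}; then
+ eerror "Configuration check failed"
+ return 1
+ fi
+}
+
+start_pre() {
+ # If this isn't a restart, make sure that the user's config isn't
+ # busted before we try to start the daemon (this will produce
+ # better error messages than if we just try to start it blindly).
+ #
+ # If, on the other hand, this *is* a restart, then the stop_pre
+ # action will have ensured that the config is usable and we don't
+ # need to do that again.
+ if [ "${RC_CMD}" != "restart" ]; then
+ check_cfg || return $?
+ fi
+
+ if [ -S "${OPENDKIM_SOCKET}" ] && ! fuser -s "${OPENDKIM_SOCKET}"; then
+ # Remove stalled Unix socket if no other process is
+ # using it
+ if ! rm "${UNIX_SOCKET}"; then
+ eerror "failed to remove stale unix socket ${OPENDKIM_SOCKET}"
+ return 2
+ fi
+ fi
+
+ # This relies on the "local:" prefix being there, but the conf.d
+ # file explicitly states that it's not optional (contrary to what
+ # the opendkim(8) man page says).
+ if [ "${OPENDKIM_SOCKET#local:}" != "${OPENDKIM_SOCKET}" ]; then
+ # The socket begins with "local:"
+ OPENDKIM_SOCKET_PATH="${OPENDKIM_SOCKET#local:}"
+ OPENDKIM_SOCKET_DIR="${OPENDKIM_SOCKET_PATH%/*}"
+
+ # This is dangerous, but there's a big warning about it
+ # in the conf.d file.
+ checkpath --directory --owner opendkim "${OPENDKIM_SOCKET_DIR}"
+ fi
+}
+
+stop_pre() {
+ # If this is a restart, check to make sure the user's config
+ # isn't busted before we stop the running daemon.
+ if [ "${RC_CMD}" = "restart" ]; then
+ check_cfg || return $?
+ fi
+}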
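Review bot: The stale-socket cleanup in start_pre can never do its job: the `-S` test is applied to `${OPENDKIM_SOCKET}`, which per the comment a few lines below still carries the `local:` prefix and so is never a socket path, and the `rm` inside it references `${UNIX_SOCKET}`, a variable defined nowhere in this script, so if the branch were ever entered it would run `rm ""` and return 2. Moving the cleanup into the `local:` branch after `OPENDKIM_SOCKET_PATH` is computed and using that variable throughout fixes both. The `checkpath --directory --owner opendkim` call could then also remain last, so the directory is only created after the stale socket has been dealt with.
```shell
 if [ "${OPENDKIM_SOCKET#local:}" != "${OPENDKIM_SOCKET}" ]; then
 # The socket begins with "local:"
 OPENDKIM_SOCKET_PATH="${OPENDKIM_SOCKET#local:}"
 OPENDKIM_SOCKET_DIR="${OPENDKIM_SOCKET_PATH%/*}"

 # Remove a stale Unix socket only if no other process is using it.
 if [ -S "${OPENDKIM_SOCKET_PATH}" ] && ! fuser -s "${OPENDKIM_SOCKET_PATH}"; then
 if ! rm "${OPENDKIM_SOCKET_PATH}"; then
 eerror "failed to remove stale unix socket ${OPENDKIM_SOCKET_PATH}"
 return 2
 fi
 fi

 # … unchanged: checkpath of the socket directory …
 fi
```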
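diff --git a/mail-filter/opendkim/files/opendkim.service.r4 b/mail-filter/opendkim/files/opendkim.service.r4
new file mode 100644
index 00000000000..8c366007c00
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim.service.r4
@@ -0,0 +1,16 @@
+[Unit]
+Description=DomainKeys Identified Mail (DKIM) Milter
+Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
+After=network.target nss-lookup.target syslog.target
+
+[Service]
+ExecStartPre=/usr/sbin/opendkim -n -f -x /etc/opendkim/opendkim.conf -p $OPENDKIM_SOCKET
+ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf -p $OPENDKIM_SOCKET
+ExecReload=/bin/kill -USR1 $MAINPID
+RuntimeDirectory=opendkim
+RuntimeDirectoryMode=0750
+User=opendkim
+Group=opendkim
+
+[Install]
+WantedBy=multi-user.target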
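Review bot: Both ExecStartPre and ExecStart pass `$OPENDKIM_SOCKET`, but the unit itself sets it nowhere (no `Environment=` or `EnvironmentFile=`); presumably it comes from the opendkim.service.conf drop-in the ebuild installs, and if that file does not define it the pre-start check and the daemon both run with an empty `-p` argument, so the check no longer validates the socket the daemon will actually use. A comment such as `# OPENDKIM_SOCKET is provided by the opendkim.service.conf drop-in` on the line before ExecStartPre would make the dependency visible to whoever edits the unit. Since this process can read the signing keys, the [Service] section would also benefit from hardening directives such as `ProtectSystem=strict`, `ProtectHome=yes`, `PrivateTmp=yes` and `NoNewPrivileges=yes`, verified against the socket and key paths before shipping. `syslog.target` in After= is obsolete and can be dropped.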
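diff --git a/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild
new file mode 100644
index 00000000000..841184ed46b
--- /dev/null
+++ b/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild
@@ -0,0 +1,223 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools db-use eutils systemd user
+
+DESCRIPTION="A milter providing DKIM signing and verification"
+HOMEPAGE="http://opendkim.org/"
+SRC_URI="mirror://sourceforge/opendkim/${P}.tar.gz"
+
+# The GPL-2 is for the init script, bug 425960.
+LICENSE="BSD GPL-2 Sendmail-Open-Source"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+berkdb gnutls ldap libressl lmdb lua memcached opendbx poll sasl selinux +ssl static-libs unbound"
+
+DEPEND="|| ( mail-filter/libmilter mail-mta/sendmail )
+ dev-libs/libbsd
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ berkdb? ( >=sys-libs/db-3.2:* )
+ opendbx? ( >=dev-db/opendbx-1.4.0 )
+ lua? ( dev-lang/lua:* )
+ ldap? ( net-nds/openldap )
+ lmdb? ( dev-db/lmdb )
+ memcached? ( dev-libs/libmemcached )
+ sasl? ( dev-libs/cyrus-sasl )
+ unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )
+ !unbound? ( net-libs/ldns )
+ gnutls? ( >=net-libs/gnutls-3.3 )"
+
+RDEPEND="${DEPEND}
+ sys-process/psmisc
+ selinux? ( sec-policy/selinux-dkim )
+"
+
+REQUIRED_USE="sasl? ( ldap )"
+
+PATCHES=(
+ "${FILESDIR}/${P}-gnutls-3.4.patch"
+ "${FILESDIR}/${P}-openssl-1.1.1.patch"
+)
+
+pkg_setup() {
+ # This user can read your private keys, and must therefore not be
+ # shared with any other package.
+ enewuser opendkim
+}
+
+src_prepare() {
+ default
+
+ # We delete the "Socket" setting because it's overridden by our
+ # conf.d file.
+ sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
+ -e '/^[[:space:]]*Socket/d' \
+ -i opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
+ stats/opendkim-reportstats{,.in} || die
+
+ sed -i -e 's:dist_doc_DATA:dist_html_DATA:' libopendkim/docs/Makefile.am \
+ || die
+
+ # TODO: what purpose does this serve, do the tests even get run?
+ sed -e "/sock.*mt.getcwd/s:mt.getcwd():${T}:" \
+ -i opendkim/tests/*.lua || die
+
+ eautoreconf
+}
+
+src_configure() {
+ local myconf=()
+ if use berkdb ; then
+ myconf+=(
+ $(db_includedir)
+ --with-db-incdir=${myconf#-I}
+ --enable-popauth
+ --enable-query_cache
+ --enable-stats
+ )
+ fi
+ if use unbound; then
+ myconf+=( --with-unbound )
+ else
+ myconf+=( --with-ldns )
+ fi
+ if use ldap; then
+ myconf+=( $(use_with sasl) )
+ fi
+ econf \
+ $(use_with berkdb db) \
+ $(use_with opendbx odbx) \
+ $(use_with lua) \
+ $(use_enable lua rbl) \
+ $(use_with ldap openldap) \
+ $(use_with lmdb) \
+ $(use_enable poll) \
+ $(use_enable static-libs static) \
+ $(use_with gnutls) \
+ $(use_with memcached libmemcached) \
+ "${myconf[@]}" \
+ --enable-filter \
+ --enable-atps \
+ --enable-identity_header \
+ --enable-rate_limit \
+ --enable-resign \
+ --enable-replace_rules \
+ --enable-default_sender \
+ --enable-sender_macro \
+ --enable-vbr \
+ --disable-live-testing
+}
+
+src_install() {
+ default
+ prune_libtool_files
+
+ dosbin stats/opendkim-reportstats
+
+ newinitd "${FILESDIR}/opendkim.init.r6" opendkim
+ newconfd "${FILESDIR}/opendkim.confd" opendkim
+ systemd_newunit "${FILESDIR}/opendkim.service.r4" opendkim.service
+ systemd_install_serviced "${FILESDIR}/${PN}.service.conf" "${PN}.service"
+
+ dodir /etc/opendkim
+ keepdir /var/lib/opendkim
+
+ # The OpenDKIM data (particularly, your keys) should be read-only to
+ # the UserID that the daemon runs as.
+ fowners root:opendkim /var/lib/opendkim
+ fperms 750 /var/lib/opendkim
+
+ # Strip the comments out of the "simple" example configuration...
+ grep ^[^#] "${S}"/opendkim/opendkim.conf.simple \
+ > "${T}/opendkim.conf" || die
+
+ # and tweak it a bit before installing it unconditionally.
+ echo "# For use with unbound" >> "${T}/opendkim.conf" || die
+ echo "#TrustAnchorFile /etc/dnssec/root-anchors.txt" \
+ >> "${T}/opendkim.conf" || die
+ echo UserID opendkim >> "${T}/opendkim.conf" || die
+ insinto /etc/opendkim
+ doins "${T}/opendkim.conf"
+}
+
+pkg_postinst() {
+ if [[ -z ${REPLACING_VERSION} ]]; then
+ elog "If you want to sign your mail messages and need some help"
+ elog "please run:"
+ elog " emerge --config ${CATEGORY}/${PN}"
+ elog "It will help you create your key and give you hints on how"
+ elog "to configure your DNS and MTA."
+
+ # TODO: This is tricky, we really need a good wiki page showing
+ # how to share a local socket with an MTA!
+ elog "If you are using a local (UNIX) socket, then you will"
+ elog "need to make sure that your MTA has read/write access"
+ elog "to the socket file. This is best accomplished by creating"
+ elog "a completely-new group with only your MTA user and the "
+ elog "\"opendkim\" user in it. You would then set \"UMask 0112\""
+ elog "in your opendkim.conf, and switch the primary group of your"
+ elog "\"opendkim\" user to the group that you just created. The"
+ elog "last step is necessary for the socket to be created as the"
+ elog "new group (and not as group \"opendkim\")".
+ else
+ ewarn "The user account for the OpenDKIM daemon has changed"
+ ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
+ ewarn "from being able to read your private keys. You should"
+ ewarn "adjust your existing configuration to use the \"opendkim\""
+ ewarn "user and group, and change the permissions on"
+ ewarn "${ROOT}var/lib/opendkim to root:opendkim with mode 0750."
+ ewarn "The owner and group of the files within that directory"
+ ewarn "will likely need to be adjusted as well."
+ fi
+}
+
+pkg_config() {
+ local selector keysize pubkey
+
+ read -p "Enter the selector name (default ${HOSTNAME}): " selector
+ [[ -n "${selector}" ]] || selector="${HOSTNAME}"
+ if [[ -z "${selector}" ]]; then
+ eerror "Oddly enough, you don't have a HOSTNAME."
+ return 1
+ fi
+ if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]; then
+ ewarn "The private key for this selector already exists."
+ else
+ keysize=1024
+ # Generate the private and public keys. Note that opendkim-genkeys
+ # sets umask=077 on its own to keep these safe. However, we want
+ # them to be readable (only!) to the opendkim user, and we manage
+ # that by changing their groups and making everything group-readable.
+ opendkim-genkey -b ${keysize} -D "${ROOT}"var/lib/opendkim/ \
+ -s "${selector}" -d '(your domain)' && \
+ chgrp --no-dereference opendkim \
+ "${ROOT}var/lib/opendkim/${selector}".{private,txt} || \
+ { eerror "Failed to create private and public keys." ;
+ return 1; }
+ chmod g+r "${ROOT}var/lib/opendkim/${selector}".{private,txt}
+ fi
+
+ # opendkim selector configuration
+ echo
+ einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
+ einfo " Keyfile /var/lib/opendkim/${selector}.private"
+ einfo " Selector ${selector}"
+
+ # MTA configuration
+ echo
+ einfo "If you are using Postfix, add following lines to your main.cf:"
+ einfo " smtpd_milters = unix:/run/opendkim/opendkim.sock"
+ einfo " non_smtpd_milters = unix:/run/opendkim/opendkim.sock"
+ einfo " and read http://www.postfix.org/MILTER_README.html"
+
+ # DNS configuration
+ einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
+ cat "${ROOT}var/lib/opendkim/${selector}.txt"
+ einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
+ einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
+}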
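Review bot: pkg_postinst tests `${REPLACING_VERSION}`, but the variable the package manager exports is `REPLACING_VERSIONS` (plural), so the condition is always true and the ewarn about the "milter" to "opendkim" user change, the branch existing installs need to see, is never shown; change it to `if [[ -z ${REPLACING_VERSIONS} ]]; then`. In pkg_config the `keysize=1024` default is below the 2048 bits RFC 8301 recommends for new DKIM signing keys, so `keysize=2048` is the safer default. The selector read from the prompt is used unvalidated as a path component under `${ROOT}var/lib/opendkim`, so a guard after the HOSTNAME fallback such as `[[ ${selector} =~ ^[[:alnum:]._-]+$ ]] || { eerror "Invalid selector: ${selector}"; return 1; }` keeps opendkim-genkey, chgrp and chmod inside that directory. The `.` after the closing quote on the last elog of the new-install branch is a stray character that belongs inside the string.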