Gentoo Archives: gentoo-commits

From: Michael Orlitzky <mjo@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-filter/opendkim/, mail-filter/opendkim/files/
Date: Sun, 31 Mar 2019 19:03:47
Message-Id: 1554058968.95a67b7125a6fd3b8ef970d7c6f66b9bec91cfcc.mjo@gentoo
1 commit: 95a67b7125a6fd3b8ef970d7c6f66b9bec91cfcc
2 Author: Ralph Seichter <github <AT> seichter <DOT> de>
3 AuthorDate: Fri Mar 29 18:45:11 2019 +0000
4 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
5 CommitDate: Sun Mar 31 19:02:48 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95a67b71
7
8 mail-filter/opendkim: Added pre-start configuration checks
9
10 Added pre-start configuration checks for OpenRC and systemd.
11
12 Signed-off-by: Ralph Seichter <gentoo <AT> seichter.de>
13 Closes: https://bugs.gentoo.org/622604
14 Package-Manager: Portage-2.3.62, Repoman-2.3.11
15 Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
16
17 mail-filter/opendkim/files/opendkim.init.r6 | 77 +++++++++
18 mail-filter/opendkim/files/opendkim.service.r4 | 16 ++
19 mail-filter/opendkim/opendkim-2.10.3-r9.ebuild | 223 +++++++++++++++++++++++++
20 3 files changed, 316 insertions(+)
21
22 diff --git a/mail-filter/opendkim/files/opendkim.init.r6 b/mail-filter/opendkim/files/opendkim.init.r6
23 new file mode 100644
24 index 00000000000..95aa971fd88
25 --- /dev/null
26 +++ b/mail-filter/opendkim/files/opendkim.init.r6
27 @@ -0,0 +1,77 @@
28 +#!/sbin/openrc-run
29 +# Copyright 1999-2019 Gentoo Authors
30 +# Distributed under the terms of the GNU General Public License v2
31 +
32 +CONFFILE="/etc/opendkim/${RC_SVCNAME}.conf"
33 +required_files="${CONFFILE}"
34 +
35 +command="/usr/sbin/opendkim"
36 +pidfile="/run/${RC_SVCNAME}.pid"
37 +command_args="-P ${pidfile} -x ${CONFFILE} -p ${OPENDKIM_SOCKET}"
38 +
39 +depend() {
40 + use dns logger net
41 + before mta
42 +}
43 +
44 +check_cfg() {
45 + #
46 + # The opendkim.conf man page says,
47 + #
48 + # For parameters that are Boolean in nature, only the first byte
49 + # of the value is processed... For negative values, the following
50 + # are accepted: "F", "f", "N", "n", "0".'
51 + #
52 + if grep --quiet '^[[:space:]]*Background[[:space:]]\+[FfNn0]' \
53 + "${CONFFILE}"; then
54 + eerror "${RC_SVCNAME} cannot run in the foreground!"
55 + return 1
56 + fi
57 + if ! ${command} -n ${command_args}; then
58 + eerror "Configuration check failed"
59 + return 1
60 + fi
61 +}
62 +
63 +start_pre() {
64 + # If this isn't a restart, make sure that the user's config isn't
65 + # busted before we try to start the daemon (this will produce
66 + # better error messages than if we just try to start it blindly).
67 + #
68 + # If, on the other hand, this *is* a restart, then the stop_pre
69 + # action will have ensured that the config is usable and we don't
70 + # need to do that again.
71 + if [ "${RC_CMD}" != "restart" ]; then
72 + check_cfg || return $?
73 + fi
74 +
75 + if [ -S "${OPENDKIM_SOCKET}" ] && ! fuser -s "${OPENDKIM_SOCKET}"; then
76 + # Remove stalled Unix socket if no other process is
77 + # using it
78 + if ! rm "${UNIX_SOCKET}"; then
79 + eerror "failed to remove stale unix socket ${OPENDKIM_SOCKET}"
80 + return 2
81 + fi
82 + fi
83 +
84 + # This relies on the "local:" prefix being there, but the conf.d
85 + # file explicitly states that it's not optional (contrary to what
86 + # the opendkim(8) man page says).
87 + if [ "${OPENDKIM_SOCKET#local:}" != "${OPENDKIM_SOCKET}" ]; then
88 + # The socket begins with "local:"
89 + OPENDKIM_SOCKET_PATH="${OPENDKIM_SOCKET#local:}"
90 + OPENDKIM_SOCKET_DIR="${OPENDKIM_SOCKET_PATH%/*}"
91 +
92 + # This is dangerous, but there's a big warning about it
93 + # in the conf.d file.
94 + checkpath --directory --owner opendkim "${OPENDKIM_SOCKET_DIR}"
95 + fi
96 +}
97 +
98 +stop_pre() {
99 + # If this is a restart, check to make sure the user's config
100 + # isn't busted before we stop the running daemon.
101 + if [ "${RC_CMD}" = "restart" ]; then
102 + check_cfg || return $?
103 + fi
104 +}
105
106 diff --git a/mail-filter/opendkim/files/opendkim.service.r4 b/mail-filter/opendkim/files/opendkim.service.r4
107 new file mode 100644
108 index 00000000000..8c366007c00
109 --- /dev/null
110 +++ b/mail-filter/opendkim/files/opendkim.service.r4
111 @@ -0,0 +1,16 @@
112 +[Unit]
113 +Description=DomainKeys Identified Mail (DKIM) Milter
114 +Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
115 +After=network.target nss-lookup.target syslog.target
116 +
117 +[Service]
118 +ExecStartPre=/usr/sbin/opendkim -n -f -x /etc/opendkim/opendkim.conf -p $OPENDKIM_SOCKET
119 +ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf -p $OPENDKIM_SOCKET
120 +ExecReload=/bin/kill -USR1 $MAINPID
121 +RuntimeDirectory=opendkim
122 +RuntimeDirectoryMode=0750
123 +User=opendkim
124 +Group=opendkim
125 +
126 +[Install]
127 +WantedBy=multi-user.target
128
129 diff --git a/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild
130 new file mode 100644
131 index 00000000000..841184ed46b
132 --- /dev/null
133 +++ b/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild
134 @@ -0,0 +1,223 @@
135 +# Copyright 1999-2019 Gentoo Authors
136 +# Distributed under the terms of the GNU General Public License v2
137 +
138 +EAPI=6
139 +
140 +inherit autotools db-use eutils systemd user
141 +
142 +DESCRIPTION="A milter providing DKIM signing and verification"
143 +HOMEPAGE="http://opendkim.org/"
144 +SRC_URI="mirror://sourceforge/opendkim/${P}.tar.gz"
145 +
146 +# The GPL-2 is for the init script, bug 425960.
147 +LICENSE="BSD GPL-2 Sendmail-Open-Source"
148 +SLOT="0"
149 +KEYWORDS="~amd64 ~arm ~x86"
150 +IUSE="+berkdb gnutls ldap libressl lmdb lua memcached opendbx poll sasl selinux +ssl static-libs unbound"
151 +
152 +DEPEND="|| ( mail-filter/libmilter mail-mta/sendmail )
153 + dev-libs/libbsd
154 + ssl? (
155 + !libressl? ( dev-libs/openssl:0= )
156 + libressl? ( dev-libs/libressl:0= )
157 + )
158 + berkdb? ( >=sys-libs/db-3.2:* )
159 + opendbx? ( >=dev-db/opendbx-1.4.0 )
160 + lua? ( dev-lang/lua:* )
161 + ldap? ( net-nds/openldap )
162 + lmdb? ( dev-db/lmdb )
163 + memcached? ( dev-libs/libmemcached )
164 + sasl? ( dev-libs/cyrus-sasl )
165 + unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )
166 + !unbound? ( net-libs/ldns )
167 + gnutls? ( >=net-libs/gnutls-3.3 )"
168 +
169 +RDEPEND="${DEPEND}
170 + sys-process/psmisc
171 + selinux? ( sec-policy/selinux-dkim )
172 +"
173 +
174 +REQUIRED_USE="sasl? ( ldap )"
175 +
176 +PATCHES=(
177 + "${FILESDIR}/${P}-gnutls-3.4.patch"
178 + "${FILESDIR}/${P}-openssl-1.1.1.patch"
179 +)
180 +
181 +pkg_setup() {
182 + # This user can read your private keys, and must therefore not be
183 + # shared with any other package.
184 + enewuser opendkim
185 +}
186 +
187 +src_prepare() {
188 + default
189 +
190 + # We delete the "Socket" setting because it's overridden by our
191 + # conf.d file.
192 + sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
193 + -e '/^[[:space:]]*Socket/d' \
194 + -i opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
195 + stats/opendkim-reportstats{,.in} || die
196 +
197 + sed -i -e 's:dist_doc_DATA:dist_html_DATA:' libopendkim/docs/Makefile.am \
198 + || die
199 +
200 + # TODO: what purpose does this serve, do the tests even get run?
201 + sed -e "/sock.*mt.getcwd/s:mt.getcwd():${T}:" \
202 + -i opendkim/tests/*.lua || die
203 +
204 + eautoreconf
205 +}
206 +
207 +src_configure() {
208 + local myconf=()
209 + if use berkdb ; then
210 + myconf+=(
211 + $(db_includedir)
212 + --with-db-incdir=${myconf#-I}
213 + --enable-popauth
214 + --enable-query_cache
215 + --enable-stats
216 + )
217 + fi
218 + if use unbound; then
219 + myconf+=( --with-unbound )
220 + else
221 + myconf+=( --with-ldns )
222 + fi
223 + if use ldap; then
224 + myconf+=( $(use_with sasl) )
225 + fi
226 + econf \
227 + $(use_with berkdb db) \
228 + $(use_with opendbx odbx) \
229 + $(use_with lua) \
230 + $(use_enable lua rbl) \
231 + $(use_with ldap openldap) \
232 + $(use_with lmdb) \
233 + $(use_enable poll) \
234 + $(use_enable static-libs static) \
235 + $(use_with gnutls) \
236 + $(use_with memcached libmemcached) \
237 + "${myconf[@]}" \
238 + --enable-filter \
239 + --enable-atps \
240 + --enable-identity_header \
241 + --enable-rate_limit \
242 + --enable-resign \
243 + --enable-replace_rules \
244 + --enable-default_sender \
245 + --enable-sender_macro \
246 + --enable-vbr \
247 + --disable-live-testing
248 +}
249 +
250 +src_install() {
251 + default
252 + prune_libtool_files
253 +
254 + dosbin stats/opendkim-reportstats
255 +
256 + newinitd "${FILESDIR}/opendkim.init.r6" opendkim
257 + newconfd "${FILESDIR}/opendkim.confd" opendkim
258 + systemd_newunit "${FILESDIR}/opendkim.service.r4" opendkim.service
259 + systemd_install_serviced "${FILESDIR}/${PN}.service.conf" "${PN}.service"
260 +
261 + dodir /etc/opendkim
262 + keepdir /var/lib/opendkim
263 +
264 + # The OpenDKIM data (particularly, your keys) should be read-only to
265 + # the UserID that the daemon runs as.
266 + fowners root:opendkim /var/lib/opendkim
267 + fperms 750 /var/lib/opendkim
268 +
269 + # Strip the comments out of the "simple" example configuration...
270 + grep ^[^#] "${S}"/opendkim/opendkim.conf.simple \
271 + > "${T}/opendkim.conf" || die
272 +
273 + # and tweak it a bit before installing it unconditionally.
274 + echo "# For use with unbound" >> "${T}/opendkim.conf" || die
275 + echo "#TrustAnchorFile /etc/dnssec/root-anchors.txt" \
276 + >> "${T}/opendkim.conf" || die
277 + echo UserID opendkim >> "${T}/opendkim.conf" || die
278 + insinto /etc/opendkim
279 + doins "${T}/opendkim.conf"
280 +}
281 +
282 +pkg_postinst() {
283 + if [[ -z ${REPLACING_VERSION} ]]; then
284 + elog "If you want to sign your mail messages and need some help"
285 + elog "please run:"
286 + elog " emerge --config ${CATEGORY}/${PN}"
287 + elog "It will help you create your key and give you hints on how"
288 + elog "to configure your DNS and MTA."
289 +
290 + # TODO: This is tricky, we really need a good wiki page showing
291 + # how to share a local socket with an MTA!
292 + elog "If you are using a local (UNIX) socket, then you will"
293 + elog "need to make sure that your MTA has read/write access"
294 + elog "to the socket file. This is best accomplished by creating"
295 + elog "a completely-new group with only your MTA user and the "
296 + elog "\"opendkim\" user in it. You would then set \"UMask 0112\""
297 + elog "in your opendkim.conf, and switch the primary group of your"
298 + elog "\"opendkim\" user to the group that you just created. The"
299 + elog "last step is necessary for the socket to be created as the"
300 + elog "new group (and not as group \"opendkim\")".
301 + else
302 + ewarn "The user account for the OpenDKIM daemon has changed"
303 + ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
304 + ewarn "from being able to read your private keys. You should"
305 + ewarn "adjust your existing configuration to use the \"opendkim\""
306 + ewarn "user and group, and change the permissions on"
307 + ewarn "${ROOT}var/lib/opendkim to root:opendkim with mode 0750."
308 + ewarn "The owner and group of the files within that directory"
309 + ewarn "will likely need to be adjusted as well."
310 + fi
311 +}
312 +
313 +pkg_config() {
314 + local selector keysize pubkey
315 +
316 + read -p "Enter the selector name (default ${HOSTNAME}): " selector
317 + [[ -n "${selector}" ]] || selector="${HOSTNAME}"
318 + if [[ -z "${selector}" ]]; then
319 + eerror "Oddly enough, you don't have a HOSTNAME."
320 + return 1
321 + fi
322 + if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]; then
323 + ewarn "The private key for this selector already exists."
324 + else
325 + keysize=1024
326 + # Generate the private and public keys. Note that opendkim-genkeys
327 + # sets umask=077 on its own to keep these safe. However, we want
328 + # them to be readable (only!) to the opendkim user, and we manage
329 + # that by changing their groups and making everything group-readable.
330 + opendkim-genkey -b ${keysize} -D "${ROOT}"var/lib/opendkim/ \
331 + -s "${selector}" -d '(your domain)' && \
332 + chgrp --no-dereference opendkim \
333 + "${ROOT}var/lib/opendkim/${selector}".{private,txt} || \
334 + { eerror "Failed to create private and public keys." ;
335 + return 1; }
336 + chmod g+r "${ROOT}var/lib/opendkim/${selector}".{private,txt}
337 + fi
338 +
339 + # opendkim selector configuration
340 + echo
341 + einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
342 + einfo " Keyfile /var/lib/opendkim/${selector}.private"
343 + einfo " Selector ${selector}"
344 +
345 + # MTA configuration
346 + echo
347 + einfo "If you are using Postfix, add following lines to your main.cf:"
348 + einfo " smtpd_milters = unix:/run/opendkim/opendkim.sock"
349 + einfo " non_smtpd_milters = unix:/run/opendkim/opendkim.sock"
350 + einfo " and read http://www.postfix.org/MILTER_README.html"
351 +
352 + # DNS configuration
353 + einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
354 + cat "${ROOT}var/lib/opendkim/${selector}.txt"
355 + einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
356 + einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
357 +}