1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
LUA_COMPAT=( lua5-1 lua5-2 )
inherit autotools db-use systemd tmpfiles lua-single
DESCRIPTION="A milter providing DKIM signing and verification"
HOMEPAGE="http://opendkim.org/"
SRC_URI="https://downloads.sourceforge.net/project/opendkim/${P}.tar.gz"
# The GPL-2 is for the init script, bug 425960.
LICENSE="BSD GPL-2 Sendmail-Open-Source"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
IUSE="berkdb ldap lmdb lua memcached opendbx poll sasl selinux +ssl static-libs stats querycache test unbound"
BDEPEND="acct-user/opendkim
test? ( ${LUA_DEPS} )"
COMMON_DEPEND="mail-filter/libmilter:=
dev-libs/libbsd
sys-apps/grep
ssl? (
dev-libs/openssl:0=
)
berkdb? ( >=sys-libs/db-3.2:* )
opendbx? ( >=dev-db/opendbx-1.4.0 )
lua? ( ${LUA_DEPS} )
ldap? ( net-nds/openldap:= )
lmdb? ( dev-db/lmdb:= )
memcached? ( dev-libs/libmemcached )
sasl? ( dev-libs/cyrus-sasl )
unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}
acct-user/opendkim
sys-process/psmisc
selinux? ( sec-policy/selinux-dkim )"
REQUIRED_USE="sasl? ( ldap )
stats? ( opendbx )
querycache? ( berkdb )
lua? ( ${LUA_REQUIRED_USE} )
test? ( ${LUA_REQUIRED_USE} )"
RESTRICT="!test? ( test )"
PATCHES=(
"${FILESDIR}/${P}-openrc.patch"
"${FILESDIR}/${P}-openssl-1.1.1.patch.r2"
"${FILESDIR}/${P}-lua-pkgconfig.patch"
"${FILESDIR}/${P}-lua-pkgconfig-pt2.patch"
"${FILESDIR}/${P}-define-P-macro-in-libvbr.patch"
"${FILESDIR}/${P}-fix-libmilter-search.patch"
"${FILESDIR}/${P}-snprintf-include.patch"
"${FILESDIR}/${P}-c-std.patch"
)
pkg_setup() {
use lua && lua-single_pkg_setup
}
src_prepare() {
default
sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
-i opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
|| die
sed -e 's:dist_doc_DATA:dist_html_DATA:' \
-i libopendkim/docs/Makefile.am \
|| die
# The existing hard-coded path under /tmp is vulnerable to exploits
# since (for example) a user can create a symlink there to a file
# that portage will clobber. Reported upstream at,
#
# https://github.com/trusteddomainproject/OpenDKIM/issues/113
#
sed -e "s:/tmp:${T}:" -i libopendkim/tests/t-testdata.h || die
eautoreconf
}
src_configure() {
local myconf=()
if use berkdb ; then
myconf+=( --with-db-incdir=$(db_includedir) )
fi
if use ldap; then
myconf+=( $(use_with sasl) )
fi
# We install the our configuration filed under e.g. /etc/opendkim,
# so the next line is necessary to point the daemon and all of its
# documentation to the right location by default.
myconf+=( --sysconfdir="${EPREFIX}/etc/${PN}" )
econf \
$(use_with berkdb db) \
$(use_with opendbx odbx) \
$(use_with lua) \
$(use_enable lua rbl) \
$(use_with ldap openldap) \
$(use_with lmdb) \
$(use_enable poll) \
$(use_enable querycache query_cache) \
$(use_enable static-libs static) \
$(use_enable stats) \
$(use_with memcached libmemcached) \
$(use_with unbound) \
"${myconf[@]}" \
--enable-filter \
--with-milter \
--enable-atps \
--enable-identity_header \
--enable-rate_limit \
--enable-resign \
--enable-replace_rules \
--enable-default_sender \
--enable-sender_macro \
--enable-vbr \
--disable-live-testing \
--with-test-socket="${T}/opendkim.sock"
}
src_compile() {
emake runstatedir=/run
}
src_test() {
# Needed for now due to the expected sequencing of the setup/cleanup
# tests, https://github.com/trusteddomainproject/OpenDKIM/issues/110
emake -j1 check
}
src_install() {
default
find "${D}" -name '*.la' -type f -delete || die
dosbin stats/opendkim-reportstats
newinitd "${S}/contrib/OpenRC/opendkim.openrc" "${PN}"
newtmpfiles "${S}/contrib/systemd/opendkim.tmpfiles" "${PN}.conf"
systemd_newunit "contrib/systemd/opendkim.service" "${PN}.service"
dodir /etc/opendkim
keepdir /var/lib/opendkim
# The OpenDKIM data (particularly, your keys) should be read-only to
# the UserID that the daemon runs as.
fowners root:opendkim /var/lib/opendkim
fperms 750 /var/lib/opendkim
# Tweak the "simple" example configuration a bit before installing
# it unconditionally.
local cf="${T}/opendkim.conf"
# Some MTAs are known to break DKIM signatures with "simple"
# canonicalization [1], so we choose the "relaxed" policy
# over OpenDKIM's current default settings.
# [1] https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/
sed -E -e 's:^(Canonicalization)[[:space:]]+.*:\1\trelaxed/relaxed:' \
"${S}/opendkim/opendkim.conf.simple" >"${cf}" || die
cat >>"${cf}" <<EOT || die
# The UMask is really only used for the PID file (root:root) and the
# local UNIX socket, if you're using one. It should be 0117 for the
# socket.
UMask 0117
UserID opendkim
# For use with unbound
#TrustAnchorFile /etc/dnssec/root-anchors.txt
EOT
insinto /etc/opendkim
doins "${cf}"
}
pkg_postinst() {
tmpfiles_process "${PN}.conf"
if [[ -z ${REPLACING_VERSION} ]]; then
elog "If you want to sign your mail messages and need some help"
elog "please run:"
elog " emerge --config ${CATEGORY}/${PN}"
elog "It will help you create your key and give you hints on how"
elog "to configure your DNS and MTA."
elog "If you are using a local (UNIX) socket, then you will"
elog "need to make sure that your MTA has read/write access"
elog "to the socket file. This is best accomplished by creating"
elog "a completely-new group with only your MTA user and the"
elog "\"opendkim\" user in it. Step-by-step instructions can be"
elog "found on our Wiki, at https://wiki.gentoo.org/wiki/OpenDKIM ."
else
ewarn "The user account for the OpenDKIM daemon has changed"
ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
ewarn "from being able to read your private keys. You should"
ewarn "adjust your existing configuration to use the \"opendkim\""
ewarn "user and group, and change the permissions on"
ewarn "${ROOT}/var/lib/opendkim to root:opendkim with mode 0750."
ewarn "The owner and group of the files within that directory"
ewarn "will likely need to be adjusted as well."
fi
}
pkg_config() {
local selector keysize pubkey
read -p "Enter the selector name (default ${HOSTNAME}): " selector
[[ -n "${selector}" ]] || selector="${HOSTNAME}"
if [[ -z "${selector}" ]]; then
eerror "Oddly enough, you don't have a HOSTNAME."
return 1
fi
if [[ -f "${ROOT}/var/lib/opendkim/${selector}.private" ]]; then
ewarn "The private key for this selector already exists."
else
keysize=1024
# Generate the private and public keys. Note that opendkim-genkeys
# sets umask=077 on its own to keep these safe. However, we want
# them to be readable (only!) to the opendkim user, and we manage
# that by changing their groups and making everything group-readable.
opendkim-genkey -b ${keysize} -D "${ROOT}/var/lib/opendkim/" \
-s "${selector}" -d '(your domain)' && \
chgrp --no-dereference opendkim \
"${ROOT}/var/lib/opendkim/${selector}".{private,txt} || \
{ eerror "Failed to create private and public keys."; return 1; }
chmod g+r "${ROOT}/var/lib/opendkim/${selector}".{private,txt}
fi
# opendkim selector configuration
echo
einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
einfo " Keyfile /var/lib/opendkim/${selector}.private"
einfo " Selector ${selector}"
# MTA configuration
echo
einfo "If you are using Postfix, add following lines to your main.cf:"
einfo " smtpd_milters = unix:/run/opendkim/opendkim.sock"
einfo " non_smtpd_milters = unix:/run/opendkim/opendkim.sock"
einfo " and read http://www.postfix.org/MILTER_README.html"
# DNS configuration
einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
cat "${ROOT}/var/lib/opendkim/${selector}.txt"
einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
}
|