diff options
author | Michael Orlitzky <mjo@gentoo.org> | 2022-02-23 07:31:18 -0500 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2022-02-23 07:32:04 -0500 |
commit | 77890fca37b6a6d889cd984eb029799652442574 (patch) | |
tree | c315548289e7f024e7d09ff480e86afd360ab8df /mail-filter | |
parent | sys-kernel/vanilla-sources: Linux version bumps (diff) | |
download | gentoo-77890fca37b6a6d889cd984eb029799652442574.tar.gz gentoo-77890fca37b6a6d889cd984eb029799652442574.tar.bz2 gentoo-77890fca37b6a6d889cd984eb029799652442574.zip |
mail-filter/opendkim: update sendmail/libmilter dependency.
As reported in bug 833778, it would be nice if we could bind to the
libmilter subslot with an := dependency. In the existing ebuild, that
wasn't possible because we accepted either libmilter || sendmail, and
using := within an any-of clause is disallowed.
Fortunately, the "|| sendmail" portion of that is a relic, for
versions of sendmail that don't themselves use libmilter. All versions
of mail-mta/sendmail in the tree today do, so we can drop the sendmail
portion of that any-of dependency entirely, and then afterwards add
the := to libmilter.
Closes: https://bugs.gentoo.org/833778
Reported-by: Daniel M. Weeks <dan@danweeks.net>
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Diffstat (limited to 'mail-filter')
-rw-r--r-- | mail-filter/opendkim/opendkim-2.10.3-r27.ebuild | 254 |
1 files changed, 254 insertions, 0 deletions
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild new file mode 100644 index 000000000000..129a8167f831 --- /dev/null +++ b/mail-filter/opendkim/opendkim-2.10.3-r27.ebuild @@ -0,0 +1,254 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +LUA_COMPAT=( lua5-1 lua5-2 ) + +inherit autotools db-use systemd tmpfiles lua-single + +DESCRIPTION="A milter providing DKIM signing and verification" +HOMEPAGE="http://opendkim.org/" +SRC_URI="https://downloads.sourceforge.net/project/opendkim/${P}.tar.gz" + +# The GPL-2 is for the init script, bug 425960. +LICENSE="BSD GPL-2 Sendmail-Open-Source" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~x86" +IUSE="berkdb ldap lmdb lua memcached opendbx poll sasl selinux +ssl static-libs stats querycache test unbound" + +BDEPEND="acct-user/opendkim + test? ( ${LUA_DEPS} )" + +COMMON_DEPEND="mail-filter/libmilter:= + dev-libs/libbsd + sys-apps/grep + ssl? ( + dev-libs/openssl:0= + ) + berkdb? ( >=sys-libs/db-3.2:* ) + opendbx? ( >=dev-db/opendbx-1.4.0 ) + lua? ( ${LUA_DEPS} ) + ldap? ( net-nds/openldap ) + lmdb? ( dev-db/lmdb ) + memcached? ( dev-libs/libmemcached ) + sasl? ( dev-libs/cyrus-sasl ) + unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root ) + !unbound? ( net-libs/ldns )" + +DEPEND="${COMMON_DEPEND}" + +RDEPEND="${COMMON_DEPEND} + acct-user/opendkim + sys-process/psmisc + selinux? ( sec-policy/selinux-dkim )" + +REQUIRED_USE="sasl? ( ldap ) + stats? ( opendbx ) + querycache? ( berkdb ) + lua? ( ${LUA_REQUIRED_USE} ) + test? ( ${LUA_REQUIRED_USE} )" +RESTRICT="!test? ( test )" + +PATCHES=( + "${FILESDIR}/${P}-openrc.patch" + "${FILESDIR}/${P}-openssl-1.1.1.patch.r2" + "${FILESDIR}/${P}-lua-pkgconfig.patch" + "${FILESDIR}/${P}-lua-pkgconfig-pt2.patch" + "${FILESDIR}/${P}-define-P-macro-in-libvbr.patch" + "${FILESDIR}/${P}-fix-libmilter-search.patch" +) + +pkg_setup() { + use lua && lua-single_pkg_setup +} + +src_prepare() { + default + sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \ + -i opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \ + || die + sed -e 's:dist_doc_DATA:dist_html_DATA:' \ + -i libopendkim/docs/Makefile.am \ + || die + + # The existing hard-coded path under /tmp is vulnerable to exploits + # since (for example) a user can create a symlink there to a file + # that portage will clobber. Reported upstream at, + # + # https://github.com/trusteddomainproject/OpenDKIM/issues/113 + # + sed -e "s:/tmp:${T}:" -i libopendkim/tests/t-testdata.h || die + + eautoreconf +} + +src_configure() { + local myconf=() + if use berkdb ; then + myconf+=( --with-db-incdir=$(db_includedir) ) + fi + if use unbound; then + myconf+=( --with-unbound ) + else + myconf+=( --with-ldns ) + fi + if use ldap; then + myconf+=( $(use_with sasl) ) + fi + + # We install the our configuration filed under e.g. /etc/opendkim, + # so the next line is necessary to point the daemon and all of its + # documentation to the right location by default. + myconf+=( --sysconfdir="${EPREFIX}/etc/${PN}" ) + + econf \ + $(use_with berkdb db) \ + $(use_with opendbx odbx) \ + $(use_with lua) \ + $(use_enable lua rbl) \ + $(use_with ldap openldap) \ + $(use_with lmdb) \ + $(use_enable poll) \ + $(use_enable querycache query_cache) \ + $(use_enable static-libs static) \ + $(use_enable stats) \ + $(use_with memcached libmemcached) \ + "${myconf[@]}" \ + --enable-filter \ + --with-milter \ + --enable-atps \ + --enable-identity_header \ + --enable-rate_limit \ + --enable-resign \ + --enable-replace_rules \ + --enable-default_sender \ + --enable-sender_macro \ + --enable-vbr \ + --disable-live-testing \ + --with-test-socket="${T}/opendkim.sock" +} + +src_compile() { + emake runstatedir=/run +} + +src_test() { + # Needed for now due to the expected sequencing of the setup/cleanup + # tests, https://github.com/trusteddomainproject/OpenDKIM/issues/110 + emake -j1 check +} + +src_install() { + default + find "${D}" -name '*.la' -type f -delete || die + + dosbin stats/opendkim-reportstats + + newinitd "${S}/contrib/OpenRC/opendkim.openrc" "${PN}" + newtmpfiles "${S}/contrib/systemd/opendkim.tmpfiles" "${PN}.conf" + systemd_newunit "contrib/systemd/opendkim.service" "${PN}.service" + + dodir /etc/opendkim + keepdir /var/lib/opendkim + + # The OpenDKIM data (particularly, your keys) should be read-only to + # the UserID that the daemon runs as. + fowners root:opendkim /var/lib/opendkim + fperms 750 /var/lib/opendkim + + # Tweak the "simple" example configuration a bit before installing + # it unconditionally. + local cf="${T}/opendkim.conf" + # Some MTAs are known to break DKIM signatures with "simple" + # canonicalization [1], so we choose the "relaxed" policy + # over OpenDKIM's current default settings. + # [1] https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/ + sed -E -e 's:^(Canonicalization)[[:space:]]+.*:\1\trelaxed/relaxed:' \ + "${S}/opendkim/opendkim.conf.simple" >"${cf}" || die + cat >>"${cf}" <<EOT || die + +# The UMask is really only used for the PID file (root:root) and the +# local UNIX socket, if you're using one. It should be 0117 for the +# socket. +UMask 0117 +UserID opendkim + +# For use with unbound +#TrustAnchorFile /etc/dnssec/root-anchors.txt +EOT + insinto /etc/opendkim + doins "${cf}" +} + +pkg_postinst() { + tmpfiles_process "${PN}.conf" + if [[ -z ${REPLACING_VERSION} ]]; then + elog "If you want to sign your mail messages and need some help" + elog "please run:" + elog " emerge --config ${CATEGORY}/${PN}" + elog "It will help you create your key and give you hints on how" + elog "to configure your DNS and MTA." + + elog "If you are using a local (UNIX) socket, then you will" + elog "need to make sure that your MTA has read/write access" + elog "to the socket file. This is best accomplished by creating" + elog "a completely-new group with only your MTA user and the" + elog "\"opendkim\" user in it. Step-by-step instructions can be" + elog "found on our Wiki, at https://wiki.gentoo.org/wiki/OpenDKIM ." + else + ewarn "The user account for the OpenDKIM daemon has changed" + ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services" + ewarn "from being able to read your private keys. You should" + ewarn "adjust your existing configuration to use the \"opendkim\"" + ewarn "user and group, and change the permissions on" + ewarn "${ROOT}/var/lib/opendkim to root:opendkim with mode 0750." + ewarn "The owner and group of the files within that directory" + ewarn "will likely need to be adjusted as well." + fi +} + +pkg_config() { + local selector keysize pubkey + + read -p "Enter the selector name (default ${HOSTNAME}): " selector + [[ -n "${selector}" ]] || selector="${HOSTNAME}" + if [[ -z "${selector}" ]]; then + eerror "Oddly enough, you don't have a HOSTNAME." + return 1 + fi + if [[ -f "${ROOT}/var/lib/opendkim/${selector}.private" ]]; then + ewarn "The private key for this selector already exists." + else + keysize=1024 + # Generate the private and public keys. Note that opendkim-genkeys + # sets umask=077 on its own to keep these safe. However, we want + # them to be readable (only!) to the opendkim user, and we manage + # that by changing their groups and making everything group-readable. + opendkim-genkey -b ${keysize} -D "${ROOT}/var/lib/opendkim/" \ + -s "${selector}" -d '(your domain)' && \ + chgrp --no-dereference opendkim \ + "${ROOT}/var/lib/opendkim/${selector}".{private,txt} || \ + { eerror "Failed to create private and public keys."; return 1; } + chmod g+r "${ROOT}/var/lib/opendkim/${selector}".{private,txt} + fi + + # opendkim selector configuration + echo + einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:" + einfo " Keyfile /var/lib/opendkim/${selector}.private" + einfo " Selector ${selector}" + + # MTA configuration + echo + einfo "If you are using Postfix, add following lines to your main.cf:" + einfo " smtpd_milters = unix:/run/opendkim/opendkim.sock" + einfo " non_smtpd_milters = unix:/run/opendkim/opendkim.sock" + einfo " and read http://www.postfix.org/MILTER_README.html" + + # DNS configuration + einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:" + cat "${ROOT}/var/lib/opendkim/${selector}.txt" + einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:" + einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text" +} |