#1 Rebase to 2.11.0-beta2 version
Opened 2 months ago by tkorbar. Modified 2 months ago
rpms/ tkorbar/opendkim master  into  master

file added
+6

@@ -0,0 +1,6 @@ 

+ # OPENDKIM KEY TABLE

+ # To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,

+ # then uncomment the following line and replace example.com with your domain

+ # name, then restart OpenDKIM. Additional keys may be added on separate lines.

+ 

+ #default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private

file added
+102

@@ -0,0 +1,102 @@ 

+ #####################################

+ #FEDORA-SPECIFIC README FOR OPENDKIM#

+ #####################################

+ Last updated: Apr 30, 2015 by Steve Jenkins (steve@stevejenkins.com)

+ 

+ Generating keys for OpenDKIM

+ ============================

+ After installing the opendkim package, you MUST generate a pair of keys (public and private) before

+ attempting to start the opendkim service.

+ 

+ A valid private key must exist in the location expected by /etc/opendkim.conf before the service will start.

+ 

+ A matching public key must be included in your domain's DNS records before remote systems can validate

+ your outgoing mail's DKIM signature.

+ 

+ 

+ Generating Keys Automatically

+ =============================

+ To automatically create a pair of default keys for the local domain, do:

+ 

+ % sudo /usr/sbin/opendkim-default-keygen

+ 

+ The default keygen script will attempt to fetch the local domain name, generate a private and public key for

+ the domain, then save them in /etc/opendkim/keys as default.private and default.txt with the proper

+ ownership and permissions.

+ 

+ NOTE: The default key generation script MUST be run by a privileged user (or root). Otherwise, the resulting

+ private key ownership and permissions will not be correct.

+ 

+ 

+ Generating Keys Manually

+ ========================

+ A privileged user (or root) can manually generate a set of keys by doing the following:

+ 

+ 1) Create a directory to store the new keys:

+ 

+ % sudo mkdir /etc/opendkim/keys/example.com

+ 

+ 2) Generate keys in that directory for a specific domain name and selector:

+ 

+ % sudo /usr/sbin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default

+ 

+ 3) Set the proper ownership for the directory and private key:

+ 

+ % sudo chown -R root:opendkim /etc/opendkim/keys/example.com

+ 

+ 4) Set secure permissions for the private key:

+ 

+ % sudo chmod 640 /etc/opendkim/keys/example.com/default.private

+ 

+ 5) Set standard permissions for the public key:

+ 

+ % sudo chmod 644 /etc/opendkim/keys/example.com/default.txt

+ 

+ 

+ Updating Key Location(s) in Configuration Files

+ ===============================================

+ If you run the opendkim-default-keygen script, the default keys will be saved in /etc/opendkim/keys as

+ default.private and default.txt, which is the location expected by the default /etc/opendkim.conf file.

+ 

+ If you manually generate your own keys, you must update the key location and name in /etc/opendkim.conf

+ before attempting to start the opendkim service.

+ 

+ Using OpenDKIM with SQL Datasets

+ ================================

+ OpenDKIM on RedHat-based systems relies on OpenDBX for database access. Depending on which database you use,

+ you may have to manually install one of the following OpenDBX subpackages (all of which are available via yum):

+ 

+ - opendbx-firebird

+ - opendbx-mssql

+ - opendbx-mysql

+ - opendbx-postgresql

+ - opendbx-sqlite 

+ - opendbx-sqlite2

+ - opendbx-sybase

+ 

+ If you have OpenDKIM configured to use SQL datasets on a systemd-based server, it might also be necessary to start

+ the opendkim service after the database servers by referencing your database unit file(s) in the "After" section of

+ the OpenDKIM unit file.

+ 

+ For example, if using both MariaDB and PostgreSQL, in /usr/lib/systemd/system/opendkim.service change:

+ 

+ After=network.target nss-lookup.target syslog.target

+ 

+ to:

+ 

+ After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service

+ 

+ 

+ Additional Configuration Help

+ =============================

+ For help configuring your MTA (Postfix, Sendmail, etc.) with OpenDKIM, setting up DNS records with your

+ public DKIM key, as well as instructions on configuring OpenDKIM to sign outgoing mail for multiple

+ domains, follow the how-to at:

+ 

+ http://wp.me/p1iGgP-ou

+ 

+ Official documentation for OpenDKIM is available at http://opendkim.org/

+ 

+ OpenDKIM mailing lists are available at http://lists.opendkim.org/

+ 

+ ###
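Review bot: The SQL datasets section tells admins to change the After= line directly in /usr/lib/systemd/system/opendkim.service, which is the packaged unit the spec installs into %{_unitdir}, so the edit is lost on the next package update. Suggest pointing to a drop-in instead (`systemctl edit opendkim.service`, with an `After=mariadb.service postgresql.service` line under [Unit]). While the text is being moved into its own file, the "Last updated: Apr 30, 2015" line and the "available via yum" wording could also be refreshed.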

file added
+25

@@ -0,0 +1,25 @@ 

+ # OPENDKIM SIGNING TABLE

+ # This table controls how to apply one or more signatures to outgoing messages based

+ # on the address found in the From: header field. In simple terms, this tells

+ # OpenDKIM "how" to apply your keys.

+ 

+ # To use this file, uncomment the SigningTable option in /etc/opendkim.conf,

+ # then uncomment one of the usage examples below and replace example.com with your

+ # domain name, then restart OpenDKIM.

+ 

+ # WILDCARD EXAMPLE

+ # Enables signing for any address on the listed domain(s), but will work only if

+ # "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.

+ # Create additional lines for additional domains.

+ 

+ #*@example.com default._domainkey.example.com

+ 

+ # NON-WILDCARD EXAMPLE

+ # If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then

+ # wildcards will not work. Instead, full user@host is checked first, then simply host,

+ # then user@.domain (with all superdomains checked in sequence, so "foo.example.com"

+ # would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),

+ # then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under

+ # "SigningTable" for more details.

+ 

+ #example.com default._domainkey.example.com

file added
+9

@@ -0,0 +1,9 @@ 

+ # OPENDKIM TRUSTED HOSTS

+ # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts

+ # option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts

+ # may be added on separate lines (IP addresses, hostnames, or CIDR ranges).

+ # The localhost IP (127.0.0.1) should always be the first entry in this file.

+ 127.0.0.1

+ ::1

+ #host.example.com

+ #192.168.1.0/24

file added
+133

@@ -0,0 +1,133 @@ 

+ ## BASIC OPENDKIM CONFIGURATION FILE

+ ## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

+ 

+ ## BEFORE running OpenDKIM you must:

+ 

+ ## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM

+ ## - generate keys for your domain (if signing)

+ ## - edit your DNS records to publish your public keys (if signing)

+ 

+ ## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

+ 

+ ## DEPRECATED CONFIGURATION OPTIONS

+ ##

+ ## The following configuration options are no longer valid.  They should be

+ ## removed from your existing configuration file to prevent potential issues.

+ ## Failure to do so may result in opendkim being unable to start.

+ ##

+ ## Removed in 2.10.0:

+ ##   AddAllSignatureResults

+ ##   ADSPAction

+ ##   ADSPNoSuchDomain

+ ##   BogusPolicy

+ ##   DisableADSP

+ ##   LDAPSoftStart

+ ##   LocalADSP

+ ##   NoDiscardableMailTo

+ ##   On-PolicyError

+ ##   SendADSPReports

+ ##   UnprotectedPolicy

+ 

+ ## CONFIGURATION OPTIONS

+ 

+ ##  Specifies the path to the process ID file.

+ PidFile	/var/run/opendkim/opendkim.pid

+ 

+ ##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.

+ ##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing

+ ##  messages.

+ Mode	v

+ 

+ ##  Log activity to the system log.

+ Syslog	yes

+ 

+ ##  Log additional entries indicating successful signing or verification of messages.

+ SyslogSuccess	yes

+ 

+ ##  If logging is enabled, include detailed logging about why or why not a message was

+ ##  signed or verified. This causes an increase in the amount of log data generated

+ ##  for each message, so set this to No (or comment it out) if it gets too noisy.

+ LogWhy	yes

+ 

+ ##  Attempt to become the specified user before starting operations.

+ UserID	opendkim:opendkim

+ 

+ ##  Create a socket through which your MTA can communicate.

+ Socket	inet:8891@localhost

+ 

+ ##  Required to use local socket with MTAs that access the socket as a non-

+ ##  privileged user (e.g. Postfix)

+ Umask	002

+ 

+ ##  This specifies a text file in which to store DKIM transaction statistics.

+ ##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.

+ # Statistics	/var/spool/opendkim/stats.dat

+ 

+ ##  Specifies whether or not the filter should generate report mail back

+ ##  to senders when verification fails and an address for such a purpose

+ ##  is provided. See opendkim.conf(5) for details.

+ SendReports	yes

+ 

+ ##  Specifies the sending address to be used on From: headers of outgoing

+ ##  failure reports.  By default, the e-mail address of the user executing

+ ##  the filter is used (executing_user@hostname).

+ # ReportAddress	"Example.com Postmaster" <postmaster@example.com>

+ 

+ ##  Add a DKIM-Filter header field to messages passing through this filter

+ ##  to identify messages it has processed.

+ SoftwareHeader	yes

+ 

+ ## SIGNING OPTIONS

+ 

+ ##  Selects the canonicalization method(s) to be used when signing messages.

+ Canonicalization	relaxed/relaxed

+ 

+ ##  Domain(s) whose mail should be signed by this filter. Mail from other domains will

+ ##  be verified rather than being signed. Uncomment and use your domain name.

+ ##  This parameter is not required if a SigningTable is in use.

+ # Domain	example.com

+ 

+ ##  Defines the name of the selector to be used when signing messages.

+ Selector	default

+ 

+ ##  Specifies the minimum number of key bits for acceptable keys and signatures.

+ MinimumKeyBits	1024

+ 

+ ##  Gives the location of a private key to be used for signing ALL messages. This

+ ##  directive is ignored if KeyTable is enabled.

+ KeyFile	/etc/opendkim/keys/default.private

+ 

+ ##  Gives the location of a file mapping key names to signing keys. In simple terms,

+ ##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile

+ ##  directive in the configuration file. Requires SigningTable be enabled.

+ # KeyTable	/etc/opendkim/KeyTable

+ 

+ ##  Defines a table used to select one or more signatures to apply to a message based

+ ##  on the address found in the From: header field. In simple terms, this tells

+ ##  OpenDKIM how to use your keys. Requires KeyTable be enabled.

+ # SigningTable	refile:/etc/opendkim/SigningTable

+ 

+ ##  Identifies a set of "external" hosts that may send mail through the server as one

+ ##  of the signing domains without credentials as such.

+ # ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts

+ 

+ ##  Identifies a set "internal" hosts whose mail should be signed rather than verified.

+ # InternalHosts	refile:/etc/opendkim/TrustedHosts

+ 

+ ##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names

+ ##  whose mail should be neither signed nor verified by this filter.  See man

+ ##  page for file format.

+ # PeerList	X.X.X.X

+ 

+ ##  Always oversign From (sign using actual From and a null From to prevent

+ ##  malicious signatures header fields (From and/or others) between the signer

+ ##  and the verifier.  From is oversigned by default in the Fedora package

+ ##  because it is often the identity key used by reputation systems and thus

+ ##  somewhat security sensitive.

+ OversignHeaders	From

+ 

+ ##  Instructs the DKIM library to maintain its own local cache of keys and

+ ##  policies retrieved from DNS, rather than relying on the nameserver for

+ ##  caching service. Useful if the nameserver being used by the filter is

+ ##  not local.

+ # QueryCache	yes
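Review bot: The comment above `OversignHeaders From` is garbled: the parenthesis opened at "(sign using actual From and a null From" is never closed, and "to prevent malicious signatures header fields" is missing words. It was copied verbatim from the old heredoc, but now that opendkim.conf is a standalone source file this is a good point to reword it so it says plainly that oversigning prevents From (and/or other) header fields from being added between the signer and the verifier. Separately, the Umask comment talks about a local socket while the default is `Socket inet:8891@localhost`; a short note that Umask only matters once a local socket is configured would avoid confusion.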

file modified
+24 -370

@@ -1,51 +1,34 @@ 

- %global systemd (0%{?fedora} >= 18) || (0%{?rhel} >= 7)

  %global upname OpenDKIM

  %global bigname OPENDKIM

  

+ %global full_version 2.11.0-Beta2

+ 

  Summary: A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail

  Name: opendkim

  Version: 2.11.0

- Release: 0.9%{?dist}

+ Release: 0.10%{?dist}

  License: BSD and Sendmail

  URL: http://%{name}.org/

- Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.Alpha0.tar.gz

- 

- # https://sourceforge.net/p/opendkim/patches/35/

- # https://sourceforge.net/p/opendkim/patches/37/

- # Patches rediffed and combined (both modify configure)

- Patch0: %{name}.ticket35+37.patch

+ Source0: https://github.com/trusteddomainproject/OpenDKIM/archive/%{full_version}.tar.gz

+ Source1: opendkim.conf

+ Source2: opendkim.sysconfig

+ Source3: SigningTable

+ Source4: KeyTable

+ Source5: TrustedHosts

+ Source6: README.fedora

  

  # Required for all versions

  Requires: lib%{name}%{?_isa} = %{version}-%{release}

  BuildRequires: openssl-devel, libtool, pkgconfig, libbsd, libbsd-devel, opendbx-devel

  Requires(pre): shadow-utils

  

- %if %systemd

- # Required for systemd

  %{?systemd_requires}

  BuildRequires: systemd

  BuildRequires: libdb-devel, libmemcached-devel

- %else

- # Required for SysV

- Requires(post): chkconfig

- Requires(preun): chkconfig, initscripts

- Requires(postun): initscripts

- BuildRequires: db4-devel

- %endif

- 

- # sendmail-devel renamed for F26+

- %if 0%{?fedora} > 25

+ 

  BuildRequires: sendmail-milter-devel

- %else

- BuildRequires: sendmail-devel

- %endif

  

- %if 0%{?rhel} == 5

- Requires(post): policycoreutils

- %else

  BuildRequires: openldap-devel

- %endif

- 

  

  %description

  %{upname} allows signing and/or verification of email through an open source
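Review bot: Patch0 (`%{name}.ticket35+37.patch`) is dropped next to the Source0 change without any mention in the new changelog entry, which lists only the rebase and the specfile clean-up. The deleted patch changed the strl.h search path and the SSL_library_init link check in configure, so please confirm both are covered by the Beta2 sources and say so in the changelog. Also, Source0 now ends in `archive/%{full_version}.tar.gz`, so the downloaded file is named only after the tag; appending `#/%{name}-%{full_version}.tar.gz` keeps the package name in the tarball filename. `Release: 0.10%{?dist}` gives no hint of which pre-release is packaged.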

@@ -70,20 +53,15 @@ 

  required for developing applications against libopendkim.

  

  %prep

- %autosetup -p1

+ %autosetup -p1 -n %{upname}-%{full_version}

  

  %build

+ autoreconf -iv

  # Always use system libtool instead of pacakge-provided one to

  # properly handle 32 versus 64 bit detection and settings

  %define LIBTOOL LIBTOOL=`which libtool`

  

- %if %systemd

- # Configure with options available to systemd

  %configure --with-odbx --with-db --with-libmemcached --with-openldap --enable-query_cache

- %else

- # Configure with options available to SysV

- %configure --with-odbx --with-db --with-openldap --enable-query_cache

- %endif

  

  # Remove rpath

  sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
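Review bot: `autoreconf -iv` is added at the top of %build, but of the autotools set the BuildRequires line in this spec names only libtool; autoconf and automake are not listed. Add them explicitly rather than relying on them being pulled in indirectly, and consider a one-line comment on why configure has to be regenerated now that the build uses the GitHub archive instead of the release tarball.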

@@ -95,316 +73,21 @@ 

  install -d %{buildroot}%{_sysconfdir}/sysconfig

  install -m 0755 contrib/init/redhat/%{name}-default-keygen %{buildroot}%{_sbindir}/%{name}-default-keygen

  

- %if %systemd

  install -d -m 0755 %{buildroot}%{_unitdir}

  install -m 0644 contrib/systemd/%{name}.service %{buildroot}%{_unitdir}/%{name}.service

- %else

- install -d %{buildroot}%{_initrddir}

- install -m 0755 contrib/init/redhat/%{name} %{buildroot}%{_initrddir}/%{name}

- %endif

- 

- cat > %{buildroot}%{_sysconfdir}/%{name}.conf << 'EOF'

- ## BASIC %{bigname} CONFIGURATION FILE

- ## See %{name}.conf(5) or %{_defaultdocdir}/%{name}/%{name}.conf.sample for more

- 

- ## BEFORE running %{upname} you must:

- 

- ## - make your MTA (Postfix, Sendmail, etc.) aware of %{upname}

- ## - generate keys for your domain (if signing)

- ## - edit your DNS records to publish your public keys (if signing)

- 

- ## See %{_defaultdocdir}/%{name}/INSTALL for detailed instructions.

- 

- ## DEPRECATED CONFIGURATION OPTIONS

- ## 

- ## The following configuration options are no longer valid.  They should be

- ## removed from your existing configuration file to prevent potential issues.

- ## Failure to do so may result in %{name} being unable to start.

- ## 

- ## Removed in 2.10.0:

- ##   AddAllSignatureResults

- ##   ADSPAction

- ##   ADSPNoSuchDomain

- ##   BogusPolicy

- ##   DisableADSP

- ##   LDAPSoftStart

- ##   LocalADSP

- ##   NoDiscardableMailTo

- ##   On-PolicyError

- ##   SendADSPReports

- ##   UnprotectedPolicy

- 

- ## CONFIGURATION OPTIONS

- 

- ##  Specifies the path to the process ID file.

- PidFile	%{_localstatedir}/run/%{name}/%{name}.pid

- 

- ##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.

- ##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing

- ##  messages.

- Mode	v

- 

- ##  Log activity to the system log.

- Syslog	yes

- 

- ##  Log additional entries indicating successful signing or verification of messages.

- SyslogSuccess	yes

- 

- ##  If logging is enabled, include detailed logging about why or why not a message was

- ##  signed or verified. This causes an increase in the amount of log data generated

- ##  for each message, so set this to No (or comment it out) if it gets too noisy.

- LogWhy	yes

- 

- ##  Attempt to become the specified user before starting operations.

- UserID	%{name}:%{name}

- 

- ##  Create a socket through which your MTA can communicate.

- Socket	inet:8891@localhost

- 

- ##  Required to use local socket with MTAs that access the socket as a non-

- ##  privileged user (e.g. Postfix)

- Umask	002

- 

- ##  This specifies a text file in which to store DKIM transaction statistics.

- ##  %{upname} must be manually compiled with --enable-stats to enable this feature.

- # Statistics	%{_localstatedir}/spool/%{name}/stats.dat

- 

- ##  Specifies whether or not the filter should generate report mail back

- ##  to senders when verification fails and an address for such a purpose

- ##  is provided. See opendkim.conf(5) for details.

- SendReports	yes

- 

- ##  Specifies the sending address to be used on From: headers of outgoing

- ##  failure reports.  By default, the e-mail address of the user executing

- ##  the filter is used (executing_user@hostname).

- # ReportAddress	"Example.com Postmaster" <postmaster@example.com>

- 

- ##  Add a DKIM-Filter header field to messages passing through this filter

- ##  to identify messages it has processed.

- SoftwareHeader	yes

- 

- ## SIGNING OPTIONS

- 

- ##  Selects the canonicalization method(s) to be used when signing messages.

- Canonicalization	relaxed/relaxed

- 

- ##  Domain(s) whose mail should be signed by this filter. Mail from other domains will

- ##  be verified rather than being signed. Uncomment and use your domain name.

- ##  This parameter is not required if a SigningTable is in use.

- # Domain	example.com

- 

- ##  Defines the name of the selector to be used when signing messages.

- Selector	default

- 

- ##  Specifies the minimum number of key bits for acceptable keys and signatures.

- MinimumKeyBits	1024

- 

- ##  Gives the location of a private key to be used for signing ALL messages. This

- ##  directive is ignored if KeyTable is enabled.

- KeyFile	%{_sysconfdir}/%{name}/keys/default.private

- 

- ##  Gives the location of a file mapping key names to signing keys. In simple terms,

- ##  this tells %{upname} where to find your keys. If present, overrides any KeyFile

- ##  directive in the configuration file. Requires SigningTable be enabled.

- # KeyTable	%{_sysconfdir}/%{name}/KeyTable

- 

- ##  Defines a table used to select one or more signatures to apply to a message based

- ##  on the address found in the From: header field. In simple terms, this tells

- ##  %{upname} how to use your keys. Requires KeyTable be enabled.

- # SigningTable	refile:%{_sysconfdir}/%{name}/SigningTable

- 

- ##  Identifies a set of "external" hosts that may send mail through the server as one

- ##  of the signing domains without credentials as such.

- # ExternalIgnoreList	refile:%{_sysconfdir}/%{name}/TrustedHosts

- 

- ##  Identifies a set "internal" hosts whose mail should be signed rather than verified.

- # InternalHosts	refile:%{_sysconfdir}/%{name}/TrustedHosts

- 

- ##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names

- ##  whose mail should be neither signed nor verified by this filter.  See man

- ##  page for file format.

- # PeerList	X.X.X.X

- 

- ##  Always oversign From (sign using actual From and a null From to prevent

- ##  malicious signatures header fields (From and/or others) between the signer

- ##  and the verifier.  From is oversigned by default in the Fedora package

- ##  because it is often the identity key used by reputation systems and thus

- ##  somewhat security sensitive.

- OversignHeaders	From

- 

- ##  Instructs the DKIM library to maintain its own local cache of keys and

- ##  policies retrieved from DNS, rather than relying on the nameserver for

- ##  caching service. Useful if the nameserver being used by the filter is

- ##  not local.

- # QueryCache	yes

- EOF

- 

- %{__cat} > %{buildroot}%{_sysconfdir}/sysconfig/%{name} << 'EOF'

- # Set the necessary startup options

- OPTIONS="-x %{_sysconfdir}/%{name}.conf -P %{_localstatedir}/run/%{name}/%{name}.pid"

  

- # Set the default DKIM selector

- DKIM_SELECTOR=default

+ install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}.conf

  

- # Set the default DKIM key location

- DKIM_KEYDIR=%{_sysconfdir}/%{name}/keys

- EOF

+ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/%{name}

  

  mkdir -p %{buildroot}%{_sysconfdir}/%{name}

- cat > %{buildroot}%{_sysconfdir}/%{name}/SigningTable << 'EOF'

- # %{bigname} SIGNING TABLE

- # This table controls how to apply one or more signatures to outgoing messages based

- # on the address found in the From: header field. In simple terms, this tells

- # %{upname} "how" to apply your keys.

- 

- # To use this file, uncomment the SigningTable option in %{_sysconfdir}/%{name}.conf,

- # then uncomment one of the usage examples below and replace example.com with your

- # domain name, then restart %{upname}.

- 

- # WILDCARD EXAMPLE

- # Enables signing for any address on the listed domain(s), but will work only if

- # "refile:%{_sysconfdir}/%{name}/SigningTable" is included in %{_sysconfdir}/%{name}.conf.

- # Create additional lines for additional domains.

- 

- #*@example.com default._domainkey.example.com

- 

- # NON-WILDCARD EXAMPLE

- # If "file:" (instead of "refile:") is specified in %{_sysconfdir}/%{name}.conf, then

- # wildcards will not work. Instead, full user@host is checked first, then simply host,

- # then user@.domain (with all superdomains checked in sequence, so "foo.example.com"

- # would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),

- # then .domain, then user@*, and finally *. See the %{name}.conf(5) man page under

- # "SigningTable" for more details.

- 

- #example.com default._domainkey.example.com

- EOF

- 

- cat > %{buildroot}%{_sysconfdir}/%{name}/KeyTable << 'EOF'

- # %{bigname} KEY TABLE

- # To use this file, uncomment the #KeyTable option in %{_sysconfdir}/%{name}.conf,

- # then uncomment the following line and replace example.com with your domain

- # name, then restart %{upname}. Additional keys may be added on separate lines.

- 

- #default._domainkey.example.com example.com:default:%{_sysconfdir}/%{name}/keys/default.private

- EOF

- 

- cat > %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts << 'EOF'

- # %{bigname} TRUSTED HOSTS

- # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts

- # option in %{_sysconfdir}/%{name}.conf then restart %{upname}. Additional hosts

- # may be added on separate lines (IP addresses, hostnames, or CIDR ranges).

- # The localhost IP (127.0.0.1) should always be the first entry in this file.

- 127.0.0.1

- ::1

- #host.example.com

- #192.168.1.0/24

- EOF

- 

- cat > README.fedora << 'EOF'

- #####################################

- #FEDORA-SPECIFIC README FOR %{bigname}#

- #####################################

- Last updated: Apr 30, 2015 by Steve Jenkins (steve@stevejenkins.com)

- 

- Generating keys for %{upname}

- ============================

- After installing the %{name} package, you MUST generate a pair of keys (public and private) before

- attempting to start the %{name} service.

- 

- A valid private key must exist in the location expected by %{_sysconfdir}/%{name}.conf before the service will start.

- 

- A matching public key must be included in your domain's DNS records before remote systems can validate

- your outgoing mail's DKIM signature.

- 

- 

- Generating Keys Automatically

- =============================

- To automatically create a pair of default keys for the local domain, do:

- 

- % sudo %{_sbindir}/%{name}-default-keygen

- 

- The default keygen script will attempt to fetch the local domain name, generate a private and public key for

- the domain, then save them in %{_sysconfdir}/%{name}/keys as default.private and default.txt with the proper

- ownership and permissions.

- 

- NOTE: The default key generation script MUST be run by a privileged user (or root). Otherwise, the resulting

- private key ownership and permissions will not be correct.

- 

- 

- Generating Keys Manually

- ========================

- A privileged user (or root) can manually generate a set of keys by doing the following:

- 

- 1) Create a directory to store the new keys:

- 

- % sudo mkdir %{_sysconfdir}/%{name}/keys/example.com

- 

- 2) Generate keys in that directory for a specific domain name and selector:

+ install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/SigningTable

  

- % sudo %{_sbindir}/%{name}-genkey -D %{_sysconfdir}/%{name}/keys/example.com/ -d example.com -s default

+ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/KeyTable

  

- 3) Set the proper ownership for the directory and private key:

+ install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}/TrustedHosts

  

- % sudo chown -R root:%{name} %{_sysconfdir}/%{name}/keys/example.com

- 

- 4) Set secure permissions for the private key:

- 

- % sudo chmod 640 %{_sysconfdir}/%{name}/keys/example.com/default.private

- 

- 5) Set standard permissions for the public key:

- 

- % sudo chmod 644 %{_sysconfdir}/%{name}/keys/example.com/default.txt

- 

- 

- Updating Key Location(s) in Configuration Files

- ===============================================

- If you run the %{name}-default-keygen script, the default keys will be saved in %{_sysconfdir}/%{name}/keys as

- default.private and default.txt, which is the location expected by the default %{_sysconfdir}/%{name}.conf file.

- 

- If you manually generate your own keys, you must update the key location and name in %{_sysconfdir}/%{name}.conf

- before attempting to start the %{name} service.

- 

- 

- Using %upname with SQL Datasets

- ================================

- %upname on RedHat-based systems relies on OpenDBX for database access. Depending on which database you use,

- you may have to manually install one of the following OpenDBX subpackages (all of which are available via yum):

- 

- - opendbx-firebird

- - opendbx-mssql

- - opendbx-mysql

- - opendbx-postgresql

- - opendbx-sqlite 

- - opendbx-sqlite2

- - opendbx-sybase

- 

- If you have %upname configured to use SQL datasets on a systemd-based server, it might also be necessary to start

- the %name service after the database servers by referencing your database unit file(s) in the "After" section of

- the %upname unit file.

- 

- For example, if using both MariaDB and PostgreSQL, in %{_unitdir}/%{name}.service change:

- 

- After=network.target nss-lookup.target syslog.target

- 

- to:

- 

- After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service

- 

- 

- Additional Configuration Help

- =============================

- For help configuring your MTA (Postfix, Sendmail, etc.) with %{upname}, setting up DNS records with your

- public DKIM key, as well as instructions on configuring %{upname} to sign outgoing mail for multiple

- domains, follow the how-to at:

- 

- http://wp.me/p1iGgP-ou

- 

- Official documentation for %{upname} is available at http://%{name}.org/

- 

- %{upname} mailing lists are available at http://lists.%{name}.org/

- 

- ###

- EOF

+ cp %{SOURCE6} ./README.fedora

  

  install -p -d %{buildroot}%{_sysconfdir}/tmpfiles.d

  cat > %{buildroot}%{_sysconfdir}/tmpfiles.d/%{name}.conf <<'EOF'
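Review bot: The removed heredocs expanded %{_sysconfdir}, %{_sbindir}, %{_localstatedir} and %{_unitdir} at build time, whereas the files now installed from %{SOURCE1} through %{SOURCE6} carry /etc, /usr/sbin, /var/run and /usr/lib/systemd/system as literals, so the installed text no longer follows the macros that the install lines in this hunk still use for the destinations. If that is intended, note it in the changelog; otherwise keep placeholders in the source files and substitute them in %install. The new `install -m 0644` and `cp %{SOURCE6}` calls also lack -p, unlike the `install -p -d` just below them, so source timestamps are not preserved.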

@@ -434,40 +117,19 @@ 

  exit 0

  

  %post

- %if %systemd

  %systemd_post %{name}.service

- %else

- /sbin/chkconfig --add %{name} || :

- %endif

  

  %preun

- %if %systemd

  %systemd_preun %{name}.service

- %else

- if [ $1 -eq 0 ]; then

- 	service %{name} stop >/dev/null || :

- 	/sbin/chkconfig --del %{name} || :

- fi

- exit 0

- %endif

  

  %postun

- %if %systemd

  %systemd_postun_with_restart %{name}.service

- %else

- if [ "$1" -ge "1" ] ; then

- 	/sbin/service %{name} condrestart >/dev/null 2>&1 || :

- fi

- exit 0

- %endif

- 

- %if %systemd

  # For the switchover from initscript to service file

  %triggerun -- %{name} < 2.8.0-1

  %systemd_post %{name}.service

  /sbin/chkconfig --del %{name} >/dev/null 2>&1 || :

  %systemd_postun_with_restart %{name}.service

- %endif

+ 

  

  %ldconfig_scriptlets -n libopendkim

  
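Review bot: With every SysV branch removed, the `%triggerun -- %{name} < 2.8.0-1` block is now unconditional and still runs `/sbin/chkconfig --del %{name}`, while the Requires on chkconfig went away with the SysV branch in the first hunk. The `|| :` keeps it from failing, but if upgrades from before 2.8.0-1 no longer need support, drop the trigger as part of this clean-up; otherwise leave a comment saying why it stays. The line added after `%systemd_postun_with_restart %{name}.service` contains only whitespace and can go.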

@@ -492,33 +154,25 @@ 

  %dir %attr(0750,%name,%{name}) %{_sysconfdir}/%{name}/keys

  %attr(0755,root,root) %{_sbindir}/%{name}-default-keygen

  

- %if %systemd

  %attr(0644,root,root) %{_unitdir}/%{name}.service

- %else

- %attr(0755,root,root) %{_initrddir}/%{name}

- %endif

  

  %files -n libopendkim

- %if 0%{?_licensedir:1}

  %license LICENSE LICENSE.Sendmail

- %else

- %doc LICENSE LICENSE.Sendmail

- %endif

  %doc README

  %{_libdir}/lib%{name}.so.*

  

  %files -n libopendkim-devel

- %if 0%{?_licensedir:1}

  %license LICENSE LICENSE.Sendmail

- %else

- %doc LICENSE LICENSE.Sendmail

- %endif

  %doc lib%{name}/docs/*.html

  %{_includedir}/%{name}

  %{_libdir}/*.so

  %{_libdir}/pkgconfig/*.pc

  

  %changelog

+ * Mon Nov 18 2019 Tomas Korbar <tkorbar@redhat.com> - 2.11.0-0.10

+ - Rebase to 2.11.0-beta2 version

+ - Clean specfile and move configuration to their own files

+ 

  * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.11.0-0.9

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

  

file added
+8

@@ -0,0 +1,8 @@ 

+ # Set the necessary startup options

+ OPTIONS="-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid"

+ 

+ # Set the default DKIM selector

+ DKIM_SELECTOR=default

+ 

+ # Set the default DKIM key location

+ DKIM_KEYDIR=/etc/opendkim/keys
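Review bot: OPTIONS passes `-P /var/run/opendkim/opendkim.pid` while the new opendkim.conf already sets `PidFile /var/run/opendkim/opendkim.pid`, so the PID path is now hard-coded in two static files that must be kept in sync by hand. Drop the -P from OPTIONS and rely on PidFile, or add a comment in both files pointing at the other. The same applies to the `-x /etc/opendkim.conf` path, which used to follow %{_sysconfdir}.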

@@ -1,173 +0,0 @@ 

- diff -Naur -x opendkim-2.11.0.orig/configure opendkim-2.11.0/configure

- --- opendkim-2.11.0.orig/configure	2015-10-07 16:17:48.000000000 -0700

- +++ opendkim-2.11.0/configure	2016-12-20 18:47:51.662158143 -0800

- @@ -14700,13 +14700,13 @@

-  

-  	for d in $strldirs

-  	do

- -		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for strl.h in $d/strl" >&5

- -$as_echo_n "checking for strl.h in $d/strl... " >&6; }

- -		if test -f $d/strl/strl.h

- +		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for strl.h in $d" >&5

- +$as_echo_n "checking for strl.h in $d... " >&6; }

- +		if test -f $d/strl.h

-  		then

-  			unset ac_cv_header_strl_h

-  			saved_CPPFLAGS="$CPPFLAGS"

- -			CPPFLAGS="$CPPFLAGS -I$d/strl"

- +			CPPFLAGS="$CPPFLAGS -I$d"

-  			for ac_header in strl.h

-  do :

-    ac_fn_c_check_header_mongrel "$LINENO" "strl.h" "ac_cv_header_strl_h" "$ac_includes_default"

- @@ -14724,7 +14724,7 @@

-  

-  		if test x"$strl_h_found" = x"yes"

-  		then

- -			CPPFLAGS="$CPPFLAGS -I$d/strl"

- +			CPPFLAGS="$CPPFLAGS -I$d"

-  			break

-  		fi

-  	done

- @@ -16795,77 +16795,39 @@

-  fi

-  

-  

- -	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5

- -$as_echo_n "checking for library containing SSL_library_init... " >&6; }

- -if ${ac_cv_search_SSL_library_init+:} false; then :

- -  $as_echo_n "(cached) " >&6

- -else

- -  ac_func_search_save_LIBS=$LIBS

- -cat confdefs.h - <<_ACEOF >conftest.$ac_ext

- -/* end confdefs.h.  */

-  

- -/* Override any GCC internal prototype to avoid an error.

- -   Use char because int might match the return type of a GCC

- -   builtin and then its argument prototype would still apply.  */

- -#ifdef __cplusplus

- -extern "C"

- -#endif

- -char SSL_library_init ();

- +	cat confdefs.h - <<_ACEOF >conftest.$ac_ext

- +/* end confdefs.h.  */

- +#include <openssl/ssl.h>

-  int

-  main ()

-  {

- -return SSL_library_init ();

- +SSL_library_init();

-    ;

-    return 0;

-  }

-  _ACEOF

- -for ac_lib in '' ssl; do

- -  if test -z "$ac_lib"; then

- -    ac_res="none required"

- -  else

- -    ac_res=-l$ac_lib

- -    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"

- -  fi

- -  if ac_fn_c_try_link "$LINENO"; then :

- -  ac_cv_search_SSL_library_init=$ac_res

- -fi

- -rm -f core conftest.err conftest.$ac_objext \

- -    conftest$ac_exeext

- -  if ${ac_cv_search_SSL_library_init+:} false; then :

- -  break

- -fi

- -done

- -if ${ac_cv_search_SSL_library_init+:} false; then :

- -

- +if ac_fn_c_try_link "$LINENO"; then :

- +  od_have_ossl="yes";

-  else

- -  ac_cv_search_SSL_library_init=no

- +  od_have_ossl="no";

-  fi

- -rm conftest.$ac_ext

- -LIBS=$ac_func_search_save_LIBS

- -fi

- -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSL_library_init" >&5

- -$as_echo "$ac_cv_search_SSL_library_init" >&6; }

- -ac_res=$ac_cv_search_SSL_library_init

- -if test "$ac_res" != no; then :

- -  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"

- -

- -else

- -

- -			if test x"$enable_shared" = x"yes"

- -			then

- -				as_fn_error $? "Cannot build shared opendkim

- -				              against static openssl libraries.

- -				              Configure with --disable-shared

- -				              to get this working or obtain a

- -				              shared libssl library for

- -				              opendkim to use." "$LINENO" 5

- -			fi

- +rm -f core conftest.err conftest.$ac_objext \

- +    conftest$ac_exeext conftest.$ac_ext

- +	if test x"$od_have_ossl" = x"no"

- +	then

- +		if test x"$enable_shared" = x"yes"

- +		then

- +			as_fn_error $? "Cannot build shared opendkim

- +			              against static openssl libraries.

- +			              Configure with --disable-shared

- +			              to get this working or obtain a

- +			              shared libssl library for

- +			              opendkim to use." "$LINENO" 5

- +		fi

-  

- -			# avoid caching issue - last result of SSL_library_init

- -			# shouldn't be cached for this next check

- -			unset ac_cv_search_SSL_library_init

- -			LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"

- -			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5

- +		LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"

- +		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5

-  $as_echo_n "checking for library containing SSL_library_init... " >&6; }

-  if ${ac_cv_search_SSL_library_init+:} false; then :

-    $as_echo_n "(cached) " >&6

- @@ -16923,10 +16885,7 @@

-    as_fn_error $? "libssl not found" "$LINENO" 5

-  fi

-  

- -

- -

- -fi

- -

- +	fi

-  

-  	ac_fn_c_check_decl "$LINENO" "SHA256_DIGEST_LENGTH" "ac_cv_have_decl_SHA256_DIGEST_LENGTH" "

-  #include <sys/types.h>

- diff -Naur -x opendkim-2.11.0.orig/opendkim/opendkim-crypto.c opendkim-2.11.0/opendkim/opendkim-crypto.c

- --- opendkim-2.11.0.orig/opendkim/opendkim-crypto.c	2013-02-25 13:02:41.000000000 -0800

- +++ opendkim-2.11.0/opendkim/opendkim-crypto.c	2016-12-20 18:47:03.477027225 -0800

- @@ -222,7 +222,11 @@

-  	{

-  		assert(pthread_setspecific(id_key, ptr) == 0);

-  

- +#if OPENSSL_VERSION_NUMBER >= 0x10100000

- +		OPENSSL_thread_stop();

- +#else

-  		ERR_remove_state(0);

- +#endif

-  

-  		free(ptr);

-  

- @@ -392,11 +396,15 @@

-  {

-  	if (crypto_init_done)

-  	{

- +#if OPENSSL_VERSION_NUMBER >= 0x10100000

- +		OPENSSL_thread_stop();

- +#else

-  		CRYPTO_cleanup_all_ex_data();

-  		CONF_modules_free();

-  		EVP_cleanup();

-  		ERR_free_strings();

-  		ERR_remove_state(0);

- +#endif

-  

-  		if (nmutexes > 0)

-  		{
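Review bot: nothing in the PR states that 2.11.0-beta2 already contains the OpenSSL 1.1 compatibility changes carried by this deleted patch, namely the configure probe that includes <openssl/ssl.h> before calling SSL_library_init() and the "#if OPENSSL_VERSION_NUMBER >= 0x10100000" guards that call OPENSSL_thread_stop() in place of ERR_remove_state(0) in opendkim-crypto.c. Please confirm that the new tarball has equivalent code (a scratch build against the distribution's OpenSSL would show a regression quickly) and record the patch removal and its reason in the changelog entry, which currently mentions only the rebase and the specfile cleanup.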

Also clean the specfile and move configurations to their own files. I think the specfile will be more readable that way.
Although version 2.11.0-beta2 is still beta, it contains multiple fixes for bugs in 2.10.3 and just a few new features, so I think it is safe to rebase.