From bef349fb49583b1d4249af3f490d02db049066d5 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky
Date: Wed, 27 Mar 2019 10:36:32 -0400
Subject: mail-filter/opendkim: new revision with a dedicated "opendkim" user.

Prior to this revision, the OpenDKIM daemon would run as the "milter" user, which is a username shared by a few other related packages. However, that user has the ability to read your private DKIM signing keys, and no other services should have access to those. Thus, sharing the user account creates a security risk.

In the new revision, a dedicated "opendkim" user is created for the OpenDKIM daemon. The configuration, OpenRC service script, and systemd service files have all been updated with the new user name. In addition, the permissions on /var/lib/opendkim have been tightened so members of the "opendkim" group can only read it by default. The daemon does not need to modify your keys, in particular, and should not be able to.

One downside to this is that the "Statistics" configuration directive that was enabled by default with USE=berkdb will no longer work out-of-the-box. It will still work, but the administrator will need to grant write access to the file that he designates for the statistics data. But since it won't work without some extra fiddling, it has been removed from the configuration file that we install.

An ewarn notifies users who are upgrading of the account name change.

Closes: https://bugs.gentoo.org/629888
Signed-off-by: Michael Orlitzky
Package-Manager: Portage-2.3.62, Repoman-2.3.11
---
mail-filter/opendkim/files/opendkim-r2.service | 15 ++
mail-filter/opendkim/files/opendkim.init.r4 | 55 +++++++
mail-filter/opendkim/opendkim-2.10.3-r5.ebuild | 198 ------------------------
mail-filter/opendkim/opendkim-2.10.3-r6.ebuild | 205 +++++++++++++++++++++++++
4 files changed, 275 insertions(+), 198 deletions(-)
create mode 100644 mail-filter/opendkim/files/opendkim-r2.service
create mode 100644 mail-filter/opendkim/files/opendkim.init.r4
delete mode 100644 mail-filter/opendkim/opendkim-2.10.3-r5.ebuild
create mode 100644 mail-filter/opendkim/opendkim-2.10.3-r6.ebuild
(limited to 'mail-filter/opendkim')
diff --git a/mail-filter/opendkim/files/opendkim-r2.service b/mail-filter/opendkim/files/opendkim-r2.service
new file mode 100644
index 000000000000..006ff822d7f9
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim-r2.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=DomainKeys Identified Mail (DKIM) Milter
+Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
+After=network.target nss-lookup.target syslog.target
+
+[Service]
+ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf
+ExecReload=/bin/kill -USR1 $MAINPID
+RuntimeDirectory=opendkim
+RuntimeDirectoryMode=0750
+User=opendkim
+Group=opendkim
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mail-filter/opendkim/files/opendkim.init.r4 b/mail-filter/opendkim/files/opendkim.init.r4
new file mode 100644
index 000000000000..8c349b85dd31
--- /dev/null
+++ b/mail-filter/opendkim/files/opendkim.init.r4
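Review bot: The [Service] section of opendkim-r2.service drops privileges with User=/Group= but adds no sandboxing, so enforcement of the commit's "daemon must not be able to modify the keys" goal rests entirely on file modes; adding `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` under `[Service]` would keep a compromised daemon from regaining privileges or writing to /usr and /etc even where a key file's mode is wrong. `ProtectSystem=strict` would additionally make /var/lib/opendkim read-only to the daemon, but then any writable path an administrator configures (such as the Statistics file the commit message mentions) needs a matching `ReadWritePaths=`, so the daemon's runtime writes should be confirmed before going beyond `full`. `syslog.target` in After= appears to be obsolete in current systemd and can likely be dropped, and `man:opendkim-testkey` in Documentation= lacks the section number its neighbours carry.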
@@ -0,0 +1,55 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+CONFFILE=/etc/opendkim/${SVCNAME}.conf
+
+depend() {
+ use dns logger net
+ before mta
+}
+
+check_cfg() {
+
+ PIDFILE=$(sed -ne 's/^[[:space:]]*PidFile[[:space:]]\+//p' "${CONFFILE}")
+ local PIDDIR="${PIDFILE%/*}"
+ if [ ! -d "${PIDDIR}" ] ; then
+ checkpath -q -d -o opendkim:opendkim -m 0755 "${PIDDIR}" || return 1
+ fi
+ if [ ! -f "${CONFFILE}" ] ; then
+ eerror "Configuration file ${CONFFILE} is missing"
+ return 1
+ fi
+ if [ -z "${PIDFILE}" ] ; then
+ eerror "Configuration file needs PidFile setting - recommend adding 'PidFile /var/run/opendkim/${SVCNAME}.pid' to ${CONFFILE}"
+ return 1
+ fi
+
+ if egrep -q '^[[:space:]]*Background[[:space:]]+no' "${CONFFILE}" ; then
+ eerror "${SVCNAME} service cannot run with Background key set to yes!"
+ return 1
+ fi
+}
+
+start() {
+ check_cfg || return 1
+
+ # Remove stalled Unix socket if no other process is using it
+ local UNIX_SOCKET=$(sed -ne 's/^[[:space:]]*Socket[[:space:]]\+\(unix\|local\)://p' "${CONFFILE}")
+
+ if [ -S "${UNIX_SOCKET}" ] && ! fuser -s "${UNIX_SOCKET}"; then
+ rm "${UNIX_SOCKET}"
+ fi
+
+ ebegin "Starting OpenDKIM"
+ start-stop-daemon --start --pidfile "${PIDFILE}" \
+ --exec /usr/sbin/opendkim -- -x "${CONFFILE}"
+ eend $?
+}
+
+stop() {
+ check_cfg || return 1
+ ebegin "Stopping OpenDKIM"
+ start-stop-daemon --stop --pidfile "${PIDFILE}"
+ eend $?
+}
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r5.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r5.ebuild
deleted file mode 100644
index fe0d7c091a71..000000000000
--- a/mail-filter/opendkim/opendkim-2.10.3-r5.ebuild
+++ /dev/null
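Review bot: check_cfg reads PidFile from `${CONFFILE}` and runs `checkpath` on the derived directory before it has verified that the file exists or that PIDFILE is non-empty, so a missing configuration produces a bare sed error and an empty PidFile makes `checkpath -q -d -o opendkim:opendkim -m 0755 ""` run on an empty path before the intended eerror is ever reached; the existence and PidFile checks belong first, as in the reordering below. While there, the Background check matches `Background ... no` but its message says the key is "set to yes" — it should read `eerror "${SVCNAME} service cannot run with Background key set to no!"` — and `egrep` is deprecated in favour of `grep -E`. The pid directory is created 0755 and owned by opendkim:opendkim whereas the companion systemd unit uses RuntimeDirectoryMode=0750; 0750 looks like the consistent choice, and because the daemon user owns the pidfile that `stop()` hands to start-stop-daemon, it is worth confirming that OpenRC's start-stop-daemon validates the pidfile before signalling. In start(), `local UNIX_SOCKET=$(sed ...)` masks sed's exit status; splitting the declaration from the assignment keeps a failure visible.
```sh
check_cfg() {
	if [ ! -f "${CONFFILE}" ] ; then
		eerror "Configuration file ${CONFFILE} is missing"
		return 1
	fi
	PIDFILE=$(sed -ne 's/^[[:space:]]*PidFile[[:space:]]\+//p' "${CONFFILE}")
	if [ -z "${PIDFILE}" ] ; then
		eerror "Configuration file needs PidFile setting - recommend adding 'PidFile /var/run/opendkim/${SVCNAME}.pid' to ${CONFFILE}"
		return 1
	fi
	local PIDDIR="${PIDFILE%/*}"
	if [ ! -d "${PIDDIR}" ] ; then
		checkpath -q -d -o opendkim:opendkim -m 0750 "${PIDDIR}" || return 1
	fi
	# … unchanged: Background check (with the corrected "set to no" message) …
}
```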
@@ -1,198 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit autotools db-use eutils systemd user
-
-DESCRIPTION="A milter-based application to provide DKIM signing and verification"
-HOMEPAGE="http://opendkim.org"
-SRC_URI="mirror://sourceforge/opendkim/${P}.tar.gz"
-
-# The GPL-2 is for the init script, bug 425960.
-LICENSE="BSD GPL-2 Sendmail-Open-Source"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
-IUSE="+berkdb gnutls ldap libressl lmdb lua memcached opendbx poll sasl selinux +ssl static-libs unbound"
-
-DEPEND="|| ( mail-filter/libmilter mail-mta/sendmail )
- dev-libs/libbsd
- ssl? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- berkdb? ( >=sys-libs/db-3.2:* )
- opendbx? ( >=dev-db/opendbx-1.4.0 )
- lua? ( dev-lang/lua:* )
- ldap? ( net-nds/openldap )
- lmdb? ( dev-db/lmdb )
- memcached? ( dev-libs/libmemcached )
- sasl? ( dev-libs/cyrus-sasl )
- unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )
- !unbound? ( net-libs/ldns )
- gnutls? ( >=net-libs/gnutls-3.3 )"
-
-RDEPEND="${DEPEND}
- sys-process/psmisc
- selinux? ( sec-policy/selinux-dkim )
-"
-
-REQUIRED_USE="sasl? ( ldap )"
-
-PATCHES=(
- "${FILESDIR}/${P}-gnutls-3.4.patch"
- "${FILESDIR}/${P}-openssl-1.1.1.patch"
-)
-
-pkg_setup() {
- enewgroup milter
- # mail-milter/spamass-milter creates milter user with this home directory
- # For consistency reasons, milter user must be created here with this home directory
- # even though this package doesn't need a home directory for this user (#280571)
- enewuser milter -1 -1 /var/lib/milter milter
-}
-
-src_prepare() {
- default
-
- sed -i -e 's:/var/db/dkim:/etc/opendkim:g' \
- -e 's:/var/db/opendkim:/var/lib/opendkim:g' \
- -e 's:/etc/mail:/etc/opendkim:g' \
- -e 's:mailnull:milter:g' \
- -e 's:^#[[:space:]]*PidFile.*:PidFile /run/opendkim/opendkim.pid:' \
- opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
- stats/opendkim-reportstats{,.in} || die
-
- sed -i -e 's:dist_doc_DATA:dist_html_DATA:' libopendkim/docs/Makefile.am \
- || die
-
- sed -i -e '/sock.*mt.getcwd/s:mt.getcwd():"/tmp":' opendkim/tests/*.lua
- sed -i -e '/sock.*mt.getcwd/s:mt.getcwd():"/proc/self/cwd":' opendkim/tests/*.lua
-
- eautoreconf
-}
-
-src_configure() {
- local myconf=()
- if use berkdb ; then
- myconf+=(
- $(db_includedir)
- --with-db-incdir=${myconf#-I}
- --enable-popauth
- --enable-query_cache
- --enable-stats
- )
- fi
- if use unbound; then
- myconf+=( --with-unbound )
- else
- myconf+=( --with-ldns )
- fi
- if use ldap; then
- myconf+=( $(use_with sasl) )
- fi
- econf \
- $(use_with berkdb db) \
- $(use_with opendbx odbx) \
- $(use_with lua) \
- $(use_enable lua rbl) \
- $(use_with ldap openldap) \
- $(use_with lmdb) \
- $(use_enable poll) \
- $(use_enable static-libs static) \
- $(use_with gnutls) \
- $(use_with memcached libmemcached) \
- "${myconf[@]}" \
- --enable-filter \
- --enable-atps \
- --enable-identity_header \
- --enable-rate_limit \
- --enable-resign \
- --enable-replace_rules \
- --enable-default_sender \
- --enable-sender_macro \
- --enable-vbr \
- --disable-live-testing
- #--with-test-socket=/tmp/opendkim-$(echo ${RANDOM})-S
- #--disable-rpath
-}
-
-src_install() {
- default
- prune_libtool_files
-
- dosbin stats/opendkim-reportstats
-
- newinitd "${FILESDIR}/opendkim.init.r3" opendkim
- systemd_newunit "${FILESDIR}/opendkim-r1.service" opendkim.service
-
- dodir /etc/opendkim
- keepdir /var/lib/opendkim
- fowners milter:milter /var/lib/opendkim
-
- # default configuration
- if [ ! -f "${ROOT}"/etc/opendkim/opendkim.conf ]; then
- grep ^[^#] "${S}"/opendkim/opendkim.conf.simple \
- > "${D}"/etc/opendkim/opendkim.conf
- if use unbound; then
- echo TrustAnchorFile /etc/dnssec/root-anchors.txt >> "${D}"/etc/opendkim/opendkim.conf
- fi
- echo UserID milter >> "${D}"/etc/opendkim/opendkim.conf
- if use berkdb; then
- echo Statistics /var/lib/opendkim/stats.dat >> \
- "${D}"/etc/opendkim/opendkim.conf
- fi
- fi
-}
-
-pkg_postinst() {
- if [[ -z ${REPLACING_VERSION} ]]; then
- elog "If you want to sign your mail messages and need some help"
- elog "please run:"
- elog " emerge --config ${CATEGORY}/${PN}"
- elog "It will help you create your key and give you hints on how"
- elog "to configure your DNS and MTA."
- fi
-}
-
-pkg_config() {
- local selector keysize pubkey
-
- read -p "Enter the selector name (default ${HOSTNAME}): " selector
- [[ -n "${selector}" ]] || selector=${HOSTNAME}
- if [[ -z "${selector}" ]]; then
- eerror "Oddly enough, you don't have a HOSTNAME."
- return 1
- fi
- if [[ -f "${ROOT}"etc/opendkim/${selector}.private ]]; then
- ewarn "The private key for this selector already exists."
- else
- keysize=1024
- # generate the private and public keys
- opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \
- -s ${selector} -d '(your domain)' && \
- chown milter:milter \
- "${ROOT}"etc/opendkim/"${selector}".private || \
- { eerror "Failed to create private and public keys." ; return 1; }
- chmod go-r "${ROOT}"etc/opendkim/"${selector}".private
- fi
-
- # opendkim selector configuration
- echo
- einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
- einfo " Keyfile /etc/opendkim/${selector}.private"
- einfo " Selector ${selector}"
-
- # MTA configuration
- echo
- einfo "If you are using Postfix, add following lines to your main.cf:"
- einfo " smtpd_milters = unix:/var/run/opendkim/opendkim.sock"
- einfo " non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock"
- einfo " and read http://www.postfix.org/MILTER_README.html"
-
- # DNS configuration
- einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
- cat "${ROOT}"etc/opendkim/${selector}.txt
- einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
- einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
-}
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r6.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r6.ebuild
new file mode 100644
index 000000000000..f82109150545
--- /dev/null
+++ b/mail-filter/opendkim/opendkim-2.10.3-r6.ebuild
@@ -0,0 +1,205 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools db-use eutils systemd user
+
+DESCRIPTION="A milter-based application to provide DKIM signing and verification"
+HOMEPAGE="http://opendkim.org"
+SRC_URI="mirror://sourceforge/opendkim/${P}.tar.gz"
+
+# The GPL-2 is for the init script, bug 425960.
+LICENSE="BSD GPL-2 Sendmail-Open-Source"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+berkdb gnutls ldap libressl lmdb lua memcached opendbx poll sasl selinux +ssl static-libs unbound"
+
+DEPEND="|| ( mail-filter/libmilter mail-mta/sendmail )
+ dev-libs/libbsd
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ berkdb? ( >=sys-libs/db-3.2:* )
+ opendbx? ( >=dev-db/opendbx-1.4.0 )
+ lua? ( dev-lang/lua:* )
+ ldap? ( net-nds/openldap )
+ lmdb? ( dev-db/lmdb )
+ memcached? ( dev-libs/libmemcached )
+ sasl? ( dev-libs/cyrus-sasl )
+ unbound? ( >=net-dns/unbound-1.4.1:= net-dns/dnssec-root )
+ !unbound? ( net-libs/ldns )
+ gnutls? ( >=net-libs/gnutls-3.3 )"
+
+RDEPEND="${DEPEND}
+ sys-process/psmisc
+ selinux? ( sec-policy/selinux-dkim )
+"
+
+REQUIRED_USE="sasl? ( ldap )"
+
+PATCHES=(
+ "${FILESDIR}/${P}-gnutls-3.4.patch"
+ "${FILESDIR}/${P}-openssl-1.1.1.patch"
+)
+
+pkg_setup() {
+ # This user can read your private keys, and must therefore not be
+ # shared with any other package.
+ enewuser opendkim
+}
+
+src_prepare() {
+ default
+
+ sed -i -e 's:/var/db/dkim:/etc/opendkim:g' \
+ -e 's:/var/db/opendkim:/var/lib/opendkim:g' \
+ -e 's:/etc/mail:/etc/opendkim:g' \
+ -e 's:mailnull:opendkim:g' \
+ -e 's:^#[[:space:]]*PidFile.*:PidFile /run/opendkim/opendkim.pid:' \
+ opendkim/opendkim.conf.sample opendkim/opendkim.conf.simple.in \
+ stats/opendkim-reportstats{,.in} || die
+
+ sed -i -e 's:dist_doc_DATA:dist_html_DATA:' libopendkim/docs/Makefile.am \
+ || die
+
+ sed -i -e '/sock.*mt.getcwd/s:mt.getcwd():"/tmp":' opendkim/tests/*.lua
+ sed -i -e '/sock.*mt.getcwd/s:mt.getcwd():"/proc/self/cwd":' opendkim/tests/*.lua
+
+ eautoreconf
+}
+
+src_configure() {
+ local myconf=()
+ if use berkdb ; then
+ myconf+=(
+ $(db_includedir)
+ --with-db-incdir=${myconf#-I}
+ --enable-popauth
+ --enable-query_cache
+ --enable-stats
+ )
+ fi
+ if use unbound; then
+ myconf+=( --with-unbound )
+ else
+ myconf+=( --with-ldns )
+ fi
+ if use ldap; then
+ myconf+=( $(use_with sasl) )
+ fi
+ econf \
+ $(use_with berkdb db) \
+ $(use_with opendbx odbx) \
+ $(use_with lua) \
+ $(use_enable lua rbl) \
+ $(use_with ldap openldap) \
+ $(use_with lmdb) \
+ $(use_enable poll) \
+ $(use_enable static-libs static) \
+ $(use_with gnutls) \
+ $(use_with memcached libmemcached) \
+ "${myconf[@]}" \
+ --enable-filter \
+ --enable-atps \
+ --enable-identity_header \
+ --enable-rate_limit \
+ --enable-resign \
+ --enable-replace_rules \
+ --enable-default_sender \
+ --enable-sender_macro \
+ --enable-vbr \
+ --disable-live-testing
+ #--with-test-socket=/tmp/opendkim-$(echo ${RANDOM})-S
+ #--disable-rpath
+}
+
+src_install() {
+ default
+ prune_libtool_files
+
+ dosbin stats/opendkim-reportstats
+
+ newinitd "${FILESDIR}/opendkim.init.r4" opendkim
+ systemd_newunit "${FILESDIR}/opendkim-r2.service" opendkim.service
+
+ dodir /etc/opendkim
+ keepdir /var/lib/opendkim
+
+ # The OpenDKIM data (particularly, your keys) should be read-only to
+ # the UserID that the daemon runs as.
+ fowners root:opendkim /var/lib/opendkim
+ fperms 750 /var/lib/opendkim
+
+ # default configuration
+ if [ ! -f "${ROOT}"/etc/opendkim/opendkim.conf ]; then
+ grep ^[^#] "${S}"/opendkim/opendkim.conf.simple \
+ > "${D}"/etc/opendkim/opendkim.conf
+ if use unbound; then
+ echo TrustAnchorFile /etc/dnssec/root-anchors.txt >> "${D}"/etc/opendkim/opendkim.conf
+ fi
+ echo UserID opendkim >> "${D}"/etc/opendkim/opendkim.conf
+ fi
+}
+
+pkg_postinst() {
+ if [[ -z ${REPLACING_VERSION} ]]; then
+ elog "If you want to sign your mail messages and need some help"
+ elog "please run:"
+ elog " emerge --config ${CATEGORY}/${PN}"
+ elog "It will help you create your key and give you hints on how"
+ elog "to configure your DNS and MTA."
+ else
+ ewarn "The user account for the OpenDKIM daemon has changed"
+ ewarn "from \"milter\" to \"opendkim\" to prevent unrelated services"
+ ewarn "from being able to read your private keys. You should"
+ ewarn "adjust your existing configuration to use the \"opendkim\""
+ ewarn "user and group, and change the permissions on"
+ ewarn "${ROOT}var/lib/opendkim to root:opendkim with mode 0750."
+ ewarn "The owner and group of the files within that directory"
+ ewarn "will likely need to be adjusted as well."
+ fi
+}
+
+pkg_config() {
+ local selector keysize pubkey
+
+ read -p "Enter the selector name (default ${HOSTNAME}): " selector
+ [[ -n "${selector}" ]] || selector=${HOSTNAME}
+ if [[ -z "${selector}" ]]; then
+ eerror "Oddly enough, you don't have a HOSTNAME."
+ return 1
+ fi
+ if [[ -f "${ROOT}"etc/opendkim/${selector}.private ]]; then
+ ewarn "The private key for this selector already exists."
+ else
+ keysize=1024
+ # generate the private and public keys
+ opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \
+ -s ${selector} -d '(your domain)' && \
+ chown opendkim:opendkim \
+ "${ROOT}"etc/opendkim/"${selector}".private || \
+ { eerror "Failed to create private and public keys." ; return 1; }
+ chmod go-r "${ROOT}"etc/opendkim/"${selector}".private
+ fi
+
+ # opendkim selector configuration
+ echo
+ einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
+ einfo " Keyfile /etc/opendkim/${selector}.private"
+ einfo " Selector ${selector}"
+
+ # MTA configuration
+ echo
+ einfo "If you are using Postfix, add following lines to your main.cf:"
+ einfo " smtpd_milters = unix:/var/run/opendkim/opendkim.sock"
+ einfo " non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock"
+ einfo " and read http://www.postfix.org/MILTER_README.html"
+
+ # DNS configuration
+ einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
+ cat "${ROOT}"etc/opendkim/${selector}.txt
+ einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
+ einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
+}
-- cgit v1.2.3-65-gdbad
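Review bot: pkg_config still hands the freshly generated private key to the daemon account with `chown opendkim:opendkim ... "${selector}".private` followed by `chmod go-r`, which leaves the key owner-writable by the very user the rest of this revision is trying to restrict (src_install now installs the directory as root:opendkim 0750 with a comment that the keys should be read-only to the daemon's UserID); `chown root:opendkim` and `chmod 0640` on the .private file would match that policy. pkg_setup calls `enewuser opendkim` with no preceding `enewgroup opendkim`, unlike the -r5 revision, so the `opendkim` group relied on by `fowners root:opendkim`, the init script and the unit file presumably depends on useradd creating a user-private group by default; an explicit `enewgroup opendkim` before `enewuser opendkim` would remove that dependence on login.defs. `keysize=1024` makes every new selector a 1024-bit RSA key, below the 2048 bits RFC 8301 recommends for signers, so `keysize=2048` is the safer default. Finally, `pubkey` in `local selector keysize pubkey` is never used.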