From: "Michael Orlitzky"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michael Orlitzky"
Message-ID: <1553707089.8fb71c916f648e79897e202076fc5447df07c991.mjo@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: mail-filter/opendkim/
X-VCS-Repository: repo/gentoo
X-VCS-Files: mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
X-VCS-Directories: mail-filter/opendkim/
X-VCS-Committer: mjo
X-VCS-Committer-Name: Michael Orlitzky
X-VCS-Revision: 8fb71c916f648e79897e202076fc5447df07c991
X-VCS-Branch: master
Date: Wed, 27 Mar 2019 17:19:05 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 05b8dc35-703e-49be-844e-80d5b9ce3033
X-Archives-Hash: acf8461984979b6a135f3268f1a4bdb5

commit:     8fb71c916f648e79897e202076fc5447df07c991
Author:     Michael Orlitzky gentoo org>
AuthorDate: Wed Mar 27 16:53:38 2019 +0000
Commit:     Michael Orlitzky gentoo org>
CommitDate: Wed Mar 27 17:18:09 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fb71c91

mail-filter/opendkim: use /var/lib/opendkim in pkg_config.

The keys that are generated by opendkim-genkey are data, in a sense, and
not configuration files. As a result, I think it's more appropriate to
store them in /var/lib/opendkim than in /etc/opendkim where they were
previously stored. This commit moves the keys, and also tightens the
permissions on them a bit so that the "opendkim" user can only read them.

Signed-off-by: Michael Orlitzky gentoo.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/opendkim/opendkim-2.10.3-r8.ebuild | 28 +++++++++++++++-----------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild index c45d7104150..f2e43b0041f 100644 --- a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild +++ b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild @@ -55,7 +55,7 @@ src_prepare() { # We delete the "Socket" setting because it's overridden by our # conf.d file. - sed -e 's:/var/db/dkim:/etc/opendkim:g' \ + sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \ -e 's:/var/db/opendkim:/var/lib/opendkim:g' \ -e 's:/etc/mail:/etc/opendkim:g' \ -e 's:mailnull:opendkim:g' \ 
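Review bot: after this change the two expressions `-e 's:/var/db/dkim:/var/lib/opendkim:g'` and `-e 's:/var/db/opendkim:/var/lib/opendkim:g'` rewrite the shipped sample config to the same directory, which is what we want (the installed opendkim.conf examples now agree with the `Keyfile /var/lib/opendkim/...` line pkg_config prints later in this patch), but they could be collapsed into one expression, e.g. `-e 's:/var/db/\(dkim\|opendkim\):/var/lib/opendkim:g'`, so the two paths cannot drift apart again. Separately, nothing in this hunk shows the ebuild creating /var/lib/opendkim or giving the opendkim group traverse rights on it; worth confirming in src_install, because the group-readable key files pkg_config produces are unusable if the directory itself is root-only.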
@@ -183,28 +183,32 @@ pkg_config() { local selector keysize pubkey read -p "Enter the selector name (default ${HOSTNAME}): " selector - [[ -n "${selector}" ]] || selector=${HOSTNAME} + [[ -n "${selector}" ]] || selector="${HOSTNAME}" if [[ -z "${selector}" ]]; then eerror "Oddly enough, you don't have a HOSTNAME." return 1 fi - if [[ -f "${ROOT}"etc/opendkim/${selector}.private ]]; then + if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]; then ewarn "The private key for this selector already exists." else keysize=1024 - # generate the private and public keys - opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \ - -s ${selector} -d '(your domain)' && \ - chown opendkim:opendkim \ - "${ROOT}"etc/opendkim/"${selector}".private || \ - { eerror "Failed to create private and public keys." ; return 1; } - chmod go-r "${ROOT}"etc/opendkim/"${selector}".private + # Generate the private and public keys. Note that opendkim-genkeys + # sets umask=077 on its own to keep these safe. However, we want + # them to be readable (only!) to the opendkim user, and we manage + # that by changing their groups and making everything group-readable. + opendkim-genkey -b ${keysize} -D "${ROOT}"var/lib/opendkim/ \ + -s "${selector}" -d '(your domain)' && \ + chgrp --no-dereference opendkim \ + "${ROOT}var/lib/opendkim/${selector}".{private,txt} || \ + { eerror "Failed to create private and public keys." ; + return 1; } + chmod g+r "${ROOT}var/lib/opendkim/${selector}".{private,txt} fi # opendkim selector configuration echo einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:" - einfo " Keyfile /etc/opendkim/${selector}.private" + einfo " Keyfile /var/lib/opendkim/${selector}.private" einfo " Selector ${selector}" # MTA configuration 
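Review bot: the new comment says "opendkim-genkeys" but the command invoked two lines below is `opendkim-genkey`; fix the name so the note about its umask=077 behaviour points at the right tool. More importantly, the existence check was moved to `[[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]` with no look at the old location, so an installation that already has `${selector}.private` in /etc/opendkim from an earlier pkg_config run will get a fresh key generated under the same selector and be told to change Keyfile, while the TXT record already published in DNS still carries the old public key; suggest also testing `-f "${ROOT}etc/opendkim/${selector}.private"` and emitting an ewarn that tells the admin to move the existing pair (or refusing to regenerate) so the published record keeps matching the key in use. Two smaller points in the same block: the quoting is inconsistent between `-D "${ROOT}"var/lib/opendkim/` and `"${ROOT}var/lib/opendkim/${selector}".{private,txt}`, pick one form; and the unchanged `keysize=1024` default sits right next to the touched lines, so while here it would be worth bumping it to 2048 (or prompting for it), since RFC 8301 says DKIM signers SHOULD use at least 2048-bit RSA keys. The failure handling itself looks right: if `chgrp` fails after genkey succeeded, the files stay at the umask-077 defaults (root-only), which fails safe.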
@@ -216,7 +220,7 @@ pkg_config() { # DNS configuration einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:" - cat "${ROOT}"etc/opendkim/${selector}.txt + cat "${ROOT}var/lib/opendkim/${selector}.txt" einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:" einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text" }
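Review bot: the quoting fix on `cat "${ROOT}var/lib/opendkim/${selector}.txt"` is correct and consistent with the rest of the patch, and `cat` of the now 0640 root:opendkim file works because pkg_config runs as root; it would help admins to also einfo the file path itself, since the record now lives outside /etc where they are less likely to look for it later. Since the DNS-instruction block is being edited anyway, the unchanged `http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text` link points at the obsolete RFC 4871; RFC 6376 (Section 3.6.1) is the current definition of the key-record tags.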