commit:     8fb71c916f648e79897e202076fc5447df07c991
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 27 16:53:38 2019 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Wed Mar 27 17:18:09 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fb71c91

mail-filter/opendkim: use /var/lib/opendkim in pkg_config.

The keys that are generated by opendkim-genkey are data, in a sense,
and not configuration files. As a result, I think it's more appropriate
to store them in /var/lib/opendkim than in /etc/opendkim where they were
previously stored. This commit moves the keys, and also tightens the
permissions on them a bit so that the "opendkim" user can read them (via the
opendkim group) but not modify them; they remain owned by root.

Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/opendkim/opendkim-2.10.3-r8.ebuild | 28 +++++++++++++++-----------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild 
b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
index c45d7104150..f2e43b0041f 100644
--- a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
+++ b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
@@ -55,7 +55,7 @@ src_prepare() {
 
        # We delete the "Socket" setting because it's overridden by our
        # conf.d file.
-       sed -e 's:/var/db/dkim:/etc/opendkim:g' \
+       sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
                -e 's:/var/db/opendkim:/var/lib/opendkim:g' \
                -e 's:/etc/mail:/etc/opendkim:g' \
                -e 's:mailnull:opendkim:g' \
@@ -183,28 +183,32 @@ pkg_config() {
        local selector keysize pubkey
 
        read -p "Enter the selector name (default ${HOSTNAME}): " selector
-       [[ -n "${selector}" ]] || selector=${HOSTNAME}
+       [[ -n "${selector}" ]] || selector="${HOSTNAME}"
        if [[ -z "${selector}" ]]; then
                eerror "Oddly enough, you don't have a HOSTNAME."
                return 1
        fi
-       if [[ -f "${ROOT}"etc/opendkim/${selector}.private ]]; then
+       if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]; then
                ewarn "The private key for this selector already exists."
        else
                keysize=1024
-               # generate the private and public keys
-               opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \
-                       -s ${selector} -d '(your domain)' && \
-                       chown opendkim:opendkim \
-                       "${ROOT}"etc/opendkim/"${selector}".private || \
-                               { eerror "Failed to create private and public 
keys." ; return 1; }
-               chmod go-r "${ROOT}"etc/opendkim/"${selector}".private
+               # Generate the private and public keys. Note that 
opendkim-genkeys
+               # sets umask=077 on its own to keep these safe. However, we want
+               # them to be readable (only!) to the opendkim user, and we 
manage
+               # that by changing their groups and making everything 
group-readable.
+               opendkim-genkey -b ${keysize} -D "${ROOT}"var/lib/opendkim/ \
+                       -s "${selector}" -d '(your domain)' && \
+                       chgrp --no-dereference opendkim \
+                                 
"${ROOT}var/lib/opendkim/${selector}".{private,txt} || \
+                               { eerror "Failed to create private and public 
keys." ;
+                                 return 1; }
+               chmod g+r "${ROOT}var/lib/opendkim/${selector}".{private,txt}
        fi
 
        # opendkim selector configuration
        echo
        einfo "Make sure you have the following settings in your 
/etc/opendkim/opendkim.conf:"
-       einfo "  Keyfile /etc/opendkim/${selector}.private"
+       einfo "  Keyfile /var/lib/opendkim/${selector}.private"
        einfo "  Selector ${selector}"
 
        # MTA configuration
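Review bot: The rewritten `opendkim-genkey -b ${keysize}` line still generates a 1024-bit RSA key from the unchanged `keysize=1024` above it; RFC 8301 recommends that signers use 2048-bit keys, so `keysize=2048` would be a better default for a freshly generated key. The `chmod g+r` that follows grants read access to every member of the opendkim group rather than to the opendkim user alone as the commit message says, which is presumably equivalent on a stock install but is worth stating in the new comment, and an explicit mode would not rely on the umask the comment attributes to opendkim-genkey. That chmod is also outside the `&& … ||` chain, so a failure there is silent; `chmod 0640 "${ROOT}var/lib/opendkim/${selector}".{private,txt} || { eerror "Failed to set key permissions."; return 1; }` keeps the error handling consistent with the genkey/chgrp step. pkg_config starts before this hunk and continues past it.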
@@ -216,7 +220,7 @@ pkg_config() {
 
        # DNS configuration
        einfo "After you configured your MTA, publish your key by adding this 
TXT record to your domain:"
-       cat "${ROOT}"etc/opendkim/${selector}.txt
+       cat "${ROOT}var/lib/opendkim/${selector}.txt"
        einfo "t=y signifies you only test the DKIM on your domain. See 
following page for the complete list of tags:"
        einfo "  http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text";
 }
