From 8fb71c916f648e79897e202076fc5447df07c991 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky
Date: Wed, 27 Mar 2019 12:53:38 -0400
Subject: mail-filter/opendkim: use /var/lib/opendkim in pkg_config.
The keys that are generated by opendkim-genkey are data, in a sense, and not configuration files. As a result, I think it's more appropriate to store them in /var/lib/opendkim than in /etc/opendkim where they were previously stored. This commit moves the keys, and also tightens the permissions on them a bit so that the "opendkim" user can only read them.
Signed-off-by: Michael Orlitzky
Package-Manager: Portage-2.3.62, Repoman-2.3.11
---
 mail-filter/opendkim/opendkim-2.10.3-r8.ebuild | 28 +++++++++++++++-----------
 1 file changed, 16 insertions(+), 12 deletions(-)
(limited to 'mail-filter')
diff --git a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
index c45d7104150b..f2e43b0041fa 100644
--- a/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
+++ b/mail-filter/opendkim/opendkim-2.10.3-r8.ebuild
@@ -55,7 +55,7 @@ src_prepare() {
 # We delete the "Socket" setting because it's overridden by our
 # conf.d file.
- sed -e 's:/var/db/dkim:/etc/opendkim:g' \
+ sed -e 's:/var/db/dkim:/var/lib/opendkim:g' \
 -e 's:/var/db/opendkim:/var/lib/opendkim:g' \
 -e 's:/etc/mail:/etc/opendkim:g' \
 -e 's:mailnull:opendkim:g' \
@@ -183,28 +183,32 @@ pkg_config() {
 local selector keysize pubkey
 read -p "Enter the selector name (default ${HOSTNAME}): " selector
- [[ -n "${selector}" ]] || selector=${HOSTNAME}
+ [[ -n "${selector}" ]] || selector="${HOSTNAME}"
 if [[ -z "${selector}" ]]; then
 eerror "Oddly enough, you don't have a HOSTNAME."
 return 1
 fi
- if [[ -f "${ROOT}"etc/opendkim/${selector}.private ]]; then
+ if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]; then
 ewarn "The private key for this selector already exists."
 else
 keysize=1024
- # generate the private and public keys
- opendkim-genkey -b ${keysize} -D "${ROOT}"etc/opendkim/ \
- -s ${selector} -d '(your domain)' && \
- chown opendkim:opendkim \
- "${ROOT}"etc/opendkim/"${selector}".private || \
- { eerror "Failed to create private and public keys." ; return 1; }
- chmod go-r "${ROOT}"etc/opendkim/"${selector}".private
+ # Generate the private and public keys. Note that opendkim-genkeys
+ # sets umask=077 on its own to keep these safe. However, we want
+ # them to be readable (only!) to the opendkim user, and we manage
+ # that by changing their groups and making everything group-readable.
+ opendkim-genkey -b ${keysize} -D "${ROOT}"var/lib/opendkim/ \
+ -s "${selector}" -d '(your domain)' && \
+ chgrp --no-dereference opendkim \
+ "${ROOT}var/lib/opendkim/${selector}".{private,txt} || \
+ { eerror "Failed to create private and public keys." ;
+ return 1; }
+ chmod g+r "${ROOT}var/lib/opendkim/${selector}".{private,txt}
 fi
 # opendkim selector configuration
 echo
 einfo "Make sure you have the following settings in your /etc/opendkim/opendkim.conf:"
- einfo " Keyfile /etc/opendkim/${selector}.private"
+ einfo " Keyfile /var/lib/opendkim/${selector}.private"
 einfo " Selector ${selector}"
 # MTA configuration
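Review bot: The `chmod g+r` on the last added line of the else-branch is the step that actually grants the opendkim group read access, yet unlike the genkey/chgrp chain above it is unchecked, so a failure leaves the key at the 0600 the new comment describes, unreadable by the opendkim user, while the einfo lines below still print the Keyfile instructions as if setup had succeeded; append `|| { eerror "Failed to set key permissions." ; return 1; }`. The existence test on the changed `if [[ -f "${ROOT}var/lib/opendkim/${selector}.private" ]]` line only looks at the new directory, so an install upgraded from the previous revision, whose keys live in /etc/opendkim per the removed lines, will generate a second key pair and point the user at it even though the public half already published in DNS belongs to the old one; testing `"${ROOT}etc/opendkim/${selector}.private"` as well and printing an ewarn about the move would avoid that. The new comment refers to `opendkim-genkeys` while the command invoked on the next line is `opendkim-genkey`. `keysize=1024` is unchanged context, but since this branch is being rewritten, 2048 is the size RFC 8301 recommends for newly generated DKIM keys. pkg_config begins before and ends after this hunk.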
@@ -216,7 +220,7 @@ pkg_config() {
 # DNS configuration
 einfo "After you configured your MTA, publish your key by adding this TXT record to your domain:"
- cat "${ROOT}"etc/opendkim/${selector}.txt
+ cat "${ROOT}var/lib/opendkim/${selector}.txt"
 einfo "t=y signifies you only test the DKIM on your domain. See following page for the complete list of tags:"
 einfo " http://www.dkim.org/specs/rfc4871-dkimbase.html#key-text"
 }
--
cgit v1.2.3-65-gdbad