From 36fba0b438ef8f5f7c2f2f8127711a917f95c59d Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 5 Nov 2018 19:36:10 +0100
Subject: [PATCH] committing changes in /etc after apt run

Package changes:
+dns-root-data 2018013001 all
+libevent-2.1-6 2.1.8-stable-4build1 amd64
+liblua5.1-0 5.1.5-8.1build2 amd64
+libmemcached11 1.0.18-4.2 amd64
+libmilter1.0.1 8.15.2-10 amd64
+libopendbx1 1.4.6-11 amd64
+libopendbx1-sqlite3 1.4.6-11 amd64
+libopendkim11 2.11.0~alpha-11build1 amd64
+librbl1 2.11.0~alpha-11build1 amd64
+libunbound2 1.6.7-1ubuntu2.2 amd64
+libvbr2 2.11.0~alpha-11build1 amd64
+opendkim 2.11.0~alpha-11build1 amd64
+opendkim-tools 2.11.0~alpha-11build1 amd64
---
 .etckeeper | 10 +
 default/opendkim | 22 +++
 dkimkeys/README.PrivateKeys | 14 ++
 group | 1 +
 group- | 1 +
 gshadow | 1 +
 gshadow- | 1 +
 init.d/opendkim | 177 ++++++++++++++++++
 mail/m4/opendkim.m4 | 2 +
 opendkim.conf | 80 ++++++++
 passwd | 1 +
 passwd- | 3 +-
 rc0.d/K01opendkim | 1 +
 rc1.d/K01opendkim | 1 +
 rc2.d/S01opendkim | 1 +
 rc3.d/S01opendkim | 1 +
 rc4.d/S01opendkim | 1 +
 rc5.d/S01opendkim | 1 +
 rc6.d/K01opendkim | 1 +
 shadow | 1 +
 shadow- | 1 +
 .../multi-user.target.wants/opendkim.service | 1 +
 22 files changed, 322 insertions(+), 1 deletion(-)
 create mode 100644 default/opendkim
 create mode 100644 dkimkeys/README.PrivateKeys
 create mode 100755 init.d/opendkim
 create mode 100644 mail/m4/opendkim.m4
 create mode 100644 opendkim.conf
 create mode 120000 rc0.d/K01opendkim
 create mode 120000 rc1.d/K01opendkim
 create mode 120000 rc2.d/S01opendkim
 create mode 120000 rc3.d/S01opendkim
 create mode 120000 rc4.d/S01opendkim
 create mode 120000 rc5.d/S01opendkim
 create mode 120000 rc6.d/K01opendkim
 create mode 120000 systemd/system/multi-user.target.wants/opendkim.service

diff --git a/.etckeeper b/.etckeeper
index 9c5da7130..405eadfb6 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -517,6 +517,7 @@ maybe chmod 0644 'default/locale'
 maybe chmod 0644 'default/motd-news'
 maybe chmod 0644 'default/networkd-dispatcher'
 maybe chmod 0644 'default/nss'
+maybe chmod 0644 'default/opendkim'
 maybe chmod 0644 'default/redis-server'
 maybe chmod 0644 'default/rsync'
 maybe chmod 0644 'default/rsyslog'
@@ -536,6 +537,10 @@ maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/timesyncd'
 maybe chmod 0644 'dhcp/dhclient.conf'
 maybe chmod 0755 'dictionaries-common'
 maybe chmod 0644 'dictionaries-common/ispell-default'
+maybe chown 'opendkim' 'dkimkeys'
+maybe chgrp 'opendkim' 'dkimkeys'
+maybe chmod 0700 'dkimkeys'
+maybe chmod 0644 'dkimkeys/README.PrivateKeys'
 maybe chmod 0755 'dovecot'
 maybe chmod 0770 'dovecot/dovecot-sql.conf'
 maybe chmod 0644 'dovecot/dovecot.conf'
@@ -709,6 +714,7 @@ maybe chmod 0755 'init.d/irqbalance'
 maybe chmod 0755 'init.d/keyboard-setup.sh'
 maybe chmod 0755 'init.d/kmod'
 maybe chmod 0755 'init.d/mysql'
+maybe chmod 0755 'init.d/opendkim'
 maybe chmod 0755 'init.d/plymouth'
 maybe chmod 0755 'init.d/plymouth-log'
 maybe chmod 0755 'init.d/postfix'
@@ -990,6 +996,9 @@ maybe chmod 0644 'ltrace.conf'
 maybe chmod 0444 'machine-id'
 maybe chmod 0644 'magic'
 maybe chmod 0644 'magic.mime'
+maybe chmod 0755 'mail'
+maybe chmod 0755 'mail/m4'
+maybe chmod 0644 'mail/m4/opendkim.m4'
 maybe chmod 0644 'mailcap'
 maybe chmod 0644 'mailcap.order'
 maybe chmod 0644 'mailname'
@@ -1036,6 +1045,7 @@ maybe chmod 0755 'newt'
 maybe chmod 0644 'newt/palette.original'
 maybe chmod 0644 'newt/palette.ubuntu'
 maybe chmod 0644 'nsswitch.conf'
+maybe chmod 0644 'opendkim.conf'
 maybe chmod 0755 'opt'
 maybe chmod 0644 'pam.conf'
 maybe chmod 0755 'pam.d'
diff --git a/default/opendkim b/default/opendkim
new file mode 100644
index 000000000..ffb2a021e
--- /dev/null
+++ b/default/opendkim
@@ -0,0 +1,22 @@
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+# Change to /var/spool/postfix/var/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/var/run/opendkim
+RUNDIR=/var/run/opendkim
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
diff --git a/dkimkeys/README.PrivateKeys b/dkimkeys/README.PrivateKeys
new file mode 100644
index 000000000..1e9104aa7
--- /dev/null
+++ b/dkimkeys/README.PrivateKeys
@@ -0,0 +1,14 @@
+This directory is for storing private keys associated with DKIM signing with
+opendkim.
+
+Here is advice from upstream
+
+(4) Store the private key in a safe place. We generally use a path like
+ /var/db/dkim/SELECTOR.key.pem (where "SELECTOR" is the name you chose).
+ The /var/db/dkim directory and the associated .pem file should be owned by
+ the user that will be executing the filter (preferably not the
+ superuser) and be mode 0700 and 0600 respectively.
+
+In Debian, we use /etc/dkimkeys by default and the directory permissions and
+ownership are set correctly. Ensure that the private key is owned by the
+opendkim user and the permissions are 0600.
diff --git a/group b/group
index 45a6cbda0..7ca7f3174 100644
--- a/group
+++ b/group
@@ -56,3 +56,4 @@ postdrop:x:116:
 vmail:x:1000:
 dovecot:x:117:
 dovenull:x:118:
+opendkim:x:119:
diff --git a/group- b/group-
index ce507e6da..45a6cbda0 100644
--- a/group-
+++ b/group-
@@ -55,3 +55,4 @@ postfix:x:115:
 postdrop:x:116:
 vmail:x:1000:
 dovecot:x:117:
+dovenull:x:118:
diff --git a/gshadow b/gshadow
index 27e115e9a..c8eccb7b9 100644
--- a/gshadow
+++ b/gshadow
@@ -56,3 +56,4 @@ postdrop:!::
 vmail:!::
 dovecot:!::
 dovenull:!::
+opendkim:!::
diff --git a/gshadow- b/gshadow-
index e9f947bc9..27e115e9a 100644
--- a/gshadow-
+++ b/gshadow-
@@ -55,3 +55,4 @@ postfix:!::
 postdrop:!::
 vmail:!::
 dovecot:!::
+dovenull:!::
diff --git a/init.d/opendkim b/init.d/opendkim
new file mode 100755
index 000000000..c4b8b08c7
--- /dev/null
+++ b/init.d/opendkim
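Review bot: `gshadow` and `gshadow-` here, and `shadow` and `shadow-` later in this patch, are tracked by etckeeper, so the repository and every patch exported from it carry the password fields of the whole file, not just the lines in the hunk. The entries visible in these hunks are locked (`!` and `*`), but the rest of each file is outside the hunk and may hold real hashes. Treat the repository like the shadow file itself: keep `.git` readable by root only and do not push or mail it to a place other users can read.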
@@ -0,0 +1,177 @@
+#! /bin/sh
+#
+### BEGIN INIT INFO
+# Provides: opendkim
+# Required-Start: $syslog $time $local_fs $remote_fs $named $network
+# Required-Stop: $syslog $time $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start the OpenDKIM service
+# Description: Enable DKIM signing and verification provided by OpenDKIM
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/opendkim
+NAME=opendkim
+DESC="OpenDKIM"
+
+# How long to wait for the process to die on stop/restart
+stoptimeout=5
+
+test -x $DAEMON || exit 0
+
+# Include LSB provided init functions
+. /lib/lsb/init-functions
+
+
+
+# Include opendkim defaults if available
+if [ -f /etc/default/opendkim ] ; then
+ . /etc/default/opendkim
+fi
+
+pathfind() {
+ OLDIFS="$IFS"
+ IFS=:
+ for p in $PATH; do
+ if [ -x "$p/$*" ]; then
+ IFS="$OLDIFS"
+ return 0
+ fi
+ done
+ IFS="$OLDIFS"
+ return 1
+}
+
+USER=$USER
+GROUP=$GROUP
+PIDFILE=$RUNDIR/$NAME.pid
+
+if [ -f /etc/opendkim.conf ]; then
+ CONFIG_SOCKET=`awk '$1 == "Socket" { print $2 }' /etc/opendkim.conf`
+fi
+
+# This can be set via Socket option in config file, so it's not required
+if [ -n "$SOCKET" -a -z "$CONFIG_SOCKET" ]; then
+ DAEMON_OPTS="-p $SOCKET $DAEMON_OPTS"
+fi
+
+DAEMON_OPTS="-x /etc/opendkim.conf -u $USER -P $PIDFILE $DAEMON_OPTS"
+
+start() {
+ # Create the run directory if it doesn't exist
+ if [ ! -d "$RUNDIR" ]; then
+ install -o "$USER" -g "$GROUP" -m 755 -d "$RUNDIR" || exit 2
+ if pathfind restorecon; then restorecon "$RUNDIR"
+ fi
+ fi
+ # Clean up stale sockets
+ if [ -f "$PIDFILE" ]; then
+ pid=`cat $PIDFILE`
+ if ! ps -C "$NAME" -s "$pid" >/dev/null; then
+ rm "$PIDFILE"
+ TMPSOCKET=""
+ if [ -n "$SOCKET" ]; then
+ TMPSOCKET="$SOCKET"
+ elif [ -n "$CONFIG_SOCKET" ]; then
+ TMPSOCKET="$CONFIG_SOCKET"
+ fi
+ if [ -n "$TMPSOCKET" ]; then
+ # UNIX sockets may be specified with or without the
+ # local: prefix; handle both
+ t=`echo $SOCKET | cut -d: -f1`
+ s=`echo $SOCKET | cut -d: -f2`
+ if [ -e "$s" -a -S "$s" ]; then
+ if [ "$t" = "$s" -o "$t" = "local" ]; then
+ rm "$s"
+ fi
+ fi
+ fi
+ fi
+ fi
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test -- $DAEMON_OPTS || exit 1
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- $DAEMON_OPTS || exit 2
+ # Detect exit status 78 (configuration error)
+ ret=$?
+ if [ $ret -eq 78 ]; then
+ echo "See /usr/share/doc/opendkim/README.Debian for help"
+ echo "Starting for DKIM verification only"
+ DAEMON_OPTS="-b v $DAEMON_OPTS"
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- $DAEMON_OPTS
+ exit 0
+ elif [ $ret -ne 0 ]; then
+ exit $ret
+ fi
+}
+
+stop() {
+ start-stop-daemon --stop --retry "$stoptimeout" --exec "$DAEMON"
+ [ "$?" = 2 ] && exit 2
+}
+
+reload() {
+ start-stop-daemon --stop --signal USR1 --exec "$DAEMON"
+}
+
+status() {
+ local pidfile daemon name status
+
+ pidfile=
+ OPTIND=1
+ while getopts p: opt ; do
+ case "$opt" in
+ p) pidfile="$OPTARG";;
+ esac
+ done
+ shift $(($OPTIND - 1))
+
+ if [ -n "$pidfile" ]; then
+ pidfile="-p $pidfile"
+ fi
+ daemon="$1"
+ name="$2"
+
+ status="0"
+ pidofproc $pidfile $daemon >/dev/null || status="$?"
+ if [ "$status" = 0 ]; then
+ log_success_msg "$name is running"
+ return 0
+ else
+ log_failure_msg "$name is not running"
+ exit $status
+ fi
+}
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ start
+ echo "$NAME."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ stop
+ echo "$NAME."
+ ;;
+ restart)
+ echo -n "Restarting $DESC: "
+ stop
+ start
+ echo "$NAME."
+ ;;
+ reload|force-reload)
+ echo -n "Restarting $DESC: "
+ reload
+ echo "$NAME."
+ ;;
+ status)
+ status $DAEMON $NAME
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/mail/m4/opendkim.m4 b/mail/m4/opendkim.m4
new file mode 100644
index 000000000..bf9edfaf3
--- /dev/null
+++ b/mail/m4/opendkim.m4
@@ -0,0 +1,2 @@
+INPUT_MAIL_FILTER(`opendkim',
+ `S=local:/var/run/opendkim/opendkim.sock, F=, T=S:4m;R:4m;E:10m')dnl
diff --git a/opendkim.conf b/opendkim.conf
new file mode 100644
index 000000000..afc808ccd
--- /dev/null
+++ b/opendkim.conf
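Review bot: In `start()` of init.d/opendkim the stale-socket cleanup picks `TMPSOCKET` from `$SOCKET` or `$CONFIG_SOCKET` but then parses `$SOCKET`, so when `SOCKET` is unset in /etc/default/opendkim a socket named only by `Socket` in /etc/opendkim.conf is never removed after an unclean exit; the two lines should read `t=$(echo "$TMPSOCKET" | cut -d: -f1)` and `s=$(echo "$TMPSOCKET" | cut -d: -f2)`. The second `start-stop-daemon --start` call ends in `|| exit 2`, so `ret=$?` can only ever see 0 and the exit-status-78 fallback to verification-only mode looks unreachable; dropping `|| exit 2` on that line would let the `ret` checks run. The script runs as root while `$RUNDIR` is created owned by `$USER`, so the unquoted `$PIDFILE` in the `pid=` assignment is also worth quoting.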
@@ -0,0 +1,80 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+Socket local:/var/run/opendkim/opendkim.sock
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
diff --git a/passwd b/passwd
index a8c627bd3..4d76b66da 100644
--- a/passwd
+++ b/passwd
@@ -30,3 +30,4 @@ postfix:x:110:115::/var/spool/postfix:/usr/sbin/nologin
 vmail:x:1000:1000:vmail,,,:/var/vmail:/bin/bash
 dovecot:x:111:117:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
 dovenull:x:112:118:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+opendkim:x:113:119::/var/run/opendkim:/usr/sbin/nologin
diff --git a/passwd- b/passwd-
index 53643b517..4d76b66da 100644
--- a/passwd-
+++ b/passwd-
@@ -29,4 +29,5 @@ lool:x:109:114::/opt/lool:/usr/sbin/nologin
 postfix:x:110:115::/var/spool/postfix:/usr/sbin/nologin
 vmail:x:1000:1000:vmail,,,:/var/vmail:/bin/bash
 dovecot:x:111:117:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
-dovenull:x:112:118::/nonexistent:/usr/sbin/nologin
+dovenull:x:112:118:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+opendkim:x:113:119::/var/run/opendkim:/usr/sbin/nologin
diff --git a/rc0.d/K01opendkim b/rc0.d/K01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc0.d/K01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc1.d/K01opendkim b/rc1.d/K01opendkim
new file mode 120000
index 000000000..9ade01c15
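Review bot: opendkim.conf sets `UMask 007` together with `Socket local:/var/run/opendkim/opendkim.sock`, which leaves the milter socket reachable only by the `opendkim` user and group, yet the `group` hunk in this commit adds `opendkim:x:119:` with no members. If Postfix is the MTA, its user presumably has to be added to that group before it can connect; doing that keeps access narrower than relaxing `UMask`. `Domain`, `KeyFile` and `Selector` are still commented out, so no signing key is configured; when one is added it should sit under `dkimkeys`, owned by `opendkim` with mode 0600, as README.PrivateKeys in this commit describes.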
--- /dev/null
+++ b/rc1.d/K01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc2.d/S01opendkim b/rc2.d/S01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc2.d/S01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc3.d/S01opendkim b/rc3.d/S01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc3.d/S01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc4.d/S01opendkim b/rc4.d/S01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc4.d/S01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc5.d/S01opendkim b/rc5.d/S01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc5.d/S01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/rc6.d/K01opendkim b/rc6.d/K01opendkim
new file mode 120000
index 000000000..9ade01c15
--- /dev/null
+++ b/rc6.d/K01opendkim
@@ -0,0 +1 @@
+../init.d/opendkim
\ No newline at end of file
diff --git a/shadow b/shadow
index 1ab330a14..30015a157 100644
--- a/shadow
+++ b/shadow
@@ -30,3 +30,4 @@ postfix:*:17836:0:99999:7:::
 vmail:!:17840:0:99999:7:::
 dovecot:*:17840:0:99999:7:::
 dovenull:*:17840:0:99999:7:::
+opendkim:*:17840:0:99999:7:::
diff --git a/shadow- b/shadow-
index 1ab330a14..30015a157 100644
--- a/shadow-
+++ b/shadow-
@@ -30,3 +30,4 @@ postfix:*:17836:0:99999:7:::
 vmail:!:17840:0:99999:7:::
 dovecot:*:17840:0:99999:7:::
 dovenull:*:17840:0:99999:7:::
+opendkim:*:17840:0:99999:7:::
diff --git a/systemd/system/multi-user.target.wants/opendkim.service b/systemd/system/multi-user.target.wants/opendkim.service
new file mode 120000
index 000000000..fc6cd89ac
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/opendkim.service
@@ -0,0 +1 @@
+/lib/systemd/system/opendkim.service
\ No newline at end of file
-- 
2.43.0