--- dkimproxy-1.4.1.orig/debian/docs +++ dkimproxy-1.4.1/debian/docs @@ -0,0 +1,6 @@ +AUTHORS +README +smtpprox.ChangeLog +smtpprox.README +smtpprox.TODO +TODO --- dkimproxy-1.4.1.orig/debian/copyright +++ dkimproxy-1.4.1/debian/copyright 
@@ -0,0 +1,61 @@ +This package was debianized by Thomas Goirand on +Mon, 25 Feb 2008 04:27:49 +0000 + +Original source may be found at: http://dkimproxy.sourceforge.net/ + +Upstream Author: Jason Long , + +Uses code from smtpprox: + http://bent.latency.net/smtpprox/ + Bennett Todd + +and code from Mail::DomainKeys: + http://killa.net/infosec/Mail-DomainKeys/ + Anthony D. Urso + +Files: debian/* +Copyright: (C) 2008, 2009 Damien Mascord + (C) 2008, 2009 Thomas Goirand +License: LGPL-2.1 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 + USA + +File: * +Copyright: (C) 2005-2009 Jason Long + (C) 2001 Morgan Stanley Dean Witter + (C) 2005-2006 Messiah College +License: GPL v2 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. 
+ + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 + USA + +On Debian systems, the complete text of the GNU Lesser General Public +License v2.1 can be found in /usr/share/common-licenses/LGPL-2.1. + +On Debian systems, the complete text of the GNU Public License can be +found in /usr/share/common-licenses/GPL-2. --- dkimproxy-1.4.1.orig/debian/manpages +++ dkimproxy-1.4.1/debian/manpages @@ -0,0 +1,3 @@ +debian/man/dkimproxy.in.8 +debian/man/dkimproxy.out.8 +debian/man/dkim_responder.1 --- dkimproxy-1.4.1.orig/debian/dirs +++ dkimproxy-1.4.1/debian/dirs @@ -0,0 +1,4 @@ +etc/dkimproxy +var/lib/dkimproxy +usr/sbin +usr/share/perl5 --- dkimproxy-1.4.1.orig/debian/compat +++ dkimproxy-1.4.1/debian/compat @@ -0,0 +1 @@ +7 --- dkimproxy-1.4.1.orig/debian/defaults +++ dkimproxy-1.4.1/debian/defaults 
@@ -0,0 +1,52 @@ +# Default configuration for dkimproxy. + +# which daemons whould be run; anything other than '1' will disable a daemon +# default: 1 +#RUN_DKIMPROXY_OUT=1 +#RUN_DKIMPROXY_IN=1 + + + +# The following variables specify configuration to be passed as arguments to +# the dkimproxy daemons. If a variable is commented out, the default value +# within the /etc/init.d/dkimproxy script will be used. If a variable is unset +# or set to an empty value, the corresponding argument will be omitted from +# the dkimproxy command line, and dkimproxy is free to read a value from its +# own configuration file or use its own default value. + +# configuration file to use for dkimproxy.in +# default: "/etc/dkimproxy/dkimproxy_in.conf" +#DKIMPROXY_IN_CONF="/etc/dkimproxy/dkimproxy_in.conf" + +# configuration file to use for dkimproxy.out +# default: "/etc/dkimproxy/dkimproxy_out.conf" +#DKIMPROXY_OUT_CONF="/etc/dkimproxy/dkimproxy_out.conf" + +# user and group of the dkimproxy daemons +# default: dkimproxy +#DKIMPROXYUSER=dkimproxy +#DKIMPROXYGROUP=dkimproxy + +# private key to use for signing +# default: "/var/lib/dkimproxy/private.key" +#DKIMPROXY_OUT_PRIVKEY="/var/lib/dkimproxy/private.key" + +# hostname for verification "Authentication-Results" header +# Feel free to use hostname -f if that fits you, but then make +# sure that your DNS dkim key entry is setup accordingly with +# something like _domainkey.mx.example.com +# default: `hostname -d` +#DKIM_HOSTNAME=`hostname -d` + +# domains to sign for; specify multiple domains separated by commas +# default: `hostname -d` and domains parsed from /var/lib/dtc/etc/local_domains +#DOMAIN=`hostname -d` + +# Number of pre-forked process that dkimproxy should keep ready for action. +# The best value for performances is 5 on a single core server. It would +# seem reasonable to add at least one process per core on your server. 
+# Each process will take about 2MB of RAM, so with a value of 2 for both +# the in and the out daemon, dkimproxy will use 10/12 MB of RAM. +# default: 5 +#DKIMPROXY_IN_MIN_SERVERS=5 +#DKIMPROXY_OUT_MIN_SERVERS=5 --- dkimproxy-1.4.1.orig/debian/control +++ dkimproxy-1.4.1/debian/control @@ -0,0 +1,27 @@ +Source: dkimproxy +Section: mail +Priority: optional +Maintainer: Thomas Goirand +Build-Depends: debhelper (>= 7) +Build-Depends-Indep: autotools-dev, liberror-perl, libnet-server-perl, libmail-dkim-perl (>= 0.34) +Standards-Version: 3.9.1 +Vcs-Browser: http://git.debian.org/?p=users/zigo/dkimproxy.git +Vcs-Git: http://git.debian.org/git/users/zigo/dkimproxy.git +Homepage: http://dkimproxy.sourceforge.net/ + +Package: dkimproxy +Architecture: all +Depends: ${perl:Depends}, ${misc:Depends}, libtext-wrapper-perl, libmail-dkim-perl (>= 0.34), libnet-server-perl, adduser, ssl-cert, lsb-base, openssl, liberror-perl +Recommends: amavisd-new +Replaces: dkfilter +Conflicts: dkfilter +Description: an SMTP-proxy that signs and/or verifies emails, using the Mail::DKIM module + DKIMproxy is an SMTP-proxy that signs and/or verifies emails, using the + Mail::DKIM module. It is designed for Postfix, but should work with any mail + server. It comprises two separate proxies, an "outbound" proxy for signing + outgoing email, and an "inbound" proxy for verifying signatures of incoming + email (administrators can decide if they want to run both, or only one of + them). With Postfix, the proxies can operate as either Before-Queue or + After-Queue content filters, and they also can be chained with content + filter proxies like Amavis, which is the current default configuration of + the package. --- dkimproxy-1.4.1.orig/debian/rules +++ dkimproxy-1.4.1/debian/rules 
@@ -0,0 +1,95 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +DK_PKGNAME=dkimproxy + +config.status: configure + dh_testdir + cp -f /usr/share/misc/config.sub . + cp -f /usr/share/misc/config.guess . + # Note: this is quite hackish, but this is the most simple way that + # I have found to have this package install in /usr/share/perl5 + # directly without too much trouble. + ./configure --prefix=/usr --sysconfdir=/etc + +clean: + dh_testdir + dh_testroot + dh_clean + + [ ! -f Makefile ] || $(MAKE) distclean + rm -f config.sub config.guess + rm -f build-stamp debian/files config.status config.cache config.log + +install: config.status + dh_testdir + dh_testroot + dh_prep + dh_installdirs + + # Add here commands to install the package into debian/$DK_PKGNAME. + $(MAKE) DESTDIR=$(CURDIR)/debian/$(DK_PKGNAME) install + + # Remove double-defined man pages, since the upstream author generate some + # since version 1.2 + rm debian/dkimproxy/usr/share/man/man8/dkimproxy_in.8 debian/dkimproxy/usr/share/man/man8/dkimproxy_out.8 + + # I send these config files in /etc/dkimproxy even if BY DEFAULT the + # init script doesn't use them (just in case somebody wants to + # modify the init script) + mv $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy_in.conf.example $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_in.conf + mv $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy_out.conf.example $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + + # Set the port numbers as it used to be in Lenny, and as it is for + # Amavisd compatibility by default. 
+ sed -i "s/10026/10024/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_in.conf + sed -i "s/10025/10026/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_in.conf + sed -i "s/10028/10029/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + sed -i "s/10027/10028/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + + # Default in Lenny was postfix as selector name, so we keep it + sed -i "s/selector1/postfix/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + + # The key is given as parameter, so we don't want it in the config file AS WELL. + sed -i "s/keyfile/#keyfile/" $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + + # The perl libs have nothing to do in usr/lib ... + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/lib/* $(CURDIR)/debian/$(DK_PKGNAME)/usr/share/perl5 + rmdir $(CURDIR)/debian/$(DK_PKGNAME)/usr/lib + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkim_responder.pl $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkim_responder + + # These are deamons, they have nothing to do in /usr/bin !!! + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimproxy.in $(CURDIR)/debian/$(DK_PKGNAME)/usr/sbin + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimproxy.out $(CURDIR)/debian/$(DK_PKGNAME)/usr/sbin + + # Install the dkim default file + install -D -m 0644 debian/defaults $(CURDIR)/debian/$(DK_PKGNAME)/etc/default/dkimproxy + + +binary-indep: install + + dh_testdir + dh_testroot + dh_installchangelogs NEWS + dh_installdocs + dh_installexamples + dh_installinit + dh_installman --language=C + dh_link var/lib/dkimproxy/private.key etc/ssl/private/dkimproxy.key + dh_strip + dh_compress + dh_fixperms + dh_perl + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-arch: install + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary install --- dkimproxy-1.4.1.orig/debian/changelog +++ dkimproxy-1.4.1/debian/changelog 
@@ -0,0 +1,154 @@ +dkimproxy (1.4.1-3) unstable; urgency=low + + * Fixes the --conf_file= parameter in init script (LP: 706953). + + -- Thomas Goirand Thu, 24 Mar 2011 17:35:33 +0800 + +dkimproxy (1.4.1-2) unstable; urgency=low + + * Now deleting /var/lib/dkimproxy (containing our public and private key + pair) if postrm is called with purge argument (Closes: #618558). + + -- Thomas Goirand Sat, 19 Mar 2011 14:37:10 +0800 + +dkimproxy (1.4.1-1) unstable; urgency=low + + * New upstraem version. + * Standard-Version is now 3.9.1. + * Removed Dm-Upload-Allowed flag (as I'm a DD now...). + * Now depends on debhelper >= 7. + * Applied typo bugfix patch in /etc/default/dkimproxy and in init.d script + (Closes: #611516). + * Falls back to "localdomain" if no FQDN is setup correctly in the system + thanks to Corey Hickey (Closes: #611513). + * Exists silently if /usr/sbin/dkimproxy.{in,out} aren't found as executable + on the system (Closes: #595700). + * Added Vcs-Git and Vcs-Browser fields. + * debian/rules do not need to rm dkimverify.pl and dkimsign.pl anymore as + they are also removed upstream. + * Now using dh_prep instead of dh_clean -k. + + -- Thomas Goirand Tue, 15 Mar 2011 13:58:44 +0800 + +dkimproxy (1.2-7) unstable; urgency=low + + * Added a "picture" in the README.Debian to make it more easy to understand. + * Now using my zigo@debian.org email address as maintainer. + + -- Thomas Goirand Wed, 06 Oct 2010 18:08:05 +0800 + +dkimproxy (1.2-6) unstable; urgency=low + + * Correction for some Unix rights in the postinst. + + -- Thomas Goirand Tue, 22 Jun 2010 17:04:41 +0800 + +dkimproxy (1.2-5) unstable; urgency=low + + * v1.2-5: Now depends on the ssl-cert package. + * v1.2-5: Added the dkimproxy user to the ssl-cert group. + * v1.2-5: Using root:ssl-cert for the dkimproxy keys ownership + (Closes: #525665). 
+ * v1.2-5: Symlink /var/lib/dkimproxy/private.key and + /etc/ssl/private/dkimproxy.key + * v1.2-5: Bumped Standard-Version + * v1.2-5: Now shipping only one version of the daemons manpage, as since the + upstream author generate its own it was shipped twice in dkimproxy 1.2-x. + * v1.2-4: Fixed the $DOMAIN part of the init.d script. + * v1.2-4: Corrected a typo in debian/defaults + * v1.2-4: Added --min_servers param description in the dkimproxy manpage. + * v1.2-4: Added DKIMPROXY_{IN,OUT}_MIN_SERVERS option in debian/defaults and + the init.d script now uses it. Default is set to 5, which is optimized for + a single core server, as discuss in upstream mailinglist. + + -- Thomas Goirand Wed, 19 May 2010 16:07:50 +0800 + +dkimproxy (1.2-3) unstable; urgency=low + + * v1.2-1: + - New upstream version. + - This new version removes dkimverify and dkimsign as they are already in + the libmail-dkim-perl package in a newer version, also now, man pages of + dkimproxy are referencing the pages of libmail-dkim-perl (Closes: #539497). + - Fixes the README.Debian (Closes: #534650) + - Fixed the watch file according to the new download page. + - Now there's a /etc/default/dkimproxy where you can decide which proxy to + start (dkimproxy.in, dkimproxy.out or both), where you store the private + key for outbound signing, which username to run the daemon under, and + what domain to use for signing (Closes: #519220, #493816). + * v1.2-2: + - Sets the parameters back like where they was in the Lenny version. + * v1.2-3 + - hostname -d is now the default again for outgoing signing, as it's + otherwise breaking previous installs and that it really seems to be the + obvious "normal" setup with _domainkey.example.com holding the key entry. + + -- Thomas Goirand Thu, 17 Dec 2009 14:01:29 +0800 + +dkimproxy (1.0.1-8.1) unstable; urgency=medium + + * Non-maintainer upload. 
+ * Rename /usr/bin/dkimsign to dkimproxy-sign to avoid conflict with + python-dkim dkimsign (Closes: #511037) + - Rename debian/man/dkimsign.1 to dkimproxy-sign + - Update debian/manpages + - Correct references to dkimsign.1 in the packages other man pages + + -- Scott Kitterman Mon, 12 Jan 2009 22:49:01 -0500 + +dkimproxy (1.0.1-8) unstable; urgency=low + + * Added a patch given by upstream so that dkimproxy continues to work if + syslogd is not running. + * Renamed /usr/bin/dkimverify to dkimproxy-verify so it doesn't conflicts + with dkimverify from python-dkim (Closes: #509045). + + -- Thomas Goirand Fri, 19 Dec 2008 18:03:22 +0800 + +dkimproxy (1.0.1-7) unstable; urgency=low + + * Better Unix rights for the keys in /var/lib/dkimproxy + + -- Thomas Goirand Mon, 18 Aug 2008 13:08:09 +0800 + +dkimproxy (1.0.1-6) unstable; urgency=low + + * The previous version was introducing a bug in the init script (a space + missing in the dkimproxy.out arguments), this corrects it. + + -- Thomas Goirand Sat, 19 Apr 2008 04:23:49 +0000 + +dkimproxy (1.0.1-5) unstable; urgency=low + + * dkimproxy now runs under the privileges of it's user, and the private key + has now lower rights so only root can read it (Closes: #476576). + + -- Thomas Goirand Fri, 18 Apr 2008 08:21:14 +0000 + +dkimproxy (1.0.1-4) unstable; urgency=low + + * Now uses the port 10024 by default, as this is the one of Amavis. + * Now recommends Amavis + + -- Thomas Goirand Fri, 11 Apr 2008 10:58:01 +0000 + +dkimproxy (1.0.1-3) unstable; urgency=low + + * Now uses a config file (Closes: #473882). + + -- Thomas Goirand Sun, 6 Apr 2008 16:56:47 +0800 + +dkimproxy (1.0.1-2) unstable; urgency=low + + * Now search for the start-stop-daemon in /sbin by default, as it's not + always in the current path (case of DTC restarting dkimproxy in it's + cron job). 
+ + -- Thomas Goirand Wed, 26 Mar 2008 18:11:18 +0800 + +dkimproxy (1.0.1-1) unstable; urgency=low + + * Initial release (Closes: #468287) + + -- Thomas Goirand Mon, 25 Feb 2008 04:27:49 +0000 + --- dkimproxy-1.4.1.orig/debian/watch +++ dkimproxy-1.4.1/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://sf.net/dkimproxy/dkimproxy-(.+)\.tar\.gz --- dkimproxy-1.4.1.orig/debian/init.d +++ dkimproxy-1.4.1/debian/init.d 
@@ -0,0 +1,224 @@ +#!/bin/sh +# +# Copyright (C) 2005 Messiah College. +# Copyright (C) 2008 Thomas Goirand + +### BEGIN INIT INFO +# Provides: dkimproxy +# Required-Start: $local_fs $remote_fs +# Required-Stop: $local_fs $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Domain key filter init script +# Description: dkimproxy is an SMTP-proxy designed for Postfix. It +# implements DKIM message signing and verification. +# It comprises two separate filters, an "outbound" filter +# for signing outgoing email, and an "inbound" filter for +# verifying signatures of incoming email. The filters can +# operate as either Before-Queue or After-Queue Postfix +# content filters. +### END INIT INFO + +. /lib/lsb/init-functions + +if [ -e /etc/default/dkimproxy ] ; then + . /etc/default/dkimproxy +fi + +### START OF CONFIGURATION READINGS FROM /etc/default/dkimproxy ### +# Check if dkimproxy in or out has been disabled +RUN_DKOUT=1 +RUN_DKIN=1 +if [ -n "${RUN_DKIMPROXY_OUT}" ] ; then + if ! [ ${RUN_DKIMPROXY_OUT} -eq 1 ] ; then + RUN_DKOUT=0 + fi +fi +if [ -n "${RUN_DKIMPROXY_IN}" ] ; then + if ! [ "${RUN_DKIMPROXY_IN}" -eq 1 ] ; then + RUN_DKIN=0 + fi +fi + +# Check if the path to dkimproxy in or out has been overwritten +DKIN_CONF=/etc/dkimproxy/dkimproxy_in.conf +DKOUT_CONF=/etc/dkimproxy/dkimproxy_out.conf +if [ -n "${DKIMPROXY_IN_CONF}" ] ; then + DKIN_CONF=${DKIMPROXY_IN_CONF} +fi +if [ -n "${DKIMPROXY_OUT_CONF}" ] ; then + DKOUT_CONF=${DKIMPROXY_OUT_CONF} +fi + +# Check if the path to the private key has been overwritten +# In fact, if no value, then set the default... +if [ -z "${DKIMPROXY_OUT_PRIVKEY}" ] ; then + DKIMPROXY_OUT_PRIVKEY="/var/lib/dkimproxy/private.key" +fi + +# Set the default number of process to prefork. 
+if [ -z "${DKIMPROXY_IN_MIN_SERVERS}" ] ; then + DKIMPROXY_IN_MIN_SERVERS=5 +fi +if [ -z "${DKIMPROXY_OUT_MIN_SERVERS}" ] ; then + DKIMPROXY_OUT_MIN_SERVERS=5 +fi + +# Check if the path to the hostname has been overwritten +# In fact, if no value, then set the default... +if [ -z "${DKIM_HOSTNAME}" ] ; then + DKIM_HOSTNAME=`hostname -d` +fi +if [ -z "${DKIM_HOSTNAME}" ] ; then + echo 'Warning: no domain name from `hostname -d`, using "localdomain".' + DKIM_HOSTNAME=localdomain +fi + +# Get the host domains dynamically. You can change this to the location where +# you have your virtual table here, or best: ehance this script to support more +# situations with packages others than DTC +HOST_DOMAIN=${DKIM_HOSTNAME} +if [ -z "${DOMAIN}" ] ; then + if [ -f /var/lib/dtc/etc/local_domains ] ; then + DTC_DOMAIN=`cat /var/lib/dtc/etc/local_domains | grep -v ^${HOST_DOMAIN} | tr \\\r\\\n ,,` + else + DTC_DOMAIN="" + fi +fi +DOMAIN=${DTC_DOMAIN}${HOST_DOMAIN} + +# Configure usernames to run under +if [ -z "${DKIMPROXYUSER}" ] ; then + DKIMPROXYUSER=dkimproxy +fi +if [ -z "${DKIMPROXYGROUP}" ] ; then + DKIMPROXYGROUP=dkimproxy +fi + +### END OF CONFIGURATION READINGS FROM /etc/default/dkimproxy ### + +DKIMPROXY_IN_BIN="/usr/sbin/dkimproxy.in" +DKIMPROXY_OUT_BIN="/usr/sbin/dkimproxy.out" +PIDDKIMPROXY_IN="/var/run/dkimproxy.in" +PIDDKIMPROXY_OUT="/var/run/dkimproxy.out" + +COMMON_ARGS="--user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP} --daemonize" +DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} --conf_file=${DKIN_CONF} ${COMMON_ARGS} --pidfile=${PIDDKIMPROXY_IN} --min_servers=${DKIMPROXY_IN_MIN_SERVERS}" +DKIMPROXY_OUT_ARGS="--domain=${DOMAIN} --method=simple --conf_file=${DKOUT_CONF} --keyfile=${DKIMPROXY_OUT_PRIVKEY} ${COMMON_ARGS} --pidfile=${PIDDKIMPROXY_OUT} --signature=dkim --signature=domainkeys --min_servers=${DKIMPROXY_OUT_MIN_SERVERS}" + +if [ -x /sbin/start-stop-daemon ] ; then + STRT_STP_DMN=/sbin/start-stop-daemon +else + STRT_STP_DMN=`which start-stop-daemon` +fi 
+if [ -z "${STRT_STP_DMN}" ] ; then + echo "Can't find the start-stop-daemon binary" +fi + +case "$1" in +start) + START_ERROR=0 + RETVAL=0 + if [ -x ${DKIMPROXY_IN_BIN} ] ; then + if [ "${RUN_DKIN}" -eq 1 ] ; then + log_daemon_msg "Starting inbound DomainKeys-filter" "dkimproxy.in" + #echo "${DKIMPROXY_IN_BIN} ${DKIMPROXY_IN_ARGS}" + ${DKIMPROXY_IN_BIN} ${DKIMPROXY_IN_ARGS} + RETVAL=$? + START_ERROR=${RETVAL} + log_end_msg ${RETVAL} + if ! [ "${RETVAL}" -eq 0 ] ; then + exit ${RETVAL} + fi + else + echo "DomainKeys-filter dkimproxy.in disabled in /etc/default/dkimproxy" + fi + fi + + if [ -x ${DKIMPROXY_OUT_BIN} ] ; then + if [ "${RUN_DKOUT}" -eq 1 ] ; then + log_daemon_msg "Starting outbound DomainKeys-signing" "dkimproxy.out" + #echo ${DKIMPROXY_OUT_BIN} ${DKIMPROXY_OUT_ARGS} + ${DKIMPROXY_OUT_BIN} ${DKIMPROXY_OUT_ARGS} + #${STRT_STP_DMN} --background --make-pidfile --start -p ${PIDDKIMPROXY_OUT} -u ${DKIMPROXYUSER} -g ${DKIMPROXYGROUP} -x ${DKIMPROXY_OUT_BIN} -- ${DKIMPROXY_OUT_ARGS} + RETVAL=$? + log_end_msg ${RETVAL} + else + echo "DomainKeys-signing dkimproxy.out disabled in /etc/default/dkimproxy" + fi + fi + if ! [ "${RETVAL}" -eq 0 -a "${START_ERROR}" -eq 0 ] ; then + if ! [ ${START_ERROR} -eq 0 ] ; then + echo "Error ${START_ERROR} when starting ${DKIMPROXY_IN_BIN}" + fi + if ! [ "${RETVAL}" -eq 0 ] ; then + echo "Error ${RETVAL} when starting ${DKIMPROXY_OUT_BIN}" + fi + fi + ;; + +stop) + RETVALIN=0 + RETVALOUT=0 + if [ -x ${DKIMPROXY_IN_BIN} ] ; then + if [ "${RUN_DKIN}" -eq 1 ] ; then + log_daemon_msg "Shutting down inbound DomainKeys-filter" "dkimproxy.in" + if [ -f "${PIDDKIMPROXY_IN}" ] ; then + kill `cat ${PIDDKIMPROXY_IN}` + RETVALIN=$? 
+ else + echo -n " ${PIDDKIMPROXY_IN} not found " + RETVALIN=1 + fi + log_end_msg ${RETVALIN} + else + echo "DomainKeys-filter dkimproxy.in disabled in /etc/default/dkimproxy" + fi + fi + if [ -x ${DKIMPROXY_OUT_BIN} ] ; then + if [ "${RUN_DKOUT}" -eq 1 ] ; then + log_daemon_msg "Shutting down outbound DomainKeys-filter" "dkimproxy.out" + if [ -f "${PIDDKIMPROXY_OUT}" ] ; then + kill `cat ${PIDDKIMPROXY_OUT}` + RETVALOUT=$? + else + echo -n " ${PIDDKIMPROXY_OUT} not found " + RETVALOUT=1 + fi + log_end_msg ${RETVALOUT} + else + echo "DomainKeys-signing dkimproxy.out disabled in /etc/default/dkimproxy" + fi + fi + rm -f "${PIDDKIMPROXY_IN}" "${PIDDKIMPROXY_OUT}" + if ! [ ${RETVALIN} -eq 0 -a ${RETVALOUT} -eq 0 ]; then + if ! [ ${RETVALIN} -eq 0 ] ; then + echo "Error ${RETVALIN} when shutting down ${PIDDKIMPROXY_IN}" + fi + if ! [ "${RETVALOUT}" -eq 0 ] ; then + echo "Error ${RETVALOUT} when shutting down ${PIDDKIMPROXY_OUT}" + fi + fi + ;; +force-reload) + $0 stop + sleep 1 + $0 start + ;; +reload) + $0 stop + sleep 1 + $0 start + ;; +restart) + $0 stop + sleep 1 + $0 start + ;; +*) + echo "Usage: $0 {start|stop|restart|reload|force-reload}" + exit 1 + ;; +esac + +exit 0 --- dkimproxy-1.4.1.orig/debian/postrm +++ dkimproxy-1.4.1/debian/postrm @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +# If purging, then we should delete the folder containing our keys +if [ "$1" = "purge" ] ; then + rm -rf /var/lib/dkimproxy +fi + +#DEBHELPER# + +exit 0 --- dkimproxy-1.4.1.orig/debian/README.Debian +++ dkimproxy-1.4.1/debian/README.Debian 
@@ -0,0 +1,174 @@ +dkimproxy for Debian +-------------------- + +This is some general notes about using dkproxy under Debian, this also includes +notes for integration with Amavisd. Note that if you use dkimproxy with DTC, +everything will be be configured for you, so you don't need to read this file. + +IMPORTANT: Note that you will NEED to have either Amavis or Postfix listening +to the port 10024 so that dkimproxy.in can send the filtered messages back to +your MTA. Please read further. + +1) General principle when using DKIMproxy +----------------------------------------- + +DKIMproxy is in fact an SMTP server by itself. The way to use it is to have +it bind to a port, so that postfix sends emails to it for scanning/signing. + +When it come to signing, it's done the following way. Ports are written +bellow each programs for a better understanding. + +Postfix----->Dkimproxy----->Postfix + 25 + 587 in=10027 in=10029 + 10027 out=10029 + +As for incoming emails, if you use DKIMproxy without a content scanner +(like Amavis), it goes like this: + +Postfix----->Dkimproxy----->Postfix + 25 in=10026 10024 +out=10026 out=10024 + +If you want to use a content filter, then you should do this way: + +Postfix----->Dkimproxy----->Amavis------------------>Postfix + 25 in=10026 | |---->ClamAV 10028 +out=10026 out=10024 ------->SpamAssassin + in=10024 + out=10028 + +If you resepect the above, you will not have to change any of the default ports +for DKIMproxy or Amavis, so it is recommended to not change these ports. + +What's below will describe how to configure postfix in order to have what is +above up and running. This does not covers how to setup amavis, clamav or +spamassassin. It covers postfix only, but you might be able to use dkimproxy +with any MTA that supports inbound and outbound SMTP proxies. 
+ +2) Setting-up the outbound signing system +----------------------------------------- +2.a) master.cf addition: +------------------------ +# +# specify the location of the DomainKeys signing filter +# +dkimsign unix - - n - 10 smtp + -o smtp_send_xforward_command=yes + -o smtp_discard_ehlo_keywords=8bitmime + +# +# service for accepting messages FROM the DomainKeys signing filter +# as every checks must have been performed before sending emails to +# the signer proxy, we overwrite all restrictions and allow all. +# +127.0.0.1:10029 inet n - n - 10 smtpd + -o content_filter= + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + +# +# modify the default submission service to specify a content filter +# and restrict it to local clients and SASL authenticated clients only +# +submission inet n - n - - smtpd + -o smtpd_etrn_restrictions=reject + -o smtpd_sasl_auth_enable=yes + -o content_filter=dkimsign:[127.0.0.1]:10028 + -o receive_override_options=no_address_mappings + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + + +# For Postfix to sign mails sent out using Webmails or other locally delivered mail +pickup fifo n - n 60 1 pickup + -o content_filter=dkimsign:127.0.0.1:10028 + +2.b) main.cf addition: +---------------------- +Then in your main.cf, add: +content_filter=dkimsign:[127.0.0.1]:10028 + +This will use dkimsign as content filter, always, and we will overwrite it for +inbound checking (see later). 
+ +3) Installation of inbound checking without amavisd-new (or other filters): +--------------------------------------------------------------------------- +3.a) Addition to master.cf: +--------------------------- +Stuff to add to /etc/postfix/master.cf to add inbound filtering: +# +# Before-filter SMTP server. Receive mail from the network and +# pass it to the content filter on localhost port 10026. +# +smtp inet n - n - - smtpd + -o smtpd_proxy_filter=127.0.0.1:10026 + -o smtpd_client_connection_count_limit=5 + +3.b) Setting-up amavisd-new in master.cf: +----------------------------------------- +If you are running amavis, then you might have something like this: + +smtp-amavis unix - - - - 2 smtp + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + -o disable_dns_lookups=yes + -o max_use=20 + +127.0.0.1:10025 inet n - - - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks + + + +4) For integration with amavisd-new: +------------------------------------ +a) Apply the following configuration to the /etc/postfix/master.cf: +------------------------------------------------------------------- + +b) Add the following to the last smtpd_recipient_restrictions stanza : +---------------------------------------------------------------------- +This is to be put before the last permit: + +check_sender_access regexp:/etc/postfix/filter_10026_catchall + +Create the file /etc/postfix/filter_10026_catchall with the following contents: +/^/ FILTER 
dkimsign:[127.0.0.1]:10026 + +c) Change the default filter action to be the signing filter: +------------------------------------------------------------- +The dkimsign verification, for incoming mail, is done as a FILTER applied to +the recipient restrictions: + +content_filter = smtp-amavis:[127.0.0.1]:10028 + +4) Other info for DKIMproxy +--------------------------- +This code will generate the domainkey entry for your DNS: + +#!/bin/sh + +KEY=`grep -v "PUBLIC" /var/lib/dkimproxy/public.key | tr -d \\n` +SELECTOR=postfix +DOMAIN=packrat.datalexsin.local +NSRECORD="$SELECTOR._domainkey IN TXT \"k=rsa; p=$KEY; t=y\"" +echo $NSRECORD + + -- Damien Mascord Mon, 18 Feb 2008 06:16:06 +0000 --- dkimproxy-1.4.1.orig/debian/postinst +++ dkimproxy-1.4.1/debian/postinst 
@@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +case "$1" in + configure) + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# add the user and group for dkimproxy to operate +addgroup --system dkimproxy +adduser --system dkimproxy --ingroup dkimproxy --home /var/lib/dkimproxy --no-create-home + +# if we don't have a private key yet in /var/lib/dkimproxy/private.key, generate a private and public key +if [ ! -e /var/lib/dkimproxy/private.key ]; then + openssl genrsa -out /var/lib/dkimproxy/private.key 1024 + openssl rsa -in /var/lib/dkimproxy/private.key -pubout -out /var/lib/dkimproxy/public.key +fi +# Make sure it's not world readable, but still accessible by both dkimproxy and the ssl-cert group +chmod 644 /var/lib/dkimproxy/public.key +chmod 640 /var/lib/dkimproxy/private.key +if getent group ssl-cert >/dev/null ; then + adduser dkimproxy ssl-cert || true + chown root:ssl-cert /var/lib/dkimproxy/public.key /var/lib/dkimproxy/private.key + chown dkimproxy:ssl-cert /var/lib/dkimproxy +else + chown root:dkimproxy /var/lib/dkimproxy/public.key /var/lib/dkimproxy/private.key +fi + +#DEBHELPER# + +exit 0 --- dkimproxy-1.4.1.orig/debian/man/dkimproxy.in.8 +++ dkimproxy-1.4.1/debian/man/dkimproxy.in.8 
@@ -0,0 +1,117 @@ +.TH dkimproxy.in 8 + +.SH NAME +dkimproxy.in \- SMTP proxy for verifying DKIM signatures + +.SH DESCRIPTION + +dkimproxy.in listens on the IP address and TCP port specified by its +first argument (the "listen" port), and sends the traffic it receives +onto the second argument (the "relay" port), with messages getting +verified and having an "Authentication\-Results" header added to them. + +.SH SYNOPSIS + + dkimproxy.in [options] LISTENADDR:PORT RELAYADDR:PORT + smtp options: + \-\-conf_file=FILENAME + \-\-listen=LISTENADDR:PORT + \-\-relay=RELAYADDR:PORT + \-\-reject\-error + + verification options: + \-\-reject\-fail + \-\-hostname=HOSTNAME + + daemon options: + \-\-daemonize + \-\-user=USER + \-\-group=GROUP + \-\-pidfile=PIDFILE + \-\-min_servers=NUM + +.SH OPTIONS + +.B \-\-daemonize + +If specified, the server will run in the background. + +.B \-\-group=GROUP + +If specified, the daemonized process will setgid() to the specified GROUP. + +.B \-\-hostname=HOSTNAME + +Overrides the hostname used in the Authentication\-Results header. +This header gets added to every verified message. +Use this option if the hostname that appears is not fully qualified +or you want to use an alternate name. + +.B \-\-pidfile=PIDFILE + +Creates a PID file (a file containing the PID of the process) for +the daemonized process. This makes it possible to check the status +of the process, and to cleanly shut it down. + +.B \-\-reject\-error + +This option specifies what to do if an error occurs during verification +of a message. If this option is specified, the message will be rejected +with an SMTP error code. This will result in the MTA sending the message +to try again later, or bounce it back to the sender (depending on the +exact error code used). If this option is not specified, the message +will be passed through with an error listed in the Authentication\-Results +header instead of the verification results. 
+ +.B \-\-reject-fail + +This option specifies what to do if verification fails and the sender +signing policy says to reject the message. If this option is specified, +the message will be rejected with an SMTP error code. +This will result in the sending MTA to +bounce the message back to the sender. If this option is not specified, +the message will pass through as normal. + +.B \-\-user=USER + +If specified, the daemonized process will setuid() to USER after +completing any necessary privileged operations, but before accepting +connections. + +.B \-\-min_servers=NUM + +Number of process that DKIMproxy shall spawn and get ready for filtering. + +.SH EXAMPLE + +For example, if dkimproxy.in is started with: + + dkimproxy.in \-\-reject\-fail \-\-reject\-error 127.0.0.1:10025 127.0.0.1:10026 + +the proxy will listen on port 10025 and send the verified messages to +some other SMTP service on port 10026. + +.SH CONFIGURATION FILE + +Parameters can be stored in a separate file instead of specifying +them all on the command line. Use the conf_file option to specify +the path to the configuration file, e.g. + + dkimproxy.in \-\-conf_file=/etc/dkimproxy_in.conf + +The format of the configuration file is one option per line: +name of the option, space, then the value of the option. E.g. + + # this is an example config file + listen 127.0.0.1:10025 + relay 127.0.0.1:10026 + hostname myhost.example.com + reject_fail + +is equivalent to + + dkimproxy.out \-\-hostname=myhost.example.com \-\-reject\-fail \ + 127.0.0.1:10025 127.0.0.1:10026 + +.SH "SEE ALSO" +dkimproxy.out(8), dkim_responder(1), dkimsign(1), dkimverify(1) --- dkimproxy-1.4.1.orig/debian/man/dkimproxy.out.8 +++ dkimproxy-1.4.1/debian/man/dkimproxy.out.8 
@@ -0,0 +1,202 @@ +.TH dkimproxy.out 8 + +.SH NAME +dkimproxy.out \- SMTP proxy for adding DKIM signatures to email + +.SH DESCRIPTION + +dkimproxy.out listens on the IP address and TCP port specified by its +first argument (the "listen" port), and sends the traffic it receives +onto the second argument (the "relay" port), with messages getting +modified to have a DKIM or DomainKeys signature. + +.SH SYNOPSIS + + dkimproxy.out [options] \-\-keyfile=FILENAME \-\-selector=SELECTOR \ + \-\-domain=DOMAIN LISTENADDR:PORT RELAYADDR:PORT + smtp options: + \-\-conf_file=FILENAME + \-\-listen=LISTENADDR:PORT + \-\-relay=RELAYADDR:PORT + \-\-reject\-error + + signing options: + \-\-signature=dkim|domainkeys + \-\-keyfile=FILENAME + \-\-selector=SELECTOR + \-\-method=simple|nowsp|relaxed|nofws + \-\-domain=DOMAIN + + daemon options: + \-\-daemonize + \-\-user=USER + \-\-group=GROUP + \-\-pidfile=PIDFILE + \-\-min_servers=NUM + + dkimproxy.out \-\-help + to see a full description of the various options + +.SH OPTIONS + +.B \-\-daemonize + +If specified, the server will run in the background. + +.B \-\-domain=DOMAIN + +Use this argument to specify what domain(s) you can sign for. You may +specify multiple domains by separating them with commas. If a single +domain is specified, DKIMproxy will always use that domain to sign, +if it can. If multiple domains are specified, DKIMproxy will try to +match the domain to the message's sender, and only generate a signature +that will match the sender's domain. + +.B \-\-group=GROUP + +If specified, the daemonized process will setgid() to the specified GROUP. + +.B \-\-keyfile=FILENAME + +This is a required argument. Use it to specify the filename containing +the private key used in signing outgoing messages. For messages to +verify, you will need to publish the corresponding public key in +DNS, using the selector name specified by C<\-\-selector>, under +the domain(s) specified in C<\-\-domain>. 
+ +.B \-\-method=simple|nowsp|relaxed|nofws + +This option specifies the canonicalization algorithm to use for signing +messages. For DKIM signatures, the options are C, C, or +C; the default is C. For DomainKeys signatures, the +options are C and C; the default is C. + +.B \-\-pidfile=PIDFILE + +Creates a PID file (a file containing the PID of the process) for +the daemonized process. This makes it possible to check the status +of the process, and to cleanly shut it down. + +.B \-\-reject\-error + +This option specifies what to do if an error occurs during signing +of a message. If this option is specified, the message will be rejected +with an SMTP error code. This will result in the MTA sending the message +to try again later, or bounce it back to the sender (depending on the +exact error code used). If this option is not specified, the message +will be allowed to pass through without having a signature added. + +.B \-\-selector=SELECTOR + +This is a required argument. Use it to specify the name of the key +selector. + +.B \-\-sender_map=FILENAME + +If specified, the named file provides signature parameters depending +on what sender is found in the message. See the section below titled +L. + +.B \-\-signature=dkim|domainkeys + +This specifies what type of signature to add. Use C to sign with +IETF standardized DKIM signatures. Use C to sign with +the older, but more common, Yahoo! DomainKeys signatures. +The default is C. + +This parameter can be specified more than once to add more than one +signature to the message. In addition, per signature parameters can be +specified by enclosing the comma separated options in parenthesis after +the signature type, e.g. + + \-\-signature=dkim(c=relaxed,key=private.key) + +The syntax for specifying per signature options is described in more +detail in the section below titled L. 
+ +.B \-\-user=USER + +If specified, the daemonized process will setuid() to USER after +completing any necessary privileged operations, but before accepting +connections. + +.B \-\-min_servers=NUM + +Number of process that DKIMproxy shall spawn and get ready for signing. + +.SH EXAMPLE + +For example, if dkimproxy.out is started with: + + dkimproxy.out \-\-keyfile=private.key \-\-selector=postfix \ + \-\-domain=example.org 127.0.0.1:10027 127.0.0.1:10028 + +the proxy will listen on port 10027 and send the signed messages to +some other SMTP service on port 10028. + +.SH CONFIGURATION FILE + +Parameters can be stored in a separate file instead of specifying +them all on the command line. Use the C option to specify +the path to the configuration file, e.g. + + dkimproxy.out \-\-conf_file=/etc/dkimproxy_out.conf + +The format of the configuration file is one option per line: +name of the option, space, then the value of the option. E.g. + + # this is an example config file + domain example.org,example.com + keyfile private.key + selector postfix + signature dkim + +is equivalent to + + dkimproxy.out \-\-domain=example.org,example.com \-\-keyfile=private.key \ + \-\-selector=postfix \-\-signature=dkim + +.SH SENDER MAP FILE + +If you want to use different signature properties depending on the +sender of the message being signed, use a "sender map file". This +is a lookup file containing sender email addresses on the left +and signature properties on the right. E.g. + + # sign my mail with a EXAMPLE.COM dkim signature + jason@long.name dkim(d=example.com) + + # sign WIDGET.EXAMPLE mail with a default domainkeys signature + widget.example domainkeys + + # sign EXAMPLE.ORG mail with both a domainkeys and dkim signature + example.org dkim(c=relaxed,a=rsa\-sha256), domainkeys(c=nofws) + +Right hand values in a sender map file is a comma separated list of +signature types. Each signature type may have a comma separated list +of parameters enclosed in parenthesis. 
The following signature +parameters are recognized: + +.B key + +the private key file to use + +.B a + +the algorithm to use + +.B c + +the canonicalization method to use + +.B d + +the domain to use, default is to use the domain matched + +.B s + +the selector to use + +.SH "SEE ALSO" + +dkimproxy.in(8), dkim_responder(8), dkimsign(8), dkimverify(8) --- dkimproxy-1.4.1.orig/debian/man/dkim_responder.1 +++ dkimproxy-1.4.1/debian/man/dkim_responder.1 @@ -0,0 +1,10 @@ +.TH dk_responder 1 + +.SH NAME +dk_responder \- filters incoming email traffic according to the domain keys specifications + +.SH DESCRIPTION +This man page is a stub, please contribute + +.SH "SEE ALSO" +dkimproxy.in(8), dkimproxy.out(8), dkimsign(1), dkimverify(1) --- dkimproxy-1.4.1.orig/debian/source/format +++ dkimproxy-1.4.1/debian/source/format @@ -0,0 +1 @@ +1.0
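Review bot: in debian/postinst, `openssl genrsa -out /var/lib/dkimproxy/private.key 1024` writes the private key under whatever umask the script inherited, and the `chmod 640` only runs afterwards, so the key can be readable by other local users for a short window. Set `umask 077` before the generation step, or generate into a file that is already created with a restrictive mode. The 1024-bit modulus is also small for a signing key whose public half is published in DNS; I would ask for 2048. Two further points in the same hunk: the addgroup/adduser/key-generation steps sit after the `case`, so they also run for abort-upgrade, abort-remove and abort-deconfigure and would be better placed under `configure)`; and in the ssl-cert branch the key ends up root:ssl-cert with mode 640, which gives read access to every member of ssl-cert rather than to dkimproxy alone, and the `else` branch never sets ownership on /var/lib/dkimproxy itself.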
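Review bot: in debian/man/dkimproxy.in.8, the CONFIGURATION FILE section closes with "is equivalent to dkimproxy.out \-\-hostname=myhost.example.com \-\-reject\-fail", which names the signing proxy inside the verifier's man page; it should read dkimproxy.in. In the same file `.B \-\-reject-fail` leaves the second hyphen unescaped, unlike `\-\-reject\-error` and the SYNOPSIS entry, and the sentence "This will result in the sending MTA to bounce the message" needs rewording. The SEE ALSO line cites dkim_responder(1), dkimsign(1) and dkimverify(1), while dkimproxy.out.8 cites the same pages in section 8; one of the two is wrong and they should agree.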
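Review bot: in debian/man/dkimproxy.out.8, the conversion from POD left markup behind and dropped the text it wrapped, so the page is missing information an operator needs. Under \-\-method it reads "the options are C, C, or C; the default is C" (and the same for DomainKeys), under \-\-signature "Use C to sign with ... The default is C.", \-\-sender_map and \-\-signature both end with "the section below titled L.", \-\-keyfile still carries `C<\-\-selector>` and `C<\-\-domain>`, and CONFIGURATION FILE says "Use the C option". Please restore the option names, defaults and section titles from the upstream POD and mark them up with roff font macros. Also, \-\-sender_map is documented under OPTIONS but is absent from the SYNOPSIS, and "Right hand values in a sender map file is" should be "are".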
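Review bot: in debian/man/dkim_responder.1, `.TH dk_responder 1` and the NAME line both say dk_responder, while the file is dkim_responder.1 and the other man pages in this patch reference dkim_responder; the title and NAME entry should use the installed name so that the whatis/apropos index matches the page. The DESCRIPTION is a stub ("please contribute"), so at minimum a one-line synopsis of how the program is invoked would make the page worth shipping.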