Bug 153922 - ebuild for mail-filter/dkim-milter

Bug#: 153922
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Other
Status: RESOLVED
Severity: enhancement
Priority: P2
Resolution: FIXED
Assigned To: dragonheart@gentoo.org
Reported By: eray.aslan@caf.com.tr
Component: Ebuilds
URL: http://sourceforge.net/projects/dkim-milter/
Summary: ebuild for mail-filter/dkim-milter
Keywords: REQUEST
Status Whiteboard:
Opened: 2006-11-03 05:04 0000

With added support in Postfix 2.3 for a milter protocol, it became possible to
use with Postfix many of existing milters (mail filters) that were originally
developed with sendmail in mind. Two popular ones are dkim-milter offering
support for DomainKeys Identified Mail (DKIM) Signatures, and dk-milter,
offering support for Domain-based Email Authentication (DomainKeys).
Gentoo has an ebuild for dk-milter but not for the (more advanced?)
dkim-milter.
Are the Domainkeys and DKIM keys the same? I'm asking since you included the
key generator from dk-milter.
Also, it would be good to change the bug summary to "mail-filter/dkim-milter
ebuild" or something like that.
(In reply to comment #9)
> Are the Domainkeys and DKIM keys the same? I'm asking since you included the
> key generator from dk-milter.
The key specs are the same AFAIK. I don't see any reason why one would want to
use different keys for dk-milter and dkim-milter. It would result in an extra
DNS lookup on the receiving side. gentxt.sh is just a shell script to generate
the keys. Run it twice with different $selector values if you want to use
different keys for dk-milter and dkim-milter.
> Also, it would be good to change the bug summary to "mail-filter/dkim-milter
> ebuild" or something like that.
Done.
Can you get the dkim-filter to sign and verify?
I have set up domainkey and only domainkeys signs here, even though dkim has -b sv.
There is a 0.6.0 now, if that matters with my problem. Nice that you did the
hard work on the initial ebuild here, let's make it stable together.
(In reply to comment #11)
> Can you get the dkim-filter to sign and verify?
You can use dkim-milter to sign and verify DKIM signatures. If you cannot,
check your mail flow and MTA settings.
If on the other hand, you want to use dkim-milter to verify domainkeys
signatures, you need to copy libdk directory (from dk-milter) and change a few
config files. In other words, it is possible but I didn't bother with it
because I ran into problems with dk-milter on amd64. Another mail server with
x86 arch is signing the domainkeys signatures for us.
You can also use dev-perl/Mail-DKIM to verify domainkeys signatures if you are
using spamassassin.
> I have set up domainkey and only domainkeys signs here, even though dkim has -b sv.
> There is a 0.6.0 now, if that matters with my problem. Nice that you did the
> hard work on the initial ebuild here, let's make it stable together.
Attached is the ebuild I use for dkim-milter-0.7.1
I think the configuration directory should be set to dkim-filter. If anyone is
using dk-filter they can use a symbolic link.
(In reply to comment #21)
> I think the configuration directory should be set to dkim-filter. If anyone is
> using dk-filter they can use a symbolic link.
Well, it's up to the devs really but I agree now that dkim-milter looks like
the way to go rather than dk-milter. Trivial change. Will upload the files.
Works for me(tm) on amd64.
many thanks Eray,
Added with a couple of changes. Please tell me if you disagree with any.
thoughts - given it could be an incoming only service there is really no need
to enforce a key creation in the init script?
(In reply to comment #32)
> many thanks Eray,
> Added with a couple of changes. Please tell me if you disagree with any.
Thanks for the commit. Version 2.3.0 is out by the way.
> thoughts - given it could be an incoming only service there is really no need
> to enforce a key creation in the init script?
Perhaps you can make key creation optional with a local USE flag? Anyway, I
think either way is fine.
> Thanks for the commit. Version 2.3.0 is out by the way.
k added. Must have just missed that release.
>
> > thoughts - given it could be an incoming only service there is really no need
> > to enforce a key creation in the init script?
>
> Perhaps you can make key creation optional with a local USE flag? Anyway, I
> think either way is fine.
My preference would be an init script that does a warning (disabled with a
conf.d option) when validating only.
Haven't had the effort to implement this of course.
(In reply to comment #35)
> > Perhaps you can make key creation optional with a local USE flag? Anyway, I
> > think either way is fine.
> My preference would be an init script that does a warning (disabled with a
> conf.d option) when validating only.
I am not sure if I understand you correctly but attached (lightly tested)
dkim-filter.init and dkim-filter.conf files will not refuse to start with key
file missing error if dkim-milter is in verify only mode.
You will have to comment out the line that forces key generation for all users
in the dkim ebuild. Hence key generation will be optional and will be left to
the sysadmin.
Please comment if this was not what you were asking.
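
A sketch of the start-up check discussed in the last comments, added here as an example; it is not the attached dkim-filter.init, which is not reproduced on this page. The function name, its arguments and the key path passed to it are assumptions; only the mode letters given to -b ("s" for sign, "v" for verify) come from the thread. It requires a key only when signing is enabled, warns (optionally silenced) in verify-only mode, and refuses a private key that group or other can access.

```shell
# Added example: hypothetical pre-start check for a dkim-filter init script.
# Usage: dkim_prestart_check MODES KEYFILE [QUIET]
#   MODES   - the string passed to -b, e.g. "sv", "s" or "v"
#   KEYFILE - path to the private signing key (assumed location)
#   QUIET   - "yes" silences the verify-only warning (conf.d-style switch)
# Returns 0 when the daemon may start, 1 when it should refuse.
dkim_prestart_check() {
    modes=$1
    keyfile=$2
    quiet=${3:-no}

    # Reject empty strings and anything other than the letters s and v.
    case $modes in
        ''|*[!sv]*)
            echo "dkim-filter: invalid mode string '$modes'" >&2
            return 1 ;;
    esac

    case $modes in
        *s*)
            # Signing requested: the key must exist and be readable.
            if [ ! -r "$keyfile" ]; then
                echo "dkim-filter: signing enabled but key '$keyfile' is missing" >&2
                return 1
            fi
            # Columns 5-10 of "ls -l" are the group and other permission bits;
            # a private key should grant neither any access.
            perms=$(ls -ld "$keyfile" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "dkim-filter: key '$keyfile' is accessible to group/other" >&2
                return 1
            fi
            ;;
        *)
            # Verify-only (incoming mail): no key is needed, so only warn.
            [ "$quiet" = yes ] || \
                echo "dkim-filter: verify-only mode, starting without a signing key" >&2
            ;;
    esac
    return 0
}
```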