With added support in Postfix 2.3 for a milter protocol, it became possible to use with Postfix many of the existing milters (mail filters) that were originally developed with sendmail in mind. Two popular ones are dkim-milter, offering support for DomainKeys Identified Mail (DKIM) Signatures, and dk-milter, offering support for Domain-based Email Authentication (DomainKeys). Gentoo has an ebuild for dk-milter but not for the (more advanced?) dkim-milter.
Created attachment 104854: ebuild for dkim-milter-0.5.2
Created attachment 104855: generic conf.d file to be placed under files directory for the dkim-milter ebuild
Created attachment 104856: generic init.d file to be placed under files directory for the dkim-milter ebuild
Created attachment 104857: helps the user create keys. taken from dk-milter ebuild. place under files dir as well
Created attachment 104859: patch file for dkim-milter/Makefile.m4
Created attachment 104860: patch file for libdkim/Makefile.m4
Created attachment 104861: patch file for libdkim/Makefile.m4
(In reply to comment #7)
> Created an attachment (id=104861)
> patch file for libdkim/Makefile.m4
Sorry for the duplicate file. Anyway that is all the files needed for the ebuild.
Are the Domainkeys and DKIM keys the same? I'm asking since you included the key generator from dk-milter. Also it would be good to change the bug summary to "mail-filter/dkim-milter ebuild" or something like that.
(In reply to comment #9)
> Are the Domainkeys and DKIM keys the same? I'm asking since you included the
> key generator from dk-milter.
The key specs are the same AFAIK. I don't see any reason why one would want to use different keys for dk-milter and dkim-milter. It would result in an extra DNS lookup on the receiving side. gentxt.sh is just a shell script to generate the keys. Run it twice with different $selector values if you want to use different keys for dk-milter and dkim-milter.
> Also it would be good to change the bug summary to "mail-filter/dkim-milter
> ebuild" or something like that.
Done.
Can you get the dkim-filter to sign and verify? I have set up domainkey and only domainkeys signs here, even though dkim has -b sv. There is a 0.6.0 now, if that matters for my problem. Nice that you did the hard work on the initial ebuild here; let's make it stable together.
(In reply to comment #11)
> Can you get the dkim-filter to sign and verify?
You can use dkim-milter to sign and verify DKIM signatures. If you cannot, check your mail flow and MTA settings. If, on the other hand, you want to use dkim-milter to verify domainkeys signatures, you need to copy the libdk directory (from dk-milter) and change a few config files. In other words, it is possible but I didn't bother with it because I ran into problems with dk-milter on amd64. Another mail server with x86 arch is signing the domainkeys signatures for us. You can also use dev-perl/Mail-DKIM to verify domainkeys signatures if you are using spamassassin.
> I have set up domainkey and only domainkeys signs here, even though dkim has
> -b sv. There is a 0.6.0 now, if that matters for my problem. Nice that you did
> the hard work on the initial ebuild here; let's make it stable together.
Attached is the ebuild I use for dkim-milter-0.7.1
Created attachment 119194: ebuild for dkim-milter 0.7.1
Created attachment 119196: /etc/conf.d/dkim-filter file
Created attachment 119198: /etc/init.d/dkim-filter file
Created attachment 119202: config file for gentoo
Instead of passing MANROOT=/usr/share/man/man to make during src_install, consider setting confMANROOT in the site config file - see http://www.erikberg.com/notes/dkimsiteconfigm4.html for an example of this.
(In reply to comment #17)
> Instead of passing MANROOT=/usr/share/man/man to make during src_install,
> consider setting confMANROOT in the site config file - see
> http://www.erikberg.com/notes/dkimsiteconfigm4.html for an example of this.
Right. See the attached files and thanks for the comment.
Created attachment 121684: dkim-milter-1.0.0.ebuild
Created attachment 121685: files/site.config.m4 file
I think the configuration directory should be set to dkim-filter. If anyone is using dk-filter they can use a symbolic link.
(In reply to comment #21)
> I think the configuration directory should be set to dkim-filter. If anyone is
> using dk-filter they can use a symbolic link.
Well, it's up to the devs really but I agree now that dkim-milter looks like the way to go rather than dk-milter. Trivial change. Will upload the files.
Created attachment 121726: dkim-milter-1.0.0.ebuild
Created attachment 121727: files/dkim-filter.conf
Created attachment 121728: files/dkim-filter.init
Also please check http://bugs.gentoo.org/show_bug.cgi?id=178501 for an updated libmilter ebuild with possible poll() support.
Works for me(tm) on amd64.
Created attachment 124532: version bump
Created attachment 124534: site.config.m4 version bump
Created attachment 126618: dkim-milter-2.0.0.ebuild
Created attachment 126619: site.config.m4 for version 2.0.0
many thanks Eray,
Added with a couple of changes. please tell me if you disagree with any.
thoughts - given it could be an incoming only service there is really no need to enforce a key creation in the init script?
enjoy
(In reply to comment #32)
> many thanks Eray,
> Added with a couple of changes. please tell me if you disagree with any.
Thanks for the commit. Version 2.3.0 is out by the way.
> thoughts - given it could be an incoming only service there is really no need
> to enforce a key creation in the init script?
Perhaps you can make key creation optional with a local USE flag? Anyway, I think either way is fine.
> Thanks for the commit. Version 2.3.0 is out by the way.
k added. must have just missed that release.
> > thoughts - given it could be an incoming only service there is really no need
> > to enforce a key creation in the init script?
>
> Perhaps you can make key creation optional with a local USE flag? Anyway, I
> think either way is fine.
My preference would be an init script that does a warning (disabled with a conf.d option) when validating only. Haven't had the effort to implement this of course.
(In reply to comment #35)
> > Perhaps you can make key creation optional with a local USE flag? Anyway, I
> > think either way is fine.
> My preference would be an init script that does a warning (disabled with a
> conf.d option) when validating only.
I am not sure if I understand you correctly but the attached (lightly tested) dkim-filter.init and dkim-filter.conf files will not refuse to start with a key file missing error if dkim-milter is in verify only mode. You will have to comment out the line that forces key generation for all users in the dkim ebuild. Hence key generation will be optional and will be left to the sysadmin. Please comment if this was not what you were asking.
Created attachment 132961: dkim-filter.conf
Created attachment 132962: dkim-filter.init
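
The check discussed in the last comments (start in verify-only mode without a key, refuse only when signing is requested), as an added shell example. It is not the attached dkim-filter.init, whose contents are not shown on this page; the function names `conf_get` and `check_dkim_start` are hypothetical, and the `Mode`/`KeyFile` keywords and the `sv` default are assumptions about the dkim-filter.conf format.

```sh
#!/bin/sh
# Added example: pre-start check for a dkim-filter init script.
# Assumptions: the config file holds one "Keyword value" pair per line,
# uses the keywords "Mode" and "KeyFile", and Mode defaults to "sv"
# (sign and verify) when it is not set.

# Print the value of a keyword; the last occurrence wins.
# $1 = keyword, $2 = config file. Commented lines never match because
# their first field starts with '#'.
conf_get() {
    awk -v key="$1" '
        $1 == key { val = $2 }
        END       { if (val != "") print val }
    ' "$2"
}

# Return 0 if the filter may start, 1 if it must not.
check_dkim_start() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    mode=$(conf_get Mode "$conf")
    mode=${mode:-sv}                      # assumed default
    keyfile=$(conf_get KeyFile "$conf")

    case "$mode" in
        *s*)
            # Signing requested: a readable private key is mandatory.
            if [ -z "$keyfile" ] || [ ! -r "$keyfile" ]; then
                echo "mode '$mode' signs mail but KeyFile is not readable" >&2
                return 1
            fi
            ;;
        *)
            # Verify only: warn about a dangling KeyFile, but start anyway.
            if [ -n "$keyfile" ] && [ ! -e "$keyfile" ]; then
                echo "note: KeyFile missing, continuing in verify-only mode" >&2
            fi
            ;;
    esac
    return 0
}
```

An init script would call `check_dkim_start` on its config file before launching the daemon and abort on a non-zero return.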