Re: OpenDKIM now available in Fedora & EPEL testing repos

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Sat, 27 Aug 2011 19:00:54 +1000

On Sat, 27 Aug 2011 03:30:18 AM Todd Lyons wrote:
> On Fri, Aug 26, 2011 at 7:47 AM, Steve Jenkins <stevejenkins_at_gmail.com> wrote:
> >> Very good point, I never noticed that. Steve, it's typical for a
> >> package with an init script that requires some user customization of
> >> startup parameters to:
> >> 1. Create a %{sysconfdir}/sysconfig/%{name} file which will contain
> >> simply: 2. And then in the init script, after you set any default
> >> options,

works for me...

> > Yep. That's a great idea from Daniel. After 2.4.2-3 gets pushed out of
> > the testing repos to the stable ones....
> Understood.
here too.


> >> Ah, yeah, we need to handle selinux scenarios too. I hate SELinux. :-(

It's good and generally painless provided the packagers do the work to make
things work :-)
...

> > "I maintain in Fedora spamass-milter and milter-regex, and I also have
> > local packages for smf-spf and smf-sav. I have SELinux policy for all
> > of these, and wrote the milter policy in SELinux reference policy,
> > which is what Fedora's SELinux policy is based on.
> >
> > "Please let me know if I can be of help."
>
> DING DING, we have a WINNER! I nominate him to help us unless Dan
> beats him to it.

I'd take this Fedora maintainer up on this. In essence it's mainly a milter
problem that in general needs a distro-wide solution.

Sendmail and postfix need to be allowed to access selinux port contexts (
http://wiki.centos.org/HowTos/SELinux section 5.4 ) OR opendkim needs to use
setsockcreatecon ( http://www.nixway.net/index.php?manitem&mid=11729 ) before
setting up the listening port (that sendmail/postfix can access through
permissions defined on those packages).

A selinux context is needed on unix sockets created by milters that the
mailservers need to connect to as well. Given it's opendkim that creates the
linux socket it probably needs to be created in the right selinux context (
setfscreatecon ) and restore it afterwards rather than the section 7 of the
centos wiki.

If the desired solution is to make opendkim selinux aware I can get some
opendkim patches for making it selinux aware if you'd like.

ref: http://www.spinics.net/lists/selinux/msg10746.html

If some stricter selinux policies are attempted I'd get a context for the RSA
private key that only opendkim can read.

Given opendkim needs only to write a limited set of files
(DiagnosticDirectory, QueryCache) perhaps some restrictions here to prevent an
exploit making the most of a wide discretionary access (group=mail).

The paths used need to be planned out and documented in the config file
though.

Also need to take into account the permissions opendkim uses - execute on sendmail
(arf-dkim-reporting), reading of various map types (though libraries like lua
and libdb is still just a file read).

A couple of selinux booleans should exist to allow opendkim to connect to the
various db types supported by opendbx and ldap.

Network-wise opendkim uses DNS so this needs a rule.

I think that's most of the permissions covered.

> I found a small bug and possibly a change that at least deserves
> consideration. We have stats capability enabled by default in the
> binary, but not in the config file:
> 1. In opendkim.conf, the statistics directive is commented out. This
> is good because the defined stats directory is /var/opendkim/stats,
> which does not exist because /var/opendkim is not owned by the
> opendkim package. This is what /var/spool/opendkim was created for,
> so the path in the config file (even though it's commented out) should
> be changed to /var/spool/opendkim.

yep.

> 2. In the same vein, the filename "stats" could be very confusing to
> someone looking at this for the first time. I ask that you consider
> naming it stats.txt to clearly indicate to people that it's just a
> plain text file.

agree.

> 3. Since we enable stats by default, we should include the script and
> readme for stats:
> %doc contrib/stats/README.opendkim-reportstats
> install contrib/stats/opendkim-reportstats to
> %{prefix}/bin/opendkim-reportstats
> modify the opendkim-reportstats to use the defaults you specify in #1
> and #2 above. Use either sed or awk or whatever you can to make
> that work. I can give you a simple command if necessary.

README installed also references /var/db.. for keys too.
Received on Sat Aug 27 2011 - 09:01:13 PST
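
The setfscreatecon approach described in the message above (label the milter's unix socket at creation, then restore the default), as an added example that is not part of the original post and is not OpenDKIM code. `bind_labeled_unix()`, `label_fn` and `log_label()` are hypothetical names, the context string is a placeholder, and the real libselinux call is only compiled in with `-DWITH_SELINUX`.

```c
/* Added example, not OpenDKIM code: bind_labeled_unix(), label_fn and
 * log_label() are hypothetical; the context string is a placeholder. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#ifdef WITH_SELINUX            /* build: cc -DWITH_SELINUX ... -lselinux */
#include <selinux/selinux.h>
#endif
/* Same shape as libselinux setfscreatecon(); NULL restores the default. */
typedef int (*label_fn)(const char *context);
static char label_log[256];    /* dry-run labeler: records the call order */
static int log_label(const char *ctx)
{
    snprintf(label_log + strlen(label_log), sizeof(label_log) - strlen(label_log),
             "%s;", ctx ? ctx : "(default)");
    return 0;
}
/* Listen on a unix socket whose inode is created with context `ctx`. */
int bind_labeled_unix(const char *path, const char *ctx, label_fn set_fscreate)
{
    struct sockaddr_un sa;
    int fd, ok;
    if (strlen(path) >= sizeof(sa.sun_path)) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    /* Fail closed: never create the socket under a default label. */
    if (set_fscreate(ctx) < 0) { close(fd); return -1; }
    unlink(path);              /* stale socket from a previous run */
    ok = bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0;
    /* Restore at once, success or not, so later files keep their default label. */
    if (set_fscreate(NULL) < 0) ok = 0;
    if (!ok || listen(fd, 16) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}
int main(void)
{
    label_fn set = log_label;
#ifdef WITH_SELINUX
    if (is_selinux_enabled() > 0) set = setfscreatecon;
#endif
    int fd = bind_labeled_unix("/tmp/example-milter.sock",
                               "system_u:object_r:PLACEHOLDER_sock_t:s0", set);
    printf("fd=%d label calls: %s\n", fd, label_log);
    return fd < 0;
}
```

Without `-DWITH_SELINUX` the dry-run labeler shows the call order: the context is set immediately before `bind()` and reset immediately after, including on the failure path.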
