Re: Two new files for contrib/init/redhat

From: Steve Jenkins <stevejenkins_at_gmail.com>
Date: Fri, 22 Feb 2013 20:24:47 -0800

On Fri, Feb 22, 2013 at 8:05 PM, Murray S. Kucherawy <msk_at_blackops.org> wrote:

> On Fri, 22 Feb 2013, Scott Kitterman wrote:
>
>> Why do this? To be useful the public key needs to be in the DKIM record
>> in DNS. Generating a key at startup doesn't actually accomplish anything
>> useful, does it?
>>
>
> I imagine what it enables is immediate signing ability, insofar as you
> will be able to generate signed mail. But, of course, the admin will need
> to generate and publish a matching public key before verification will be
> possible. If it's not already done, the public key (preferably in the form
> of a TXT line in zone file format) should be left someplace for the
> operator to pick up and do the needful.


Exactly. The public key (as created by opendkim-genkey) sits alongside the
private key in the /etc/opendkim/keys directory. Default selector name is,
well... default: default.private and default.txt. All that's needed is to
cat default.txt and then copy and paste it directly into their zone file or
whatever other DNS management interface they use.

The feedback I've received from users of previous versions of the package
(where the keygen routine was built into the SysV init file) is that they
appreciate having the keys generated, put in the right dir, and secure
permissions set automagically. Previous packages have done this default
keygen since the first version of the package, with no complaints. I'm
hesitant to remove that functionality now. This new script isn't new
functionality - it's just moving that function out to a separate file as
required by systemd.

Those who know enough about DKIM to know they don't want the keys
generated on startup, or who want a different default selector or keydir,
can simply change the appropriate lines in the EnvironmentFile
(/etc/sysconfig/opendkim), which looks like this:

# Determine whether default DKIM keys are automatically created on start
AUTOCREATE_DKIM_KEYS=YES

# Set the default DKIM selector
DKIM_SELECTOR=default

# Set the default DKIM key location
DKIM_KEYDIR=%{_sysconfdir}/%{name}/keys


>>> I think they could both initially live in contrib/init/redhat - I move
>>> them where needed in the SPEC file (#1 will go in /usr/sbin and #2 will
>>> go in /lib/systemd/system/opendkim.service)
>>>
>>
>> Debian will soon support multiple init systems, one of which will be
>> systemd, and I imagine other distros will support systemd as well. I'm
>> not sure what to do with it now, but eventually this isn't going to be
>> just a Fedora thing.
>>
>
> Maybe the service file should live in contrib/init/systemd or
> contrib/systemd?


That location's cool with me. I'll be grabbing it from there and
stuffing it into the appropriate directory anyway. :)

SteveJ
Received on Sat Feb 23 2013 - 04:25:01 PST
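
The pre-start key generation discussed in this message, sketched as an added example; it is not code from the message or from the OpenDKIM package. The function names, the GENKEY override hook and the 600/644 modes are assumptions; the three variables come from the quoted EnvironmentFile, and -D and -s are opendkim-genkey's directory and selector options.

```shell
#!/bin/sh
# Added example: default-key generation driven by the EnvironmentFile
# variables quoted in the message. GENKEY is a hypothetical override hook.

ensure_default_keys() {
    autocreate=${AUTOCREATE_DKIM_KEYS:-YES}
    selector=${DKIM_SELECTOR:-default}
    keydir=${DKIM_KEYDIR:-/etc/opendkim/keys}
    genkey=${GENKEY:-opendkim-genkey}

    # Operators who manage their own keys opt out in the EnvironmentFile.
    if [ "$autocreate" != "YES" ]; then return 0; fi

    # Never overwrite an existing key: a regenerated private key would no
    # longer match the public key the operator already published in DNS.
    if [ -e "$keydir/$selector.private" ]; then return 0; fi

    # The key directory is expected to be created (and owned) by the package.
    [ -d "$keydir" ] || return 1

    # umask 077 in a subshell: the key is never briefly world-readable and
    # the caller's umask is left untouched.
    ( umask 077; "$genkey" -D "$keydir" -s "$selector" ) || return 1

    # Enforce final modes regardless of what the generator chose.
    # Ownership (the account the signer runs as) is left to the package.
    chmod 600 "$keydir/$selector.private" || return 1
    chmod 644 "$keydir/$selector.txt" || return 1
}

# Succeeds only if the private key exists and grants nothing to group/other.
private_key_is_locked_down() {
    key=${DKIM_KEYDIR:-/etc/opendkim/keys}/${DKIM_SELECTOR:-default}.private
    [ -f "$key" ] || return 1
    case $(ls -ld "$key") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the generation step only when invoked as: script run
if [ "${1:-}" = run ]; then ensure_default_keys; fi
```

Signing works as soon as the private key exists, but verification will fail until the contents of the selector's .txt file are published in DNS, as the thread points out.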
