--- dkimproxy-1.0.1.orig/debian/control
+++ dkimproxy-1.0.1/debian/control
@@ -0,0 +1,23 @@
+Source: dkimproxy
+Section: mail
+Priority: optional
+Maintainer: Thomas Goirand
+Build-Depends: debhelper (>= 5)
+Build-Depends-Indep: autotools-dev, liberror-perl, libnet-server-perl, libmail-dkim-perl (>= 0.29)
+Standards-Version: 3.8.0
+Dm-Upload-Allowed: yes
+Homepage: http://dkimproxy.sourceforge.net/
+
+Package: dkimproxy
+Architecture: all
+Depends: ${perl:Depends}, ${misc:Depends}, libtext-wrapper-perl, libmail-dkim-perl (>= 0.29), libnet-server-perl, adduser, lsb-base, openssl, liberror-perl
+Recommends: amavisd-new
+Replaces: dkfilter
+Conflicts: dkfilter
+Description: an SMTP-proxy that signs and/or verifies emails, using the Mail::DKIM module
+ DKIMproxy is an SMTP-proxy that signs and/or verifies emails, using the
+ Mail::DKIM module. It is designed for Postfix, but should work with any mail
+ server. It comprises two separate proxies, an "outbound" proxy for signing
+ outgoing email, and an "inbound" proxy for verifying signatures of incoming
+ email. With Postfix, the proxies can operate as either Before-Queue or
+ After-Queue content filters.
--- dkimproxy-1.0.1.orig/debian/README.Debian
+++ dkimproxy-1.0.1/debian/README.Debian
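Review bot: The `Description:` synopsis starts with an article and restates the first sentence of the long description almost verbatim; Debian Policy wants a short noun phrase without a leading article, and lintian reports this as description-synopsis-starts-with-article. Something like `Description: SMTP proxy that signs and/or verifies email with Mail::DKIM` keeps the information and passes the check. The `Depends` line is consistent with what postinst and the init script actually call (adduser, openssl, lsb-base), so nothing else to raise in this stanza.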
@@ -0,0 +1,142 @@ +dkimproxy for Debian +-------------------- + +This is some general notes about using dkproxy under Debian, this also includes +notes for integration with Amavisd (along with DTC). + +IMPORTANT: Note that you will NEED to have either Amavis or Postfix listening +to the port 10024 so that dkimproxy.in can send the filtered messages back to +your MTA. Please read further. + +1) Installation without amavisd-new (or other filters) + + +### Stuff to add to /etc/postfix/master.cf ### + +# +# Before-filter SMTP server. Receive mail from the network and +# pass it to the content filter on localhost port 10026. +# +smtp inet n - n - - smtpd + -o smtpd_proxy_filter=127.0.0.1:10026 + -o smtpd_client_connection_count_limit=5 +# +# After-filter SMTP server. Receive mail from the content filter on +# localhost port 10027. +# +127.0.0.1:10027 inet n - n - - smtpd + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o receive_override_options=no_unknown_recipient_checks + +# +# modify the default submission service to specify a content filter +# and restrict it to local clients and SASL authenticated clients only +# +submission inet n - n - - smtpd + -o smtpd_etrn_restrictions=reject + -o smtpd_sasl_auth_enable=yes + -o content_filter=dkimsign:[127.0.0.1]:10028 + -o receive_override_options=no_address_mappings + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + +# +# specify the location of the DomainKeys signing filter +# +dkimsign unix - - n - 10 smtp + -o smtp_send_xforward_command=yes + -o smtp_discard_ehlo_keywords=8bitmime + +# +# service for accepting messages FROM the DomainKeys signing filter +# +127.0.0.1:10029 inet n - n - 10 smtpd + -o content_filter= + -o 
receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + +# For Postfix to sign mails sent out using Webmails or other locally delivered mail +pickup fifo n - n 60 1 pickup + -o content_filter=dkimsign:127.0.0.1:10028 + +2) For integration with amavisd-new: + Following just the steps for DTC integration, but omit 3bi). + +3) For integration with DTC: + +a) Follow step 2 (as amavisd-new is a part of the default DTC installation) + +b) Change /etc/init.d/dkimproxy for the following (i is to retrieve the list of +valid domains for signing, ii is to make dkimproxy.in pipe back into amavisd) +i) DOMAIN=`cat /var/lib/dtc/etc/local_domains | tr \\\r\\\n ,,` +ii) DKIMPROXY_IN_ARGS="--hostname=$DKIM_HOSTNAME 127.0.0.1:10026 127.0.0.1:10024" + +c) Apply the following configuration to the /etc/postfix/master.cf +# change for DomainKeys +# +# modify the default submission service to specify a content filter +# and restrict it to local clients and SASL authenticated clients only +# +submission inet n - n - - smtpd + -o smtpd_etrn_restrictions=reject + -o smtpd_sasl_auth_enable=yes + -o content_filter=dkimsign:[127.0.0.1]:10028 + -o receive_override_options=no_address_mappings + -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject + +# +# specify the location of the DomainKeys signing filter +# +dkimsign unix - - n - 10 smtp + -o smtp_send_xforward_command=yes + -o smtp_discard_ehlo_keywords=8bitmime + +# +# service for accepting messages FROM the DomainKeys signing filter +# +127.0.0.1:10029 inet n - n - 10 smtpd + -o content_filter= + -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o 
smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + +# For Postfix to sign mails sent out using Webmails or other locally delivered mail +pickup fifo n - n 60 1 pickup + -o content_filter=dkimsign:127.0.0.1:10028 + +d) Add the following to the last smtpd_recipient_restrictions stanza (before the last permit): +check_sender_access regexp:/etc/postfix/filter_10026_catchall + +Create the file /etc/postfix/filter_10026_catchall with the following contents: +/^/ FILTER dkimsign:[127.0.0.1]:10026 + +e) Change the default filter action to be the signing filter (the dkimsign +verification, for incoming mail, is done as a FILTER applied to the recipient +restrictions): +content_filter = smtp-amavis:[127.0.0.1]:10028 + +OTHER INFO FOR DKIMPROXY + +### THIS CODE WILL GENERATE THE DOMAINKEY ENTRY FOR DNS ### + +KEY=`grep -v "PUBLIC" /var/lib/dkimproxy/public.key | tr -d \\n` +SELECTOR=postfix +DOMAIN=packrat.datalexsin.local +NSRECORD="$SELECTOR._domainkey IN TXT \"k=rsa; p=$KEY; t=y\"" +echo $NSRECORD + + -- Damien Mascord Mon, 18 Feb 2008 06:16:06 +0000 --- dkimproxy-1.0.1.orig/debian/docs +++ dkimproxy-1.0.1/debian/docs @@ -0,0 +1,6 @@ +AUTHORS +README +smtpprox.ChangeLog +smtpprox.README +smtpprox.TODO +TODO --- dkimproxy-1.0.1.orig/debian/dirs +++ dkimproxy-1.0.1/debian/dirs @@ -0,0 +1,4 @@ +etc/dkimproxy +var/lib/dkimproxy +usr/sbin +usr/share/perl5 --- dkimproxy-1.0.1.orig/debian/postinst +++ dkimproxy-1.0.1/debian/postinst 
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# add the user and group for dkimproxy to operate
+addgroup --system dkimproxy
+adduser --system dkimproxy --ingroup dkimproxy --home /var/lib/dkimproxy --no-create-home
+
+# if we don't have a private key yet in /var/lib/dkimproxy/private.key, generate a private and public key
+if [ ! -e /var/lib/dkimproxy/private.key ]; then
+ openssl genrsa -out /var/lib/dkimproxy/private.key 1024
+ openssl rsa -in /var/lib/dkimproxy/private.key -pubout -out /var/lib/dkimproxy/public.key
+fi
+chmod 644 /var/lib/dkimproxy/public.key
+chown root:dkimproxy /var/lib/dkimproxy/public.key
+
+chmod 640 /var/lib/dkimproxy/private.key
+chown dkimproxy:dkimproxy /var/lib/dkimproxy/private.key
+
+#DEBHELPER#
+
+exit 0
--- dkimproxy-1.0.1.orig/debian/init.d
+++ dkimproxy-1.0.1/debian/init.d
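Review bot: The private key is created by `openssl genrsa` and only tightened to mode 640 several lines later, so with an OpenSSL that simply honours the umask (the releases contemporary with this package did) a world-readable `/var/lib/dkimproxy/private.key` exists for a short window; generate it in a subshell with a restrictive umask, `(umask 077 && openssl genrsa -out /var/lib/dkimproxy/private.key 2048)`, and let the existing `chmod 644` re-open `public.key`. That line also raises the key size from 1024 to 2048 bits, which is what current DKIM practice expects for a signing key; 1024 is considered weak today. Both the account creation and the key generation run unconditionally after the `case`, i.e. also on the `abort-*` paths; moving them into the `configure)` arm is the usual shape. `addgroup`/`adduser` under `set -e` seem to rely on exiting 0 when the account already exists (true for `--system`, as far as I recall); a `getent passwd dkimproxy >/dev/null ||` guard would make that intent explicit.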
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# Copyright (C) 2005 Messiah College.
+# Copyright (C) 2008 Thomas Goirand
+
+### BEGIN INIT INFO
+# Provides: dkimproxy
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Domain key filter init script
+# Description: dkimproxy is an SMTP-proxy designed for Postfix. It
+# implements DKIM message signing and verification.
+# It comprises two separate filters, an "outbound" filter
+# for signing outgoing email, and an "inbound" filter for
+# verifying signatures of incoming email. The filters can
+# operate as either Before-Queue or After-Queue Postfix
+# content filters.
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+DKIMPROXYUSER=dkimproxy
+DKIMPROXYGROUP=dkimproxy
+DKIMPROXY_OUT_PRIVKEY="/var/lib/dkimproxy/private.key"
+
+DKIM_HOSTNAME=`hostname -f`
+
+# Get the host domains dynamically. You can change this to the location where
+# you have your virtual table here, or best: ehance this script to support more
+# situations with packages others than DTC
+HOST_DOMAIN=`hostname -d`
+if [ -f /var/lib/dtc/etc/local_domains ] ; then
+ DTC_DOMAIN=`cat /var/lib/dtc/etc/local_domains | tr \\\r\\\n ,,`
+ DTC_DOMAIN=`echo ${DTC_DOMAIN} | grep -v ^${HOST_DOMAIN}`
+else
+ DTC_DOMAIN=""
+fi
+DOMAIN=${DTC_DOMAIN}${HOST_DOMAIN}
+
+DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} --conf_file /etc/dkimproxy/dkimproxy_in.conf --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}"
+DKIMPROXY_OUT_ARGS="--domain=${DOMAIN} --method=simple --conf_file /etc/dkimproxy/dkimproxy_out.conf --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}"
+
+DKIMPROXY_IN_BIN="/usr/sbin/dkimproxy.in"
+DKIMPROXY_OUT_BIN="/usr/sbin/dkimproxy.out"
+PIDDKIMPROXY_IN="/var/run/dkimproxy.in"
+PIDDKIMPROXY_OUT="/var/run/dkimproxy.out"
+
+if [ -x /sbin/start-stop-daemon ] ; then
+ STRT_STP_DMN=/sbin/start-stop-daemon
+else
+ STRT_STP_DMN=`which start-stop-daemon`
+fi
+if [ -z "${STRT_STP_DMN}" ] ; then
+ echo "Can't find the start-stop-daemon binary"
+fi
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting inbound DomainKeys-filter" "dkimproxy.in"
+ ${STRT_STP_DMN} --background --make-pidfile --start -p ${PIDDKIMPROXY_IN} -u ${DKIMPROXYUSER} -g ${DKIMPROXYGROUP} -x ${DKIMPROXY_IN_BIN} -- ${DKIMPROXY_IN_ARGS}
+ RETVAL=$?
+ START_ERROR=${RETVAL}
+ log_end_msg ${RETVAL}
+ if ! [ "${RETVAL}" -eq 0 ] ; then
+ exit ${RETVAL}
+ fi
+
+ log_daemon_msg "Starting outbound DomainKeys-filter" "dkimproxy.out"
+ ${STRT_STP_DMN} --background --make-pidfile --start -p ${PIDDKIMPROXY_OUT} -u ${DKIMPROXYUSER} -g ${DKIMPROXYGROUP} -x ${DKIMPROXY_OUT_BIN} -- ${DKIMPROXY_OUT_ARGS}
+ RETVAL=$?
+ log_end_msg ${RETVAL}
+ if ! [ "${RETVAL}" -eq 0 -a "${START_ERROR}" -eq 0 ] ; then
+ if ! [ ${RETVAL} -eq 0 ] ; then
+ echo "Error ${RETVAL} when starting ${DKIMPROXY_IN_BIN}"
+ fi
+ if ! [ "${START_ERROR}" -eq 0 ] ; then
+ echo "Error ${START_ERROR} when starting ${DKIMPROXY_OUT_BIN}"
+ fi
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Shutting down inbound DomainKeys-filter" "dkimproxy.in"
+ ${STRT_STP_DMN} --stop -p ${PIDDKIMPROXY_IN}
+ RETVALIN=$?
+ log_end_msg ${RETVALIN}
+ log_daemon_msg "Shutting down outbound DomainKeys-filter" "dkimproxy.out"
+ ${STRT_STP_DMN} --stop -p ${PIDDKIMPROXY_OUT}
+ RETVALOUT=$?
+ log_end_msg ${RETVALOUT}
+ if ! [ ${RETVALIN} -eq 0 -a ${RETVALOUT} -eq 0 ]; then
+ if ! [ ${RETVALIN} -eq 0 ] ; then
+ echo "Error ${RETVALIN} when shutting down ${PIDDKIMPROXY_IN}"
+ fi
+ if ! [ "${RETVALOUT}" -eq 0 ] ; then
+ echo "Error ${RETVALOUT} when shutting down ${PIDDKIMPROXY_OUT}"
+ fi
+ fi
+ ;;
+ force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- dkimproxy-1.0.1.orig/debian/rules
+++ dkimproxy-1.0.1/debian/rules
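Review bot: The two diagnostics in the `start)` arm are swapped: after the second start-stop-daemon call `RETVAL` holds the status of dkimproxy.out and `START_ERROR` that of dkimproxy.in, so they should read `echo "Error ${RETVAL} when starting ${DKIMPROXY_OUT_BIN}"` and `echo "Error ${START_ERROR} when starting ${DKIMPROXY_IN_BIN}"` (and because a non-zero `START_ERROR` already exits a few lines earlier, the second test can never fire). When no start-stop-daemon is found the script only echoes and then goes on to run `${STRT_STP_DMN}` as an empty command; add `exit 1` after `echo "Can't find the start-stop-daemon binary"`. The `grep -v ^${HOST_DOMAIN}` filter is applied to the single comma-joined line that `tr` produces, so it throws away the whole DTC domain list whenever the first entry is the host domain instead of dropping just that entry; filtering line by line before joining (`grep -v "^${HOST_DOMAIN}\$" /var/lib/dtc/etc/local_domains | tr ...`) matches what the comment describes. `force-reload)`, `reload)` and `restart)` have identical bodies and can be a single `restart|reload|force-reload)` arm, and `DKIMPROXY_OUT_PRIVKEY` is assigned but never used.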
@@ -0,0 +1,73 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +DK_PKGNAME=dkimproxy + +config.status: configure + dh_testdir + cp -f /usr/share/misc/config.sub . + cp -f /usr/share/misc/config.guess . + # Note: this is quite hackish, but this is the most simple way that + # I have found to have this package install in /usr/share/perl5 + # directly without too much trouble. + ./configure --prefix=/usr --sysconfdir=/etc + +clean: + dh_testdir + dh_testroot + dh_clean + + [ ! -f Makefile ] || $(MAKE) distclean + rm -f config.sub config.guess + rm -f build-stamp debian/files config.status config.cache config.log + +install: config.status + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/$DK_PKGNAME. + $(MAKE) DESTDIR=$(CURDIR)/debian/$(DK_PKGNAME) install + # I send these config files in /etc/dkimproxy even if BY DEFAULT the + # init script doesn't use them (just in case somebody wants to + # modify the init script) + mv $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy_in.conf.example $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_in.conf + mv $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy_out.conf.example $(CURDIR)/debian/$(DK_PKGNAME)/etc/dkimproxy/dkimproxy_out.conf + # The perl libs have nothing to do in usr/lib ... + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/lib/* $(CURDIR)/debian/$(DK_PKGNAME)/usr/share/perl5 + rmdir $(CURDIR)/debian/$(DK_PKGNAME)/usr/lib + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkim_responder.pl $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkim_responder + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimverify.pl $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimproxy-verify + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimsign.pl $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimsign + # These are deamons, they have nothing to do in /usr/bin !!! 
+ mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimproxy.in $(CURDIR)/debian/$(DK_PKGNAME)/usr/sbin + mv $(CURDIR)/debian/$(DK_PKGNAME)/usr/bin/dkimproxy.out $(CURDIR)/debian/$(DK_PKGNAME)/usr/sbin + +binary-indep: install + + dh_testdir + dh_testroot + dh_installchangelogs NEWS + dh_installdocs + dh_installexamples + dh_installinit + dh_installman --language=C + dh_link + dh_strip + dh_compress + dh_fixperms + dh_perl + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-arch: install + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary install --- dkimproxy-1.0.1.orig/debian/watch +++ dkimproxy-1.0.1/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://dkimproxy.sourceforge.net/ dkimproxy-(.*).tar.gz --- dkimproxy-1.0.1.orig/debian/copyright +++ dkimproxy-1.0.1/debian/copyright 
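Review bot: `.PHONY` lists a `build` target but the file defines no `build:` rule, and `dpkg-buildpackage` runs `debian/rules build` before `binary`; unless a `build` rule is supplied somewhere not shown here, add `build: config.status` (the configure step is all this package needs) and also add `binary-arch` to `.PHONY`. The long `mv` chain repeats `$(CURDIR)/debian/$(DK_PKGNAME)` on every line; a `DESTDIR := $(CURDIR)/debian/$(DK_PKGNAME)` variable next to `DK_PKGNAME` would make the relocation of `usr/lib/*` into `usr/share/perl5` and of the daemons into `usr/sbin` far easier to read. The comment "These are deamons" has a typo (`daemons`).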
@@ -0,0 +1,61 @@ +This package was debianized by Thomas Goirand on +Mon, 25 Feb 2008 04:27:49 +0000 + +Original source may be found at: http://dkimproxy.sourceforge.net/ + +Upstream Author: Jason Long + +Uses code from smtpprox: + http://bent.latency.net/smtpprox/ + Bennett Todd + +and code from Mail::DomainKeys: + http://killa.net/infosec/Mail-DomainKeys/ + Anthony D. Urso + +Files: debian/* +Copyright: (C) 2008, Damien Mascord + (C) 2008, Thomas Goirand +License: LGPL-2.1 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 + USA + +File: * +Copyright: (C) 2005-2007 Jason Long + (C) 2001 Morgan Stanley Dean Witter + (C) 2005-2006 Messiah College +License: GPL v2 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. 
+ + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 + USA + +On Debian systems, the complete text of the GNU Lesser General Public +License v2.1 can be found in /usr/share/common-licenses/LGPL-2.1. + +On Debian systems, the complete text of the GNU Public License can be +found in /usr/share/common-licenses/GPL-2. --- dkimproxy-1.0.1.orig/debian/compat +++ dkimproxy-1.0.1/debian/compat @@ -0,0 +1 @@ +5 --- dkimproxy-1.0.1.orig/debian/manpages +++ dkimproxy-1.0.1/debian/manpages @@ -0,0 +1,5 @@ +debian/man/dkimproxy.in.8 +debian/man/dkimproxy.out.8 +debian/man/dkim_responder.1 +debian/man/dkimsign.1 +debian/man/dkimproxy-verify.1 --- dkimproxy-1.0.1.orig/debian/changelog +++ dkimproxy-1.0.1/debian/changelog 
@@ -0,0 +1,56 @@ +dkimproxy (1.0.1-8) unstable; urgency=low + + * Added a patch given by upstream so that dkimproxy continues to work if + syslogd is not running. + * Renamed /usr/bin/dkimverify to dkimproxy-verify so it doesn't conflicts + with dkimverify from python-dkim (Closes: #509045). + + -- Thomas Goirand Fri, 19 Dec 2008 18:03:22 +0800 + +dkimproxy (1.0.1-7) unstable; urgency=low + + * Better Unix rights for the keys in /var/lib/dkimproxy + + -- Thomas Goirand Mon, 18 Aug 2008 13:08:09 +0800 + +dkimproxy (1.0.1-6) unstable; urgency=low + + * The previous version was introducing a bug in the init script (a space + missing in the dkimproxy.out arguments), this corrects it. + + -- Thomas Goirand Sat, 19 Apr 2008 04:23:49 +0000 + +dkimproxy (1.0.1-5) unstable; urgency=low + + * dkimproxy now runs under the privileges of it's user, and the private key + has now lower rights so only root can read it (Closes: #476576). + + -- Thomas Goirand Fri, 18 Apr 2008 08:21:14 +0000 + +dkimproxy (1.0.1-4) unstable; urgency=low + + * Now uses the port 10024 by default, as this is the one of Amavis. + * Now recommends Amavis + + -- Thomas Goirand Fri, 11 Apr 2008 10:58:01 +0000 + +dkimproxy (1.0.1-3) unstable; urgency=low + + * Now uses a config file (Closes: #473882). + + -- Thomas Goirand Sun, 6 Apr 2008 16:56:47 +0800 + +dkimproxy (1.0.1-2) unstable; urgency=low + + * Now search for the start-stop-daemon in /sbin by default, as it's not + always in the current path (case of DTC restarting dkimproxy in it's + cron job). + + -- Thomas Goirand Wed, 26 Mar 2008 18:11:18 +0800 + +dkimproxy (1.0.1-1) unstable; urgency=low + + * Initial release (Closes: #468287) + + -- Thomas Goirand Mon, 25 Feb 2008 04:27:49 +0000 + --- dkimproxy-1.0.1.orig/debian/man/dkimsign.1 +++ dkimproxy-1.0.1/debian/man/dkimsign.1 
@@ -0,0 +1,29 @@ +.TH dkimsign 1 + +.SH NAME +dkimsign \- computes a DKIM signature for an email message + +.SH SYNOPSIS + dkimsign.pl [options] < original_email.txt + options: + \-\-method=METHOD + \-\-selector=SELECTOR + \-\-debug\-canonicalization=FILE + + dkimsign \-\-help + to see a full description of the various options + +.SH OPTIONS + +.B \-\-method +Determines the desired canonicalization method. Possible values are +simple, simple/simple, simple/relaxed, relaxed, relaxed/relaxed, +relaxed/simple. + +.B \-\-debug\-canonicalization +Outputs the canonicalized message to the specified file, in addition +to computing the DKIM signature. This is helpful for debugging +canonicalization methods. + +.SH "SEE ALSO" +dkimproxy.in(8), dkimproxy.out(8), dkimproxy-verify(1), dkim_responder(1) --- dkimproxy-1.0.1.orig/debian/man/dkimproxy-verify.1 +++ dkimproxy-1.0.1/debian/man/dkimproxy-verify.1 @@ -0,0 +1,13 @@ +.TH dkimproxy-verify 1 + +.SH NAME +dkimproxy-verify \- insert here a description + +.SH DESCRIPTION +The dkimproxy verify script that is bundled with DKIMproxy is not a component +of the proxy itself. It's just useful in terms of troubleshooting a signature. + +This man page is a stub, please contribute. + +.SH "SEE ALSO" +dkimproxy.in(8), dkimproxy.out(8), dkimsign(1), dkim_responder(1) --- dkimproxy-1.0.1.orig/debian/man/dkim_responder.1 +++ dkimproxy-1.0.1/debian/man/dkim_responder.1 @@ -0,0 +1,10 @@ +.TH dk_responder 1 + +.SH NAME +dk_responder \- filters incoming email traffic according to the domain keys specifications + +.SH DESCRIPTION +This man page is a stub, please contribute + +.SH "SEE ALSO" +dkimproxy.in(8), dkimproxy.out(8), dkimsign(1), dkimproxy-verify(1) --- dkimproxy-1.0.1.orig/debian/man/dkimproxy.in.8 +++ dkimproxy-1.0.1/debian/man/dkimproxy.in.8 
@@ -0,0 +1,112 @@ +.TH dkimproxy.in 8 + +.SH NAME +dkimproxy.in \- SMTP proxy for verifying DKIM signatures + +.SH DESCRIPTION + +dkimproxy.in listens on the IP address and TCP port specified by its +first argument (the "listen" port), and sends the traffic it receives +onto the second argument (the "relay" port), with messages getting +verified and having an "Authentication\-Results" header added to them. + +.SH SYNOPSIS + + dkimproxy.in [options] LISTENADDR:PORT RELAYADDR:PORT + smtp options: + \-\-conf_file=FILENAME + \-\-listen=LISTENADDR:PORT + \-\-relay=RELAYADDR:PORT + \-\-reject\-error + + verification options: + \-\-reject\-fail + \-\-hostname=HOSTNAME + + daemon options: + \-\-daemonize + \-\-user=USER + \-\-group=GROUP + \-\-pidfile=PIDFILE + +.SH OPTIONS + +.B \-\-daemonize + +If specified, the server will run in the background. + +.B \-\-group=GROUP + +If specified, the daemonized process will setgid() to the specified GROUP. + +.B \-\-hostname=HOSTNAME + +Overrides the hostname used in the Authentication\-Results header. +This header gets added to every verified message. +Use this option if the hostname that appears is not fully qualified +or you want to use an alternate name. + +.B \-\-pidfile=PIDFILE + +Creates a PID file (a file containing the PID of the process) for +the daemonized process. This makes it possible to check the status +of the process, and to cleanly shut it down. + +.B \-\-reject\-error + +This option specifies what to do if an error occurs during verification +of a message. If this option is specified, the message will be rejected +with an SMTP error code. This will result in the MTA sending the message +to try again later, or bounce it back to the sender (depending on the +exact error code used). If this option is not specified, the message +will be passed through with an error listed in the Authentication\-Results +header instead of the verification results. 
+ +.B \-\-reject-fail + +This option specifies what to do if verification fails and the sender +signing policy says to reject the message. If this option is specified, +the message will be rejected with an SMTP error code. +This will result in the sending MTA to +bounce the message back to the sender. If this option is not specified, +the message will pass through as normal. + +.B \-\-user=USER + +If specified, the daemonized process will setuid() to USER after +completing any necessary privileged operations, but before accepting +connections. + +.SH EXAMPLE + +For example, if dkimproxy.in is started with: + + dkimproxy.in \-\-reject\-fail \-\-reject\-error 127.0.0.1:10025 127.0.0.1:10026 + +the proxy will listen on port 10025 and send the verified messages to +some other SMTP service on port 10026. + +.SH CONFIGURATION FILE + +Parameters can be stored in a separate file instead of specifying +them all on the command line. Use the conf_file option to specify +the path to the configuration file, e.g. + + dkimproxy.in \-\-conf_file=/etc/dkimproxy_in.conf + +The format of the configuration file is one option per line: +name of the option, space, then the value of the option. E.g. + + # this is an example config file + listen 127.0.0.1:10025 + relay 127.0.0.1:10026 + hostname myhost.example.com + reject_fail + +is equivalent to + + dkimproxy.out \-\-hostname=myhost.example.com \-\-reject\-fail \ + 127.0.0.1:10025 127.0.0.1:10026 + +.SH "SEE ALSO" +dkimproxy.out(8), dkim_responder(1), dkimsign(1), dkimproxy-verify(1) --- dkimproxy-1.0.1.orig/debian/man/dkimproxy.out.8 +++ dkimproxy-1.0.1/debian/man/dkimproxy.out.8 
@@ -0,0 +1,197 @@ +.TH dkimproxy.out 8 + +.SH NAME +dkimproxy.out \- SMTP proxy for adding DKIM signatures to email + +.SH DESCRIPTION + +dkimproxy.out listens on the IP address and TCP port specified by its +first argument (the "listen" port), and sends the traffic it receives +onto the second argument (the "relay" port), with messages getting +modified to have a DKIM or DomainKeys signature. + +.SH SYNOPSIS + + dkimproxy.out [options] \-\-keyfile=FILENAME \-\-selector=SELECTOR \ + \-\-domain=DOMAIN LISTENADDR:PORT RELAYADDR:PORT + smtp options: + \-\-conf_file=FILENAME + \-\-listen=LISTENADDR:PORT + \-\-relay=RELAYADDR:PORT + \-\-reject\-error + + signing options: + \-\-signature=dkim|domainkeys + \-\-keyfile=FILENAME + \-\-selector=SELECTOR + \-\-method=simple|nowsp|relaxed|nofws + \-\-domain=DOMAIN + + daemon options: + \-\-daemonize + \-\-user=USER + \-\-group=GROUP + \-\-pidfile=PIDFILE + + dkimproxy.out \-\-help + to see a full description of the various options + +.SH OPTIONS + +.B \-\-daemonize + +If specified, the server will run in the background. + +.B \-\-domain=DOMAIN + +Use this argument to specify what domain(s) you can sign for. You may +specify multiple domains by separating them with commas. If a single +domain is specified, DKIMproxy will always use that domain to sign, +if it can. If multiple domains are specified, DKIMproxy will try to +match the domain to the message's sender, and only generate a signature +that will match the sender's domain. + +.B \-\-group=GROUP + +If specified, the daemonized process will setgid() to the specified GROUP. + +.B \-\-keyfile=FILENAME + +This is a required argument. Use it to specify the filename containing +the private key used in signing outgoing messages. For messages to +verify, you will need to publish the corresponding public key in +DNS, using the selector name specified by C<\-\-selector>, under +the domain(s) specified in C<\-\-domain>. 
+ +.B \-\-method=simple|nowsp|relaxed|nofws + +This option specifies the canonicalization algorithm to use for signing +messages. For DKIM signatures, the options are C, C, or +C; the default is C. For DomainKeys signatures, the +options are C and C; the default is C. + +.B \-\-pidfile=PIDFILE + +Creates a PID file (a file containing the PID of the process) for +the daemonized process. This makes it possible to check the status +of the process, and to cleanly shut it down. + +.B \-\-reject\-error + +This option specifies what to do if an error occurs during signing +of a message. If this option is specified, the message will be rejected +with an SMTP error code. This will result in the MTA sending the message +to try again later, or bounce it back to the sender (depending on the +exact error code used). If this option is not specified, the message +will be allowed to pass through without having a signature added. + +.B \-\-selector=SELECTOR + +This is a required argument. Use it to specify the name of the key +selector. + +.B \-\-sender_map=FILENAME + +If specified, the named file provides signature parameters depending +on what sender is found in the message. See the section below titled +L. + +.B \-\-signature=dkim|domainkeys + +This specifies what type of signature to add. Use C to sign with +IETF standardized DKIM signatures. Use C to sign with +the older, but more common, Yahoo! DomainKeys signatures. +The default is C. + +This parameter can be specified more than once to add more than one +signature to the message. In addition, per signature parameters can be +specified by enclosing the comma separated options in parenthesis after +the signature type, e.g. + + \-\-signature=dkim(c=relaxed,key=private.key) + +The syntax for specifying per signature options is described in more +detail in the section below titled L. 
+ +.B \-\-user=USER + +If specified, the daemonized process will setuid() to USER after +completing any necessary privileged operations, but before accepting +connections. + +.SH EXAMPLE + +For example, if dkimproxy.out is started with: + + dkimproxy.out \-\-keyfile=private.key \-\-selector=postfix \ + \-\-domain=example.org 127.0.0.1:10027 127.0.0.1:10028 + +the proxy will listen on port 10027 and send the signed messages to +some other SMTP service on port 10028. + +.SH CONFIGURATION FILE + +Parameters can be stored in a separate file instead of specifying +them all on the command line. Use the C option to specify +the path to the configuration file, e.g. + + dkimproxy.out \-\-conf_file=/etc/dkimproxy_out.conf + +The format of the configuration file is one option per line: +name of the option, space, then the value of the option. E.g. + + # this is an example config file + domain example.org,example.com + keyfile private.key + selector postfix + signature dkim + +is equivalent to + + dkimproxy.out \-\-domain=example.org,example.com \-\-keyfile=private.key \ + \-\-selector=postfix \-\-signature=dkim + +.SH SENDER MAP FILE + +If you want to use different signature properties depending on the +sender of the message being signed, use a "sender map file". This +is a lookup file containing sender email addresses on the left +and signature properties on the right. E.g. + + # sign my mail with a EXAMPLE.COM dkim signature + jason@long.name dkim(d=example.com) + + # sign WIDGET.EXAMPLE mail with a default domainkeys signature + widget.example domainkeys + + # sign EXAMPLE.ORG mail with both a domainkeys and dkim signature + example.org dkim(c=relaxed,a=rsa\-sha256), domainkeys(c=nofws) + +Right hand values in a sender map file is a comma separated list of +signature types. Each signature type may have a comma separated list +of parameters enclosed in parenthesis. 
The following signature
+parameters are recognized:
+
+.B key
+
+the private key file to use
+
+.B a
+
+the algorithm to use
+
+.B c
+
+the canonicalization method to use
+
+.B d
+
+the domain to use, default is to use the domain matched
+
+.B s
+
+the selector to use
+
+.SH "SEE ALSO"
+
+dkimproxy.in(8), dkim_responder(8), dkimsign(8), dkimproxy-verify(8)
--- dkimproxy-1.0.1.orig/scripts/dkimproxy_in.conf.example
+++ dkimproxy-1.0.1/scripts/dkimproxy_in.conf.example
@@ -1,5 +1,5 @@
 # specify what address/port DKIMproxy should listen on
-listen 127.0.0.1:10025
+listen 127.0.0.1:10026
 # specify what address/port DKIMproxy forwards mail to
-relay 127.0.0.1:10026
+relay 127.0.0.1:10024
--- dkimproxy-1.0.1.orig/scripts/dkimproxy_out.conf.example
+++ dkimproxy-1.0.1/scripts/dkimproxy_out.conf.example
@@ -1,18 +1,20 @@
 # specify what address/port DKIMproxy should listen on
-listen 127.0.0.1:10027
+listen 127.0.0.1:10028
 # specify what address/port DKIMproxy forwards mail to
-relay 127.0.0.1:10028
+relay 127.0.0.1:10029
 # specify what domains DKIMproxy can sign for (comma-separated, no spaces)
-domain example.org
+# Note that this is set in /etc/init.d/dkimproxy in this Debian package
+# unactivate it there if you want to use the config file
+#domain example.org
 # specify what signatures to add
 signature dkim(c=relaxed)
 signature domainkeys(c=nofws)
 # specify location of the private key
-keyfile /full/path/to/private.key
+keyfile /var/lib/dkimproxy/private.key
 # specify the selector (i.e. the name of the key record put in DNS)
-selector selector1
+selector postfix
--- dkimproxy-1.0.1.orig/scripts/dkimproxy.in
+++ dkimproxy-1.0.1/scripts/dkimproxy.in
@@ -138,9 +138,16 @@
 # create an object for sending the outgoing SMTP commands
 # (and the verified message)
- my $client = MSDW::SMTP::Client->new(
+ my $client = eval { MSDW::SMTP::Client->new(
 interface => $self->{server}->{relay_host},
- port => $self->{server}->{relay_port});
+ port => $self->{server}->{relay_port}) };
+ if (my $E = $@)
+ {
+ chomp $E;
+ print "421 Internal error (Next hop is down)\n";
+ die "$E\n";
+ }
+
 return $client;
 }
@@ -148,10 +155,25 @@
 {
 my $self = shift;
- print STDERR "got new connection\n";
+ # try to determine peer's address
+ use Socket;
+ my $peersockaddr = getpeername(STDOUT);
+ my ($port, $iaddr) = sockaddr_in($peersockaddr);
+ $ENV{REMOTE_ADDR} = inet_ntoa($iaddr);
 # initialize syslog
- openlog("dkimproxy.in", "cons,pid", "mail");
+ eval
+ {
+ openlog("dkimproxy.in", "perror,pid,ndelay", "mail");
+ syslog("debug", '%s', "connect from $ENV{REMOTE_ADDR}");
+ };
+ if (my $E = $@)
+ {
+ chomp $E;
+ print "421 Internal error (Syslog is down)\n";
+ die "$E\n";
+ }
+
 $self->{debug} = $debugtrace;
 $self->SUPER::process_request;
@@ -187,7 +209,8 @@
 {
 my $E = $@;
 chomp $E;
- syslog("warning", '%s', "verify error: $E");
+ $E =~ s/\n/ /gs;
+ eval { syslog("warning", '%s', "verify error: $E") };
 print STDERR "verify error: $E\n";
 $verify_result = "temperror";
 $verify_detail = "$verify_result ($E)";
--- dkimproxy-1.0.1.orig/scripts/dkimproxy.out
+++ dkimproxy-1.0.1/scripts/dkimproxy.out
@@ -256,9 +256,15 @@
 # create an object for sending the outgoing SMTP commands
 # (and the signed message)
- my $client = MSDW::SMTP::Client->new(
+ my $client = eval { MSDW::SMTP::Client->new(
 interface => $self->{server}->{relay_host},
- port => $self->{server}->{relay_port});
+ port => $self->{server}->{relay_port}) };
+ if (my $E = $@)
+ {
+ chomp $E;
+ print "421 Internal error (Next hop is down)\n";
+ die "$E\n";
+ }
 return $client;
 }
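Review bot: In the `@@ -148,10 +155,25 @@` hunk `getpeername(STDOUT)` can return undef (STDOUT is not a socket when the proxy is driven from a pipe, e.g. in tests), and `sockaddr_in(undef)` then croaks outside any `eval`, so the connection dies without an SMTP reply; guard it with `my $peersockaddr = getpeername(STDOUT);` followed by `$ENV{REMOTE_ADDR} = defined $peersockaddr ? inet_ntoa((sockaddr_in($peersockaddr))[1]) : 'unknown';` (an AF_INET6 peer would hit the same croak — presumably out of scope, but worth a comment). The `eval` around `openlog`/`syslog` turns a logging failure into a `421 Internal error (Syslog is down)` for every connection, which does not match the changelog entry saying this patch lets dkimproxy keep working without syslogd, while the later `eval { syslog(...) }` in the verify-error hunk is the fail-open shape; either warn to STDERR and continue here as well, or keep the fail-closed behaviour but document it and avoid echoing the internal reason to the SMTP peer. Keeping the peer address in `$ENV{REMOTE_ADDR}` rather than in `$self` is surprising for a value only used in the log line, and `use Socket` is compile-time regardless of where it is written, so it belongs with the other `use` lines at the top of the file. The same code is added to dkimproxy.out in its `@@ -266,8 +272,25 @@` hunk and needs the same changes. The enclosing method (presumably `process_request`) continues past the end of the hunk.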
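Review bot: In the `@@ -187,7 +209,8 @@` hunk `$E =~ s/\n/ /gs;` folds newlines so the exception text is safe as a single log or header line, but a bare `\r` would survive; since `$verify_detail` appears to be what ends up in the Authentication-Results header (its name and the man page suggest so — confirm), use `$E =~ s/[\r\n]+/ /g;` so CRLF cannot split the field either. Swallowing a `syslog` failure with a bare `eval {}` is intentional per the changelog, but a comment such as `# syslog may be unavailable; the STDERR line below is the fallback` keeps the next reader from "fixing" it. dkimproxy.out's `@@ -322,7 +345,8 @@` hunk has the same two points. The enclosing error handler starts before the hunk.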
@@ -266,8 +272,25 @@
 {
 my $self = shift;
+ # try to determine peer's address
+ use Socket;
+ my $peersockaddr = getpeername(STDOUT);
+ my ($port, $iaddr) = sockaddr_in($peersockaddr);
+ $ENV{REMOTE_ADDR} = inet_ntoa($iaddr);
+
 # initialize syslog
- openlog("dkimproxy.out", "cons,pid", "mail");
+ eval
+ {
+ openlog("dkimproxy.out", "perror,pid,ndelay", "mail");
+ syslog("debug", '%s', "connect from $ENV{REMOTE_ADDR}");
+ };
+ if (my $E = $@)
+ {
+ chomp $E;
+ print "421 Internal error (Syslog is down)\n";
+ die "$E\n";
+ }
+
 $self->{debug} = $debugtrace;
 $self->SUPER::process_request;
@@ -322,7 +345,8 @@
 {
 my $E = $@;
 chomp $E;
- syslog("warning", '%s', "signing error: $E");
+ $E =~ s/\n/ /gs;
+ eval { syslog("warning", '%s', "signing error: $E") };
 print STDERR "Warning: signing error: $E\n";
 $result = "temperror";
 $result_detail = "$result ($E)";