Suggested upgrade to opendmarc

Hi
I hope this is the right place to post this.

I've been setting up a mail stack on FreeBSD and didn't see options for setting the permissions if using a unix socket with postfix.


Most of the files in /usr/local/etc/rc.d have configuration options you can tweak in /etc/rc.conf but I ran into an issue with permission so added this to the file.
/etc/rc.conf
opendmarc_enable="YES"
opendmarc_runas="opendmarc:opendmarc"
opendmarc_socketspec="unix:/var/spool/postfix/opendmarc/opendmarc.sock"
opendmarc_socketperms="0770"

/usr/local/etc/rc.d/opendmarc
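# Default socket mode; override with opendmarc_socketperms in /etc/rc.conf.
opendmarc_socketperms=${opendmarc_socketperms-"0770"}
# Strip the "local:" or "unix:" prefix and chmod the socket if it exists.
if [ -S "${opendmarc_socketspec##local:}" ] ; then
    chmod -R "${opendmarc_socketperms}" "${opendmarc_socketspec##local:}" > /dev/null 2>&1
elif [ -S "${opendmarc_socketspec##unix:}" ] ; then
    chmod -R "${opendmarc_socketperms}" "${opendmarc_socketspec##unix:}" > /dev/null 2>&1
fi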

This might not be the best way to do it but I don't have much experience creating unix sockets with user and permissions, but it works and would be good to implement so opendmarc can run as user opendmarc and postfix can write to the socket.

Thanks, John
 
It's definitely bad practice to edit system files like RC scripts manually because the moment you install an update then your changes get immediately overwritten, and that can result in highly unwanted behavior.

There should also be no need... I don't run OpenDMARC myself but did take a peek at the (patched) work directory and when looking at opendmarc(8) I noticed options like -p (= specify the used socket) and -u (= run using a specific UID and/or GID). So why not use those as options for the daemon to start?

Then all you have to do is add a dedicated directory for the socket, optionally restrict access to specific user IDs, and you should be all set.
 
I didn't think of that but true, upgrades will break it. I didn't see any flags that modify the permissions of the socket though, so there doesn't seem to be a solution without modifying the system script. This is not part of the script, but what I added. opendmarc_socketperms=${opendmarc_socketperms-"0770"}. Understand in my case I want to run as user opendmarc and have user postfix able to read and write to the socket. I guess I could just make the user postfix, if I change to opendmarc:postfix the group still can't write to the socket since the mode is set to 750... The flags you propose to use won't change the mode of the socket.

But with that note, I have added the modifications to a comment section of my /etc/rc.conf .. so if I break it with an upgrade I can easily fix it.

Again, I think it would be great if the changes I have proposed made their way into the package and add functionality which will persist through upgrades.
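
As an added example (not from the thread or the opendmarc port), these sh functions check whether a milter socket ends up with the access discussed above: group read/write for the MTA's group and nothing for others. The function names and the pass/fail policy are assumptions made for this illustration; the socket path in the usage comment is the one from the first post.

```sh
#!/bin/sh
# Added example, not from the thread or the opendmarc port.
# Function names and the pass/fail policy are assumptions for illustration.

# socket_path SPEC: strip a leading "unix:" or "local:" from a socket spec.
socket_path() {
    case "$1" in
        unix:*)  printf '%s\n' "${1#unix:}" ;;
        local:*) printf '%s\n' "${1#local:}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# mode_ok MODE: succeed when the octal mode gives the group read+write
# (so the MTA's group can connect) and gives "other" no access at all.
mode_ok() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;        # not an octal mode string
    esac
    m=$((0$1))
    [ $((m & 060)) -eq $((060)) ] && [ $((m & 07)) -eq 0 ]
}

# audit_socket SPEC: report type, mode and ownership of the socket.
audit_socket() {
    p=$(socket_path "$1")
    if [ ! -S "$p" ]; then
        echo "FAIL: $p is not a socket"
        return 1
    fi
    # GNU stat uses -c, FreeBSD stat uses -f; try one, then the other.
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p") || return 1
    owner=$(ls -ld "$p" | awk '{ print $3 ":" $4 }')
    if mode_ok "$mode"; then
        echo "OK: $p mode=$mode owner=$owner"
    else
        echo "FAIL: $p mode=$mode owner=$owner (want group rw, nothing for others)"
        return 1
    fi
}

# Run the audit when a socket spec is given on the command line, e.g.
#   sh audit.sh unix:/var/spool/postfix/opendmarc/opendmarc.sock
if [ $# -gt 0 ]; then
    audit_socket "$1"
fi
```

With the mode of 750 mentioned in the last post, mode_ok fails because the group lacks write access; 0770 and 0660 both pass.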
 