[rpms/postsrsd] epel10: NUR and config update

[rpms/postsrsd] epel10: NUR and config update

[@ 2026-06-06 19:58 UTC (permalink / raw)]

A new commit has been pushed.

Repo   : rpms/postsrsd
Branch : epel10
Commit : be193669cdc96778ccfab1e2cd68957140299149
Author : Marc Dequènes (Duck) <duck@redhat.com>
Date   : 2023-01-10T17:12:40+09:00
Stats  : +177/-8 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/postsrsd/c/be193669cdc96778ccfab1e2cd68957140299149?branch=epel10

Log:
NUR and config update

---
diff --git a/postsrsd.conf b/postsrsd.conf
new file mode 100644
index 0000000..99c67b2
--- /dev/null
+++ b/postsrsd.conf
@@ -0,0 +1,169 @@
+# PostSRSd example configuration file
+# Copyright 2022 Timo Röhling
+# SPDX-License-Identifier: FSFUL
+#
+# The copyright holder gives unlimited permission to copy, distribute and modify
+# this file.
+
+# Local domains
+# Your local domains need not be rewritten, so PostSRSd has to know about them.
+#
+# Example:
+#     domains = { "example.com", "example.org", "example.net" }
+#
+domains = {}
+
+# Local domains (file storage)
+# Instead of listing your local domains directly, you can also write them to a
+# file and have PostSRSd read it. This is particularly useful if you have a
+# large number of domains for which you need to act as mail forwarder.
+#
+# Example:
+#     domains-file = "/etc/postsrsd.domains"
+#
+#domains-file =
+
+# Dedicated SRS rewrite domain.
+# The local domain which is used to create the ephemeral SRS envelope
+# addresses. It is recommended that you use a dedicated mail domain for SRS if
+# you serve multiple unrelated domains (e.g. for your customers), to prevent
+# privacy issues. If unset, the first configured local domain is used.
+#
+# Example:
+#     srs-domain = "srs.example.com"
+#
+#srs-domain =
+
+# Socketmap lookup table for Postfix integration.
+# Traditionally, PostSRSd interacts with Postfix through the canonicalization
+# lookup tables of the cleanup daemon. If you use a unix socket, be aware that
+# most Postfix instances will jail their cleanup daemon in a /var/spool/postfix
+# chroot, so no other path will be visible to them.
+#
+# Examples:
+#     socketmap = unix:/var/spool/postfix/srs
+#     socketmap = inet:localhost:10003
+#
+socketmap = unix:/var/spool/postfix/srs
+
+# Socketmap connection keep-alive timeout.
+# After PostSRSd has served a socketmap request, it will keep the connection
+# open for a while longer, in case Postfix has additional queries. PostSRSd
+# will close the connection after the configured time (in seconds) has expired.
+#
+# Examples:
+#     keep-alive = 30
+#
+keep-alive = 30
+
+# Milter endpoint for MTA integration.
+# PostSRSd can act as a milter to rewrite envelope addresses if it has been
+# built with milter support.
+#
+# Examples:
+#     milter = unix:/var/spool/postfix/srs_milter
+#     milter = inet:localhost:9997
+#
+#milter =
+
+# Original envelope sender handling.
+# When the envelope sender is rewritten, the original address can either be
+# embedded in the rewritten address, or stored in a local database. Embedding
+# makes PostSRSd work fully stateless, but the full sender address needs to fit
+# into the localpart of the embedded address, effectively limiting the length
+# of forwardable sender addresses to 51 octets. Storing the sender address in a
+# database circumvents this problem, but makes PostSRSd vulnerable to an
+# attacker sending vast amounts of emails with fake sender addresses, all of
+# which need to be stored in the database.
+#
+# If you are unsure which option suits your use-case best, the vast majority of
+# mail addresses will be relatively short, so you should pick "embedded".
+#
+# Examples:
+#     original-envelope = embedded
+#     original-envelope = database
+#
+original-envelope = embedded
+
+# Database for envelope sender storage.
+# If you decide to store envelope senders in a database, this database will be
+# used. The option is ignored if original-envelope is set to "embedded". Also
+# note that PostSRSd needs to be built with SQLite or Redis support for this.
+#
+# Also note that you need to put the SQLite database into the chroot directory
+# if you jail PostSRSd; otherwise, the database file will not be accessible.
+#
+# Examples:
+#     envelope-database = "redis:localhost:6379"
+#
+# Note from the packager:
+#   currently we're using /run to setup the database, but with the above requirement that mean a SQLite database is not possible as /run is not permanent
+
+# Secret keys for signing and verifying SRS addresses.
+# Rewritten addresses are tagged with a truncated HMAC-SHA1 signature, to
+# prevent tampering and forged envelope addresses. You can have more than
+# one signing secret; each line of the secrets file is considered one secret
+# key. If an incoming signature matches any key, it is accepted. Outgoing
+# signatures will always be generated with the first configured secret.
+#
+# For security reasons, you should also make sure that the file is owned and
+# only accessible by root (chmod 600).
+#
+secrets-file = "/etc/postsrsd.secret"
+
+# SRS tag separator
+# This is the character following the initial SRS0 or SRS1 tag of a generated
+# sender address. Valid separators are "=", "+", and "-". Unless you have a
+# very good reason, you should leave this setting at its default.
+#
+separator = "="
+
+# SRS hash signature length
+# Any SRS address will be signed with a truncated hash to prevent tampering and
+# ensure that only legitimate email bounces will be returned to sender. The
+# default length provides adequate security without taking up too much valuable
+# space. Unless you know what you are doing, you should leave this setting at
+# its default.
+#
+# WARNING: You can break your mail server (or worse, turn it into a spam relay)
+# if you mess up this setting.
+#
+hash-length = 4
+
+# SRS minimum acceptable hash signature length
+# This is the mininum signature length that PostSRSd considers valid. It is a
+# separate setting because if you decide to increase the hash length, you may
+# want to keep accepting the shorter hashes for a 24 hour grace period. Again,
+# Unless you know what you are doing, you should leave this setting at its
+# default.
+#
+# WARNING: You can break your mail server (or worse, turn it into a spam relay)
+# if you mess up this setting.
+#
+hash-minimum = 4
+
+# Always rewrite sender addresses
+# You can force PostSRSd to rewrite any sender address, even if it has been
+# rewritten already. You probably do not want to do this, though.
+#
+always-rewrite = off
+
+# Execute PostSRSd as unprivileged user
+# If you set this highly recommended option, PostSRSd will drop root
+# privileges and switch to the configured user before it enters the main loop
+# to handle untrusted input.
+#
+unprivileged-user = "nobody"
+
+# Execute PostSRSd in chroot jail
+# If you set this highly recommended option, PostSRSd will jail itself
+# in the given directory, which adds an additional layer of protection
+# against the exploitation of security bugs in PostSRSd.
+#
+chroot-dir = "/run/postsrsd"
+
+# Syslog
+# PostSRSd writes log messages to stderr. If you enable this option, PostSRSd
+# will also send all messages to the syslog mail facility.
+#
+syslog = off

diff --git a/postsrsd.spec b/postsrsd.spec
index 25e5335..afb23e8 100644
--- a/postsrsd.spec
+++ b/postsrsd.spec
@@ -3,19 +3,21 @@
 %undefine __cmake_in_source_build
 
 Name:           postsrsd
-Version:        1.12
-Release:        3%{?dist}
+Version:        2.0.2
+Release:        1%{?dist}
 Summary:        Sender Rewriting Scheme (SRS) provider
 
 License:        GPLv2+
 URL:            https://github.com/roehling/postsrsd
 Source0:        https://github.com/roehling/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source1:        postsrsd.conf
 
 BuildRequires: make
 BuildRequires:     cmake
 BuildRequires:     gcc
 BuildRequires:     help2man
 BuildRequires:     selinux-policy-devel
+BuildRequires:     libconfuse-devel
 %{?systemd_requires}
 BuildRequires:     systemd
 Requires(post):    policycoreutils
@@ -61,17 +63,15 @@ mkdir -p %{buildroot}/%{_unitdir}
 mv %{buildroot}/%{_sysconfdir}/systemd/system/postsrsd.service %{buildroot}/%{_unitdir}/postsrsd.service
 rm -rf %{buildroot}/%{_sysconfdir}/systemd
 
-# chroot directory
-# (also move default config which is in the way)
-sed -i 's/^CHROOT=.*/CHROOT=\/run\/postsrsd/' %{buildroot}/%{_sysconfdir}/default/%{name}
-sed -ri -e 's/postsrsd\/default/postsrsd.default/' \
-        -e "s/(\[Install\])/RuntimeDirectory=postsrsd\nRuntimeDirectoryMode=0750\n\n\1/" %{buildroot}/%{_unitdir}/postsrsd.service
+# default configuration and chroot directory
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/
+sed -ri -e "s/(\[Install\])/RuntimeDirectory=postsrsd\nRuntimeDirectoryMode=0750\n\n\1/" %{buildroot}/%{_unitdir}/postsrsd.service
 
 
 %files
 %license LICENSE
 %ghost %{_sysconfdir}/postsrsd.secret
-%config(noreplace) %{_sysconfdir}/default/%{name}
+%config(noreplace) %{_sysconfdir}/postsrsd.conf
 %{_unitdir}/postsrsd.service
 %{_sbindir}/postsrsd
 %{_docdir}/%{name}