opendmarc: initial commit, version 1.4.2

opendmarc/.footprint

@@ -0,0 +1,92 @@
+drwxr-xr-x	root/root	etc/
+drwxr-xr-x	root/root	etc/opendmarc/
+-rw-r--r--	root/root	etc/opendmarc/opendmarc.conf
+drwxr-xr-x	root/root	etc/rc.d/
+-rwxr-xr-x	root/root	etc/rc.d/opendmarc
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/include/
+drwxr-xr-x	root/root	usr/include/opendmarc/
+-rw-r--r--	root/root	usr/include/opendmarc/dmarc.h
+drwxr-xr-x	root/root	usr/lib/
+-rw-r--r--	root/root	usr/lib/libopendmarc.a
+-rwxr-xr-x	root/root	usr/lib/libopendmarc.la
+lrwxrwxrwx	root/root	usr/lib/libopendmarc.so -> libopendmarc.so.2.0.3
+lrwxrwxrwx	root/root	usr/lib/libopendmarc.so.2 -> libopendmarc.so.2.0.3
+-rwxr-xr-x	root/root	usr/lib/libopendmarc.so.2.0.3
+drwxr-xr-x	root/root	usr/sbin/
+-rwxr-xr-x	root/root	usr/sbin/opendmarc
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-check
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-expire
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-import
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-importstats
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-params
+-rwxr-xr-x	root/root	usr/sbin/opendmarc-reports
+drwxr-xr-x	root/root	usr/share/
+drwxr-xr-x	root/root	usr/share/doc/
+drwxr-xr-x	root/root	usr/share/doc/opendmarc/
+-rw-r--r--	root/root	usr/share/doc/opendmarc/LICENSE
+-rw-r--r--	root/root	usr/share/doc/opendmarc/LICENSE.Sendmail
+-rw-r--r--	root/root	usr/share/doc/opendmarc/README
+-rw-r--r--	root/root	usr/share/doc/opendmarc/README.rddmarc
+-rw-r--r--	root/root	usr/share/doc/opendmarc/README.schema
+-rw-r--r--	root/root	usr/share/doc/opendmarc/dmarc_policy_t.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/dmarcfail.py
+-rw-r--r--	root/root	usr/share/doc/opendmarc/index.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/mkdmarc
+-rw-r--r--	root/root	usr/share/doc/opendmarc/mysql_ip6.c
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc.conf.sample
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc.service.in
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc.spec.in
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_dns_fake_record.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_get_policy_to_enforce.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_lib_t.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_connect_clear.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_connect_init.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_connect_rset.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_connect_shutdown.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_adkim.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_alignment.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_aspf.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_fo.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_p.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_pct.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_rf.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_rua.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_ruf.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_sp.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_fetch_utilized_domain.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_library_init.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_library_shutdown.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_parse_dmarc.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_query_dmarc.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_status_to_str.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_store_dkim.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_store_dmarc.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_store_from_domain.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_store_spf.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_policy_to_buf.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_spf_test.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_status_t.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_tld_read_file.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_tld_shutdown.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_util_clearargv.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_xml.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/opendmarc_xml_parse.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/overview.html
+-rw-r--r--	root/root	usr/share/doc/opendmarc/rddmarc
+-rw-r--r--	root/root	usr/share/doc/opendmarc/schema.mysql
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man5/
+-rw-r--r--	root/root	usr/share/man/man5/opendmarc.conf.5.gz
+drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-check.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-expire.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-import.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-importstats.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-params.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc-reports.8.gz
+-rw-r--r--	root/root	usr/share/man/man8/opendmarc.8.gz
+drwxr-xr-x	root/root	var/
+drwxr-xr-x	root/root	var/lib/
+drwxr-xr-x	opendmarc/opendmarc	var/lib/opendmarc/

opendmarc/.signature

@@ -0,0 +1,8 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF3/BJKRMhoZXcSMfCNEMJUFkDnhrvgL8c1RpIRgoXYR7JQqcuegWnDC9JXX0hKmE7t+ZOjH6PA+8ciN68uMoW7A8=
+SHA256 (Pkgfile) = 6d131cf52be805a7dd95c6cff2e0a013c0319177031021c8a2e841a9f05a7e10
+SHA256 (.footprint) = 7610383ea1c223a1c3ef3ea004fc18ac32d97c8234695a09916f520247e492dc
+SHA256 (rel-opendmarc-1-4-2.tar.gz) = ee1dcdd158fd5fd2b16de2b86980c4a4be60a070641ca19591a713da4e4008bb
+SHA256 (opendmarc.conf) = 2af0ee67e97609096c725836318dbb50c74090dfe88cdeedc4a1a7f3331be91c
+SHA256 (opendmarc.rc) = 52928eb777292d24138e73f265a68ac682e74c4e470b017bcaffe04bba95e129
+SHA256 (arcseal-segfaults.patch) = c76524f6583fed5237c701bdd3cb1412a86c53de67c18fe18b2629a9a218e7e3

opendmarc/Pkgfile

@@ -0,0 +1,31 @@
+# Description: Free open source software implementation of the DMARC specification
+# URL: https://github.com/trusteddomainproject/OpenDMARC
+# Maintainer:
+# Depends on: libbsd libidn libspf2
+
+name=opendmarc
+version=1.4.2
+release=1
+source=(https://github.com/trusteddomainproject/OpenDMARC/archive/rel-${name}-${version//./-}.tar.gz
+  opendmarc.conf opendmarc.rc
+  arcseal-segfaults.patch)
+
+build() {
+  cd OpenDMARC-rel-$name-${version//./-}
+
+  patch -Np1 -i $SRC/arcseal-segfaults.patch
+
+  autoreconf -vi
+  ./configure --prefix=/usr \
+    --sysconfdir="/etc/$name" \
+    --with-spf \
+    --with-spf2-include=/usr/include/spf2 \
+    --with-spf2-lib=/usr/lib/
+
+  make
+  make DESTDIR=$PKG install
+
+  install -o root -g root -m 0755 -D $SRC/$name.rc $PKG/etc/rc.d/$name
+  install -o opendmarc -g opendmarc -m 0755 -d $PKG/var/lib/opendmarc
+  install -o root -g root -Dm 0644 $SRC/$name.conf $PKG/etc/$name/$name.conf
+}

opendmarc/arcseal-segfaults.patch

@@ -0,0 +1,50 @@
+From: "@KIC-8462852" <>
+Date: Tue, 18 Jan 2022 11:57:01 -0500
+Subject: Fix segfaults, increase token max lengths in ARC-Seal headers
+
+Origin: other, https://github.com/trusteddomainproject/OpenDMARC/files/6717466/opendmarc-arcseal.patch.txt
+Bug: https://github.com/trusteddomainproject/OpenDMARC/issues/183
+---
+ opendmarc/opendmarc-arcseal.c | 7 ++++++-
+ opendmarc/opendmarc-arcseal.h | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/opendmarc/opendmarc-arcseal.c b/opendmarc/opendmarc-arcseal.c
+index 73eebb7..a5ae77b 100644
+--- a/opendmarc/opendmarc-arcseal.c
++++ b/opendmarc/opendmarc-arcseal.c
+@@ -29,7 +29,7 @@
+ #include "opendmarc.h"
+ 
+ #define OPENDMARC_ARCSEAL_MAX_FIELD_NAME_LEN 255
+-#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN      512
++#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN      768
+ 
+ /* tables */
+ struct opendmarc_arcseal_lookup
+@@ -167,7 +167,12 @@ opendmarc_arcseal_parse(u_char *hdr, struct arcseal *as)
+ 		if (*token_ptr == '\0')
+ 			return 0;
+ 		tag_label = strsep(&token_ptr, "=");
++		if (token_ptr == NULL)
++			return -1;
++
+ 		tag_value = opendmarc_arcseal_strip_whitespace(token_ptr);
++		if (tag_value == NULL)
++			return -1;
+ 
+ 		tag_code = opendmarc_arcseal_convert(as_tags, tag_label);
+ 
+diff --git a/opendmarc/opendmarc-arcseal.h b/opendmarc/opendmarc-arcseal.h
+index 4eb0927..6e11a06 100644
+--- a/opendmarc/opendmarc-arcseal.h
++++ b/opendmarc/opendmarc-arcseal.h
+@@ -32,7 +32,7 @@
+ /* max header tag value length (short) */
+ #define OPENDMARC_ARCSEAL_MAX_SHORT_VALUE_LEN 256
+ /* max header tag value length (long) */
+-#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN  512
++#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN  768
+ 
+ /* names and field labels */
+ #define OPENDMARC_ARCSEAL_HDRNAME	"ARC-Seal"

opendmarc/opendmarc.conf

@@ -0,0 +1,370 @@
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2015, The Trusted Domain Project.  All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
+## 
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+## 
+## Renamed in 1.3.0:
+##   ForensicReports became FailureReports
+##   ForensicReportsBcc became FailureReportsBcc
+##   ForensicReportsOnNone became FailureReportsOnNone
+##   ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
+
+##  AuthservID (string)
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.  
+#
+# AuthservID name
+AuthservID HOSTNAME
+
+##  AuthservIDWithJobID { true | false }
+##  	default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+
+##  AutoRestart { true | false }
+##  	default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+##  AutoRestartCount n
+##  	default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+
+##  AutoRestartRate n/t[u]
+##  	default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+##  Background { true | false }
+##  	default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+
+##  BaseDirectory (string)
+##  	default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+##  ChangeRootDirectory (string)
+##  	default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+# 
+# ChangeRootDirectory /var/chroot/opendmarc
+
+##  CopyFailuresTo (string)
+##  	default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+##  DNSTimeout (integer)
+##  	default 5
+## 
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+##  EnableCoredumps { true | false }
+##  	default "false"
+##
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+# 
+# FailureReports false
+
+##  FailureReportsBcc (string)
+##  	default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+# 
+# FailureReportsBcc postmaster@example.coom
+
+##  FailureReportsOnNone { true | false }
+##  	default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+# 
+# FailureReportsOnNone false
+
+##  FailureReportsSentBy string
+##  	default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+# 
+# FailureReportsSentBy USER@HOSTNAME
+
+##  HistoryFile path
+##  	default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/run/opendmarc.dat
+
+##  IgnoreAuthenticatedClients { true | false }
+##  	default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP AUTH) to be ignored by the filter.
+#
+IgnoreAuthenticatedClients true
+
+##  IgnoreHosts path
+##  	default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+##  IgnoreMailFrom domain[,...]
+##  	default (none)
+##
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+##  MilterDebug (integer)
+##  	default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+##  PidFile path
+##  	default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+#
+# PidFile /var/run/opendmarc.pid
+
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.
+#
+# PublicSuffixList path
+
+##  RecordAllMessages { true | false }
+##  	default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
+
+##  RejectFailures { true | false }
+##  	default "false"
+##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+# RejectFailures false
+
+##  ReportCommand string
+##  	default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+##  RequiredHeaders { true | false }
+##  	default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+Socket unix:/var/spool/opendmarc/opendmarc.sock
+
+##  SoftwareHeader { true | false }
+##  	default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+# SoftwareHeader false
+
+##  SPFIgnoreResults { true | false }
+##	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perfrom SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+##  SPFSelfValidate { true | false }
+##	default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+##  Syslog { true | false }
+##  	default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+# Syslog false
+
+##  SyslogFacility facility-name
+##  	default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##  	default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+##  UMask mask
+##  	default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+# UMask 077
+UMask 002
+
+##  UserID user[:group]
+##  	default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+# UserID opendmarc
+# ATTENTION: user and group are enforced throug the systemd service file

opendmarc/opendmarc.rc

@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# /etc/rc.d/opendmarc: start/stop the opendmarc daemon
+#
+
+SSD=/sbin/start-stop-daemon
+PROG=/usr/sbin/opendmarc
+PID=/run/opendmarc/opendmarc.pid
+OPTS="-c /etc/opendmarc/opendmarc.conf"
+HOME="/run/opendmarc"
+USER=opendmarc
+GROUP=$USER
+
+case $1 in
+    "start")
+        [ ! -e $HOME ] && install -o $USER -g $GROUP -m 0755 -d $HOME
+        $SSD --start --pidfile $PID -u $USER --exec $PROG -- $OPTS
+        ;;
+    "stop")
+        $SSD --stop --retry 10 --exec $PROG --pidfile $PID
+        ;;
+    "restart")
+        $0 stop
+        $0 start
+        ;;
+    "status")
+        $SSD --status --name opendmarc --pidfile $PID
+        case $? in
+            0)
+                echo "$PROG is running with pid $(cat $PID)"
+                ;;
+            1)
+                echo "$PROG is not running but pid file $PID exists"
+                ;;
+            3)
+                echo "$PROG is not running"
+                ;;
+            4)
+                echo "Unable to determine program status"
+                ;;
+        esac
+        ;;
+    *)
+        echo "Usage: $0 [start|stop|restart|status]"
+        ;;
+esac

opendmarc/pre-install

@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+_USER=opendmarc
+_HOME=/var/lib/opendmarc
+_GROUP=opendmarc
+
+/usr/bin/getent group $_GROUP > /dev/null 2>&1 || /usr/sbin/groupadd $_GROUP
+/usr/bin/getent passwd $_USER > /dev/null 2>&1 || /usr/sbin/useradd -c 'opendmarc system user' -g $_GROUP -d $_HOME -s /bin/false $_USER
+passwd -l $_USER > /dev/null