From michael.webb at integrilog.com Thu Jul 10 03:27:52 2025
From: michael.webb at integrilog.com (Michael Webb)
Date: Thu, 10 Jul 2025 10:27:52 +0000
Subject: [GF-Users] postfix-tlspol
In-Reply-To: <81ab31f9-4795-431c-b664-a9335f4f7e2c@pajamian.dhs.org>
References: <00090599df7b4d07a73a8a12c42d77f0@integrilog.com>
 <81ab31f9-4795-431c-b664-a9335f4f7e2c@pajamian.dhs.org>
Message-ID:

Hi Peter

Please could you post your example tlsrpt-reporter spec file again? The link has expired.

I have installed mock but am still learning. For now, I modified my spec file by removing go-vendor-tools references and tested line by line, and it now makes an installable rpm with rpmbuild, but there is nothing there yet to install the config.yaml and postfix-tlspol.service files.

Mike
------------------------------------------------------------------------------------------------------------------------------------------------------------
# Modified output generated by go2rpm 1.16.0.post0
# All references to go-vendor-tools and related output removed for compatibility with EL9

# https://github.com/Zuplu/postfix-tlspol
%global goipath github.com/Zuplu/postfix-tlspol
Version: 1.8.12

%gometa -L -f

%global common_description %{expand:
Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix,
prioritizing DANE.}

Name: postfix-tlspol
Release: 1
Summary: Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE

License: See LICENSE File
URL: %{gourl}
Source0: %{gosource}
Source1: %{archivename}-vendor.tar.bz2

BuildRequires: go-rpm-macros

%description %{common_description}

%prep
%goprep -A
%setup -q -T -D -a1 %{forgesetupargs}
%autopatch -p1

%build
%gobuild -o %{gobuilddir}/bin/postfix-tlspol %{goipath}

%install
install -m 0755 -vd %{buildroot}%{_bindir}
install -m 0755 -vp %{gobuilddir}/bin/* %{buildroot}%{_bindir}/

%files
%license LICENSE
%doc README.md SECURITY.md
%{_bindir}/postfix-tlspol
------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----Original Message-----
From: users-bounces at lists.ghettoforge.org On Behalf Of Peter
Sent: Monday, June 23, 2025 7:04 AM
To: users at lists.ghettoforge.org
Subject: Re: [GF-Users] postfix-tlspol

It's a good start, but it requires go-vendor-tools for the build which is not available for EL8 or EL9. That means that we either need to also build go-vendor-tools or just fix the spec to not use the macros that are in that package, I will likely do the latter because it's not worth going down dependency hell when I can just work around it in the spec file.

As for actually testing, I suggest building with fedora mock, there are plenty of howtos online for this so I won't go into details here about it but it provides a clean build environment for each build and can do cross-distro builds as well, it's what I use to build for GF.

I'll get back to it when I can, I seem to have 100 different things piling up right now.


Peter


On 22/06/25 20:25, Michael Webb wrote:
> Hi Peter
>
> Thank you for the examples.
>
> Hope this helps. I have created a spec file but don't know if this is any good because I don't know how to test it (yet).
>
> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/golang-github-zuplu-postfix-tlspol.spec.txt
>
> I discovered a package called go2rpm. Took a while to find all the dependencies I needed, but the output looks reasonable.
>
> 1. Only thing that the build couldn't resolve was the spdx for 2 perceived license instances and I had to specify EXCLUDE in these 2 places for "COPYRIGHT" and "yaml" (see below).
> 2. Also, I contend that although the default/example config.yaml specifies 127.0.0.53:53 intended for "resolve", the preferred IP address for EL should be 127.0.0.1:53 for "bind" DNS resolver.
>
>
> I think this was all I needed (Rocky 9.6) to build the spec file.
> I did not use a python venv and installed go2rpm directly into my os:
>
> dnf install git golang python python3-build python3-installer python3-specfile pip rpmdevtools askalono-cli
> pip install tomlkit flit-core aiohttp gitpython jinja2 go-vendor-tools
> cd /root
> git clone https://gitlab.com/fedora/sigs/go/go2rpm
> cd go2rpm
> python -m build --wheel --no-isolation
> python -m installer --destdir=/ /root/go2rpm/dist/go2rpm-1.16.0.post0-py3-none-any.whl
> mkdir /root/rpmspec
> cd /root/rpmspec
> git config --global user.name "root" #unsure what I was supposed to put here and why it cared
> git config --global user.email "root at example.com" #unsure why it needed this, it did not include it in the spec file
> go2rpm -d -p vendor github.com/Zuplu/postfix-tlspol
>
> Warnings from the build:
>
> Undetected licenses found! Please enter them manually.
> * Undetected license: /tmp/tmpsnmp5mkw/postfix-tlspol-1.8.11/vendor/github.com/miekg/dns/COPYRIGHT
> Enter SPDX expression (or EXCLUDE): EXCLUDE
> Adding file to licensing.exclude_files...
> * Undetected license: /tmp/tmpsnmp5mkw/postfix-tlspol-1.8.11/vendor/gopkg.in/yaml.v3/LICENSE
> Enter SPDX expression (or EXCLUDE): EXCLUDE
> Adding file to licensing.exclude_files...
> LICENSE: MIT
>
> Will be away for the week with limited access to email, so may not be very responsive.
>
> Thanks for the help and support
>
> Mike
>
>
>
> -----Original Message-----
> From: users-bounces at lists.ghettoforge.org On Behalf Of Peter
> Sent: Saturday, June 21, 2025 6:59 PM
> To: users at lists.ghettoforge.org
> Subject: Re: [GF-Users] postfix-tlspol
>
> If you want to have a crack at it you can look at the one I made for
> tlsrpt-reporter:
>
> https://rpa.st/raw/GV6Q
>
> ...compare that to the PKGBUILD file from arch:
>
> https://gitlab.archlinux.org/archlinux/packaging/packages/tlsrpt-reporter/-/raw/main/PKGBUILD?ref_type=heads
>
> ...and then you'd want to try a similar adaptation for the PKGBUILD file for postfix-tlspol:
>
> https://gitlab.archlinux.org/archlinux/packaging/packages/postfix-tlspol/-/raw/main/PKGBUILD?ref_type=heads
>
>
> Peter
>
>
> On 22/06/25 02:25, Michael Webb wrote:
>> Peter, Understood. Thank you. Maybe I can learn to do it. For now I
>> have logged a request at the source. Someone there with hidden talents
>> may be able to contribute.
>> https://github.com/Zuplu/postfix-tlspol/issues/56
>>
>> Mike
>>
>> -----Original Message-----
>> From: users-bounces at lists.ghettoforge.org
>> On Behalf Of Peter
>> Sent: Friday, June 20, 2025 6:32 PM
>> To: users at lists.ghettoforge.org
>> Subject: Re: [GF-Users] postfix-tlspol
>>
>> I'm happy to do it, but there's currently no spec file available so I'll have to create one likely based on the steps in the arch PKGBUILD file.
>> It might take a little while to do because I currently have a lot of other stuff on my plate and very little time to do it.
>>
>>
>> Peter
>>
>>
>> On 21/06/25 10:34, Michael Webb wrote:
>>> Hi Peter
>>>
>>> I have wanted to mention this package for some time. I consider it
>>> essential to postfix TLS and TLSRPT integration. Although I have been
>>> compiling myself and using this package on my production servers
>>> since January 2025 with ease, I believe it would benefit the EL
>>> community more to have it available on GhettoForge.
>>>
>>> https://github.com/Zuplu/postfix-tlspol
>>>
>>> To the best of my knowledge, it was the first (and possibly is still
>>> the only) open-source program to resolve both TLSA and MTA-STS records
>>> and prioritize DANE delivery when recipients have specified both
>>> record types. The author has been developing this since October 2024
>>> and has brought Wietse Venema into the discussion several times to
>>> clarify IETF RFC language and postfix connectivity. A couple of
>>> European email services providers (with high and varied volume) also
>>> actively worked with the author to fix some issues. The integration
>>> was extremely well done with helpful logs, console query commands for
>>> testing, compact, high-speed processing, and using best practice in
>>> general. The only updates for about the last 6 weeks have been
>>> platform related and I personally consider it stable.
>>>
>>> Mike
>>>
>>>

From peter at pajamian.dhs.org Thu Jul 10 13:53:05 2025
From: peter at pajamian.dhs.org (Peter)
Date: Fri, 11 Jul 2025 08:53:05 +1200
Subject: [GF-Users] postfix-tlspol
In-Reply-To:
References: <00090599df7b4d07a73a8a12c42d77f0@integrilog.com>
 <81ab31f9-4795-431c-b664-a9335f4f7e2c@pajamian.dhs.org>
Message-ID: <2b7016dc-bd04-45bf-945c-194875031092@pajamian.dhs.org>

https://rpa.st/raw/KMMQ

I'll see if I can build it with that spec that you're showing.


Peter


On 10/07/25 22:27, Michael Webb wrote:
> Hi Peter
>
> Please could you post your example tlsrpt-reporter spec file again? The link has expired.
>
> I have installed mock but am still learning. For now, I modified my spec file by removing go-vendor-tools references and tested line by line, and it now makes an installable rpm with rpmbuild, but there is nothing there yet to install the config.yaml and postfix-tlspol.service files.
>
> Mike
>
> _______________________________________________
> users mailing list
> users at lists.ghettoforge.org
> http://lists.ghettoforge.org/mailman/listinfo/users

From michael.webb at integrilog.com Thu Jul 10 13:57:48 2025
From: michael.webb at integrilog.com (Michael Webb)
Date: Thu, 10 Jul 2025 20:57:48 +0000
Subject: [GF-Users] postfix-tlspol
In-Reply-To: <2b7016dc-bd04-45bf-945c-194875031092@pajamian.dhs.org>
References: <00090599df7b4d07a73a8a12c42d77f0@integrilog.com>
 <81ab31f9-4795-431c-b664-a9335f4f7e2c@pajamian.dhs.org>
 <2b7016dc-bd04-45bf-945c-194875031092@pajamian.dhs.org>
Message-ID: <42bff59f1783401d8cf0ebe58d6f7a04@integrilog.com>

Awesome. Thanks.

From michael.webb at integrilog.com Thu Jul 10 15:37:35 2025
From: michael.webb at integrilog.com (Michael Webb)
Date: Thu, 10 Jul 2025 22:37:35 +0000
Subject: [GF-Users] postfix-tlspol
In-Reply-To: <42bff59f1783401d8cf0ebe58d6f7a04@integrilog.com>
References: <00090599df7b4d07a73a8a12c42d77f0@integrilog.com>
 <81ab31f9-4795-431c-b664-a9335f4f7e2c@pajamian.dhs.org>
 <2b7016dc-bd04-45bf-945c-194875031092@pajamian.dhs.org>
 <42bff59f1783401d8cf0ebe58d6f7a04@integrilog.com>
Message-ID:

Go2rpm built a sources archive with the spec file that might save you time. You can download from here

https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/

Mike