[GF-Users] postfix-tlspol rpm - spec file sample complete

Michael Webb michael.webb at integrilog.com
Mon Jul 28 23:56:55 MST 2025


Peter, thanks for the help again. The spec file is working now. The rpm is running on my servers with no issues and I am now comfortable offering this spec file to create a postfix-tlspol release candidate rpm for distribution with ghettoforge. To fix the problem I last reported, I used more shell commands from the creator's example script to replace some of the go-rpm-macros.

The spec automatically downloads the latest git package for each build, and therefore DNS and networking must be working on the mock host and in mock. Unlike the creator's example, this spec does not upgrade golang and the vendor packages to the latest and does no CPU optimization, for what I thought would give the broadest compatibility. However, CPU detection and optimization may be preferable for servers with high email volume.

The justification for highlighting this package is that, as far as I know, github.com/Zuplu/postfix-tlspol is the only open-source program available to look up both DANE and MTA-STS policies, helping us achieve tighter RFC compliance. Through its evolution I witnessed the creator actively collaborate with the postfix maintainers and end-users (including some providing high volume email services) to ensure RFC compliance and compatibility. I have personally been using this on low volume servers I maintain since Jan 2025 and consider it stable. Even in a degraded state (e.g. socket timeout), postfix will continue to deliver mail without TLS policy lookup in most cases, which is no different from how many email servers are still operating in an optimal state - i.e. low risk.

Spec (see also below)
https://integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-1.spec.txt

sample srpm & rpm
https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol

My build sequence on the mock machine was:

	dnf install bind
	rpmbuild -bs /root/rpmbuild/SPECS/postfix-tlspol-1.8.12-1.spec
	mock -r centos-stream+epel-9-x86_64 --rebuild /root/rpmbuild/SRPMS/postfix-tlspol-1.8.12-1.el9.src.rpm --enable-network

The following entries are also recommended in /etc/named.conf on the target machines:
 
	min-cache-ttl 10;
	max-cache-ttl 240;

After install of the rpm on the target machine, the service can be tested manually:
 
 	/usr/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml -query integrilog.com


Regards
Michael Webb

postfix-tlspol-1.8.12-1.spec
---------------------------------------------------------------------------------------------------------------------------
Name:           postfix-tlspol
Version:        1.8.12
Release:        1%{?dist}
Summary:        Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE

License:        MIT and GPLv3+

%global common_description %{expand:
Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix,
prioritizing DANE.}

%define _unpackaged_files_terminate_build 0
%global goipath         github.com/Zuplu/postfix-tlspol
%gometa -L -f
URL:		%{gourl}

BuildRequires:  git golang go-rpm-macros systemd-rpm-macros

%description %{common_description}

%prep
cd %{_builddir}
git clone %{URL}
mv %{_builddir}/postfix-tlspol %{_builddir}/%{archivename}

%build
# Stay with the golang version loaded with mock (set GOTOOLCHAIN=auto to allow upgrades)
export GOTOOLCHAIN=local
# Use pure golang. Don't link any gcc libraries.
export CGO_ENABLED=0
printf "Version: %version\n"
cd %{_builddir}/%{archivename}
mkdir -p build
if go build -buildmode=exe -trimpath -tags netgo -ldflags="-d -extldflags='-static' -s -X 'main.Version=%version'" -o build/postfix-tlspol .; then
    printf "Build succeeded!\n"
  else
    printf "Build failed!\n"
    exit 1
fi


%install
install -m 0755 -vd                     %{buildroot}%{_bindir}
%__install -Dm 755 "%{_builddir}/%{archivename}/build/postfix-tlspol" "%{buildroot}%{_bindir}/"
%__install -Dm 644 "%{_builddir}/%{archivename}/configs/config.default.yaml" "%{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml"
%__install -Dm 644 "%{_builddir}/%{archivename}/README.md" "%{buildroot}%{_pkgdocdir}/README.md"
%__install -Dm 644 "%{_builddir}/%{archivename}/SECURITY.md" "%{buildroot}%{_pkgdocdir}/SECURITY.md"
%__install -Dm 755 "%{_builddir}/%{archivename}/scripts/query.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/query.sh"
%__install -Dm 755 "%{_builddir}/%{archivename}/scripts/test.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/test.sh"
%__install -Dm 644 "%{_builddir}/%{archivename}/init/postfix-tlspol.service" "%{buildroot}%{_unitdir}/postfix-tlspol.service"
%__install -Dm 644 "%{_builddir}/%{archivename}/LICENSE" "%{buildroot}/usr/share/licenses/postfix-tlspol/LICENSE"
# Change default DNS Server IP Address to 127.0.0.1:53
sed -i 's/53\:53/1\:53/g' %{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml

%post
%systemd_post postfix-tlspol.service
exit 0

%preun
%systemd_preun postfix-tlspol.service
exit 0

%postun
%systemd_postun_with_restart postfix-tlspol.service
exit 0

%files
%{_bindir}/postfix-tlspol
/usr/share/licenses/postfix-tlspol/LICENSE
%config(noreplace) %{_sysconfdir}/postfix-tlspol/config.yaml
%{_pkgdocdir}/*.md
/usr/local/bin/postfix-tlspol/*.sh
%{_unitdir}/postfix-tlspol.service

%changelog
* Mon Jul 28 2025 Michael Webb <gf101 at integrilog.com> - 1.8.12-1
- Initial build for EL 9
-------------------------------------------------------------------------------------------------------------------------------------------
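As an added example (not part of the original post or of the postfix-tlspol project), the following POSIX shell script checks the buildroot that the spec's %install section produces before the rpm is handed out: every path listed in %files must exist with the mode the spec installs it with, and config.yaml must carry the rewritten 127.0.0.1:53 address rather than the 53:53-suffixed default the sed line targets. The systemd unit path assumes %{_unitdir} is /usr/lib/systemd/system as on EL 9; the sample buildroot and the config key name it uses are constructed for the demonstration, not taken from the project.

```shell
#!/bin/sh
# Added example, not from the original post or the postfix-tlspol project.
# check_buildroot BUILDROOT -> 0 when every file from the spec's %files list
# is present with the expected mode and config.yaml points at 127.0.0.1:53,
# otherwise 1 (each problem is reported on stderr).
check_buildroot() {
    root="$1"
    rc=0
    # "path mode" pairs mirroring the %install section of the spec
    for entry in \
        "usr/bin/postfix-tlspol 755" \
        "etc/postfix-tlspol/config.yaml 644" \
        "usr/lib/systemd/system/postfix-tlspol.service 644" \
        "usr/share/licenses/postfix-tlspol/LICENSE 644" \
        "usr/local/bin/postfix-tlspol/query.sh 755" \
        "usr/local/bin/postfix-tlspol/test.sh 755"
    do
        path="$root/${entry% *}"
        want="${entry##* }"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2; rc=1; continue
        fi
        have=$(stat -c '%a' "$path")   # GNU stat, as on EL 9
        if [ "$have" != "$want" ]; then
            echo "MODE     $path is $have, expected $want" >&2; rc=1
        fi
    done
    cfg="$root/etc/postfix-tlspol/config.yaml"
    if [ -f "$cfg" ]; then
        # the spec's sed must have removed every "...53:53" address
        if grep -q '53:53' "$cfg"; then
            echo "CONFIG   DNS address not rewritten in $cfg" >&2; rc=1
        fi
        if ! grep -q '127\.0\.0\.1:53' "$cfg"; then
            echo "CONFIG   127.0.0.1:53 not found in $cfg" >&2; rc=1
        fi
    fi
    return $rc
}

# make_sample_buildroot DIR -> populates DIR with a constructed buildroot that
# mimics what %install produces, including the sed rewrite of config.yaml.
make_sample_buildroot() {
    d="$1"
    mkdir -p "$d/usr/bin" "$d/etc/postfix-tlspol" "$d/usr/lib/systemd/system" \
             "$d/usr/share/licenses/postfix-tlspol" "$d/usr/local/bin/postfix-tlspol"
    for f in usr/bin/postfix-tlspol usr/local/bin/postfix-tlspol/query.sh \
             usr/local/bin/postfix-tlspol/test.sh; do
        printf '#!/bin/sh\n' > "$d/$f" && chmod 755 "$d/$f"
    done
    for f in usr/lib/systemd/system/postfix-tlspol.service \
             usr/share/licenses/postfix-tlspol/LICENSE; do
        printf 'placeholder\n' > "$d/$f" && chmod 644 "$d/$f"
    done
    # constructed config: the key name and the 127.0.0.53 default are assumptions
    cfg="$d/etc/postfix-tlspol/config.yaml"
    printf 'dns:\n  address: 127.0.0.53:53\n' > "$cfg.in"
    sed 's/53:53/1:53/g' "$cfg.in" > "$cfg" && rm "$cfg.in" && chmod 644 "$cfg"
}

# Usage: sh check_buildroot.sh /path/to/extracted/rpm
# (extract the built rpm first, e.g. rpm2cpio x.rpm | cpio -idm inside an empty dir)
if [ $# -gt 0 ]; then
    check_buildroot "$1"
fi
```

Run it against a directory into which the built rpm has been extracted (rpm2cpio piped into cpio); a non-zero exit with MISSING, MODE or CONFIG lines on stderr means the %install step or the sed rewrite did not do what the spec intends, which is worth catching before the release candidate is published.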