[GF-Users] postfix-tlspol rpm - spec file sample complete

Peter peter at pajamian.dhs.org
Tue Jul 29 01:00:12 MST 2025


Thanks Michael,

One more thing, though.  By policy GhettoForge requires that all sources 
are distributed in the .src.rpm and not downloaded; this is to ensure 
stability and reproducibility of builds.  I noticed that the last 
src.rpm you provided included the source tarball but this one does not. 
Can you modify it to build from a provided source tarball instead of 
downloading?


Peter


On 29/07/25 18:56, Michael Webb wrote:
> Peter. Thanks for the help again. The spec file is working now. The rpm is running on my servers with no issues and I am now comfortable to offer this spec file to create a postfix-tlspol release candidate rpm for distribution with ghettoforge. To fix the problem I last reported, I used more shell commands from the creator's example script to replace some of the go-rpm-macros.
> 
> The spec automatically downloads the latest git package for each build and therefore dns and network must be working on the mock host and in mock. Unlike the creator's example, this spec does not upgrade golang and the vendor packages to the latest and does no CPU optimization for what I thought would be for broadest compatibility. However, CPU detection and optimization may be preferable for servers with high email volume.
> 
> The justification for highlighting this package is that, as far as I know, github.com/Zuplu/postfix-tlspol is the only open-source program available to look up both DANE and MTA-STS policy, helping us achieve tighter RFC compliance. Through its evolution I witnessed the creator actively collaborate with the postfix maintainers and end-users (including some providing high volume email services) to ensure RFC compliance and compatibility. I have personally been using this on low volume servers I maintain since Jan 2025 and consider it stable. Even in a degraded state (e.g. socket timeout), postfix will continue to deliver mail without TLS policy lookup in most cases, which is no different to how many email servers are still operating in an optimal state - i.e. low risk.
> 
> Spec (see also below)
> https://integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-1.spec.txt
> 
> sample srpm & rpm
> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol
> 
> My build sequence on the mock machine was:
> 
> 	dnf install bind
> 	rpmbuild -bs /root/rpmbuild/SPECS/postfix-tlspol-1.8.12-1.spec
> 	mock -r centos-stream+epel-9-x86_64 --rebuild /root/rpmbuild/SRPMS/postfix-tlspol-1.8.12-1.el9.src.rpm --enable-network
> 
> The following entries are also recommended in /etc/named.conf on the target machines
>   
> 	min-cache-ttl 10;
> 	max-cache-ttl 240;
> 
> After install of the rpm on the target machine, the service can be tested manually.
>   
>   	/usr/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml -query integrilog.com
> 
> 
> Regards
> Michael Webb
> 
> postfix-tlspol-1.8.12-1.spec
> ---------------------------------------------------------------------------------------------------------------------------
> Name:           postfix-tlspol
> Version:        1.8.12
> Release:        1%{?dist}
> Summary:        Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE
> 
> License:        MIT and GPLv3+
> 
> %global common_description %{expand:
> Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix,
> prioritizing DANE.}
> 
> %define _unpackaged_files_terminate_build 0
> %global goipath         github.com/Zuplu/postfix-tlspol
> %gometa -L -f
> URL:		%{gourl}
> 
> BuildRequires:  git golang go-rpm-macros systemd-rpm-macros
> 
> %description %{common_description}
> 
> %prep
> cd %{_builddir}
> git clone %{URL}
> mv %{_builddir}/postfix-tlspol %{_builddir}/%{archivename}
> 
> %build
> # Stay with the golang version loaded with mock (set GOTOOLCHAIN=auto to allow upgrades)
> export GOTOOLCHAIN=local
> # Use pure golang. Don't link any gcc libraries.
> export CGO_ENABLED=0
> printf "Version: %version\n"
> cd %{_builddir}/%{archivename}
> mkdir -p build
> if go build -buildmode=exe -trimpath -tags netgo -ldflags="-d -extldflags='-static' -s -X 'main.Version=%version'" -o build/postfix-tlspol .; then
>      printf "Build succeeded!\n"
>    else
>      printf "Build failed!\n"
>      exit 1
> fi
> 
> 
> %install
> install -m 0755 -vd                     %{buildroot}%{_bindir}
> %__install -Dm 755 "%{_builddir}/%{archivename}/build/postfix-tlspol" "%{buildroot}%{_bindir}/"
> %__install -Dm 644 "%{_builddir}/%{archivename}/configs/config.default.yaml" "%{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml"
> %__install -Dm 644 "%{_builddir}/%{archivename}/README.md" "%{buildroot}%{_pkgdocdir}/README.md"
> %__install -Dm 644 "%{_builddir}/%{archivename}/SECURITY.md" "%{buildroot}%{_pkgdocdir}/SECURITY.md"
> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/query.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/query.sh"
> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/test.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/test.sh"
> %__install -Dm 644 "%{_builddir}/%{archivename}/init/postfix-tlspol.service" "%{buildroot}%{_unitdir}/postfix-tlspol.service"
> %__install -Dm 644 "%{_builddir}/%{archivename}/LICENSE" "%{buildroot}/usr/share/licenses/postfix-tlspol/LICENSE"
> # Change default DNS Server IP Address to 127.0.0.1:53
> sed -i 's/53\:53/1\:53/g' %{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml
> 
> %post
> %systemd_post postfix-tlspol.service
> exit 0
> 
> %preun
> %systemd_preun postfix-tlspol.service
> exit 0
> 
> %postun
> %systemd_postun_with_restart postfix-tlspol.service
> exit 0
> 
> %files
> %{_bindir}/postfix-tlspol
> /usr/share/licenses/postfix-tlspol/LICENSE
> %config(noreplace) %{_sysconfdir}/postfix-tlspol/config.yaml
> %{_pkgdocdir}/*.md
> /usr/local/bin/postfix-tlspol/*.sh
> %{_unitdir}/postfix-tlspol.service
> 
> %changelog
> * Mon Jul 28 2025 Michael Webb <gf101 at integrilog.com> - 1.8.12-1
> - Initial build For EL 9
> -------------------------------------------------------------------------------------------------------------------------------------------
> 

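As an added example (not Michael's spec and not GhettoForge's), here is the shape Peter's request implies for the preamble, %prep and %build: the upstream tarball and the Go module dependencies both travel inside the .src.rpm, and the build is told to fail rather than fetch anything. The vendor tarball name, its creation with `go mod vendor`, and the dropped linker flags are assumptions.

```spec
# Added example: build postfix-tlspol from sources shipped in the SRPM, with no downloads.
Name:           postfix-tlspol
Version:        1.8.12
Release:        1%{?dist}
Summary:        Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE
License:        MIT and GPLv3+

%global goipath         github.com/Zuplu/postfix-tlspol
%gometa -L -f
URL:            %{gourl}
# %{gosource} is the forge tarball URL that %gometa derives from goipath and Version.
# rpmbuild -bs packs the local copy from SOURCES/ into the .src.rpm; it never fetches it.
Source0:        %{gosource}
# Hypothetical name: Go module dependencies captured once, offline, before packaging:
#   go mod vendor && tar czf postfix-tlspol-1.8.12-vendor.tar.gz vendor
# Shipping vendor/ is what lets mock build with networking disabled.
Source1:        postfix-tlspol-%{version}-vendor.tar.gz

# git is no longer needed: nothing is cloned at build time.
BuildRequires:  golang go-rpm-macros systemd-rpm-macros

%description
Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix,
prioritizing DANE.

%prep
# Unpack Source0 into %{archivename} (set by %gometa), then unpack Source1 (-a1)
# inside that directory so vendor/ sits next to go.mod.
%autosetup -n %{archivename} -a1

%build
export GOTOOLCHAIN=local     # never download a newer Go toolchain than mock provides
export CGO_ENABLED=0         # pure Go binary, no gcc libraries linked
export GOFLAGS=-mod=vendor   # resolve every import from vendor/ only
export GOPROXY=off           # a module missing from vendor/ is a hard error, not a download
mkdir -p build
go build -trimpath -tags netgo -ldflags="-s -X 'main.Version=%{version}'" -o build/postfix-tlspol .
```

With GOPROXY=off the build fails loudly if vendor/ is incomplete, which is the check that confirms the .src.rpm really is self-contained before it is rebuilt without --enable-network.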