[GF-Users] postfix-tlspol rpm - spec file sample complete (Rev 2)
Peter
peter at pajamian.dhs.org
Wed Jul 30 00:26:42 MST 2025
I put in a patch to reverse the linked commit (below) and it seems to
build fine against 1.24.4. Given that our options are:
1. Allow the build to pull in a version of the go toolset which is one
point release higher than that provided for el9 resulting in a
potentially flaky build relying on a network connection and sources
beyond our control.
2. build the newer toolset ourselves and package it in ghettoforge, or ...
3. Just patch down the required toolset to 1.24.4 which builds just
fine (we'll see if it runs fine) and doesn't have any of the above issues.
I'm gonna go with 3 here. I'll push out the packages shortly then you
can have a look at the resulting src.rpm and see what I've done.
Peter
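As an added example (not from this thread and not part of postfix-tlspol or its GhettoForge packaging), the following POSIX sh script automates the two checks this exchange turns on: option 3 above, i.e. pinning the go.mod "go" directive down to the distro toolchain so a build run with GOTOOLCHAIN=local cannot be tempted to fetch a newer Go, and the "all sources ship in the src.rpm" rule Peter raised earlier in the thread, checked by flagging spec lines that reach the network during %prep or %build (the git clone in the posted spec, curl, wget, go get) and by requiring a Source tag. The file names, the sample go.mod and spec contents, and the function names are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of postfix-tlspol or the GhettoForge packaging.
# Helpers for a packager who wants the build to use only the distro Go
# toolchain and only sources shipped inside the src.rpm.
set -eu

# Print the version named by the "go" directive of a go.mod (e.g. 1.24.5).
required_go_version() {
    awk '$1 == "go" { print $2; exit }' "$1"
}

# Rewrite the "go" directive to $2 and drop any "toolchain" directive.
# With GOTOOLCHAIN=local exported in %build, "go build" refuses to run
# (instead of downloading a toolchain) while go.mod still asks for a newer
# Go, so lowering the directive is what makes the offline build possible.
pin_go_directive() {
    gomod=$1; want=$2
    tmp=$(mktemp)
    awk -v want="$want" '
        $1 == "go"        { print "go " want; next }
        $1 == "toolchain" { next }
        { print }
    ' "$gomod" > "$tmp"
    mv "$tmp" "$gomod"
}

# Return 0 if dotted version $1 is <= $2 (missing components count as 0),
# so the caller can tell whether the local toolchain already satisfies go.mod.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# List spec lines (with line numbers) that would reach the network at build
# time, ignoring anything after a "#". Returns 0 whether or not lines matched.
spec_network_fetches() {
    grep -nE '^[^#]*(git clone|curl |wget |go (get|mod download)|GOTOOLCHAIN=auto)' "$1" || true
}

# Return 0 if the spec declares at least one Source tag (a shipped tarball).
spec_has_source() {
    grep -qE '^Source[0-9]*:' "$1"
}

# Demo on constructed input: a go.mod that asks for Go 1.24.5 on a host whose
# distro Go is 1.24.4, and a spec that clones from git in %prep.
demo=$(mktemp -d)
printf 'module github.com/example/app\n\ngo 1.24.5\n\ntoolchain go1.24.5\n' > "$demo/go.mod"
printf '%%prep\ngit clone https://example.invalid/repo\n%%build\nexport GOTOOLCHAIN=local\n' > "$demo/demo.spec"
local_go=1.24.4
need=$(required_go_version "$demo/go.mod")
if version_le "$need" "$local_go"; then
    echo "go.mod requires $need, local Go $local_go is enough"
else
    echo "go.mod requires $need but local Go is $local_go: pinning"
    pin_go_directive "$demo/go.mod" "$local_go"
    echo "go.mod now requires $(required_go_version "$demo/go.mod")"
fi
if ! spec_has_source "$demo/demo.spec"; then
    echo "demo.spec ships no Source tarball"
fi
spec_network_fetches "$demo/demo.spec" | sed 's/^/network fetch at spec line /'
rm -rf "$demo"
```

In a spec, pin_go_directive would be called from %prep after the tarball is unpacked, and spec_network_fetches is something to run over the .spec before rpmbuild -bs; a non-empty listing means mock will need --enable-network, which is exactly what the policy is meant to avoid. Pinning the directive only helps when the upstream code really builds with the older toolchain, which is why the pinned build still has to be run and the binary exercised.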
On 30/07/25 19:05, Peter wrote:
> Grrrr, it's attempting to download go 1.24.5 and install it for the
> build. EL9 comes with 1.24.4 but this (very recent) commit changed the
> "required" go version to 1.24.5:
>
> https://github.com/Zuplu/postfix-tlspol/commit/4e814599bfcc1a8d245ca7b62e52e8deeb3e968e
>
> I have to wonder if they changed it just to "keep current" or if there is
> an actual reason for that version.
>
>
> Peter
>
>
> On 30/07/25 05:29, Michael Webb wrote:
>> Hi Peter
>>
>> I have amended as requested and also changed one other aspect of the build philosophy related to the golang toolchain version (see changelog)
>>
>> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-2/
>>
>> Thank you!
>> Mike
>>
>> -----Original Message-----
>> From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
>> Sent: Tuesday, July 29, 2025 2:00 AM
>> To: users at lists.ghettoforge.net
>> Subject: Re: [GF-Users] postfix-tlspol rpm - spec file sample complete
>>
>> Thanks Michael,
>>
>> One more thing, though. By policy GhettoForge requires that all sources are distributed in the .src.rpm and not downloaded; this is to ensure stability and reproducibility of builds. I noticed that the last src.rpm you provided included the source tarball but this one does not.
>> Can you modify it to build from a provided source tarball instead of downloading?
>>
>>
>> Peter
>>
>>
>> On 29/07/25 18:56, Michael Webb wrote:
>>> Peter. Thanks for the help again. The spec file is working now. The rpm is running on my servers with no issues and I am now comfortable to offer this spec file to create a postfix-tlspol release candidate rpm for distribution with ghettoforge. To fix the problem I last reported, I used more shell commands from the creator's example script to replace some of the go-rpm-macros.
>>>
>>> The spec automatically downloads the latest git package for each build and therefore dns and network must be working on the mock host and in mock. Unlike the creator's example, this spec does not upgrade golang and the vendor packages to the latest and does no CPU optimization, which I thought would give the broadest compatibility. However, CPU detection and optimization may be preferable for servers with high email volume.
>>>
>>> The justification for highlighting this package is that, as far as I know, github.com/Zuplu/postfix-tlspol is the only open-source program available to look up both DANE and MTA-STS policy, helping us achieve tighter RFC compliance. Through its evolution I witnessed the creator actively collaborate with the postfix maintainers and end-users (including some providing high volume email services) to ensure RFC compliance and compatibility. I have personally been using this on low volume servers I maintain since Jan 2025 and consider it stable. Even in a degraded state (e.g. socket timeout), postfix will continue to deliver mail without TLS policy lookup in most cases, which is no different from how many email servers are still operating in an optimal state - i.e. low risk.
>>>
>>> Spec (see also below)
>>> https://integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-1.spec.txt
>>>
>>> sample srpm & rpm
>>> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol
>>>
>>> My build sequence on the mock machine was:
>>>
>>> dnf install bind
>>> rpmbuild -bs /root/rpmbuild/SPECS/postfix-tlspol-1.8.12-1.spec
>>> mock -r centos-stream+epel-9-x86_64 --rebuild /root/rpmbuild/SRPMS/postfix-tlspol-1.8.12-1.el9.src.rpm --enable-network
>>>
>>> The following entries are also recommended in /etc/named.conf on the
>>> target machines
>>>
>>> min-cache-ttl 10;
>>> max-cache-ttl 240;
>>>
>>> After install of the rpm on the target machine, the service can be tested manually.
>>>
>>> /usr/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml -query integrilog.com
>>>
>>>
>>> Regards
>>> Michael Webb
>>>
>>> postfix-tlspol-1.8.12-1.spec
>>> ---------------------------------------------------------------------------------------------------------------------------
>>> Name: postfix-tlspol
>>> Version: 1.8.12
>>> Release: 1%{?dist}
>>> Summary: Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE
>>>
>>> License: MIT and GPLv3+
>>>
>>> %global common_description %{expand:
>>> Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for
>>> Postfix, prioritizing DANE.}
>>>
>>> %define _unpackaged_files_terminate_build 0
>>> %global goipath github.com/Zuplu/postfix-tlspol
>>> %gometa -L -f
>>> URL: %{gourl}
>>>
>>> BuildRequires: git golang go-rpm-macros systemd-rpm-macros
>>>
>>> %description %{common_description}
>>>
>>> %prep
>>> cd %{_builddir}
>>> git clone %{URL}
>>> mv %{_builddir}/postfix-tlspol %{_builddir}/%{archivename}
>>>
>>> %build
>>> # Stay with the golang version loaded with mock (set GOTOOLCHAIN=auto to allow upgrades)
>>> export GOTOOLCHAIN=local
>>> # Use pure golang. Don't link any gcc libraries.
>>> export CGO_ENABLED=0
>>> printf "Version: %version\n"
>>> cd %{_builddir}/%{archivename}
>>> mkdir -p build
>>> if go build -buildmode=exe -trimpath -tags netgo -ldflags="-d -extldflags='-static' -s -X 'main.Version=%version'" -o build/postfix-tlspol .; then
>>> printf "Build succeeded!\n"
>>> else
>>> printf "Build failed!\n"
>>> exit 1
>>> fi
>>>
>>>
>>> %install
>>> install -m 0755 -vd %{buildroot}%{_bindir}
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/build/postfix-tlspol" "%{buildroot}%{_bindir}/"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/configs/config.default.yaml" "%{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/README.md" "%{buildroot}%{_pkgdocdir}/README.md"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/SECURITY.md" "%{buildroot}%{_pkgdocdir}/SECURITY.md"
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/query.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/query.sh"
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/test.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/test.sh"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/init/postfix-tlspol.service" "%{buildroot}%{_unitdir}/postfix-tlspol.service"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/LICENSE" "%{buildroot}/usr/share/licenses/postfix-tlspol/LICENSE"
>>> # Change default DNS Server IP Address to 127.0.0.1:53
>>> sed -i 's/53\:53/1\:53/g' %{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml
>>>
>>> %post
>>> %systemd_post postfix-tlspol.service
>>> exit 0
>>>
>>> %preun
>>> %systemd_preun postfix-tlspol.service
>>> exit 0
>>>
>>> %postun
>>> %systemd_postun_with_restart postfix-tlspol.service
>>> exit 0
>>>
>>> %files
>>> %{_bindir}/postfix-tlspol
>>> /usr/share/licenses/postfix-tlspol/LICENSE
>>> %config(noreplace) %{_sysconfdir}/postfix-tlspol/config.yaml
>>> %{_pkgdocdir}/*.md
>>> /usr/local/bin/postfix-tlspol/*.sh
>>> %{_unitdir}/postfix-tlspol.service
>>>
>>> %changelog
>>> * Mon Jul 28 2025 Michael Webb <gf101 at integrilog.com> - 1.8.12-1
>>> - Initial build For EL 9
>>> ---------------------------------------------------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> users mailing list
>>> users at lists.ghettoforge.net
>>> http://lists.ghettoforge.net/mailman/listinfo/users
>>
>