[GF-Users] postfix-tlspol rpm - spec file sample complete (Rev 2)

Michael Webb michael.webb at integrilog.com
Wed Jul 30 01:38:37 MST 2025


Just confirming I just rebuilt and tested with your changes - had no issues with building or testing binary built without -L for %gometa and TOOLCHAIN=local.



-----Original Message-----
From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
Sent: Wednesday, July 30, 2025 2:11 AM
To: users at lists.ghettoforge.net
Subject: Re: [GF-Users] postfix-tlspol rpm - spec file sample complete (Rev 2)

Oh TOOLCHAIN=local should eliminate the need for the patch, thanks for that.

Also fixing the %gometa line for compatibility with EL8 (since the go-rpm-macros in EL8 doesn't support the -L flag to the %gometa macro).


Peter


On 30/07/25 19:39, Michael Webb wrote:
> I decided to go with allowing it to upgrade the toolchain because I was concerned that the other modules might not play nicely if they are using a later feature. It is easy to disable by changing the one line to TOOLCHAIN=local. The package seemed to work well either way, so do what is best for you.
> 
> -----Original Message-----
> From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
> Sent: Wednesday, July 30, 2025 1:05 AM
> To: users at lists.ghettoforge.net
> Subject: Re: [GF-Users] postfix-tlspol rpm - spec file sample complete (Rev 2)
> 
> Grrrr, it's attempting to download go 1.24.5 and install it for the build.  EL9 comes with 1.24.4 but this (very recent) commit changed the "required" go version to 1.24.5:
> 
> https://github.com/Zuplu/postfix-tlspol/commit/4e814599bfcc1a8d245ca7b62e52e8deeb3e968e
> 
> I have to wonder if they changed it just to "keep current" or if there is an actual reason for that version.
> 
> 
> Peter
> 
> 
> On 30/07/25 05:29, Michael Webb wrote:
>> Hi Peter
>>
>> I have amended as requested and also changed one other aspect of the build philosophy related to golang toolchain version (see changelog)
>>
>> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-2/
>>
>> Thank you!
>> Mike
>>
>> -----Original Message-----
>> From: users-bounces at lists.ghettoforge.net <users-bounces at lists.ghettoforge.net> On Behalf Of Peter
>> Sent: Tuesday, July 29, 2025 2:00 AM
>> To: users at lists.ghettoforge.net
>> Subject: Re: [GF-Users] postfix-tlspol rpm - spec file sample complete
>>
>> Thanks Michael,
>>
>> One more thing, though.  By policy GhettoForge requires that all sources are distributed in the .src.rpm and not downloaded, this is to ensure stability and reproducibility of builds.  I noticed that the last src.rpm you provided included the source tarball but this one does not.
>> Can you modify it to build from a provided source tarball instead of downloading?
>>
>>
>> Peter
>>
>>
>> On 29/07/25 18:56, Michael Webb wrote:
>>> Peter. Thanks for the help again. The spec file is working now. The rpm is running on my servers with no issues and I am now comfortable to offer this spec file to create a postfix-tlspol release candidate rpm for distribution with ghettoforge. To fix the problem I last reported, I used more shell commands from the creator's example script to replace some of the go-rpm-macros.
>>>
>>> The spec automatically downloads the latest git package for each build and therefore dns and network must be working on the mock host and in mock. Unlike the creator's example, this spec does not upgrade golang and the vendor packages to the latest and does no CPU optimization for what I thought would be for broadest compatibility. However, CPU detection and optimization may be preferable for servers with high email volume.
>>>
>>> The justification for highlighting this package is that, as far as I know, github.com/Zuplu/postfix-tlspol is the only open-source program available to look up both DANE and MTA_STS policy, helping us achieve tighter RFC compliance. Through its evolution I witnessed the creator actively collaborate with the postfix maintainers and end-users (including some providing high volume email services) to ensure RFC compliance and compatibility. I have personally been using this on low volume servers I maintain since Jan 2025 and consider it stable. Even in a degraded state (e.g. socket timeout), postfix will continue to deliver mail without TLS policy lookup in most cases, which is no different to how many email servers are still operating in an optimal state - i.e. low risk.
>>>
>>> Spec (see also below)
>>> https://integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol/postfix-tlspol-1.8.12-1.spec.txt
>>>
>>> sample srpm & rpm
>>> https://www.integrilog.com/adhj5jkuuk2sfsf0/postfix-tlspol
>>>
>>> My build sequence on the mock machine was:
>>>
>>> 	dnf install bind
>>> 	rpmbuild -bs /root/rpmbuild/SPECS/postfix-tlspol-1.8.12-1.spec
>>> 	mock -r centos-stream+epel-9-x86_64 --rebuild /root/rpmbuild/SRPMS/postfix-tlspol-1.8.12-1.el9.src.rpm --enable-network
>>>
>>> The following entries are also recommended in /etc/named.conf on the
>>> target machines
>>>     
>>> 	min-cache-ttl 10;
>>> 	max-cache-ttl 240;
>>>
>>> After install of the rpm on the target machine, the service can be tested manually.
>>>     
>>> 	/usr/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml -query integrilog.com
>>>
>>>
>>> Regards
>>> Michael Webb
>>>
>>> postfix-tlspol-1.8.12-1.spec
>>> ---------------------------------------------------------------------------------------------------------------------------
>>> Name:           postfix-tlspol
>>> Version:        1.8.12
>>> Release:        1%{?dist}
>>> Summary:        Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for Postfix, prioritizing DANE
>>>
>>> License:        MIT and GPLv3+
>>>
>>> %global common_description %{expand:
>>> Lightweight MTA-STS + DANE/TLSA resolver and TLS policy server for
>>> Postfix, prioritizing DANE.}
>>>
>>> %define _unpackaged_files_terminate_build 0
>>> %global goipath         github.com/Zuplu/postfix-tlspol
>>> %gometa -L -f
>>> URL:		%{gourl}
>>>
>>> BuildRequires:  git golang go-rpm-macros systemd-rpm-macros
>>>
>>> %description %{common_description}
>>>
>>> %prep
>>> cd %{_builddir}
>>> git clone %{URL}
>>> mv %{_builddir}/postfix-tlspol %{_builddir}/%{archivename}
>>>
>>> %build
>>> # Stay with the golang version loaded with mock (set GOTOOLCHAIN=auto to allow upgrades)
>>> export GOTOOLCHAIN=local
>>> # Use pure golang. Don't link any gcc libraries.
>>> export CGO_ENABLED=0
>>> printf "Version: %version\n"
>>> cd %{_builddir}/%{archivename}
>>> mkdir -p build
>>> if go build -buildmode=exe -trimpath -tags netgo -ldflags="-d -extldflags='-static' -s -X 'main.Version=%version'" -o build/postfix-tlspol .; then
>>>        printf "Build succeeded!\n"
>>>      else
>>>        printf "Build failed!\n"
>>>        exit 1
>>> fi
>>>
>>>
>>> %install
>>> install -m 0755 -vd                     %{buildroot}%{_bindir}
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/build/postfix-tlspol" "%{buildroot}%{_bindir}/"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/configs/config.default.yaml" "%{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/README.md" "%{buildroot}%{_pkgdocdir}/README.md"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/SECURITY.md" "%{buildroot}%{_pkgdocdir}/SECURITY.md"
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/query.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/query.sh"
>>> %__install -Dm 755 "%{_builddir}/%{archivename}/scripts/test.sh" "%{buildroot}/usr/local/bin/postfix-tlspol/test.sh"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/init/postfix-tlspol.service" "%{buildroot}%{_unitdir}/postfix-tlspol.service"
>>> %__install -Dm 644 "%{_builddir}/%{archivename}/LICENSE" "%{buildroot}/usr/share/licenses/postfix-tlspol/LICENSE"
>>> # Change default DNS Server IP Address to 127.0.0.1:53
>>> sed -i 's/53\:53/1\:53/g' %{buildroot}%{_sysconfdir}/postfix-tlspol/config.yaml
>>>
>>> %post
>>> %systemd_post postfix-tlspol.service
>>> exit 0
>>>
>>> %preun
>>> %systemd_preun postfix-tlspol.service
>>> exit 0
>>>
>>> %postun
>>> %systemd_postun_with_restart postfix-tlspol.service
>>> exit 0
>>>
>>> %files
>>> %{_bindir}/postfix-tlspol
>>> /usr/share/licenses/postfix-tlspol/LICENSE
>>> %config(noreplace) %{_sysconfdir}/postfix-tlspol/config.yaml
>>> %{_pkgdocdir}/*.md
>>> /usr/local/bin/postfix-tlspol/*.sh
>>> %{_unitdir}/postfix-tlspol.service
>>>
>>> %changelog
>>> * Mon Jul 28 2025 Michael Webb <gf101 at integrilog.com> - 1.8.12-1
>>> - Initial build For EL 9
>>> ----------------------------------------------------------------------
>>> ---------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> users mailing list
>>> users at lists.ghettoforge.net
>>> http://lists.ghettoforge.net/mailman/listinfo/users
>>
> 

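As an added illustration of the toolchain issue discussed in this thread (not code from any poster or from the postfix-tlspol project): a pre-build check that reads a go.mod and reports whether `go build` would proceed, stop with a version error, or fetch a newer toolchain over the network, the last of which conflicts with building only from sources shipped in the .src.rpm. The function names and the sample go.mod are constructed for this example, and GNU `sort -V` is assumed.

```bash
#!/usr/bin/env bash
# Added illustration; function names and the sample go.mod are constructed.

# ver_ge A B: true when version A >= version B (relies on GNU sort -V).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# directive GO_MOD NAME: print the value of a one-line go.mod directive,
# stripping the "go" prefix used by toolchain names such as "go1.24.5".
directive() {
    awk -v name="$2" '$1 == name && NF >= 2 { sub(/^go/, "", $2); print $2; exit }' "$1"
}

# toolchain_action GO_MOD LOCAL_GO_VERSION MODE
# MODE is the GOTOOLCHAIN setting, "local" or "auto". Prints one of:
#   ok        the installed Go already satisfies go.mod
#   download  go would fetch a newer toolchain during the build
#   fail      go would stop with a version error and not use the network
toolchain_action() {
    local mod=$1 have=$2 mode=$3 need_go need_tc
    need_go=$(directive "$mod" go)
    need_tc=$(directive "$mod" toolchain)
    if [ "$mode" = local ]; then
        # With local, only the `go` line is a hard minimum; the
        # `toolchain` line is ignored because no switching happens.
        if ver_ge "$have" "${need_go:-0}"; then echo ok; else echo fail; fi
    elif ver_ge "$have" "${need_go:-0}" && ver_ge "$have" "${need_tc:-0}"; then
        echo ok
    else
        echo download
    fi
}

# Constructed sample mirroring the thread: go.mod asks for Go 1.24.5.
sample_mod=$(mktemp)
printf 'module example.invalid/demo\n\ngo 1.24.5\n' > "$sample_mod"
```

Running `toolchain_action go.mod "$(go env GOVERSION | sed 's/^go//')" local` against the unpacked source before `%build` gives the same answer without starting a build.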