0

Background

Hello, OpenDKIM is available on the official apk repository, but does not include important configuration flags I need such as --with-odbx and --with-sql-backend.

I was able to compile it relatively easily. However, the resulting OpenDKIM binary cannot verify DKIM headers since it does not support RSA-SHA256. I found this odd since apk add opendkim does support RSA-SHA256.

Question

How can I compile OpenDKIM on Alpine 3.14 with these additional configuration flags and still have support for RSA-SHA256?

Steps to reproduce

First, I pre-downloaded OpenDKIM 2.11.0-Beta2 and OpenDBX 1.4.6 into a packages folder.

mkdir packages
wget -P packages \
  https://github.com/trusteddomainproject/OpenDKIM/archive/refs/tags/2.11.0-Beta2.tar.gz \ 
  http://linuxnetworks.de/opendbx/download/opendbx-1.4.6.tar.gz

Then I wrote this Dockerfile, based mainly on the APKBUILD file.

FROM alpine:3.14

COPY packages /opt/data

RUN apk add --no-cache \
    alpine-sdk \
    automake \
    autoconf \
    db-dev \
    libtool \
    mariadb-dev \
    readline-dev \
  && cd /opt/data \
  && tar xzf opendbx-1.4.6.tar.gz \
  && cd opendbx-1.4.6/ \
  && CPPFLAGS="-I/usr/include/mysql" ./configure --with-backends="mysql" \
  && make install

RUN apk add --no-cache \
    openssl-dev \
    libmilter-dev \
  && cd /opt/data \
  && tar xzf 2.11.0-Beta2.tar.gz \
  && cd OpenDKIM-2.11.0-Beta2 \
  && autoreconf -vif \
  && ./configure \
    --sysconfdir=/etc/opendkim \
    --with-odbx \
    --with-openssl=/usr/lib \
    --with-sql-backend \
  && make \
  && make install

Then I built and ran the docker image:

docker build -t opendkim-alpine .
docker run opendkim-alpine opendkim -V

Notice rsa-sha256 is missing from the "Supported signing algorithms. Compare to the output here:

docker run alpine:3.14 ash -c 'apk add opendkim && opendkim -V'

Notes

  • ./configure failed to complete with an error that libssl could not be found until I specified --with-openssl=/usr/lib. I think this may hint that I need to pass LDFLAGS or CFLAGS, but I don't know what those should be.
  • Debian Buster does include the compilation flags I need.
  • In the APKBUILD file, I have no idea what the values of CFLAGS are and I couldn't easily figure out what default_prepare does. It seems relatively opaque and difficult to find the answers to these questions except by experiment.
  • I've seen other attempts which create an entire alpine build environment and use sed to modify the APKBUILD file to include extra flags. This seemed like overkill.
  • For Googlers, the error message I get when trying to run opendkim in verify mode is opendkim: verify mode requires rsa-sha256 support.
jchook
  • 123
  • 9

1 Answers1

0

Okay, I figured it out. I fully don't understand why, but I needed to set this env var for ./configure:

CPPFLAGS="-I/usr/include/openssl"

So the full RUN command becomes:

RUN apk add --no-cache \
    openssl-dev \
    libmilter-dev \
  && cd /opt/data \
  && tar xzf 2.11.0-Beta2.tar.gz \
  && cd OpenDKIM-2.11.0-Beta2 \
  && autoreconf -vif \
  && CPPFLAGS="-I/usr/include/openssl" ./configure \
    --sysconfdir=/etc/opendkim \
    --with-odbx \
    --with-openssl \
    --with-sql-backend \
  && make \
  && make install

I resolved this through trial and error and would love an explanation why OpenDKIM couldn't find openssl located there by default.

jchook
  • 123
  • 9