* update opendkim to 2.11.0beta-8.1

opendkim/PKGBUILD

@@ -4,7 +4,7 @@
 
 pkgname=opendkim
 pkgver=2.11.0beta
-pkgrel=8
+pkgrel=8.1
 _commit=551ab3820476234def82eb2223ca6c7b45b45076
 pkgdesc="Open source implementation of the DKIM sender authentication system. Based on a fork of dkim-milter."
 arch=(x86_64 powerpc64le powerpc64 powerpc)
@@ -21,17 +21,50 @@ source=("git+https://github.com/trusteddomainproject/OpenDKIM.git#commit=${_comm
         opendkim.sysusers
         opendkim.tmpfiles
         opendkim.service
-        openssl_1.1.0_compat.patch)
+        opendkim-2.10.3-fix-ldap-sasl-pc.patch
+        opendkim-2.10.3-incompatible-pointer-types.patch
+        opendkim-2.10.3-snprintf-include.patch
+        opendkim-2.10.3-vsnprintf-include.patch
+        conf_refcnt.patch
+        fix-RSA_Sign-call.patch
+        ftbfs-gcc-14-1075339.patch
+        insheader.patch
+        mlfi_close.patch
+        nsupdate_output.patch
+        replace-headers.patch)
 sha256sums=('7ecf55e6cc7f2b167ac109223e270d35d0c1f467f0574260cafab5ced0f2d0d3'
             'd677e975977a94c09aaf1c92a98797189d969cdce98ac3867d7a3737ad4eaab0'
             '9cf80fce628104be279f82c120119284e5ab295d5ce64ced5b9d98271d2c752e'
             'ab66c9fdcb8913f2a550289dd44d56d17b960cf5275839ffd03cba70a27ab6ed'
             'a9beeedc6fb543d92a9dd50c99c018dccdc2b7123675d37d7a4123a93d211487'
-            '5095a7516493af08396060852851231c9b1cba5ee00493f810f0dfc9a69f8dfe')
+            '7b2627e3f787952d36f33b052a0723d0bf8dbfc36de40fc11d4b9b4c4cfbd485'
+            '0499d37648554d186fcee44d90dcb1c6ebd0666c2169409f211389f5ffcd3d74'
+            '1bdf003c597aaa1d62ca51bfb43589c02aa9b0bbd7ab0659d77d6d6c04fa4ce6'
+            'b0cacfa7407b7d9c7d24591f4b8fca9deb8254c4754ec25aace5411866fbe219'
+            '07ee5ff2a0664bd40db6cc98d58fd2ba5cfcd46ffc52f1e4dafdd8d11790db4b'
+            '9910a3899313dec7f313153818cd71bdd57526931433b5b96d28f840e1afbe59'
+            '731aed3eae50e55c7c2a9810ba12f99366a437fc72e634fe9ec5ae19f1237578'
+            'b26859b22027099432982e467549de4cbb56675379b43b252298879ebfa3b76d'
+            '9a3e177ba92806d63a5bf8504fe27f60a069513dd7c0119889756d39bb894c62'
+            'a9bf505214a5c48d95be0ddd1b953d7221b73c11cdec4c0d3c4f017e1e8536fe'
+            '969b409b23f7b1352e399963a6105ff906d27a2134e63ca672d26f9c543ea275')
 
 prepare() {
   cd "$srcdir/OpenDKIM"
   patch -p1 -i "$srcdir"/7c70ee7c86da1cecc621182355cc950d3b193314.patch
+
+  patch -Np1 -i ${srcdir}/opendkim-2.10.3-fix-ldap-sasl-pc.patch
+  patch -Np1 -i ${srcdir}/opendkim-2.10.3-incompatible-pointer-types.patch
+  patch -Np1 -i ${srcdir}/opendkim-2.10.3-snprintf-include.patch
+  patch -Np1 -i ${srcdir}/opendkim-2.10.3-vsnprintf-include.patch
+  patch -Np1 -i ${srcdir}/conf_refcnt.patch
+  patch -Np1 -i ${srcdir}/fix-RSA_Sign-call.patch
+  patch -Np1 -i ${srcdir}/ftbfs-gcc-14-1075339.patch
+  patch -Np1 -i ${srcdir}/insheader.patch
+  patch -Np1 -i ${srcdir}/mlfi_close.patch
+  patch -Np1 -i ${srcdir}/nsupdate_output.patch
+  patch -Np1 -i ${srcdir}/replace-headers.patch
+
   autoreconf -i
 }
 

opendkim/conf_refcnt.patch

@@ -0,0 +1,13 @@
+Description: opendkim/opendkim.c:dkimf_config_free(): don't assert conf->refcnt == 0
+Bug: https://github.com/trusteddomainproject/OpenDKIM/issues/22
+
+--- a/opendkim/opendkim.c
++++ b/opendkim/opendkim.c
+@@ -5902,7 +5902,6 @@
+ dkimf_config_free(struct dkimf_config *conf)
+ {
+ 	assert(conf != NULL);
+-	assert(conf->conf_refcnt == 0);
+ 
+ 	dkimf_zapkey(conf);
+ 

opendkim/fix-RSA_Sign-call.patch

@@ -0,0 +1,27 @@
+Description: Fix signedness bug in RSA_Sign call
+Author: Martin Grimm <martin.grimm@to.com>
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/159
+
+--- a/libopendkim/dkim.c
++++ b/libopendkim/dkim.c
+@@ -3951,6 +3951,7 @@
+ 	  {
+ 		int nid;
+ 		struct dkim_crypto *crypto;
++		unsigned int ui_l = 0;
+ 
+ 		crypto = (struct dkim_crypto *) sig->sig_signature;
+ 
+@@ -3961,9 +3962,11 @@
+ 		    sig->sig_hashtype == DKIM_HASHTYPE_SHA256)
+ 			nid = NID_sha256;
+ 
++		/* use variable ui_l to savely get the length (unsigned int *) out of RSA_sign and into size_t type l */
+ 		status = RSA_sign(nid, digest, diglen,
+-	                          crypto->crypto_out, (int *) &l,
++	                          crypto->crypto_out, &ui_l,
+ 		                  crypto->crypto_key);
++		l = ui_l;
+ 		if (status != 1 || l == 0)
+ 		{
+ 			dkim_load_ssl_errors(dkim, 0);

opendkim/ftbfs-gcc-14-1075339.patch

@@ -0,0 +1,17 @@
+Description: Fix FTBFS with gcc-14
+Author: Tim Woodall <debianbugs@woodall.me.uk>
+Bug-Debian: https://bugs.debian.org/1075339
+Forwarded: no
+Last-Update: 2024-08-25
+
+--- opendkim-2.11.0~beta2.orig/librbl/rbl.c
++++ opendkim-2.11.0~beta2/librbl/rbl.c
+@@ -329,7 +329,7 @@ void
+ rbl_res_close(void *srv)
+ {
+ #ifdef HAVE_RES_NINIT
+-	struct state *res;
++	struct __res_state *res;
+ 
+ 	res = srv;
+ 

opendkim/insheader.patch

@@ -0,0 +1,69 @@
+Description: Insert trace headers at index 0
+Author: David Bürgin <dbuergin@gluet.ch>
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/126
+
+--- a/opendkim/opendkim.c
++++ b/opendkim/opendkim.c
+@@ -3670,7 +3670,7 @@
+ 
+ 	if (ctx == NULL)
+ 		lua_pushnil(l);
+-	else if (dkimf_insheader(ctx, 1, name, value) == MI_SUCCESS)
++	else if (dkimf_insheader(ctx, 0, name, value) == MI_SUCCESS)
+ 		lua_pushnumber(l, 1);
+ 	else
+ 		lua_pushnil(l);
+@@ -4246,7 +4246,7 @@
+ 	assert(conf != NULL);
+ 	assert(ctx != NULL);
+ 
+-	if (dkimf_insheader(ctx, 1, AUTHRESULTSHDR,
++	if (dkimf_insheader(ctx, 0, AUTHRESULTSHDR,
+ 	                    (char *) dfc->mctx_dkimar) == MI_FAILURE)
+ 	{
+ 		if (conf->conf_dolog)
+@@ -13517,7 +13517,7 @@
+ 		         dkimf_lookup_inttostr(dfc->mctx_status,
+ 		                               dkimf_statusstrings));
+ 
+-		if (dkimf_insheader(ctx, 1, AUTHRESULTSHDR,
++		if (dkimf_insheader(ctx, 0, AUTHRESULTSHDR,
+ 		                    (char *) header) == MI_FAILURE)
+ 		{
+ 			if (conf->conf_dolog)
+@@ -14962,7 +14962,7 @@
+ 						        sizeof header);
+ 					}
+ 		
+-					if (dkimf_insheader(ctx, 1,
++					if (dkimf_insheader(ctx, 0,
+ 					                    AUTHRESULTSHDR,
+ 					                    (char *) header) == MI_FAILURE)
+ 					{
+@@ -15165,7 +15165,7 @@
+ 			dkimf_stripcr((char *) start);
+ 			dkimf_dstring_cat(dfc->mctx_tmpstr, start);
+ 
+-			if (dkimf_insheader(ctx, 1, DKIM_SIGNHEADER,
++			if (dkimf_insheader(ctx, 0, DKIM_SIGNHEADER,
+ 			                    (char *) dkimf_dstring_get(dfc->mctx_tmpstr)) == MI_FAILURE)
+ 			{
+ 				if (conf->conf_dolog)
+@@ -15201,7 +15201,7 @@
+ 		/* add VBR-Info header if generated */
+ 		if (dfc->mctx_vbrinfo != NULL)
+ 		{
+-			if (dkimf_insheader(ctx, 1, VBR_INFOHEADER,
++			if (dkimf_insheader(ctx, 0, VBR_INFOHEADER,
+ 			                    dfc->mctx_vbrinfo) == MI_FAILURE)
+ 			{
+ 				if (conf->conf_dolog)
+@@ -15251,7 +15251,7 @@
+ 		         dfc->mctx_jobid != NULL ? dfc->mctx_jobid
+ 		                                 : (u_char *) JOBIDUNKNOWN);
+ 
+-		if (dkimf_insheader(ctx, 1, SWHEADERNAME, xfhdr) != MI_SUCCESS)
++		if (dkimf_insheader(ctx, 0, SWHEADERNAME, xfhdr) != MI_SUCCESS)
+ 		{
+ 			if (conf->conf_dolog)
+ 			{

opendkim/mlfi_close.patch

@@ -0,0 +1,90 @@
+Description: Reorder mlfi_close logic fixing use-after-free error
+Author: David Bürgin <dbuergin@gluet.ch>
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/129
+
+--- a/opendkim/opendkim.c
++++ b/opendkim/opendkim.c
+@@ -15360,6 +15360,41 @@
+ 	cc = (connctx) dkimf_getpriv(ctx);
+ 	if (cc != NULL)
+ 	{
++#ifdef QUERY_CACHE
++		if (querycache)
++		{
++			time_t now;
++
++			(void) time(&now);
++			if (cache_lastlog + CACHESTATSINT < now)
++			{
++				u_int c_hits;
++				u_int c_queries;
++				u_int c_expired;
++				u_int c_pct;
++				u_int c_keys;
++
++				dkim_getcachestats(cc->cctx_config->conf_libopendkim,
++				                   &c_queries, &c_hits, &c_expired,
++				                   &c_keys, FALSE);
++
++				cache_lastlog = now;
++
++				if (c_queries == 0)
++					c_pct = 0;
++				else
++					c_pct = (c_hits * 100) / c_queries;
++
++				syslog(LOG_INFO,
++				       "cache: %u quer%s, %u hit%s (%d%%), %u expired, %u key%s",
++				       c_queries, c_queries == 1 ? "y" : "ies",
++				       c_hits, c_hits == 1 ? "" : "s",
++				       c_pct, c_expired,
++				       c_keys, c_keys == 1 ? "" : "s");
++			}
++		}
++#endif /* QUERY_CACHE */
++
+ 		pthread_mutex_lock(&conf_lock);
+ 
+ 		cc->cctx_config->conf_refcnt--;
+@@ -15374,41 +15409,6 @@
+ 		dkimf_setpriv(ctx, NULL);
+ 	}
+ 
+-#ifdef QUERY_CACHE
+-	if (querycache)
+-	{
+-		time_t now;
+-
+-		(void) time(&now);
+-		if (cache_lastlog + CACHESTATSINT < now)
+-		{
+-			u_int c_hits;
+-			u_int c_queries;
+-			u_int c_expired;
+-			u_int c_pct;
+-			u_int c_keys;
+-
+-			dkim_getcachestats(cc->cctx_config->conf_libopendkim,
+-			                   &c_queries, &c_hits, &c_expired,
+-			                   &c_keys, FALSE);
+-
+-			cache_lastlog = now;
+-
+-			if (c_queries == 0)
+-				c_pct = 0;
+-			else
+-				c_pct = (c_hits * 100) / c_queries;
+-
+-			syslog(LOG_INFO,
+-			       "cache: %u quer%s, %u hit%s (%d%%), %u expired, %u key%s",
+-			       c_queries, c_queries == 1 ? "y" : "ies",
+-			       c_hits, c_hits == 1 ? "" : "s",
+-			       c_pct, c_expired,
+-			       c_keys, c_keys == 1 ? "" : "s");
+-		}
+-	}
+-#endif /* QUERY_CACHE */
+-
+ 	return SMFIS_CONTINUE;
+ }
+ 

opendkim/nsupdate_output.patch

@@ -0,0 +1,125 @@
+opendkim-genzone: fix nsupdate output
+
+This patch addresses several issues with the nsupdate output:
+
+o Add the correct fields (v=DKIM1, etc) before the key
+o Properly break fields into 255 byte chunks
+o Add the possibility to restrict the key to email signing
+
+Based on an original patch by Marco Favero as posted at:
+https://sourceforge.net/p/opendkim/feature-requests/200/
+
+Bug: https://sourceforge.net/p/opendkim/feature-requests/200/
+
+--- a/opendkim/opendkim-genzone.8.in
++++ b/opendkim/opendkim-genzone.8.in
+@@ -7,6 +7,7 @@
+ [\-C address]
+ [\-d domain]
+ [\-D]
++[\-M]
+ [\-E secs]
+ [\-F]
+ [\-N ns[,...]]
+@@ -64,6 +65,10 @@
+ .I \-D
+ Adds a "._domainkey" suffix to selector names in the zone file.
+ .TP
++.I \-M
++Restricts the keys for use in e-mail signing only.  The default is to allow
++the keys to be used for any service.
++.TP
+ .I \-E secs
+ When generating an SOA record (see
+ .I \-S
+--- a/opendkim/opendkim-genzone.c
++++ b/opendkim/opendkim-genzone.c
+@@ -52,7 +52,7 @@
+ 
+ /* definitions */
+ #define	BUFRSZ		1024
+-#define	CMDLINEOPTS	"C:d:DE:Fo:N:r:R:sSt:T:uvx:"
++#define	CMDLINEOPTS	"C:d:DME:Fo:N:r:R:sSt:T:uvx:"
+ #define	DEFCONFFILE	CONFIG_BASE "/opendkim.conf"
+ #define	DEFEXPIRE	604800
+ #define	DEFREFRESH	10800
+@@ -195,6 +195,7 @@
+ 	                "\t-D          \tinclude '._domainkey' suffix\n"
+ 	                "\t-E secs     \tuse specified expiration time in SOA\n"
+ 	                "\t-F          \tinclude '._domainkey' suffix and domainname\n"
++			"\t-M          \trestricts the keys for use in e-mail signing only\n"
+ 	                "\t-o file     \toutput file\n"
+ 	                "\t-N ns[,...] \tlist NS records\n"
+ 	                "\t-r secs     \tuse specified refresh time in SOA\n"
+@@ -230,6 +231,7 @@
+ 	_Bool fqdnsuffix = FALSE;
+ 	_Bool subdomains = FALSE;
+ 	_Bool writesoa = FALSE;
++	_Bool mailrestrict = FALSE;
+ 	int c;
+ 	int status;
+ 	int verbose = 0;
+@@ -309,6 +311,10 @@
+ 			fqdnsuffix = TRUE;
+ 			break;
+ 
++		  case 'M':
++			mailrestrict = TRUE;
++			break;
++
+ 		  case 'N':
+ 			nameservers = strdup(optarg);
+ 			break;
+@@ -873,42 +879,42 @@
+ 			fprintf(out, "zone %s\n", domain);
+ 
+ 			snprintf(tmpbuf, sizeof tmpbuf,
+-			         "update add %s%s%s%s%s %d TXT \"",
++			         "update add %s%s%s%s%s %d TXT \"v=DKIM1\\;k=rsa\\;%sp=",
+ 			         selector, suffix ? DKIMZONE : "",
+ 			         fqdnsuffix ? "." : "",
+ 			         fqdnsuffix ? domain : "",
+ 			         fqdnsuffix ? "." : "",
+-			         ttl == -1 ? defttl : ttl);
++			         ttl == -1 ? defttl : ttl,
++				 mailrestrict ? "s=email\\;" : "");
+ 		}
+ 		else
+ 		{
+ 			if (ttl == -1)
+ 			{
+ 				snprintf(tmpbuf, sizeof tmpbuf,
+-				         "%s%s%s%s%s\tIN\tTXT\t( \"v=DKIM1; k=rsa; p=",
++				         "%s%s%s%s%s\tIN\tTXT\t( \"v=DKIM1\\;k=rsa\\;%sp=",
+ 				         selector, suffix ? DKIMZONE : "",
+ 				         fqdnsuffix ? "." : "",
+ 				         fqdnsuffix ? domain : "",
+-				         fqdnsuffix ? "." : "");
++				         fqdnsuffix ? "." : "",
++					 mailrestrict ? "s=email\\;" : "");
+ 			}
+ 			else
+ 			{
+ 				snprintf(tmpbuf, sizeof tmpbuf,
+-				         "%s%s%s%s%s\t%d\tIN\tTXT\t( \"v=DKIM1; k=rsa; p=",
++				         "%s%s%s%s%s\t%d\tIN\tTXT\t( \"v=DKIM1\\;k=rsa\\;%sp=",
+ 				         selector, suffix ? DKIMZONE : "",
+ 				         fqdnsuffix ? "." : "",
+ 				         fqdnsuffix ? domain : "",
+ 				         fqdnsuffix ? "." : "",
+-				         ttl);
++				         ttl,
++				         mailrestrict ? "s=email\\;" : "");
+ 			}
+ 		}
+ 
+ 		fprintf(out, "%s", tmpbuf);
+ 
+-		if (nsupdate)
+-			olen = 0;
+-		else
+-			olen = strflen(tmpbuf);
++		olen = strflen(strstr(tmpbuf, "v=DKIM1"));
+ 
+ 		seenlf = FALSE;
+ 

opendkim/opendkim-2.10.3-fix-ldap-sasl-pc.patch

@@ -0,0 +1,69 @@
+From f203e0a001468cd30a0a3b780c90f0f90cdc35b8 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 2 Dec 2023 18:44:20 -0500
+Subject: [PATCH 1/2] configure.ac: update OpenLDAP's pkgconfig name
+
+OpenLDAP provides the file ldap.pc for its libldap library. This can
+be verified via libraries/libldap/ldap.pc.in in the repository,
+
+  https://git.openldap.org/openldap/openldap/-/blob/master/
+
+Our ./configure script checks instead for the name "openldap", which
+at some point may have been correct, but no longer works. We switch to
+"ldap" so that we can locate the upstream file.
+
+On some platforms (https://bugs.gentoo.org/918512) this will fix a
+linking error. Thanks to Chris Pritchard for the report and the
+diagnosis.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1eaa95d8..b8353077 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1800,7 +1800,7 @@ OPENLDAP_LIBS=""
+ if test \( x"$ldappath" = x"auto" -o x"$ldappath" = x"yes" \) -a \
+ 	x"$PKG_CONFIG" != x""
+ then
+-        PKG_CHECK_MODULES([OPENLDAP], [openldap >= 2.0.0],
++        PKG_CHECK_MODULES([OPENLDAP], [ldap >= 2.0.0],
+ 	[
+ 		ldap_found="yes"
+ 		OPENLDAP_CPPFLAGS="$OPENLDAP_CFLAGS"
+
+From 12b1403eea40f3df59ef130a28164f16d08053fc Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 2 Dec 2023 18:52:09 -0500
+Subject: [PATCH 2/2] configure.ac: update Cyrus SASL's pkgconfig name
+
+Cyrus SASL provides the file libsasl2.pc for its libsasl2
+library. This can be verified in its git repository:
+
+  https://github.com/cyrusimap/cyrus-sasl/blob/master/libsasl2.pc.in
+
+Our ./configure script checks instead for the name "cyrussasl", which
+at some point may have been correct, but no longer works. We switch to
+"libsasl2" so that we can locate the upstream file.
+
+On some platforms (https://bugs.gentoo.org/918512) this will fix a
+linking error. Thanks to Chris Pritchard for the report and the
+diagnosis.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index b8353077..071e8511 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1890,7 +1890,7 @@ sasl_found="no"
+ if test \( x"$saslpath" = x"auto" -o x"$saslpath" = x"yes" \) -a \
+ 	x"$PKG_CONFIG" != x""
+ then
+-        PKG_CHECK_MODULES([SASL], [cyrussasl >= 2.1.0],
++        PKG_CHECK_MODULES([SASL], [libsasl2 >= 2.1.0],
+ 	[
+ 		sasl_found="yes"
+ 		SASL_CPPFLAGS="$SASL_CFLAGS"

opendkim/opendkim-2.10.3-fix-libmilter-search.patch

@@ -0,0 +1,223 @@
+From a1371d8c81d5fc22cbc8ea2b1c9eb465e9a8e874 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Fri, 6 Nov 2020 07:40:06 -0500
+Subject: [PATCH] configure.ac: simplify the search for libmilter.
+
+This commit (temporarily?) reverts the --with-milter flag to a boolean,
+disallowing the user to pass it a path. This is done for several reasons:
+
+  * There's only one standard major version of libmilter, so people are
+    unlikely to have multiple copies of it installed side-by-side. And
+    When only one copy is present and usable with "-lmilter", the
+    ability to specify a path is redundant.
+
+  * The "milter path" was used for both the headers and the library
+    itself. As a result, the user was expected to specify something
+    like "/usr" as the milter path, whence OpenDKIM would infer that
+    the headers live in /usr/include and that the libraries live
+    in /usr/<somewhere>. If multiple libraries live in multiple
+    somewheres -- as is the case with "lib" and "lib64" on multilib
+    systems -- OpenDKIM is prone to guessing incorrectly. In other
+    words, the "milter path" mechanism was not fine-grained enough
+    to specify the correct library, and this led to link failures
+    in some not-too-uncommon cases.
+
+  * Headers and libraries in non-standard paths should be handled with
+    pkg-config, anyway.
+---
+ configure.ac         | 129 +++++++------------------------------------
+ opendkim/Makefile.am |   9 ++-
+ 2 files changed, 23 insertions(+), 115 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 828fe53f..8234e588 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -932,120 +932,29 @@ AC_SUBST(LIBCRYPTO_LIBS)
+ AC_MSG_CHECKING([for milter library and includes])
+ AC_ARG_WITH([milter],
+             AS_HELP_STRING([--with-milter],
+-                           [location of milter includes and library]),
+-            [milterpath="$withval"], [milterpath="auto"])
+-
+-if test x"$enable_filter" = x"no"
+-then
+-	milterpath="no"
+-fi
+-
+-if test "$milterpath" = "auto" -o "$milterpath" = "yes"
+-then
+-	milterdirs="/usr/local /opt/local /usr"
+-	for d in $milterdirs
+-	do
+-		if test -f $d/include/libmilter/mfapi.h
+-		then
+-			milterpath=$d
+-			break
+-		fi
+-	done
+-fi
+-case "$milterpath" in
+-	no)
+-		if test x"$enable_filter" = x"yes"
+-		then
+-			AC_MSG_ERROR([milter is required])
+-		fi
+-		AC_MSG_RESULT(disabled)
+-		;;
+-	auto)
+-		AC_MSG_ERROR([milter not found])
+-		;;
+-	*/*)
+-		if ! test -f $milterpath/include/libmilter/mfapi.h
+-		then
+-			AC_MSG_ERROR([milter includes not found at $milterpath])
+-		fi
+-		AC_MSG_RESULT([$milterpath])
+-		;;
+-	*)
+-		AC_MSG_ERROR([milter not found])
+-		;;
+-esac
+-
+-LIBMILTER_INCDIRS=""
+-LIBMILTER_LIBDIRS=""
+-LIBMILTER_LIBS=""
++                           [whether or not (yes or no) to use libmilter]),
++            [milterpath="$withval"], [milterpath="no"])
++
++AS_IF([test x"$enable_filter" = x"no"],[milterpath="no"])
++AS_IF([test x"$milterpath" = x"no"], [
++  AS_IF([test x"$enable_filter" = x"yes"],[
++    AC_MSG_ERROR([libmilter is required if filtering is enabled])
++  ])
++])
+ 
+-if test x"$milterpath" != x"no"
+-then
+-	LIBMILTER_INCDIRS="-I$milterpath/include"
++AS_IF([test x"$milterpath" = x"yes"], [
++  AC_CHECK_HEADER(libmilter/mfapi.h,
++                  [],
++		  AC_MSG_ERROR([libmilter/mfapi.h not found]))
+ 
+-	saved_CC="$CC"
+-	saved_CFLAGS="$CFLAGS"
+-	saved_CPPFLAGS="$CPPFLAGS"
+-	saved_LDFLAGS="$LDFLAGS"
+-	saved_LIBS="$LIBS"
++  AC_SEARCH_LIBS([smfi_register],
++                 [milter],
++		 [LIBMILTER_LIBS="-lmilter"],
++		 AC_MSG_ERROR([libmilter not found]))
+ 
+-	CC="$PTHREAD_CC"
+-	LIBS="$outer_LIBS $PTHREAD_LIBS $saved_LIBS"
+-	CPPFLAGS="$LIBMILTER_INCDIRS $saved_CPPFLAGS"
+-	CFLAGS="$PTHREAD_CFLAGS $saved_CFLAGS"
+-	LDFLAGS="$outer_LDFLAGS $PTHREAD_CFLAGS $saved_LDFLAGS"
+-
+-	breakloop="no"
+-	for d in lib lib64 lib/libmilter
+-	do
+-		unset ac_cv_search_smfi_register
+-		LDFLAGS="$outer_LDFLAGS $PTHREAD_CFLAGS -L$milterpath/$d $saved_LDFLAGS"
+-		AC_SEARCH_LIBS([smfi_register], [milter],
+-		               [
+-		               	LIBMILTER_LIBDIRS="-L$milterpath/$d"
+-		               	LIBMILTER_LIBS="-lmilter"
+-		               	breakloop="yes"
+-		               ])
+-
+-		AC_CHECK_FUNC([smfi_insheader],
+-			      AC_DEFINE([HAVE_SMFI_INSHEADER], 1,
+-					[Define if libmilter has smfi_insheader()]))
+-
+-		AC_CHECK_FUNC([smfi_opensocket],
+-			      AC_DEFINE([HAVE_SMFI_OPENSOCKET], 1,
+-					[Define if libmilter has smfi_opensocket()]))
+-
+-		AC_CHECK_FUNC([smfi_progress],
+-			      AC_DEFINE([HAVE_SMFI_PROGRESS], 1,
+-					[Define if libmilter has smfi_progress()]))
+-
+-		AC_CHECK_FUNC([smfi_setsymlist],
+-			      AC_DEFINE([HAVE_SMFI_SETSYMLIST], 1,
+-					[Define if libmilter has smfi_setsymlist()]))
+-
+-		AC_CHECK_FUNC([smfi_version],
+-			      AC_DEFINE([HAVE_SMFI_VERSION], 1,
+-					[Define if libmilter has smfi_version()]))
+-
+-		if test x"$breakloop" = x"yes"
+-		then
+-			break
+-		fi
+-	done
+-	if test x"$LIBMILTER_LIBDIRS" = x""
+-	then
+-		AC_MSG_ERROR([libmilter not found])
+-	fi
+-
+-	CC="$saved_CC"
+-	CPPFLAGS="$saved_CPPFLAGS"
+-	CFLAGS="$saved_CFLAGS"
+-	LDFLAGS="$saved_LDFLAGS"
+-	LIBS="$saved_LIBS"
+-fi
++  AC_CHECK_FUNCS([smfi_insheader smfi_opensocket smfi_progress smfi_setsymlist smfi_version])
++])
+ 
+-AC_SUBST(LIBMILTER_INCDIRS)
+-AC_SUBST(LIBMILTER_LIBDIRS)
+ AC_SUBST(LIBMILTER_LIBS)
+ 
+ #
+diff --git a/opendkim/Makefile.am b/opendkim/Makefile.am
+index 4aa615c1..e3d1d10e 100644
+--- a/opendkim/Makefile.am
++++ b/opendkim/Makefile.am
+@@ -26,7 +26,7 @@ opendkim_SOURCES = opendkim.c opendkim.h opendkim-ar.c opendkim-ar.h opendkim-ar
+ opendkim_CC = $(PTHREAD_CC)
+ opendkim_CFLAGS = $(PTHREAD_CFLAGS) $(LIBCRYPTO_CFLAGS) $(COV_CFLAGS)
+ opendkim_CPPFLAGS = -I$(srcdir)/../libopendkim $(LIBCRYPTO_CPPFLAGS)
+-opendkim_LDFLAGS = $(LIBCRYPTO_LIBDIRS) $(LIBMILTER_LIBDIRS) $(PTHREAD_CFLAGS) $(COV_LDFLAGS)
++opendkim_LDFLAGS = $(LIBCRYPTO_LIBDIRS) $(PTHREAD_CFLAGS) $(COV_LDFLAGS)
+ opendkim_LDADD = ../libopendkim/libopendkim.la $(LIBMILTER_LIBS) $(LIBCRYPTO_LIBS) $(PTHREAD_LIBS) $(COV_LIBADD) $(LIBRESOLV)
+ if USE_DB_OPENDKIM
+ opendkim_CPPFLAGS += $(LIBDB_INCDIRS)
+@@ -88,7 +88,6 @@ opendkim_CPPFLAGS += -I$(srcdir)/../reprrd
+ opendkim_LDADD += ../reprrd/libreprrd.la
+ endif
+ 
+-opendkim_CPPFLAGS += $(LIBMILTER_INCDIRS)
+ endif
+ 
+ if STATS
+@@ -108,7 +107,7 @@ opendkim_testkey_CFLAGS = $(LIBCRYPTO_CFLAGS) $(COV_CFLAGS) $(PTHREAD_CFLAGS)
+ opendkim_testkey_LDFLAGS = $(LIBCRYPTO_LIBDIRS) $(COV_LDFLAGS) $(PTHREAD_CFLAGS)
+ opendkim_testkey_LDADD = ../libopendkim/libopendkim.la $(LIBCRYPTO_LIBS) $(LIBRESOLV) $(COV_LIBADD) $(PTHREAD_LIBS)
+ if LUA
+-opendkim_testkey_CPPFLAGS += $(LIBLUA_INCDIRS) $(LIBMILTER_INCDIRS)
++opendkim_testkey_CPPFLAGS += $(LIBLUA_INCDIRS)
+ opendkim_testkey_LDFLAGS += $(LIBLUA_LIBDIRS)
+ opendkim_testkey_LDADD += $(LIBLUA_LIBS)
+ endif
+@@ -200,7 +199,7 @@ opendkim_genzone_CPPFLAGS += $(OPENLDAP_CPPFLAGS)
+ opendkim_genzone_LDADD += $(OPENLDAP_LIBS)
+ endif
+ if LUA
+-opendkim_genzone_CPPFLAGS += $(LIBLUA_INCDIRS) $(LIBMILTER_INCDIRS)
++opendkim_genzone_CPPFLAGS += $(LIBLUA_INCDIRS)
+ opendkim_genzone_LDFLAGS += $(LIBLUA_LIBDIRS)
+ opendkim_genzone_LDADD += $(LIBLUA_LIBS)
+ endif
+@@ -250,7 +249,7 @@ opendkim_atpszone_CPPFLAGS += $(OPENLDAP_CPPFLAGS)
+ opendkim_atpszone_LDADD += $(OPENLDAP_LIBS)
+ endif
+ if LUA
+-opendkim_atpszone_CPPFLAGS += $(LIBLUA_INCDIRS) $(LIBMILTER_INCDIRS)
++opendkim_atpszone_CPPFLAGS += $(LIBLUA_INCDIRS)
+ opendkim_atpszone_LDFLAGS += $(LIBLUA_LIBDIRS)
+ opendkim_atpszone_LDADD += $(LIBLUA_LIBS)
+ endif

opendkim/opendkim-2.10.3-incompatible-pointer-types.patch

@@ -0,0 +1,32 @@
+From 514ed1085d7399f7fe3bb53e6ae4693168dd0ab9 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Mon, 22 Apr 2024 07:37:40 -0400
+Subject: [PATCH] opendkim/opendkim.c: add two missing dkimf_dstring_get()
+ calls
+
+This fixes the build with CFLAGS="-Werror=incompatible-pointer-types",
+which some newer compilers are planning to make default.
+
+Gentoo-Bug: https://bugs.gentoo.org/919366
+---
+ opendkim/opendkim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/opendkim/opendkim.c b/opendkim/opendkim.c
+index d4229e8f..93d05a1e 100644
+--- a/opendkim/opendkim.c
++++ b/opendkim/opendkim.c
+@@ -11656,8 +11656,8 @@ mlfi_eoh(SMFICTX *ctx)
+ 	    (status != 0 || user == NULL || domain == NULL ||
+ 	     user[0] == '\0' || domain[0] == '\0'))
+ 	{
+-		strlcpy(addr, conf->conf_defsender, sizeof addr);
+-		status = dkim_mail_parse(addr, &user, &domain);
++		strlcpy(dkimf_dstring_get(addr), conf->conf_defsender, sizeof addr);
++		status = dkim_mail_parse(dkimf_dstring_get(addr), &user, &domain);
+ 	}
+ #endif /* _FFR_DEFAULT_SENDER */
+ 
+-- 
+2.43.2
+

opendkim/opendkim-2.10.3-snprintf-include.patch

@@ -0,0 +1,27 @@
+From 706554992156dd655e893268f201bbecbe283eb5 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 23 Feb 2023 17:05:36 -0500
+Subject: [PATCH 1/1] libopendkim/util.c: include stdio.h for snprintf.
+
+This fixes a build failure on musl, reported at
+
+  https://bugs.gentoo.org/896048
+---
+ libopendkim/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libopendkim/util.c b/libopendkim/util.c
+index 6792b169..b1c6a769 100644
+--- a/libopendkim/util.c
++++ b/libopendkim/util.c
+@@ -17,6 +17,7 @@
+ # include <stdbool.h>
+ #endif /* HAVE_STDBOOL_H */
+ #include <ctype.h>
++#include <stdio.h>
+ #include <assert.h>
+ #include <string.h>
+ #include <errno.h>
+-- 
+2.39.2
+

opendkim/opendkim-2.10.3-vsnprintf-include.patch

@@ -0,0 +1,26 @@
+From e4d091c594d1b5791f52c9249abd80fd6706e5ee Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sun, 28 Jul 2024 08:00:38 -0400
+Subject: [PATCH] libvbr/vbr.c: include <stdio.h> for vsnprintf()
+
+This fixes an implicit declaration error with newer compilers and on
+musl where stdio.h does not incidentally get included by some other
+header.
+
+Bug: https://bugs.gentoo.org/936591
+---
+ libvbr/vbr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libvbr/vbr.c b/libvbr/vbr.c
+index cb9124d7..aadfbd03 100644
+--- a/libvbr/vbr.c
++++ b/libvbr/vbr.c
+@@ -18,6 +18,7 @@
+ #include <arpa/inet.h>
+ #include <arpa/nameser.h>
+ #include <netdb.h>
++#include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>

opendkim/replace-headers.patch

@@ -0,0 +1,14 @@
+Description: Add missing ReplaceHeaders definition
+Author: Toby Ovod-Everett
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/125
+
+--- a/opendkim/opendkim-config.h
++++ b/opendkim/opendkim-config.h
+@@ -147,6 +147,7 @@
+ 	{ "RemoveARFrom",		CONFIG_TYPE_STRING,	FALSE },
+ 	{ "RemoveOldSignatures",	CONFIG_TYPE_BOOLEAN,	FALSE },
+ #ifdef _FFR_REPLACE_RULES
++	{ "ReplaceHeaders",		CONFIG_TYPE_STRING,	FALSE },
+ 	{ "ReplaceRules",		CONFIG_TYPE_STRING,	FALSE },
+ #endif /* _FFR_REPLACE_RULES */
+ 	{ "ReportAddress",		CONFIG_TYPE_STRING,	FALSE },