From d804da3ef31b93a5e33fb913525a621c5ed1be38 Mon Sep 17 00:00:00 2001
From: Raphaël Marichez
Date: Thu, 14 Aug 2008 16:37:27 +0200
Subject: version bump security bug 232642
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Raphaël Marichez
---
 .../files/postfix-2.4.7-CVE-2008-2936.patch | 45 ++
 .../files/postfix-2.4.7-CVE-2008-2937.patch | 481 +++++++++++++++++++++
 .../files/postfix-2.5.3-CVE-2008-2936.patch | 44 ++
 mail-mta/postfix/files/postfix-2.5.3-strncmp.patch | 48 ++
 mail-mta/postfix/postfix-2.4.7-r1.ebuild | 380 ++++++++++++++++
 mail-mta/postfix/postfix-2.5.3-r1.ebuild | 388 +++++++++++++++++
 mail-mta/postfix/postfix-2.5.3.ebuild | 385 +++++++++++++++++
 7 files changed, 1771 insertions(+)
 create mode 100644 mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2936.patch
 create mode 100644 mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch
 create mode 100644 mail-mta/postfix/files/postfix-2.5.3-CVE-2008-2936.patch
 create mode 100644 mail-mta/postfix/files/postfix-2.5.3-strncmp.patch
 create mode 100644 mail-mta/postfix/postfix-2.4.7-r1.ebuild
 create mode 100644 mail-mta/postfix/postfix-2.5.3-r1.ebuild
 create mode 100644 mail-mta/postfix/postfix-2.5.3.ebuild
diff --git a/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2936.patch b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2936.patch
new file mode 100644
index 0000000..f8d6ecb
--- /dev/null
+++ b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2936.patch
@@ -0,0 +1,45 @@
+Index: postfix-2.4.7/src/util/safe_open.c
+===================================================================
+--- postfix-2.4.7.orig/src/util/safe_open.c
++++ postfix-2.4.7/src/util/safe_open.c
+@@ -83,6 +83,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ /* safe_open_exist - open existing file */
+@@ -138,13 +139,30 @@ static VSTREAM *safe_open_exist(const ch
+ * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
+ * owned by a non-root user. This would open a security hole when
+ * delivering mail to a world-writable mailbox directory.
++ *
++ * The semantics of link(symlink, target) has changed over time.
++ * Traditionally, UNIX systems hardlink the target of the symlink.
++ * However, some systems hardlink the symlink itself. The latter behavior
++ * was introduced with Solaris 2.0, and with Linux kernel 2.0. Sebastian
++ * Krahmer of SuSE found that hardlinks to symlinks could be used to
++ * append mail for root to a sensitive file. For this reason, we not
++ * only require that a symlink is owned by root, but we now also require
++ * that its parent directory is writable only by root.
+ */
+ else if (lstat(path, &lstat_st) < 0) {
+ vstring_sprintf(why, "file status changed unexpectedly: %m");
+ errno = EPERM;
+ } else if (S_ISLNK(lstat_st.st_mode)) {
+- if (lstat_st.st_uid == 0)
+- return (fp);
++ if (lstat_st.st_uid == 0) {
++ struct stat parent_st;
++ const char *parent;
++
++ parent = sane_dirname((VSTRING *) 0, path);
++ if (stat(parent, &parent_st) == 0 /* real parent */
++ && parent_st.st_uid == 0
++ && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
++ return (fp);
++ }
+ vstring_sprintf(why, "file is a symbolic link");
+ errno = EPERM;
+ } else if (fstat_st->st_dev != lstat_st.st_dev
diff --git a/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch
new file mode 100644
index 0000000..af38319
--- /dev/null
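Review bot: The added `#include` in the first safe_open.c hunk (and the three context includes around it) show no header name on this page, so the declaration of `sane_dirname` that the new code relies on cannot be confirmed from here; this looks like an extraction artifact of the angle brackets rather than the committed text, but it is worth checking the file as committed, since a missing header would break the build of the patched safe_open.c. The new parent-directory test fails closed: a failed `stat(parent, &parent_st)`, a non-root owner, or a group/other write bit all fall through to the existing `file is a symbolic link` / `errno = EPERM` path, which is the right default for a delivery agent that has just opened the file. `stat()` on the parent follows symlinks in the path, as the `/* real parent */` comment indicates, so the owner and mode being checked are those of the resolved directory, not of any intermediate link. The same hunk appears again in `postfix-2.5.3-CVE-2008-2936.patch` later in this commit and this applies there as well; `safe_open_exist` begins and ends outside the hunk.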
+++ b/mail-mta/postfix/files/postfix-2.4.7-CVE-2008-2937.patch 
@@ -0,0 +1,481 @@ +diff --git a/HISTORY b/HISTORY +index 73db63f..bfc98a1 100644 +--- a/HISTORY ++++ b/HISTORY +@@ -13599,3 +13599,9 @@ Apologies for any names omitted. + prevent dovecot-auth memory wastage. Timo Sirainen. File: + xsasl/xsasl_dovecot_server.c. + ++20080725 ++ ++ Paranoia: defer delivery when a mailbox file is not owned ++ by the recipient. Requested by Sebastian Krahmer, SuSE. ++ Specify "strict_mailbox_ownership=no" to ignore ownership ++ discrepancies. Files: local/mailbox.c, virtual/mailbox.c. +diff --git a/RELEASE_NOTES b/RELEASE_NOTES +index cf371e5..fb5f4cd 100644 +--- a/RELEASE_NOTES ++++ b/RELEASE_NOTES +@@ -11,6 +11,14 @@ instead, a new snapshot is released. + The mail_release_date configuration parameter (format: yyyymmdd) + specifies the release date of a stable release or snapshot release. + ++Incompatibility with Postfix 2.4.7 ++================================== ++ ++When a mailbox file is not owned by its recipient, the local and ++virtual delivery agents now log a warning and defer delivery. ++Specify "strict_mailbox_ownership = no" to ignore such ownership ++discrepancies. ++ + Incompatibility with Postfix 2.4.4 + ================================== + +diff --git a/html/local.8.html b/html/local.8.html +index de3fd4f..9cece01 100644 +--- a/html/local.8.html ++++ b/html/local.8.html +@@ -394,6 +394,12 @@ LOCAL(8) LOCAL(8) + attempt; do not update the Delivered-To: address + while expanding aliases or .forward files. + ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ strict_mailbox_ownership (yes) ++ Defer delivery when a mailbox file is not owned by ++ its recipient. ++ + DELIVERY METHOD CONTROLS + The precedence of local(8) delivery methods from high to + low is: aliases, .forward files, mailbox_transport_maps, +@@ -532,6 +538,12 @@ LOCAL(8) LOCAL(8) + agent allows in $name expansions of $command_execu- + tion_directory. 
+ ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ strict_mailbox_ownership (yes) ++ Defer delivery when a mailbox file is not owned by ++ its recipient. ++ + MISCELLANEOUS CONTROLS + config_directory (see 'postconf -d' output) + The default location of the Postfix main.cf and +diff --git a/html/postconf.5.html b/html/postconf.5.html +index a19b6b3..7952563 100644 +--- a/html/postconf.5.html ++++ b/html/postconf.5.html +@@ -11602,6 +11602,17 @@ This feature is available in Postfix 2.0 and later. + + + ++
strict_mailbox_ownership ++(default: yes)
++ ++

Defer delivery when a mailbox file is not owned by its recipient. ++The default setting is not backwards compatible.

++ ++

This feature is available in Postfix 2.4.7-r1 and later.

++ ++ ++
++ +
strict_mime_encoding_domain + (default: no)
+ +diff --git a/html/virtual.8.html b/html/virtual.8.html +index 3d7e526..0341911 100644 +--- a/html/virtual.8.html ++++ b/html/virtual.8.html +@@ -200,9 +200,15 @@ VIRTUAL(8) VIRTUAL(8) + destination for final delivery to domains listed + with $virtual_mailbox_domains. + ++ Available in Postfix version 2.4.7-r1 and later: ++ ++ strict_mailbox_ownership (yes) ++ Defer delivery when a mailbox file is not owned by ++ its recipient. ++ + LOCKING CONTROLS + virtual_mailbox_lock (see 'postconf -d' output) +- How to lock a UNIX-style virtual(8) mailbox before ++ How to lock a UNIX-style virtual(8) mailbox before + attempting delivery. + + deliver_lock_attempts (20) +@@ -210,41 +216,41 @@ VIRTUAL(8) VIRTUAL(8) + sive lock on a mailbox file or bounce(8) logfile. + + deliver_lock_delay (1s) +- The time between attempts to acquire an exclusive ++ The time between attempts to acquire an exclusive + lock on a mailbox file or bounce(8) logfile. + + stale_lock_time (500s) +- The time after which a stale exclusive mailbox ++ The time after which a stale exclusive mailbox + lockfile is removed. + + RESOURCE AND RATE CONTROLS + virtual_destination_concurrency_limit ($default_destina- + tion_concurrency_limit) +- The maximal number of parallel deliveries to the +- same destination via the virtual message delivery ++ The maximal number of parallel deliveries to the ++ same destination via the virtual message delivery + transport. + + virtual_destination_recipient_limit ($default_destina- + tion_recipient_limit) +- The maximal number of recipients per delivery via ++ The maximal number of recipients per delivery via + the virtual message delivery transport. + + virtual_mailbox_limit (51200000) +- The maximal size in bytes of an individual mailbox ++ The maximal size in bytes of an individual mailbox + or maildir file, or zero (no limit). 
+ + MISCELLANEOUS CONTROLS + config_directory (see 'postconf -d' output) +- The default location of the Postfix main.cf and ++ The default location of the Postfix main.cf and + master.cf configuration files. + + daemon_timeout (18000s) +- How much time a Postfix daemon process may take to +- handle a request before it is terminated by a ++ How much time a Postfix daemon process may take to ++ handle a request before it is terminated by a + built-in watchdog timer. + + delay_logging_resolution_limit (2) +- The maximal number of digits after the decimal ++ The maximal number of digits after the decimal + point when logging sub-second delay values. + + ipc_timeout (3600s) +@@ -252,33 +258,33 @@ VIRTUAL(8) VIRTUAL(8) + over an internal communication channel. + + max_idle (100s) +- The maximum amount of time that an idle Postfix +- daemon process waits for an incoming connection ++ The maximum amount of time that an idle Postfix ++ daemon process waits for an incoming connection + before terminating voluntarily. + + max_use (100) +- The maximal number of incoming connections that a +- Postfix daemon process will service before termi- ++ The maximal number of incoming connections that a ++ Postfix daemon process will service before termi- + nating voluntarily. + + process_id (read-only) +- The process ID of a Postfix command or daemon ++ The process ID of a Postfix command or daemon + process. + + process_name (read-only) +- The process name of a Postfix command or daemon ++ The process name of a Postfix command or daemon + process. + + queue_directory (see 'postconf -d' output) +- The location of the Postfix top-level queue direc- ++ The location of the Postfix top-level queue direc- + tory. + + syslog_facility (mail) + The syslog facility of Postfix logging. 
+ + syslog_name (postfix) +- The mail system name that is prepended to the +- process name in syslog records, so that "smtpd" ++ The mail system name that is prepended to the ++ process name in syslog records, so that "smtpd" + becomes, for example, "postfix/smtpd". + + SEE ALSO +@@ -291,20 +297,20 @@ VIRTUAL(8) VIRTUAL(8) + VIRTUAL_README, domain hosting howto + + LICENSE +- The Secure Mailer license must be distributed with this ++ The Secure Mailer license must be distributed with this + software. + + HISTORY +- This delivery agent was originally based on the Postfix +- local delivery agent. Modifications mainly consisted of +- removing code that either was not applicable or that was +- not safe in this context: aliases, ~user/.forward files, ++ This delivery agent was originally based on the Postfix ++ local delivery agent. Modifications mainly consisted of ++ removing code that either was not applicable or that was ++ not safe in this context: aliases, ~user/.forward files, + delivery to "|command" or to /file/name. + + The Delivered-To: message header appears in the qmail sys- + tem by Daniel Bernstein. + +- The maildir structure appears in the qmail system by ++ The maildir structure appears in the qmail system by + Daniel Bernstein. + + AUTHOR(S) +diff --git a/man/man5/postconf.5 b/man/man5/postconf.5 +index 7af763b..ba9f36a 100644 +--- a/man/man5/postconf.5 ++++ b/man/man5/postconf.5 +@@ -7062,6 +7062,11 @@ This feature should not be enabled on a general purpose mail server, + because it is likely to reject legitimate email. + .PP + This feature is available in Postfix 2.0 and later. ++.SH strict_mailbox_ownership (default: yes) ++Defer delivery when a mailbox file is not owned by its recipient. ++The default setting is not backwards compatible. ++.PP ++This feature is available in Postfix 2.4.7-r1 and later. 
+ .SH strict_mime_encoding_domain (default: no) + Reject mail with invalid Content-Transfer-Encoding: information + for the message/* or multipart/* MIME content types. This blocks +diff --git a/man/man8/local.8 b/man/man8/local.8 +index 4452007..5af15a9 100644 +--- a/man/man8/local.8 ++++ b/man/man8/local.8 +@@ -412,6 +412,10 @@ Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To: + address (see prepend_delivered_header) only once, at the start of + a delivery attempt; do not update the Delivered-To: address while + expanding aliases or .forward files. ++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. + .SH "DELIVERY METHOD CONTROLS" + .na + .nf +@@ -510,7 +514,7 @@ Restrict \fBlocal\fR(8) mail delivery to external commands. + Restrict \fBlocal\fR(8) mail delivery to external files. + .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" + Restrict the characters that the \fBlocal\fR(8) delivery agent allows in +-$name expansions of $mailbox_command. ++$name expansions of $mailbox_command and $command_execution_directory. + .IP "\fBdefault_privs (nobody)\fR" + The default rights used by the \fBlocal\fR(8) delivery agent for delivery + to external file or command. +@@ -522,6 +526,10 @@ Available in Postfix version 2.2 and later: + .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" + Restrict the characters that the \fBlocal\fR(8) delivery agent allows + in $name expansions of $command_execution_directory. ++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. 
+ .SH "MISCELLANEOUS CONTROLS" + .na + .nf +diff --git a/man/man8/virtual.8 b/man/man8/virtual.8 +index b45ac26..22e41b5 100644 +--- a/man/man8/virtual.8 ++++ b/man/man8/virtual.8 +@@ -213,6 +213,10 @@ mail is delivered via the $virtual_transport mail delivery transport. + .IP "\fBvirtual_transport (virtual)\fR" + The default mail delivery transport and next-hop destination for + final delivery to domains listed with $virtual_mailbox_domains. ++.PP ++Available in Postfix version 2.4.7-r1 and later: ++.IP "\fBstrict_mailbox_ownership (yes)\fR" ++Defer delivery when a mailbox file is not owned by its recipient. + .SH "LOCKING CONTROLS" + .na + .nf +diff --git a/mantools/postlink b/mantools/postlink +index b4771d9..e2503ca 100755 +--- a/mantools/postlink ++++ b/mantools/postlink +@@ -496,6 +496,7 @@ while (<>) { + s;\bstrict_8bitmime\b;$&;g; + s;\bstrict_8bitmime_body\b;$&;g; + s;\bstrict_mime_encoding_domain\b;$&;g; ++ s;\bstrict_mailbox_ownership\b;$&;g; + s;\bstrict_rfc821_envelopes\b;$&;g; + s;\bsun_mailtool_compatibility\b;$&;g; + s;\bswap_bangpath\b;$&;g; +diff --git a/proto/postconf.proto b/proto/postconf.proto +index f5a90ed..7761e7e 100644 +--- a/proto/postconf.proto ++++ b/proto/postconf.proto +@@ -10586,3 +10586,10 @@ to the SASL authcid, but this causes inter-operability problems + with some SMTP servers.

+ +

This feature is available in Postfix 2.4.4 and later.

++ ++%PARAM strict_mailbox_ownership yes ++ ++

Defer delivery when a mailbox file is not owned by its recipient. ++The default setting is not backwards compatible.

++ ++

This feature is available in Postfix 2.4.7-r1 and later.

+diff --git a/src/global/mail_params.h b/src/global/mail_params.h +index 2785921..9cf6216 100644 +--- a/src/global/mail_params.h ++++ b/src/global/mail_params.h +@@ -2783,6 +2783,13 @@ extern char *var_milt_v; + #define DEF_INT_FILT_CLASSES "" + extern char *var_int_filt_classes; + ++ /* ++ * Mailbox ownership. ++ */ ++#define VAR_STRICT_MBOX_OWNER "strict_mailbox_ownership" ++#define DEF_STRICT_MBOX_OWNER 1 ++extern bool var_strict_mbox_owner; ++ + /* LICENSE + /* .ad + /* .fi +diff --git a/src/global/mail_version.h b/src/global/mail_version.h +index ae94ab9..7ceadad 100644 +--- a/src/global/mail_version.h ++++ b/src/global/mail_version.h +@@ -20,8 +20,8 @@ + * Patches change both the patchlevel and the release date. Snapshots have no + * patchlevel; they change the release date only. + */ +-#define MAIL_RELEASE_DATE "20080131" +-#define MAIL_VERSION_NUMBER "2.4.7" ++#define MAIL_RELEASE_DATE "20080726" ++#define MAIL_VERSION_NUMBER "2.4.7-r1" + + #ifdef SNAPSHOT + # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE +diff --git a/src/local/local.c b/src/local/local.c +index 557be6f..72ea49f 100644 +--- a/src/local/local.c ++++ b/src/local/local.c +@@ -378,6 +378,10 @@ + /* address (see prepend_delivered_header) only once, at the start of + /* a delivery attempt; do not update the Delivered-To: address while + /* expanding aliases or .forward files. ++/* .PP ++/* Available in Postfix version 2.4.7-r1 and later: ++/* .IP "\fBstrict_mailbox_ownership (yes)\fR" ++/* Defer delivery when a mailbox file is not owned by its recipient. + /* DELIVERY METHOD CONTROLS + /* .ad + /* .fi +@@ -468,7 +472,7 @@ + /* Restrict \fBlocal\fR(8) mail delivery to external files. + /* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" + /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in +-/* $name expansions of $mailbox_command. ++/* $name expansions of $mailbox_command and $command_execution_directory. 
+ /* .IP "\fBdefault_privs (nobody)\fR" + /* The default rights used by the \fBlocal\fR(8) delivery agent for delivery + /* to external file or command. +@@ -480,6 +484,10 @@ + /* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" + /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows + /* in $name expansions of $command_execution_directory. ++/* .PP ++/* Available in Postfix version 2.4.7-r1 and later: ++/* .IP "\fBstrict_mailbox_ownership (yes)\fR" ++/* Defer delivery when a mailbox file is not owned by its recipient. + /* MISCELLANEOUS CONTROLS + /* .ad + /* .fi +@@ -641,6 +649,7 @@ int var_mailtool_compat; + char *var_mailbox_lock; + int var_mailbox_limit; + bool var_frozen_delivered; ++bool var_strict_mbox_owner; + + int local_cmd_deliver_mask; + int local_file_deliver_mask; +@@ -887,6 +896,7 @@ int main(int argc, char **argv) + VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir, + VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat, + VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered, ++ VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, + 0, + }; + +diff --git a/src/local/mailbox.c b/src/local/mailbox.c +index 92bd79d..d35ef66 100644 +--- a/src/local/mailbox.c ++++ b/src/local/mailbox.c +@@ -194,6 +194,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) + vstream_fclose(mp->fp); + dsb_simple(why, "5.2.0", + "destination %s is not a regular file", mailbox); ++ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) { ++ vstream_fclose(mp->fp); ++ dsb_simple(why, "4.2.0", ++ "destination %s is not owned by recipient", mailbox); ++ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", ++ VAR_STRICT_MBOX_OWNER); + } else { + end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); + mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, +diff --git a/src/virtual/mailbox.c b/src/virtual/mailbox.c +index 09fc54b..f0ad6eb 
100644 +--- a/src/virtual/mailbox.c ++++ b/src/virtual/mailbox.c +@@ -125,6 +125,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) + msg_warn("recipient %s: destination %s is not a regular file", + state.msg_attr.rcpt.address, usr_attr.mailbox); + dsb_simple(why, "5.3.5", "mail system configuration error"); ++ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) { ++ vstream_fclose(mp->fp); ++ dsb_simple(why, "4.2.0", ++ "destination %s is not owned by recipient", usr_attr.mailbox); ++ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", ++ VAR_STRICT_MBOX_OWNER); + } else { + end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); + mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, +diff --git a/src/virtual/virtual.c b/src/virtual/virtual.c +index 7d6e1b8..57b4098 100644 +--- a/src/virtual/virtual.c ++++ b/src/virtual/virtual.c +@@ -183,6 +183,10 @@ + /* .IP "\fBvirtual_transport (virtual)\fR" + /* The default mail delivery transport and next-hop destination for + /* final delivery to domains listed with $virtual_mailbox_domains. ++/* .PP ++/* Available in Postfix version 2.4.7-r1 and later: ++/* .IP "\fBstrict_mailbox_ownership (yes)\fR" ++/* Defer delivery when a mailbox file is not owned by its recipient. + /* LOCKING CONTROLS + /* .ad + /* .fi +@@ -329,6 +333,7 @@ char *var_virt_mailbox_base; + char *var_virt_mailbox_lock; + int var_virt_mailbox_limit; + char *var_mail_spool_dir; /* XXX dependency fix */ ++bool var_strict_mbox_owner; + + /* + * Mappings. +@@ -504,6 +509,10 @@ int main(int argc, char **argv) + VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0, + 0, + }; ++ static const CONFIG_BOOL_TABLE bool_table[] = { ++ VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, ++ 0, ++ }; + + /* + * Fingerprint executables and core dumps. 
+@@ -513,6 +522,7 @@ int main(int argc, char **argv) + single_server_main(argc, argv, local_service, + MAIL_SERVER_INT_TABLE, int_table, + MAIL_SERVER_STR_TABLE, str_table, ++ MAIL_SERVER_BOOL_TABLE, bool_table, + MAIL_SERVER_PRE_INIT, pre_init, + MAIL_SERVER_POST_INIT, post_init, + MAIL_SERVER_PRE_ACCEPT, pre_accept, diff --git a/mail-mta/postfix/files/postfix-2.5.3-CVE-2008-2936.patch b/mail-mta/postfix/files/postfix-2.5.3-CVE-2008-2936.patch new file mode 100644 index 0000000..ea92d7e --- /dev/null +++ b/mail-mta/postfix/files/postfix-2.5.3-CVE-2008-2936.patch 
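Review bot: In the `src/virtual/mailbox.c` hunk the new branch puts the mailbox path into the DSN text, `dsb_simple(why, "4.2.0", "destination %s is not owned by recipient", usr_attr.mailbox)`, whereas the neighbouring not-a-regular-file branch keeps the path in `msg_warn` and reports only `mail system configuration error` to the sender; deferral text can reach remote senders in delay and bounce notifications, so the virtual branch should follow the existing convention, e.g. `msg_warn("recipient %s: destination %s is not owned by recipient", state.msg_attr.rcpt.address, usr_attr.mailbox);` with a generic `dsb_simple(why, "4.2.0", "mailbox ownership mismatch");`. The comparison `st.st_uid != usr_attr.uid` in both mailbox.c hunks is only as strong as where `st` was filled in, which is above the hunk: an `fstat()` of the already open `mp->fp` makes it race-free, whereas a path-based `stat()` would let the mailbox be swapped between the check and the copy. The documentation added in the man pages and postconf.proto says the parameter is available in `2.4.7-r1 and later`, but that is the distribution revision baked into `MAIL_VERSION_NUMBER`; if this mirrors an upstream change, the text should also name the upstream release it corresponds to so readers comparing against upstream documentation are not confused. `deliver_mailbox_file` and both `main` functions begin and end outside the hunks.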
@@ -0,0 +1,44 @@
+diff -Naur postfix-2.5.3.orig/src/util/safe_open.c postfix-2.5.3/src/util/safe_open.c
+--- postfix-2.5.3.orig/src/util/safe_open.c 2006-06-05 01:04:49.000000000 +0200
++++ postfix-2.5.3/src/util/safe_open.c 2008-08-03 16:42:10.882440950 +0200
+@@ -83,6 +83,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ /* safe_open_exist - open existing file */
+@@ -138,13 +139,30 @@
+ * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
+ * owned by a non-root user. This would open a security hole when
+ * delivering mail to a world-writable mailbox directory.
++ *
++ * The semantics of link(symlink, target) has changed over time.
++ * Traditionally, UNIX systems hardlink the target of the symlink.
++ * However, some systems hardlink the symlink itself. The latter behavior
++ * was introduced with Solaris 2.0, and with Linux kernel 2.0. Sebastian
++ * Krahmer of SuSE found that hardlinks to symlinks could be used to
++ * append mail for root to a sensitive file. For this reason, we not
++ * only require that a symlink is owned by root, but we now also require
++ * that its parent directory is writable only by root.
+ */
+ else if (lstat(path, &lstat_st) < 0) {
+ vstring_sprintf(why, "file status changed unexpectedly: %m");
+ errno = EPERM;
+ } else if (S_ISLNK(lstat_st.st_mode)) {
+- if (lstat_st.st_uid == 0)
+- return (fp);
++ if (lstat_st.st_uid == 0) {
++ struct stat parent_st;
++ const char *parent;
++
++ parent = sane_dirname((VSTRING *) 0, path);
++ if (stat(parent, &parent_st) == 0 /* real parent */
++ && parent_st.st_uid == 0
++ && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
++ return (fp);
++ }
+ vstring_sprintf(why, "file is a symbolic link");
+ errno = EPERM;
+ } else if (fstat_st->st_dev != lstat_st.st_dev
diff --git a/mail-mta/postfix/files/postfix-2.5.3-strncmp.patch b/mail-mta/postfix/files/postfix-2.5.3-strncmp.patch
new file mode 100644
index 0000000..7673a98
--- /dev/null
+++ b/mail-mta/postfix/files/postfix-2.5.3-strncmp.patch 
@@ -0,0 +1,48 @@
+diff -uNr -r postfix-2.5.1-orig/src/sendmail/sendmail.c postfix-2.5.1/src/sendmail/sendmail.c
+--- postfix-2.5.1-orig/src/sendmail/sendmail.c 2008-01-09 14:59:40.000000000 +0100
++++ postfix-2.5.1/src/sendmail/sendmail.c 2008-03-14 19:23:25.405275019 +0100
+@@ -1046,7 +1046,7 @@
+ mode = SM_MODE_MAILQ;
+ } else if (strcmp(argv[0], "newaliases") == 0) {
+ mode = SM_MODE_NEWALIAS;
+- } else if (strcmp(argv[0], "smtpd") == 0) {
++ } else if (strncmp(argv[0], "smtpd", 5) == 0) {
+ mode = SM_MODE_DAEMON;
+ } else {
+ mode = SM_MODE_ENQUEUE;
+diff -uNr -r postfix-2.5.1-orig/src/smtp/smtp.c postfix-2.5.1/src/smtp/smtp.c
+--- postfix-2.5.1-orig/src/smtp/smtp.c 2008-01-15 01:41:46.000000000 +0100
++++ postfix-2.5.1/src/smtp/smtp.c 2008-03-14 19:23:25.405275019 +0100
+@@ -962,7 +962,7 @@
+ TLS_CLIENT_INIT(&props,
+ log_level = var_smtp_tls_loglevel,
+ verifydepth = var_smtp_tls_scert_vd,
+- cache_type = strcmp(var_procname, "smtp") == 0 ?
++ cache_type = strncmp(var_procname, "smtp", 4) == 0 ?
+ TLS_MGR_SCACHE_SMTP : TLS_MGR_SCACHE_LMTP,
+ cert_file = var_smtp_tls_cert_file,
+ key_file = var_smtp_tls_key_file,
+@@ -1058,7 +1058,7 @@
+ /*
+ * XXX At this point, var_procname etc. are not initialized.
+ */
+- smtp_mode = (strcmp(sane_basename((VSTRING *) 0, argv[0]), "smtp") == 0);
++ smtp_mode = (strncmp(sane_basename((VSTRING *) 0, argv[0]), "smtp", 4) == 0);
+ 
+ /*
+ * Initialize with the LMTP or SMTP parameter name space.
+diff -uNr -r postfix-2.5.1-orig/src/smtp/smtp_state.c postfix-2.5.1/src/smtp/smtp_state.c
+--- postfix-2.5.1-orig/src/smtp/smtp_state.c 2006-01-06 01:07:36.000000000 +0100
++++ postfix-2.5.1/src/smtp/smtp_state.c 2008-03-14 19:23:44.896995323 +0100
+@@ -86,9 +86,9 @@
+ * form, and then to transform from the internal form to external forms Y
+ and Z.
+ */
+- if (strcmp(var_procname, "lmtp") == 0) {
++ if (strncmp(var_procname, "lmtp", 4) == 0) {
+ state->misc_flags |= SMTP_MISC_FLAG_USE_LMTP;
+- } else if (strcmp(var_procname, "smtp") == 0) {
++ } else if (strncmp(var_procname, "smtp", 4) == 0) {
+ /* void */
+ } else {
+ msg_fatal("unexpected process name \"%s\" - "
diff --git a/mail-mta/postfix/postfix-2.4.7-r1.ebuild b/mail-mta/postfix/postfix-2.4.7-r1.ebuild
new file mode 100644
index 0000000..5b65459
--- /dev/null
+++ b/mail-mta/postfix/postfix-2.4.7-r1.ebuild
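Review bot: The `strncmp(..., "smtp", 4)`, `strncmp(..., "lmtp", 4)` and `strncmp(argv[0], "smtpd", 5)` replacements turn exact program-name matches into unanchored prefix matches, so `smtp_mode`, the TLS session-cache type and `SM_MODE_DAEMON` are now chosen for any basename that merely starts with those strings; if the goal is to accept renamed copies such as `smtp-something`, anchoring on the character after the prefix keeps the match tight, e.g. `strncmp(var_procname, "smtp", 4) == 0 && (var_procname[4] == '\0' || var_procname[4] == '-')`. In smtp_state.c the `lmtp` test runs first, so a basename starting with `lmtp` still wins, but nothing in the patch documents which suffixes are expected; a one-line comment at the top of the patch file stating the intended naming scheme would help the next person who rebases it. The nested headers reference `postfix-2.5.1-orig` / `postfix-2.5.1` paths while the file is named for 2.5.3, which applies with path stripping but should be noted so it is not mistaken for a stale patch. All three enclosing functions start and end outside the hunks.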
@@ -0,0 +1,380 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/postfix-2.4.7-r1.ebuild,v 1.1 2008/08/14 12:33:40 falco Exp $ + +# NOTE: this ebuild is a regular ebuild without mailer-config support! +# Comment lines below "regular ebuild" and uncomment lines below "mailer-config support" +# to turn this ebuild to a mailer-config enabled ebuild. + +# regular ebuild +inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic pam +# mailer-config support +#inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic mailer pam + +KEYWORDS="alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~x86-fbsd" + +# regular ebuild +IUSE="cdb dovecot-sasl hardened ipv6 ldap mailwrapper mbox mysql nis pam postgres sasl selinux ssl vda" +# mailer-config support +#IUSE="cdb dovecot-sasl hardened ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda" + +MY_PV="${PV/_rc/-RC}" +MY_SRC="${PN}-${MY_PV}" +MY_URI="ftp://ftp.porcupine.org/mirrors/postfix-release/official" +VDA_P="${PN}-2.4.6-vda-ng-r2" +RC_VER="2.5" + +DESCRIPTION="A fast and secure drop-in replacement for sendmail." +HOMEPAGE="http://www.postfix.org/" +SRC_URI="${MY_URI}/${MY_SRC}.tar.gz + vda? ( http://gentoo.longitekk.com/${VDA_P}.patch.gz ) " + +LICENSE="IPL-1" +SLOT="0" + +# regular ebuild +PROVIDE="virtual/mta virtual/mda" +# mailer-config support +#PROVIDE="${PROVIDE} virtual/mda" + +DEPEND=">=sys-libs/db-3.2 + >=dev-libs/libpcre-3.4 + cdb? ( || ( >=dev-db/cdb-0.75-r1 >=dev-db/tinycdb-0.76 ) ) + ldap? ( >=net-nds/openldap-1.2 ) + mysql? ( virtual/mysql ) + pam? ( virtual/pam ) + postgres? ( virtual/postgresql-base ) + sasl? ( >=dev-libs/cyrus-sasl-2 ) + ssl? ( >=dev-libs/openssl-0.9.6g )" + +# regular ebuild +RDEPEND="${DEPEND} + >=net-mail/mailbase-0.00 + !mailwrapper? ( !virtual/mta ) + mailwrapper? ( >=net-mail/mailwrapper-0.2 ) + selinux? 
( sec-policy/selinux-postfix )" + +# mailer-config support +#RDEPEND="${DEPEND} +# >=net-mail/mailbase-0.00 +# selinux? ( sec-policy/selinux-postfix )" + +S="${WORKDIR}/${MY_SRC}" + +group_user_check() { + einfo "Checking for postfix group ..." + enewgroup postfix 207 + einfo "Checking for postdrop group ..." + enewgroup postdrop 208 + einfo "Checking for postfix user ..." + enewuser postfix 207 -1 /var/spool/postfix postfix,mail +} + +pkg_setup() { + # Do not upgrade live from Postfix <2.4 + if [[ -f /var/lib/init.d/started/postfix ]] ; then + if has_version ' 17/Nov/2006 + # Fix because infra boxes hit 2Gb .db files that fail a 32-bit fstat signed check. + mycc="${mycc} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" + filter-lfs-flags + + local my_cc=$(tc-getCC) + einfo "CC=${my_cc:=gcc}" + + # Workaround for bug #76512 + [[ "$(gcc-version)" == "3.4" ]] && use hardened && replace-flags -O? -Os + + make DEBUG="" CC="${my_cc:=gcc}" OPT="${CFLAGS}" CCARGS="${mycc}" AUXLIBS="${mylibs}" \ + makefiles || die "configure problem" + + emake || die "compile problem" +} + +src_install () { + /bin/sh postfix-install \ + -non-interactive \ + install_root="${D}" \ + config_directory="/usr/share/doc/${PF}/defaults" \ + readme_directory="/usr/share/doc/${PF}/readme" \ + || die "postfix-install failed" + + # Fix spool removal on upgrade + rm -Rf "${D}/var" + keepdir /var/spool/postfix + + # Install rmail for UUCP, closes bug #19127 + dobin auxiliary/rmail/rmail + + # mailwrapper stuff + if use mailwrapper ; then + mv "${D}/usr/sbin/sendmail" "${D}/usr/sbin/sendmail.postfix" + mv "${D}/usr/bin/rmail" "${D}/usr/bin/rmail.postfix" + # mailer-config support + #rm "${D}/usr/bin/mailq" "${D}/usr/bin/newaliases" + + mv "${D}/usr/share/man/man1/sendmail.1" \ + "${D}/usr/share/man/man1/sendmail-postfix.1" + mv "${D}/usr/share/man/man1/newaliases.1" \ + "${D}/usr/share/man/man1/newaliases-postfix.1" + mv "${D}/usr/share/man/man1/mailq.1" \ + 
"${D}/usr/share/man/man1/mailq-postfix.1" + mv "${D}/usr/share/man/man5/aliases.5" \ + "${D}/usr/share/man/man5/aliases-postfix.5" + + # regular ebuild + insinto /etc/mail + doins "${FILESDIR}/mailer.conf" + # mailer-config support + #mailer_install_conf + else + # Provide another link for legacy FSH + dosym /usr/sbin/sendmail /usr/$(get_libdir)/sendmail + fi + + # Install qshape tool + dobin auxiliary/qshape/qshape.pl + + # Performance tuning tools and their manuals + dosbin bin/smtp-{source,sink} bin/qmqp-{source,sink} + doman man/man1/smtp-{source,sink}.1 man/man1/qmqp-{source,sink}.1 + + # Set proper permissions on required files/directories + fowners root:postdrop /usr/sbin/post{drop,queue} + fperms 02711 /usr/sbin/post{drop,queue} + + keepdir /etc/postfix + mv "${D}"/usr/share/doc/${PF}/defaults/{*.cf,post*-*} "${D}"/etc/postfix + if use mbox ; then + mypostconf="mail_spool_directory=/var/spool/mail" + else + mypostconf="home_mailbox=.maildir/" + fi + "${D}/usr/sbin/postconf" -c "${D}/etc/postfix" \ + -e ${mypostconf} || die "postconf failed" + + insinto /etc/postfix + newins "${FILESDIR}/smtp.pass" saslpass + fperms 600 /etc/postfix/saslpass + + newinitd "${FILESDIR}/postfix.rc6.${RC_VER}" postfix || die "newinitd failed" + + mv "${S}/examples" "${D}/usr/share/doc/${PF}/" + dodoc *README COMPATIBILITY HISTORY INSTALL PORTING RELEASE_NOTES* + dohtml html/* + + pamd_mimic_system smtp auth account + + if use sasl ; then + insinto /etc/sasl2 + newins "${FILESDIR}/smtp.sasl" smtpd.conf + fi +} + +pkg_postinst() { + # Add postfix, postdrop user/group (bug #77565) + group_user_check || die "Failed to check/add needed user/group" + + # Do not install server.{key,pem) SSL certificates if they already exist + if use ssl && [[ ! -f "${ROOT}"/etc/ssl/postfix/server.key \ + && ! 
-f "${ROOT}"/etc/ssl/postfix/server.pem ]] ; then + SSL_ORGANIZATION="${SSL_ORGANIZATION:-Postfix SMTP Server}" + install_cert /etc/ssl/postfix/server + chown postfix:mail "${ROOT}"/etc/ssl/postfix/server.{key,pem} + fi + + ebegin "Fixing queue directories and permissions" + "${ROOT}/etc/postfix/post-install" upgrade-permissions + echo + ewarn "If you upgraded from Postfix-1.x, you must revisit" + ewarn "your configuration files. See" + ewarn " /usr/share/doc/${PF}/RELEASE_NOTES" + ewarn "for a list of changes." + + if [[ ! -e /etc/mail/aliases.db ]] ; then + echo + ewarn "You must edit /etc/mail/aliases to suit your needs" + ewarn "and then run /usr/bin/newaliases. Postfix will not" + ewarn "work correctly without it." + fi + + # regular ebuild + if ! use mailwrapper && [[ -e /etc/mailer.conf ]] ; then + einfo + einfo "Since you emerged Postfix without mailwrapper in USE," + einfo "you may want to 'emerge -C mailwrapper' now." + einfo + fi + # mailer-config support + #mailer_pkg_postinst +} diff --git a/mail-mta/postfix/postfix-2.5.3-r1.ebuild b/mail-mta/postfix/postfix-2.5.3-r1.ebuild new file mode 100644 index 0000000..7076f22 --- /dev/null +++ b/mail-mta/postfix/postfix-2.5.3-r1.ebuild 
@@ -0,0 +1,388 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/postfix-2.5.3-r1.ebuild,v 1.1 2008/08/14 12:33:40 falco Exp $ + +# NOTE: this ebuild is a regular ebuild without mailer-config support! +# Comment lines below "regular ebuild" and uncomment lines below "mailer-config support" +# to turn this ebuild to a mailer-config enabled ebuild. + +# regular ebuild +inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic pam +# mailer-config support +#inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic mailer pam + +KEYWORDS="alpha amd64 ~arm hppa ia64 ppc ppc64 ~s390 ~sh sparc x86 ~x86-fbsd" + +# regular ebuild +IUSE="cdb dovecot-sasl hardened ipv6 ldap mailwrapper mbox mysql nis pam postgres sasl selinux ssl vda" +# mailer-config support +#IUSE="cdb dovecot-sasl hardened ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda" + +MY_PV="${PV/_rc/-RC}" +MY_SRC="${PN}-${MY_PV}" +MY_URI="ftp://ftp.porcupine.org/mirrors/postfix-release/official" +VDA_PV="2.5.3" +VDA_P="${PN}-${VDA_PV}-vda-ng" +RC_VER="2.5" + +DESCRIPTION="A fast and secure drop-in replacement for sendmail." +HOMEPAGE="http://www.postfix.org/" +SRC_URI="${MY_URI}/${MY_SRC}.tar.gz + vda? ( http://vda.sourceforge.net/VDA/${VDA_P}.patch.gz ) " + +LICENSE="IPL-1" +SLOT="0" + +# regular ebuild +PROVIDE="virtual/mta virtual/mda" +# mailer-config support +#PROVIDE="${PROVIDE} virtual/mda" + +DEPEND=">=sys-libs/db-3.2 + >=dev-libs/libpcre-3.4 + cdb? ( || ( >=dev-db/cdb-0.75-r1 >=dev-db/tinycdb-0.76 ) ) + ldap? ( >=net-nds/openldap-1.2 ) + mysql? ( virtual/mysql ) + pam? ( virtual/pam ) + postgres? ( virtual/postgresql-base ) + sasl? ( >=dev-libs/cyrus-sasl-2 ) + ssl? ( >=dev-libs/openssl-0.9.6g )" + +# regular ebuild +RDEPEND="${DEPEND} + >=net-mail/mailbase-0.00 + !mailwrapper? ( + !virtual/mta + !net-mail/mailwrapper + ) + mailwrapper? 
( >=net-mail/mailwrapper-0.2 ) + selinux? ( sec-policy/selinux-postfix )" + +# mailer-config support +#RDEPEND="${DEPEND} +# >=net-mail/mailbase-0.00 +# selinux? ( sec-policy/selinux-postfix )" + +S="${WORKDIR}/${MY_SRC}" + +group_user_check() { + einfo "Checking for postfix group ..." + enewgroup postfix 207 + einfo "Checking for postdrop group ..." + enewgroup postdrop 208 + einfo "Checking for postfix user ..." + enewuser postfix 207 -1 /var/spool/postfix postfix,mail +} + +pkg_setup() { + # Do not upgrade live from Postfix <2.5 + if [[ -f /var/lib/init.d/started/postfix ]] ; then + if has_version ' 17/Nov/2006 + # Fix because infra boxes hit 2Gb .db files that fail a 32-bit fstat signed check. + mycc="${mycc} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" + filter-lfs-flags + + local my_cc=$(tc-getCC) + einfo "CC=${my_cc:=gcc}" + + # Workaround for bug #76512 + [[ "$(gcc-version)" == "3.4" ]] && use hardened && replace-flags -O? -Os + + make DEBUG="" CC="${my_cc:=gcc}" OPT="${CFLAGS}" CCARGS="${mycc}" AUXLIBS="${mylibs}" \ + makefiles || die "configure problem" + + emake || die "compile problem" +} + +src_install () { + /bin/sh postfix-install \ + -non-interactive \ + install_root="${D}" \ + config_directory="/usr/share/doc/${PF}/defaults" \ + readme_directory="/usr/share/doc/${PF}/readme" \ + || die "postfix-install failed" + + # Fix spool removal on upgrade + rm -Rf "${D}/var" + keepdir /var/spool/postfix + + # Install rmail for UUCP, closes bug #19127 + dobin auxiliary/rmail/rmail + + # mailwrapper stuff + if use mailwrapper ; then + mv "${D}/usr/sbin/sendmail" "${D}/usr/sbin/sendmail.postfix" + mv "${D}/usr/bin/rmail" "${D}/usr/bin/rmail.postfix" + # mailer-config support + #rm "${D}/usr/bin/mailq" "${D}/usr/bin/newaliases" + + mv "${D}/usr/share/man/man1/sendmail.1" \ + "${D}/usr/share/man/man1/sendmail-postfix.1" + mv "${D}/usr/share/man/man1/newaliases.1" \ + "${D}/usr/share/man/man1/newaliases-postfix.1" + mv 
"${D}/usr/share/man/man1/mailq.1" \ + "${D}/usr/share/man/man1/mailq-postfix.1" + mv "${D}/usr/share/man/man5/aliases.5" \ + "${D}/usr/share/man/man5/aliases-postfix.5" + + # regular ebuild + insinto /etc/mail + doins "${FILESDIR}/mailer.conf" + # mailer-config support + #mailer_install_conf + else + # Provide another link for legacy FSH + dosym /usr/sbin/sendmail /usr/$(get_libdir)/sendmail + fi + + # Install qshape tool + dobin auxiliary/qshape/qshape.pl + + # Performance tuning tools and their manuals + dosbin bin/smtp-{source,sink} bin/qmqp-{source,sink} + doman man/man1/smtp-{source,sink}.1 man/man1/qmqp-{source,sink}.1 + + # Set proper permissions on required files/directories + dodir /var/lib/postfix + keepdir /var/lib/postfix + fowners postfix:postfix /var/lib/postfix + fowners postfix:postfix /var/lib/postfix/.keep_${CATEGORY}_${PN}-${SLOT} + fperms 0750 /var/lib/postfix + fowners root:postdrop /usr/sbin/post{drop,queue} + fperms 02711 /usr/sbin/post{drop,queue} + + keepdir /etc/postfix + mv "${D}"/usr/share/doc/${PF}/defaults/{*.cf,post*-*} "${D}"/etc/postfix + if use mbox ; then + mypostconf="mail_spool_directory=/var/spool/mail" + else + mypostconf="home_mailbox=.maildir/" + fi + "${D}/usr/sbin/postconf" -c "${D}/etc/postfix" \ + -e ${mypostconf} || die "postconf failed" + + insinto /etc/postfix + newins "${FILESDIR}/smtp.pass" saslpass + fperms 600 /etc/postfix/saslpass + + newinitd "${FILESDIR}/postfix.rc6.${RC_VER}" postfix || die "newinitd failed" + + mv "${S}/examples" "${D}/usr/share/doc/${PF}/" + dodoc *README COMPATIBILITY HISTORY INSTALL PORTING RELEASE_NOTES* + dohtml html/* + + pamd_mimic_system smtp auth account + + if use sasl ; then + insinto /etc/sasl2 + newins "${FILESDIR}/smtp.sasl" smtpd.conf + fi +} + +pkg_postinst() { + # Add postfix, postdrop user/group (bug #77565) + group_user_check || die "Failed to check/add needed user/group" + + # Do not install server.{key,pem) SSL certificates if they already exist + if use ssl && [[ ! 
-f "${ROOT}"/etc/ssl/postfix/server.key \ + && ! -f "${ROOT}"/etc/ssl/postfix/server.pem ]] ; then + SSL_ORGANIZATION="${SSL_ORGANIZATION:-Postfix SMTP Server}" + install_cert /etc/ssl/postfix/server + chown postfix:mail "${ROOT}"/etc/ssl/postfix/server.{key,pem} + fi + + ebegin "Fixing queue directories and permissions" + "${ROOT}/etc/postfix/post-install" upgrade-permissions + echo + ewarn "If you upgraded from Postfix-1.x, you must revisit" + ewarn "your configuration files. See" + ewarn " /usr/share/doc/${PF}/RELEASE_NOTES" + ewarn "for a list of changes." + + if [[ ! -e /etc/mail/aliases.db ]] ; then + echo + ewarn "You must edit /etc/mail/aliases to suit your needs" + ewarn "and then run /usr/bin/newaliases. Postfix will not" + ewarn "work correctly without it." + fi + + # regular ebuild + if ! use mailwrapper && [[ -e /etc/mailer.conf ]] ; then + einfo + einfo "Since you emerged Postfix without mailwrapper in USE," + einfo "you may want to 'emerge -C mailwrapper' now." + einfo + fi + # mailer-config support + #mailer_pkg_postinst +} diff --git a/mail-mta/postfix/postfix-2.5.3.ebuild b/mail-mta/postfix/postfix-2.5.3.ebuild new file mode 100644 index 0000000..ae02828 --- /dev/null +++ b/mail-mta/postfix/postfix-2.5.3.ebuild 
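Review bot: In pkg_postinst the `ebegin "Fixing queue directories and permissions"` around the `post-install upgrade-permissions` call has no matching `eend`, so a failure of the step that restores the queue directory modes and the setgid bits on postdrop/postqueue is neither reported nor fatal; add `eend $? "post-install upgrade-permissions failed"` right after the call. The aliases check a few lines later tests `/etc/mail/aliases.db` without the `${ROOT}` prefix that the ssl-cert check just above it uses, so on a ROOT!=/ install it inspects the build host instead of the target; `if [[ ! -e "${ROOT}"/etc/mail/aliases.db ]]` keeps the two consistent. The `chown postfix:mail` on the freshly generated server.key sets an owner but no mode; unless install_cert already restricts it, an explicit `chmod 0600` on the key would avoid depending on the eclass default. The src_unpack section, where the CVE-2008-2936 and strncmp patches would be applied, is not readable in this rendering of the hunk, so their application could not be confirmed here.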
@@ -0,0 +1,385 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/postfix-2.5.3.ebuild,v 1.1 2008/08/03 14:29:58 dertobi123 Exp $ + +# NOTE: this ebuild is a regular ebuild without mailer-config support! +# Comment lines below "regular ebuild" and uncomment lines below "mailer-config support" +# to turn this ebuild to a mailer-config enabled ebuild. + +# regular ebuild +inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic pam +# mailer-config support +#inherit eutils multilib ssl-cert toolchain-funcs flag-o-matic mailer pam + +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd" + +# regular ebuild +IUSE="cdb dovecot-sasl hardened ipv6 ldap mailwrapper mbox mysql nis pam postgres sasl selinux ssl vda" +# mailer-config support +#IUSE="cdb dovecot-sasl hardened ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda" + +MY_PV="${PV/_rc/-RC}" +MY_SRC="${PN}-${MY_PV}" +MY_URI="ftp://ftp.porcupine.org/mirrors/postfix-release/official" +VDA_PV="2.5.3" +VDA_P="${PN}-${VDA_PV}-vda-ng" +RC_VER="2.5" + +DESCRIPTION="A fast and secure drop-in replacement for sendmail." +HOMEPAGE="http://www.postfix.org/" +SRC_URI="${MY_URI}/${MY_SRC}.tar.gz + vda? ( http://vda.sourceforge.net/VDA/${VDA_P}.patch.gz ) " + +LICENSE="IPL-1" +SLOT="0" + +# regular ebuild +PROVIDE="virtual/mta virtual/mda" +# mailer-config support +#PROVIDE="${PROVIDE} virtual/mda" + +DEPEND=">=sys-libs/db-3.2 + >=dev-libs/libpcre-3.4 + cdb? ( || ( >=dev-db/cdb-0.75-r1 >=dev-db/tinycdb-0.76 ) ) + ldap? ( >=net-nds/openldap-1.2 ) + mysql? ( virtual/mysql ) + pam? ( virtual/pam ) + postgres? ( virtual/postgresql-base ) + sasl? ( >=dev-libs/cyrus-sasl-2 ) + ssl? ( >=dev-libs/openssl-0.9.6g )" + +# regular ebuild +RDEPEND="${DEPEND} + >=net-mail/mailbase-0.00 + !mailwrapper? ( + !virtual/mta + !net-mail/mailwrapper + ) + mailwrapper? 
( >=net-mail/mailwrapper-0.2 ) + selinux? ( sec-policy/selinux-postfix )" + +# mailer-config support +#RDEPEND="${DEPEND} +# >=net-mail/mailbase-0.00 +# selinux? ( sec-policy/selinux-postfix )" + +S="${WORKDIR}/${MY_SRC}" + +group_user_check() { + einfo "Checking for postfix group ..." + enewgroup postfix 207 + einfo "Checking for postdrop group ..." + enewgroup postdrop 208 + einfo "Checking for postfix user ..." + enewuser postfix 207 -1 /var/spool/postfix postfix,mail +} + +pkg_setup() { + # Do not upgrade live from Postfix <2.5 + if [[ -f /var/lib/init.d/started/postfix ]] ; then + if has_version ' 17/Nov/2006 + # Fix because infra boxes hit 2Gb .db files that fail a 32-bit fstat signed check. + mycc="${mycc} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" + filter-lfs-flags + + local my_cc=$(tc-getCC) + einfo "CC=${my_cc:=gcc}" + + # Workaround for bug #76512 + [[ "$(gcc-version)" == "3.4" ]] && use hardened && replace-flags -O? -Os + + make DEBUG="" CC="${my_cc:=gcc}" OPT="${CFLAGS}" CCARGS="${mycc}" AUXLIBS="${mylibs}" \ + makefiles || die "configure problem" + + emake || die "compile problem" +} + +src_install () { + /bin/sh postfix-install \ + -non-interactive \ + install_root="${D}" \ + config_directory="/usr/share/doc/${PF}/defaults" \ + readme_directory="/usr/share/doc/${PF}/readme" \ + || die "postfix-install failed" + + # Fix spool removal on upgrade + rm -Rf "${D}/var" + keepdir /var/spool/postfix + + # Install rmail for UUCP, closes bug #19127 + dobin auxiliary/rmail/rmail + + # mailwrapper stuff + if use mailwrapper ; then + mv "${D}/usr/sbin/sendmail" "${D}/usr/sbin/sendmail.postfix" + mv "${D}/usr/bin/rmail" "${D}/usr/bin/rmail.postfix" + # mailer-config support + #rm "${D}/usr/bin/mailq" "${D}/usr/bin/newaliases" + + mv "${D}/usr/share/man/man1/sendmail.1" \ + "${D}/usr/share/man/man1/sendmail-postfix.1" + mv "${D}/usr/share/man/man1/newaliases.1" \ + "${D}/usr/share/man/man1/newaliases-postfix.1" + mv 
"${D}/usr/share/man/man1/mailq.1" \ + "${D}/usr/share/man/man1/mailq-postfix.1" + mv "${D}/usr/share/man/man5/aliases.5" \ + "${D}/usr/share/man/man5/aliases-postfix.5" + + # regular ebuild + insinto /etc/mail + doins "${FILESDIR}/mailer.conf" + # mailer-config support + #mailer_install_conf + else + # Provide another link for legacy FSH + dosym /usr/sbin/sendmail /usr/$(get_libdir)/sendmail + fi + + # Install qshape tool + dobin auxiliary/qshape/qshape.pl + + # Performance tuning tools and their manuals + dosbin bin/smtp-{source,sink} bin/qmqp-{source,sink} + doman man/man1/smtp-{source,sink}.1 man/man1/qmqp-{source,sink}.1 + + # Set proper permissions on required files/directories + dodir /var/lib/postfix + keepdir /var/lib/postfix + fowners postfix:postfix /var/lib/postfix + fowners postfix:postfix /var/lib/postfix/.keep_${CATEGORY}_${PN}-${SLOT} + fperms 0750 /var/lib/postfix + fowners root:postdrop /usr/sbin/post{drop,queue} + fperms 02711 /usr/sbin/post{drop,queue} + + keepdir /etc/postfix + mv "${D}"/usr/share/doc/${PF}/defaults/{*.cf,post*-*} "${D}"/etc/postfix + if use mbox ; then + mypostconf="mail_spool_directory=/var/spool/mail" + else + mypostconf="home_mailbox=.maildir/" + fi + "${D}/usr/sbin/postconf" -c "${D}/etc/postfix" \ + -e ${mypostconf} || die "postconf failed" + + insinto /etc/postfix + newins "${FILESDIR}/smtp.pass" saslpass + fperms 600 /etc/postfix/saslpass + + newinitd "${FILESDIR}/postfix.rc6.${RC_VER}" postfix || die "newinitd failed" + + mv "${S}/examples" "${D}/usr/share/doc/${PF}/" + dodoc *README COMPATIBILITY HISTORY INSTALL PORTING RELEASE_NOTES* + dohtml html/* + + pamd_mimic_system smtp auth account + + if use sasl ; then + insinto /etc/sasl2 + newins "${FILESDIR}/smtp.sasl" smtpd.conf + fi +} + +pkg_postinst() { + # Add postfix, postdrop user/group (bug #77565) + group_user_check || die "Failed to check/add needed user/group" + + # Do not install server.{key,pem) SSL certificates if they already exist + if use ssl && [[ ! 
-f "${ROOT}"/etc/ssl/postfix/server.key \ + && ! -f "${ROOT}"/etc/ssl/postfix/server.pem ]] ; then + SSL_ORGANIZATION="${SSL_ORGANIZATION:-Postfix SMTP Server}" + install_cert /etc/ssl/postfix/server + chown postfix:mail "${ROOT}"/etc/ssl/postfix/server.{key,pem} + fi + + ebegin "Fixing queue directories and permissions" + "${ROOT}/etc/postfix/post-install" upgrade-permissions + echo + ewarn "If you upgraded from Postfix-1.x, you must revisit" + ewarn "your configuration files. See" + ewarn " /usr/share/doc/${PF}/RELEASE_NOTES" + ewarn "for a list of changes." + + if [[ ! -e /etc/mail/aliases.db ]] ; then + echo + ewarn "You must edit /etc/mail/aliases to suit your needs" + ewarn "and then run /usr/bin/newaliases. Postfix will not" + ewarn "work correctly without it." + fi + + # regular ebuild + if ! use mailwrapper && [[ -e /etc/mailer.conf ]] ; then + einfo + einfo "Since you emerged Postfix without mailwrapper in USE," + einfo "you may want to 'emerge -C mailwrapper' now." + einfo + fi + # mailer-config support + #mailer_pkg_postinst +} -- cgit v1.2.3-65-gdbad
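Review bot: postfix-2.5.3.ebuild appears to be the unpatched revision of the same version that postfix-2.5.3-r1.ebuild supersedes: its visible text is identical to the -r1 ebuild except for the all-testing KEYWORDS and a hunk three lines shorter (`+1,385` versus `+1,388`), which is consistent with -r1 adding the CVE-2008-2936 and strncmp patch applications in the src_unpack section that is not readable in this rendering. If that is the case, committing the unpatched ebuild in a change whose purpose is the security bump leaves a vulnerable revision installable from the tree; it should be dropped, or at least masked, rather than added alongside -r1. Independently of that, the same pkg_postinst issue applies here: `ebegin "Fixing queue directories and permissions"` has no `eend`, so a failed `post-install upgrade-permissions` run goes unreported; `eend $? "post-install upgrade-permissions failed"` after the call would fix it.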