mail-filter/spamassassin: new revision with LibreSSL and spamd fixes.

This new revision adds another patch for upstream bugs 7093/7199. The
sslv3 option for spamd didn't do what it was supposed to do, and
moreover, it broke LibreSSL which no longer supports SSLv3. The patch
removes the option and makes it an error. There is a simple fix for
users, to remove the --ssl-version option if they are using it. Thanks
to Reuben Farrelly for reporting the issue.

The second round of changes addresses a few old Gentoo bugs regarding
the spamd init scripts and configuration. First, the init script was
missing a call to "checkpath" to ensure that the PID file had some
place to live. That's now fixed. Second, it used to be the case that
some configuration was necessary if you opted to run spamd as a
non-root user. That is no longer the case, so all of the documentation
surrounding that issue has been removed, and the config/init scripts
greatly simplified. Finally, a SPAMD_TIMEOUT option was added to allow
spamd a little bit of time when restarting or shutting down.

Peter Gantner, Juan David Ibáñez Palomar, Marcin Mirosław, Frieder
Bürzele, and a few other people helped out on those bugs. Thanks!

Gentoo-Bug: 322025
Gentoo-Bug: 455604
Gentoo-Bug: 523960
Upstream-Bug: 7093
Upstream-Bug: 7199

Package-Manager: portage-2.2.28

4 files changed, 557 insertions, 0 deletions

diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.conf b/mail-filter/spamassassin/files/3.4.1-spamd.conf
new file mode 100644
index 000000000000..0cb7cbbfc471
--- /dev/null
+++ b/mail-filter/spamassassin/files/3.4.1-spamd.conf
@@ -0,0 +1,25 @@
+# Config file for /etc/init.d/spamd
+#
+# ***WARNING***
+#
+# spamd was not designed to listed to an untrusted network. spamd
+# is vulnerable to DoS attacks (and eternal doom) if used to listen
+# to an untrusted network.
+#
+# ***WARNING***
+#
+
+# Additional options to pass to the spamd daemon. The spamd(1) man
+# page explains the available options. If you choose to listen on a
+# non-default interface, you will need to use OpenRC's "rc_need"
+# mechanism to ensure that your interface comes up before spamd
+# starts. The openrc-run(8) man page describes rc_need.
+SPAMD_OPTS="--max-children=5 --create-prefs --helper-home-dir"
+
+# Sets the 'nice' level of the spamd process.
+SPAMD_NICELEVEL=0
+
+# How long (in seconds) should we wait for spamd to stop after we've
+# asked it to? After this amount of time, if spamd is still running,
+# we will assume that it has failed to stop.
+SPAMD_TIMEOUT=15
diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.init b/mail-filter/spamassassin/files/3.4.1-spamd.init
new file mode 100644
index 000000000000..7d2af814a03b
--- /dev/null
+++ b/mail-filter/spamassassin/files/3.4.1-spamd.init
@@ -0,0 +1,56 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+PIDDIR=/run/spamd
+PIDFILE=${PIDDIR}/spamd.pid
+
+extra_started_commands="reload"
+
+depend() {
+	before mta
+	use logger
+@USEPOSTGRES@	use postgresql
+@USEMYSQL@	use mysql
+}
+
+start() {
+	ebegin "Starting spamd"
+
+	# Ensure that the PID file's directory exists.
+	checkpath --directory "${PIDDIR}"
+
+	# Reloading spamd causes its PID to change, so we track it by
+	# name instead.
+	start-stop-daemon --start --quiet \
+		--name spamd \
+		--nicelevel ${SPAMD_NICELEVEL} \
+		--pidfile ${PIDFILE} \
+		--exec /usr/sbin/spamd -- \
+			--daemonize \
+			--pidfile=${PIDFILE} \
+			${SPAMD_OPTS}
+
+	retval=$?
+
+	eend ${retval} "Failed to start spamd"
+}
+
+stop() {
+	ebegin "Stopping spamd"
+	# Retry after SPAMD_TIMEOUT seconds because spamd can take a
+	# while to kill off all of its children. This was bug 322025.
+	start-stop-daemon --stop \
+			  --quiet \
+			  --retry ${SPAMD_TIMEOUT} \
+			  --pidfile ${PIDFILE}
+	eend $? "Failed to stop spamd"
+}
+
+reload() {
+	ebegin "Reloading configuration"
+	# Warning: causes the PID of the spamd process to change.
+	start-stop-daemon --signal HUP --quiet --pidfile ${PIDFILE}
+	eend $?
+}
diff --git a/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch b/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch
new file mode 100644
index 000000000000..323740cbb048
--- /dev/null
+++ b/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch
@@ -0,0 +1,280 @@
+The "sslv3" option doesn't do what it says (upstream bug 7093) and
+only makes things worse. The SSLv3 support also prevents SpamAssassin
+from working with LibreSSL, which no longer does SSLv3.
+
+Index: trunk/spamc/libspamc.c
+===================================================================
+--- trunk.orig/spamc/libspamc.c
++++ trunk/spamc/libspamc.c
+@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
+     unsigned int throwaway;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+     char zlib_on = 0;
+     unsigned char *zlib_buf = NULL;
+     int zlib_bufsiz = 0;
+@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	if (flags & SPAMC_TLSV1) {
+-	    meth = TLSv1_client_method();
+-	} else {
+-	    meth = SSLv3_client_method(); /* default */
+-	}
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
+     int failureval;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+ 
+     assert(tp != NULL);
+     assert(m != NULL);
+@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	meth = SSLv3_client_method();
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+Index: trunk/spamc/spamc.c
+===================================================================
+--- trunk.orig/spamc/spamc.c
++++ trunk/spamc/spamc.c
+@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
+             case 'S':
+             {
+                 flags |= SPAMC_USE_SSL;
+-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
+-		    flags |= SPAMC_SSLV3;
+-		}
+-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
+-		    flags |= SPAMC_TLSV1;
+-		}
+-		else {
+-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
+-		    ret = EX_USAGE;
+-		}
++                if(spamc_optarg) {
++                    libspamc_log(flags, LOG_ERR,
++                        "Explicit specification of an SSL/TLS version no longer supported.");
++                    ret = EX_USAGE;
++                }
+                 break;
+             }
+ #endif
+Index: trunk/spamd/spamd.raw
+===================================================================
+--- trunk.orig/spamd/spamd.raw
++++ trunk/spamd/spamd.raw
+@@ -409,7 +409,6 @@ GetOptions(
+   'sql-config!'              => \$opt{'sql-config'},
+   'ssl'                      => \$opt{'ssl'},
+   'ssl-port=s'               => \$opt{'ssl-port'},
+-  'ssl-version=s'            => \$opt{'ssl-version'},
+   'syslog-socket=s'          => \$opt{'syslog-socket'},
+   'syslog|s=s'               => \$opt{'syslog'},
+   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
+@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
+ 
+ # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
+ 
+-my $sslversion = $opt{'ssl-version'} || 'sslv3';
+-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
+-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
+-}
+-
+ $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
+ $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
+ 
+@@ -899,9 +893,8 @@ sub compose_listen_info_string {
+                       $socket_info->{ip_addr}, $socket_info->{port}));
+ 
+     } elsif ($socket->isa('IO::Socket::SSL')) {
+-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
+-                      $socket_info->{ip_addr}, $socket_info->{port},
+-                      $opt{'ssl-version'}||'sslv3'));
++      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
++                      $socket_info->{port}));
+     }
+   }
+ 
+@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
+     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
+                              && IO::Socket::IP->VERSION >= 0.09;
+     %sockopt = (%sockopt, (
+-      SSL_version     => $sslversion,
+       SSL_verify_mode => 0x00,
+       SSL_key_file    => $opt{'server-key'},
+       SSL_cert_file   => $opt{'server-cert'},
+@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
+     if (!$server_inet) {
+       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
+                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
+-                      $adr, $port, $!);
++                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
++                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
+       push(@diag_fail, $diag);
+     } else {
+       $diag = sprintf("created %s socket on [%s]:%s",
+@@ -3238,7 +3231,6 @@ Options:
+  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
+  --ssl                             Enable SSL on TCP connections
+  --ssl-port port                   Override --port setting for SSL connections
+- --ssl-version sslversion          Specify SSL protocol version to use
+  --server-key keyfile              Specify an SSL keyfile
+  --server-cert certfile            Specify an SSL certificate
+  --socketpath=path                 Listen on a given UNIX domain socket
+@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
+ SSL connections (default: whatever --port uses).  See B<--ssl> for
+ more details.
+ 
+-=item B<--ssl-version>=I<sslversion>
+-
+-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
+-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
+-higher hello handshake, then negotiating use of SSLv3 or TLSv1
+-protocol if the client can accept it.  Specifying B<--ssl-version>
+-implies B<--ssl>.
+-
+ =item B<--server-key> I<keyfile>
+ 
+ Specify the SSL key file to use for SSL connections.
+Index: trunk/spamc/spamc.pod
+===================================================================
+--- trunk.orig/spamc/spamc.pod
++++ trunk/spamc/spamc.pod
+@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
+ Sleep for I<sleep> seconds between failed spamd filtering attempts.
+ The default is 1 second.
+ 
+-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
++=item B<-S>, B<--ssl>, B<--ssl>
+ 
+ If spamc was built with support for SSL, encrypt data to and from the
+ spamd process with SSL; spamd must support SSL as well.
+-I<sslversion> specifies the SSL protocol version to use, either
+-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
+ 
+ =item B<-t> I<timeout>, B<--timeout>=I<timeout>
+ 
+Index: trunk/t/spamd_ssl_tls.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_tls.t
++++ /dev/null
+@@ -1,28 +0,0 @@
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_ssl_tls");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=tlsv1 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+Index: trunk/t/spamd_ssl_v3.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_v3.t
++++ /dev/null
+@@ -1,28 +0,0 @@
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_sslv3");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=sslv3 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+Index: trunk/t/spamd_ssl_accept_fail.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_accept_fail.t
++++ trunk/t/spamd_ssl_accept_fail.t
+@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
+ 
+ );
+ 
+-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
+-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
+ ok (stop_spamd ());
+ 
+ ok_all_patterns();
+Index: trunk/t/spamd_ssl.t
+===================================================================
+--- trunk.orig/t/spamd_ssl.t
++++ trunk/t/spamd_ssl.t
+@@ -2,10 +2,7 @@
+ 
+ use lib '.'; use lib 't';
+ use SATest; sa_t_init("spamd_ssl");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
+-    onfail => sub {
+-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
+-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+ 
+ exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+ 
+Index: trunk/MANIFEST
+===================================================================
+--- trunk.orig/MANIFEST
++++ trunk/MANIFEST
+@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
+ t/spamd_sql_prefs.t
+ t/spamd_ssl.t
+ t/spamd_ssl_accept_fail.t
+-t/spamd_ssl_tls.t
+-t/spamd_ssl_v3.t
+ t/spamd_stop.t
+ t/spamd_symbols.t
+ t/spamd_syslog.t
diff --git a/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild b/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild
new file mode 100644
index 000000000000..f127be2f5601
--- /dev/null
+++ b/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild
@@ -0,0 +1,196 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit toolchain-funcs systemd
+
+MY_P=Mail-SpamAssassin-${PV//_/-}
+S=${WORKDIR}/${MY_P}
+DESCRIPTION="An extensible mail filter which can identify and tag spam"
+HOMEPAGE="http://spamassassin.apache.org/"
+SRC_URI="mirror://apache/spamassassin/source/${MY_P}.tar.bz2"
+
+LICENSE="Apache-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="+bayes berkdb ipv6 ldap libressl mysql postgres qmail sqlite ssl test"
+
+# You can do without a database unless you need the Bayes features.
+REQUIRED_USE="bayes? ( || ( berkdb mysql postgres sqlite ) )"
+
+DEPEND=">=dev-lang/perl-5.8.8-r8
+	virtual/perl-MIME-Base64
+	>=virtual/perl-Pod-Parser-1.510.0-r2
+	virtual/perl-Storable
+	virtual/perl-Time-HiRes
+	>=dev-perl/HTML-Parser-3.43
+	>=dev-perl/Mail-DKIM-0.37
+	>=dev-perl/Net-DNS-0.53
+	dev-perl/Digest-SHA1
+	dev-perl/libwww-perl
+	>=virtual/perl-Archive-Tar-1.23
+	app-crypt/gnupg
+	>=virtual/perl-IO-Zlib-1.04
+	>=dev-util/re2c-0.12.0
+	dev-perl/Mail-SPF
+	>=dev-perl/NetAddr-IP-4.0.1
+	dev-perl/Geo-IP
+	dev-perl/Encode-Detect
+	dev-perl/Net-Patricia
+	ssl? (
+		dev-perl/IO-Socket-SSL
+		!libressl? ( dev-libs/openssl:0 )
+		libressl? ( dev-libs/libressl )
+	)
+	berkdb? (
+		virtual/perl-DB_File
+	)
+	ldap? ( dev-perl/perl-ldap )
+	mysql? (
+		dev-perl/DBI
+		dev-perl/DBD-mysql
+	)
+	postgres? (
+		dev-perl/DBI
+		dev-perl/DBD-Pg
+	)
+	sqlite? (
+		dev-perl/DBI
+		dev-perl/DBD-SQLite
+	)
+	ipv6? (
+		|| ( dev-perl/IO-Socket-INET6
+			virtual/perl-IO-Socket-IP )
+	)"
+RDEPEND="${DEPEND}"
+
+# Some spamd tests fail, and it looks like the whole suite eventually
+# hangs.
+RESTRICT=test
+
+PATCHES=(
+	"${FILESDIR}/spamassassin-3.4.1-bug_7199.patch"
+	"${FILESDIR}/spamassassin-3.4.1-bug_7223.patch"
+	"${FILESDIR}/spamassassin-3.4.1-bug_7231.patch"
+	"${FILESDIR}/spamassassin-3.4.1-bug_7265.patch"
+)
+
+src_configure() {
+	# spamc can be built with ssl support.
+	local use_ssl="no"
+	if use ssl; then
+		use_ssl="yes"
+	fi
+
+	# Set SYSCONFDIR explicitly so we can't get bitten by bug 48205 again
+	# (just to be sure, nobody knows how it could happen in the first place).
+	#
+	# We also set the path to the perl executable explictly. This will be
+	# used to create the initial shebang line in the scripts (bug 62276).
+	perl Makefile.PL \
+		PREFIX="${EPREFIX}/usr" \
+		INSTALLDIRS=vendor \
+		SYSCONFDIR="${EPREFIX}/etc" \
+		DATADIR="${EPREFIX}/usr/share/spamassassin" \
+		PERL_BIN="${EPREFIX}/usr/bin/perl" \
+		ENABLE_SSL="${use_ssl}" \
+		DESTDIR="${D}" \
+		|| die "Unable to build!"
+
+	# Now configure spamc.
+	emake CC="$(tc-getCC)" LDFLAGS="${LDFLAGS}" spamc/Makefile
+}
+
+src_compile() {
+	PERL_MM_USE_DEFAULT=1 emake
+
+	if use qmail; then
+		emake spamc/qmail-spamc
+	fi
+}
+
+src_install () {
+	emake install
+	einstalldocs
+
+	# Create the stub dir used by sa-update and friends
+	keepdir /var/lib/spamassassin
+
+	# Move spamd to sbin where it belongs.
+	dodir /usr/sbin
+	mv "${ED}"/usr/bin/spamd "${ED}"/usr/sbin/spamd  || die "move spamd failed"
+
+	if use qmail; then
+		dobin spamc/qmail-spamc
+	fi
+
+	ln -s mail/spamassassin "${ED}"/etc/spamassassin || die
+
+	# Disable plugin by default
+	sed -i -e 's/^loadplugin/\#loadplugin/g' \
+		"${ED}"/etc/mail/spamassassin/init.pre \
+		|| die "failed to disable plugins by default"
+
+	# Add the init and config scripts.
+	newinitd "${FILESDIR}"/3.4.1-spamd.init spamd
+	newconfd "${FILESDIR}"/3.4.1-spamd.conf spamd
+
+	systemd_newunit "${FILESDIR}"/${PN}.service-r1 ${PN}.service
+	systemd_install_serviced "${FILESDIR}"/${PN}.service.conf
+
+	if use postgres; then
+		sed -i -e 's:@USEPOSTGRES@::' "${ED}/etc/init.d/spamd" || die
+
+		dodoc sql/*_pg.sql
+	else
+		sed -i -e '/@USEPOSTGRES@/d' "${ED}/etc/init.d/spamd" || die
+	fi
+
+	if use mysql; then
+		sed -i -e 's:@USEMYSQL@::' "${ED}/etc/init.d/spamd" || die
+
+		dodoc sql/*_mysql.sql
+	else
+		sed -i -e '/@USEMYSQL@/d' "${ED}/etc/init.d/spamd" || die
+	fi
+
+	dodoc NOTICE TRADEMARK CREDITS UPGRADE USAGE sql/README.bayes \
+		sql/README.awl procmailrc.example sample-nonspam.txt \
+		sample-spam.txt spamd/PROTOCOL spamd/README.vpopmail \
+		spamd-apache2/README.apache
+
+	# Rename some docu files so they don't clash with others
+	newdoc spamd/README README.spamd
+	newdoc sql/README README.sql
+	newdoc ldap/README README.ldap
+
+	if use qmail; then
+		dodoc spamc/README.qmail
+	fi
+
+	insinto /etc/mail/spamassassin/
+	insopts -m0400
+	newins "${FILESDIR}"/secrets.cf secrets.cf.example
+
+	# Create the directory where sa-update stores its GPG key (if you
+	# choose to import one). If this directory does not exist, the
+	# import will fail. This is bug 396307. We expect that the import
+	# will be performed as root, and making the directory accessible
+	# only to root prevents a warning on the command-line.
+	diropts -m0700
+	dodir /etc/mail/spamassassin/sa-update-keys
+}
+
+pkg_postinst() {
+	elog
+	elog "No rules are install by default. You will need to run sa-update"
+	elog "at least once, and most likely configure SpamAssassin before it"
+	elog "will work. You should also consider a cron job for sa-update."
+	elog
+	elog "Configuration and update help can be found on the wiki:"
+	elog
+	elog "  https://wiki.gentoo.org/wiki/SpamAssassin"
+	elog
+}