I made a new structure for ipv6 which mainly patches the source. Unfortunately my gentoo is not really used as an MTA... it's basically a test-system, but for those who want ipv6 (and only those (through USE flag)) here is the chance to blow their MTA ;)
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# /space/gentoo/cvsroot/gentoo-x86/net-mail/postfix/postfix-1.1.8.ebuild,v 1.1 2002/05/14 03:49:25 woodchip Exp

DESCRIPTION="A fast and secure drop-in replacement for sendmail"
HOMEPAGE="http://www.postfix.org/"
LICENSE="IPL-1"
SLOT="0"
KEYWORDS="*"

POSTFIX_TLS_VER="0.8.11a-${PV}-0.9.6d"
S=${WORKDIR}/${P}
SRC_URI="ftp://ftp.porcupine.org/mirrors/postfix-release/official/${P}.tar.gz
	ssl? ( ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-${POSTFIX_TLS_VER}.tar.gz )"

PROVIDE="virtual/mta"
DEPEND=">=sys-libs/db-3.2
	>=dev-libs/libpcre-3.4
	sasl? ( >=dev-libs/cyrus-sasl-1.5.27 )
	ldap? ( >=net-nds/openldap-1.2 )
	mysql? ( >=dev-db/mysql-3.23.28 )
	ssl? ( >=dev-libs/openssl-0.9.6d )"
RDEPEND="${DEPEND}
	>=net-mail/mailbase-0.00
	!virtual/mta"

pkg_setup() {
	if ! grep -q ^postdrop: /etc/group ; then
		groupadd postdrop || die "problem adding group postdrop"
	fi
}

src_unpack() {
	unpack ${A}

	use ssl && ( \
		cd ${S}
		patch -p1 < ${WORKDIR}/pfixtls-${POSTFIX_TLS_VER}/pfixtls.diff || die
	)

	use ipv6 && ( \
		cd ${S}
		patch -p1 < ${FILESDIR}/tls+ipv6-1.1.11.20020613.patch || die
	)

	cd ${S}/conf
	cp main.cf main.cf.orig
	sed -e "s:/usr/libexec/postfix:/usr/lib/postfix:" main.cf.orig > main.cf

	cd ${S}/src/global
	cp mail_params.h mail_params.h.orig
	sed -e "s:/usr/libexec/postfix:/usr/lib/postfix:" mail_params.h.orig > mail_params.h

	use mysql \
		&& CCARGS="${CCARGS} -DHAS_MYSQL -I/usr/include/mysql" \
		&& AUXLIBS="${AUXLIBS} -lmysqlclient -lm"

	use ldap \
		&& CCARGS="${CCARGS} -DHAS_LDAP" \
		&& AUXLIBS="${AUXLIBS} -lldap -llber"

	use ssl \
		&& CCARGS="${CCARGS} -DHAS_SSL" \
		&& AUXLIBS="${AUXLIBS} -lssl"

	# note: if sasl is built w/ pam, then postfix _MUST_ be built w/ pam
	use pam && AUXLIBS="${AUXLIBS} -lpam"

	# stuff we always want...
	CCARGS="${CCARGS} -I/usr/include -DHAS_PCRE"
	AUXLIBS="${AUXLIBS} -L/usr/lib -lpcre -ldl -lcrypt"

	if [ "`use sasl`" ]
	then
		AUXLIBS="${AUXLIBS} -lsasl"
		CCARGS="${CCARGS} -DUSE_SASL_AUTH"
	fi

	DEBUG=""

	cd ${S}
	make tidy || die
	make makefiles CC="cc" OPT="${CFLAGS}" DEBUG="${DEBUG}" \
		CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" || die
}

src_compile() {
	emake || die "compile problem"
}

src_install () {
	dodir /usr/bin /usr/sbin /usr/lib/postfix /etc/postfix/sample

	cd ${S}/bin
	dosbin post* sendmail
	chown root.postdrop ${D}/usr/sbin/{postdrop,postqueue}
	chmod 2755 ${D}/usr/sbin/{postdrop,postqueue}

	dosym /usr/sbin/sendmail /usr/bin/mail
	dosym /usr/sbin/sendmail /usr/bin/mailq
	dosym /usr/sbin/sendmail /usr/bin/newaliases
	dosym /usr/sbin/sendmail /usr/lib/sendmail

	cd ${S}/libexec
	exeinto /usr/lib/postfix
	doexe *

	cd ${S}/man
	doman man*/*

	cd ${S}
	dodoc *README COMPATIBILITY HISTORY LICENSE PORTING RELEASE_NOTES INSTALL
	dohtml html/*

	cd ${S}/conf
	insinto /etc/postfix/sample
	doins access aliases canonical relocated transport \
		pcre_table regexp_table postfix-script* *.cf

	exeinto /etc/postfix
	doexe postfix-script post-install postfix-files || die

	insinto /etc/postfix
	doins ${FILESDIR}/main.cf master.cf || die

	exeinto /etc/init.d ; newexe ${FILESDIR}/postfix.rc6 postfix
	insinto /etc/pam.d ; newins ${FILESDIR}/smtp.pam smtp
	insinto /etc/sasl ; doins ${FILESDIR}/smtpd.conf
}

pkg_postinst() {
	install -d -m 0755 ${ROOT}/var/spool/postfix

	ewarn "If you've upgraded from <postfix-1.1.8, you must update"
	ewarn "/etc/postfix/master.cf to the latest version"
	ewarn "(/etc/postfix/._cfg*_master.cf). Otherwise Postfix will"
	ewarn "not work correctly."

	if [ ! -e /etc/mail/aliases.db ] ; then
		ewarn ""
		ewarn "First time installers: You must edit"
		ewarn "/etc/mail/aliases to suit your needs and then run"
		ewarn "/usr/bin/aliases. Postfix will not work correctly"
		ewarn "without it."
	fi
}
Created attachment 2259: Postfix Ebuild
Created attachment 2260: tls + ipv6 Patch
ehhmmm ... missed that with the attachment somehow... sorry.
net-mail/postfix-1.1.11.20020613 has been added into portage. It is currently masked in package.mask. Please comment it out of package.mask and test the ebuild. If you have the ability to test the added functionality (tls, ipv6, and sasl(v2)), please do and report back on this bug report.
I was able to compile; unfortunately one of our switches (yes, a switch) has an ipv6 problem, so I can't test _this_ build. I used the same patch on my debian system at home, and there the ipv6 functionality works fine. TLS + SASL are things I just didn't have enough time yet to dig into the material for (did it once with sendmail... ages ago...)
postfix as TLS client works fine.... so I hope server does as well.... SASL is still not checked.... btw: TLS is done over ipv4 :( - due to lack of ipv6 backbone....
Please check out bug #3730 as I put together a little postfix and sasl howto if you are interested in testing sasl support :)
fighting to get sasl v2 working... I think I spotted a problem in the ebuild with the smtpd.conf.... first it can't find the config to copy and second it wants to copy it to /usr/lib/sasl2... but according to the ebuild of sasl 2.1.6 the smtpd.conf should go to /etc/sasl2 - I'm not yet a sasl-expert... so please verify my information :)
cyrus-sasl-2.1.7 has been released into portage. Configuration files are to be kept in /etc/sasl2. I have also released postfix-1.1.11.20020613-r1 into portage which installs smtpd.conf into /etc/sasl2. This should hopefully alleviate some of the sasl woes people have been experiencing. Please report back on this bug report success and failures.

    emerge rsync
    emerge cyrus-sasl
    emerge postfix
I just moved to 1.1.11.20020613-r1 and TLS seems to have stopped working for me. It was nearly working for me before upgrading, but I was getting an 'unknown password verifier' out of SASL. Now that I've upgraded, without changing my main.cf, postfix acts as though there is no TLS support.

Despite the fact I have 'smtpd_tls_auth_only = yes' set, and of course 'smtpd_use_tls = yes,' when I telnet into port 25 and test it with an EHLO, postfix advertises all the auth methods. If I try STARTTLS, I get '502 Error: command not implemented' after a short pause.

The prescribed method of determining if postfix is built with TLS support is to run ldd on smtpd and look for libssl.so; I do find it and libsasl2.so listed there. Not sure what to do now, what to check or try. Please advise.

- Robert
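The symptom in the comment above can be turned into a repeatable check. This is an added example, not part of the original report or the ebuild; `check_ehlo` and the two sample replies are hypothetical names with constructed data. It audits a cleartext EHLO reply against what `smtpd_use_tls = yes` plus `smtpd_tls_auth_only = yes` should produce: STARTTLS offered, AUTH not offered before TLS.

```shell
#!/bin/sh
# Added example: audit a cleartext EHLO reply against the policy implied by
# smtpd_use_tls = yes and smtpd_tls_auth_only = yes.

# check_ehlo: reads the server's EHLO reply on stdin, prints one line per
# violation, and returns non-zero if any was found.
check_ehlo() {
    awk '
        /^250[- ]/ {
            line = $0
            sub(/\r$/, "", line)              # SMTP lines end in CRLF
            kw = toupper(substr(line, 5))     # text after "250-" or "250 "
            split(kw, f, "[ =]")              # "AUTH PLAIN" and "AUTH=PLAIN"
            if (f[1] == "STARTTLS") tls = 1
            if (f[1] == "AUTH")     auth = 1
        }
        END {
            if (!tls) print "FAIL: STARTTLS not advertised"
            if (auth) print "FAIL: AUTH advertised before TLS"
            exit ((!tls || auth) ? 1 : 0)
        }'
}

# Constructed transcripts (hostname and extension list are made up).
reply_no_tls() {
    printf '250-mail.example.org\r\n250-PIPELINING\r\n'
    printf '250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n'
}
reply_tls_only() {
    printf '250-mail.example.org\r\n250-PIPELINING\r\n'
    printf '250-STARTTLS\r\n250 8BITMIME\r\n'
}

reply_no_tls   | check_ehlo || echo "-> matches the symptom reported above"
reply_tls_only | check_ehlo && echo "-> policy holds"
```

A binary that links libssl but was compiled without the TLS define produces the first result, which is why the ldd check alone did not settle the question.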
I just noticed this:

    jrray root # emerge postfix
    Calculating dependencies ...done!
    >>> emerge net-mail/postfix-1.1.11.20020613-r1 to /
    >>> md5 ;-) postfix-1.1.11-20020613.tar.gz
    >>> Unpacking source...
    >>> Unpacking postfix-1.1.11-20020613.tar.gz
    /usr/sbin/ebuild.sh: [: missing `]'
    /usr/sbin/ebuild.sh: ssl: command not found
    mysql ldap ssl pam
    patching file src/lmtp/lmtp.h
    patching file src/smtp/smtp.h
    patching file src/smtpd/smtpd.h

Perhaps related to my problem?

- Robert
I have updated the CCARGS and AUXLIBS variables with -I/usr/include/openssl and -lcrypto which were missing previously. Files should be available on rsync servers within 24 hours. Please test the updated ebuild and let me know how TLS related things are working. Also if anyone has comments on SASL's status after the recent updates... Also updated incorrect coding syntax related to the tls+ipv6 patch. - regarding comment #12
I patched the postfix ebuild to get TLS working again, but SASL is still being a problem for me. cyrus-sasl-2.1.7.ebuild has

    chown root:mail ${ROOT}/etc/sasl2
    chmod 640 ${ROOT}/etc/sasl2

in pkg_postinst(), making /etc/sasl2 unreadable by the postfix user (no execute bit in the directory permissions and the postfix user isn't in the mail group). In this state, smtpd.conf isn't found and the default authentication method is used:

    [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2: Permission denied

I changed the perms on /etc/sasl2 to 775 and ownership to root.root. Now postfix can read the directory, but smtpd.conf still isn't read:

    [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2: Is a directory

Cyrus-sasl wants /etc/sasl2 to be a file, the sasldb password database. In order to make it find smtpd.conf, I had to create a symlink:

    /usr/lib/sasl2/smtpd.conf -> /etc/sasl2/smtpd.conf

Now that smtpd.conf can be read, it is apparently not understood:

    [postfix/smtpd] warning: SASL authentication problem: unknown password verifier

When I change smtpd.conf to look like so:

    pwcheck_method: saslauthd

and start the saslauthd service, finally PAM is brought into action, however authentication fails!

    [PAM_pwdb] check pass; user unknown
    [saslauthd] AUTHFAIL: user=jrray@jrray.spacemeat.com service=smtp realm=jrray.spacemeat.com [PAM auth error]

I don't know why PAM is saying "user unknown," perhaps it is trying to find a user called "jrray@jrray.spacemeat.com" instead of simply "jrray."

- Robert
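The directory-permission failure in the comment above can be checked on paper before touching a live system. This is an added example, not code from the cyrus-sasl or postfix ebuilds; `perm_class`, `class_bits` and `can_traverse` are hypothetical helpers, and mode 750 is a constructed candidate, not what the ebuild ships. It shows that mode 640 on a directory blocks the postfix user even if that user is added to the mail group, because no class has the search (x) bit for it.

```shell
#!/bin/sh
# Added example (not from the cyrus-sasl or postfix ebuilds).
# Models the classic Unix permission check for a directory: exactly one
# class (owner, group or other) applies, and traversal needs its x bit.
# uid 0 bypasses these checks and is not modelled here.

# perm_class OWNER GROUP USER "USER_GROUPS" -> prints owner|group|other
perm_class() (
    [ "$3" = "$1" ] && { echo owner; exit 0; }
    for g in $4; do
        [ "$g" = "$2" ] && { echo group; exit 0; }
    done
    echo other
)

# class_bits MODE CLASS -> prints the 0-7 permission digit for that class.
# MODE is octal as printed by `stat -c %a`, e.g. 640.
class_bits() (
    mode=$((0$1))
    case $2 in
        owner) echo $(( (mode >> 6) & 7 )) ;;
        group) echo $(( (mode >> 3) & 7 )) ;;
        *)     echo $((  mode       & 7 )) ;;
    esac
)

# can_traverse MODE OWNER GROUP USER "USER_GROUPS"
# Succeeds only if USER may look up names inside the directory (x bit).
can_traverse() (
    class=$(perm_class "$2" "$3" "$4" "$5")
    bits=$(class_bits "$1" "$class")
    [ $(( bits & 1 )) -ne 0 ]
)

# report prints one line per scenario; the values are constructed samples.
report() {
    if can_traverse "$@"; then verdict=ok; else verdict=DENIED; fi
    echo "mode=$1 owner=$2:$3 user=$4 groups='$5' -> $verdict"
}

report 640 root mail postfix "postfix"        # state set by pkg_postinst()
report 640 root mail postfix "postfix mail"   # group membership alone
report 775 root root postfix "postfix"        # workaround from the comment
report 750 root mail postfix "postfix mail"   # constructed tighter option
```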
I modified the pam_pwdb.so module and verified that indeed an inappropriate username is trying to be authorized:

    [PAM_pwdb] check pass; user (test@jrray.spacemeat.com) unknown; supplied p (test)
    [saslauthd] AUTHFAIL: user=test@jrray.spacemeat.com service=smtp realm=jrray.spacemeat.com [PAM auth error]

The '@jrray.spacemeat.com' bit is being added by postfix based on the smtpd_sasl_local_domain value. Any idea how this can be avoided?

Sorry about the rapid fire comments,

- Robert
I updated cyrus-sasl with the proper configure option for dbpath (/etc/sasl2/sasldb2) and reset /etc/sasl2 permissions. Update portage and re-emerge cyrus-sasl and hopefully this should fix your noted problems. Thank you for reporting useful information for getting the problems solved.
I just installed Postfix on a Debian System with AUTH Support through SASL 1.5 and I'd like to share some things I came up with...

with sasldb auth method: smtpd was chrooted, so it couldn't find /etc/sasldb

with passwd or pam: I guess only root is able to call those functions... and smtpd runs as postfix.

finally I took pwcheck - something previous to authd... you still can't chroot the smtpd process, but you don't need a separate db for users...

AH... one thing.... only with the sasldb I was able to have CRAM-MD5 and DIGEST... with pwcheck I only have PLAIN... but hey... POP3 is also not encrypted...
The postfix-1.1.11.20020613.ebuild has disappeared from portage due to a developer accidentally thinking it was an old package. I am working on a new ebuild of postfix based on the 20020822 snapshot with all the support we have been discussing built in. The main issue I am having right now is the best ssl and ipv6 patches are together in one patch which is not how I want this software to build. ssl and ipv6 support needs to be separable. I will be spending some time with the latest tls+ipv6 patch to see if I can split it into two patches. If anyone here knows of good separate tls and ipv6 patches for postfix I will definitely entertain their usage.
I found some sources...

http://www.postfix.org/addon.html which leads to
ftp://ftp.kame.net/pub/kame/misc/
http://www.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/

I guess KAME is quite outdated... so here is another one

http://cvs.pld.org.pl/SOURCES/postfix-ipv6.patch

I don't know if any of these links are useful or if they work for 1.11 or any snapshots.
adding TLS support only is fine... but there are no good standalone IPV6 patches available... (neither of the ipv6 patches you specify actually work for the development postfix-1.1.11-20020822)

My thought now is to have the separate TLS patch and the IPV6+TLS patch available for use

    ipv6 && ssl - TLS+IPV6 patch
    -ipv6 && ssl - standalone TLS patch
    ipv6 && -ssl - spit out an error message saying ssl must be enabled

I will be testing. I'll let you know how things go. If anybody has any other suggestions for the ebuild as far as added support, please let me know.
I have released postfix-1.1.11.20020822 into portage. It is currently masked but has support for both tls and ipv6+tls. Please test the ebuild and let me know how things work for you.
postfix-1.1.11.20020822.ebuild has been unmasked. mysql, ldap, tls, ipv6, and sasl v1 and v2 support is in the ebuild. Please test and report your experience on this report.
postfix-1.1.11.20020917 has been released into portage. Including tls+ipv6 support.