Bug 678874 - mail-mta/postfix-3.4: LibreSSL Build Failures
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo LibreSSL
Keywords: PullRequest
Blocks: libressl-2.8.0
Reported: 2019-02-26 22:16 UTC by Reuben Farrelly
Modified: 2019-04-29 06:44 UTC
Description Reuben Farrelly 2019-02-26 22:16:37 UTC
Current Postfix-3.4 and recent snapshots (including postfix-3.4.0_rc3 in portage) fail to build with LibreSSL 2.8/2.9.  The last known snapshot that successfully compiled and runs with LibreSSL is postfix-3.4_pre20190106.

The introduction of server side SNI in Postfix has most likely been the cause of this.

The gentoo ebuild currently fails at this point:

x86_64-pc-linux-gnu-gcc -fPIC -I. -I../../include -DHAS_PCRE -DUSE_TLS -DHAS_LMDB -DDEF_SASL_SERVER=\"dovecot\" -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DNO_NIS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DHAS_DEV_URANDOM -DDEF_SHLIB_DIR=\"/usr/lib64/postfix/\${mail_version}\" -DUSE_DYNAMIC_LIBS -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat -Wno-comment  -O2 -pipe -march=native -mtune=native -Wno-comment -I. -I../../include -DLINUX4 -Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/postfix/3.4.0-RC3 -o smtpd smtpd.o smtpd_token.o smtpd_check.o smtpd_chat.o smtpd_state.o smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o smtpd_proxy.o smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o smtpd_expand.o smtpd_haproxy.o ../../lib/libpostfix-master.so ../../lib/libpostfix-tls.so ../../lib/libxsasl.a ../../lib/libmilter.a ../../lib/libpostfix-dns.so ../../lib/libpostfix-global.so ../../lib/libpostfix-util.so -pie -Wl,-O1 -Wl,--as-needed -ldl -lpam -lssl -lcrypto -lsasl2 -llmdb -lpthread -L/usr/lib64 -lpcre -ldb -lnsl -lresolv -ldl -licui18n -licuuc -licudata 
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_set0_chain'
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set_num_tickets'
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set0_chain'
collect2: error: ld returned 1 exit status

However this is not the only issue.  After experimenting with the code it appears that there are multiple fixes required in multiple files for this build to run to completion.

None of the other main distributions have updated to these new versions yet.  An updated libressl patch is going to be required to resolve this issue.
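
A way to triage link errors like the three above, as an added example that is not part of the original report: it extracts the undefined symbols from a linker log and lists those that no header under a given include directory mentions, whether as a prototype or as a macro. The function names, the shortened log and the stand-in header are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): triage "undefined reference" errors.

# Print each unique symbol named in an "undefined reference to `sym'" line on stdin.
undefined_syms() {
    sed -n "s/.*undefined reference to [\`']\([A-Za-z_][A-Za-z0-9_]*\)'.*/\1/p" |
        LC_ALL=C sort -u
}

# api_gaps LOG INCLUDE_DIR
# Print the undefined symbols from LOG that no header under INCLUDE_DIR mentions,
# neither as a prototype nor as a macro. A symbol listed here points at an API gap
# in the installed TLS library's headers rather than at a missing -l flag.
api_gaps() {
    undefined_syms < "$1" | while read -r sym; do
        grep -rqw -- "$sym" "$2" || printf '%s\n' "$sym"
    done
}

# Constructed demo: the three ld errors from the report (paths shortened) and a
# stand-in header, not a copy of any real ssl.h, that defines one of the symbols.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/include/openssl"
    cat > "$tmp/ld.log" <<'EOF'
ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_set0_chain'
ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set_num_tickets'
ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set0_chain'
collect2: error: ld returned 1 exit status
EOF
    printf '%s\n' \
        '#define SSL_CTX_set0_chain(ctx,sk) SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk))' \
        > "$tmp/include/openssl/ssl.h"
    api_gaps "$tmp/ld.log" "$tmp/include"
    rm -rf "$tmp"
}

demo
```

Against a real build, pass the saved build log and the directory that holds the TLS library's headers; a symbol that is reported as a gap needs a compatibility patch or a newer library release.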
Comment 1 Eray Aslan gentoo-dev 2019-02-27 05:21:49 UTC
Adding libressl to cc list
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-02-27 06:00:09 UTC
The latest stable postfix compiles fine.  This will be tracked though in hopes that the masked 3.4.x postfix is patched or fixed upstream in a newer release.

Reversing the assignee and CC as this is a libressl problem due to API differences.
Comment 3 Reuben Farrelly 2019-02-27 06:33:25 UTC
Yes, this is only affecting the unstable Postfix releases for now - the stable releases are fine as are earlier snapshots, all with LibreSSL-2.9.0.

It's unlikely we will see upstream patched for this, the author of Postfix has stated that LibreSSL is not supported (1) and IIRC attempts to upstream LibreSSL patches have been rejected in the past.

I'm tracking the FreeBSD and OpenBSD repositories frequently to see if/when they have a patch we can use, but so far I haven't seen a patch to fix the issue.

(1) http://postfix.1071664.n5.nabble.com/Postfix-3-2-snapshots-1227-amp-1231-td88067.html
Comment 4 Reuben Farrelly 2019-04-23 22:36:05 UTC
I've made some progress with this - and as of now have a working postfix-3.4/3.5 build against the newly released version of LibreSSL.

The steps I had to do to fix this were:

1. Upgrade to LibreSSL-2.9.1 (note: as of now this is not in portage yet, but presumably it will be soon).  According to the release notes for 2.9.1 there are additional fixes for OpenSSL 1.1 compatibility, which seem to matter, because this same Postfix build did not succeed with LibreSSL 2.9.0.  We may want to make LibreSSL-2.9.0 a build time blocker (if that is possible?).

2. Remove the following patches from the ebuild:

    #eapply -p0 "${FILESDIR}/${PN}-libressl.patch" \
    #   "${FILESDIR}/${PN}-libressl-runtime.patch" \
    #   "${FILESDIR}/${PN}-libressl-eccurve.patch"
    #   "${FILESDIR}/${PN}-libressl-session-tickets.patch"

3. Add the following two patches from the FreeBSD ports tree:

https://github.com/freebsd/freebsd-ports/blob/master/mail/postfix-current/files/patch-src_tls_tls__certkey.c

https://github.com/freebsd/freebsd-ports/blob/master/mail/postfix-current/files/patch-src_tls_tls__server.c

I think it's easier to sync to another distribution's patches for the core Postfix code patching (non Gentoo specific fixes) than maintain a separate set.

This was all tested with postfix-3.5_pre20190330.ebuild.  I did not test with earlier versions of LibreSSL.  Given the level of patching/fixes seems minimal with the newer versions of both packages and especially with LibreSSL/OpenSSL compatibility improving all the time, it is probably worthy of a discussion/decision how far back we would want to support and how much patching we should be doing.
Comment 5 Eray Aslan gentoo-dev 2019-04-24 09:03:06 UTC
(In reply to Reuben Farrelly from comment #4)
> I've made some progress with this - and as of now have a working
> postfix-3.4/3.5 build against the newly released version of LibreSSL.

Patches look innocent enough.  Can you please check postfix-3.5_pre20190330-r1 as I don't have a libressl system to check?  It includes the patches and a hard dependency on >=libressl-2.9.1.

Thank you for your help.
Comment 6 Reuben Farrelly 2019-04-24 09:15:56 UTC
Thanks.  LibreSSL-2.9.1 is in the tree as of earlier today now too.

The new postfix-3.5_pre20190330-r1 ebuild just added passes my build and basic run test at least, I'll report back if there are any other runtime issues - but so far it looks to be good.
Comment 7 Larry the Git Cow gentoo-dev 2019-04-29 06:44:55 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6d3245f45ce67b26c39de3039b832ba8747fe45

commit d6d3245f45ce67b26c39de3039b832ba8747fe45
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-04-29 06:44:34 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-04-29 06:44:34 +0000

    mail-mta/postfix: add libressl support for postfix-3.4 releases
    
    Closes: https://bugs.gentoo.org/678874
    Closes: https://github.com/gentoo/gentoo/pull/11851
    Package-Manager: Portage-2.3.65, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 mail-mta/postfix/postfix-3.4.5-r1.ebuild | 321 +++++++++++++++++++++++++++++++
 1 file changed, 321 insertions(+)