Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 678874 - mail-mta/postfix-3.4: LibreSSL Build Failures
Summary: mail-mta/postfix-3.4: LibreSSL Build Failures
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo LibreSSL
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks: libressl-2.8.0
  Show dependency tree
 
Reported: 2019-02-26 22:16 UTC by Reuben Farrelly
Modified: 2019-04-29 06:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Reuben Farrelly 2019-02-26 22:16:37 UTC
Current Postfix-3.4 and recent snapshots (including postfix-3.4.0_rc3 in portage) fail to build with LibreSSL 2.8/2.9.  The last known snapshot that succesfully compiled and runs with LibreSSL is postfix-3.4_pre20190106 .

The introduction of server side SNI in Postfix has most likely been the cause of this.

The gentoo ebuild currently fails at this point:

x86_64-pc-linux-gnu-gcc -fPIC -I. -I../../include -DHAS_PCRE -DUSE_TLS -DHAS_LMDB -DDEF_SASL_SERVER=\"dovecot\" -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DNO_NIS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DHAS_DEV_URANDOM -DDEF_SHLIB_DIR=\"/usr/lib64/postfix/\${mail_version}\" -DUSE_DYNAMIC_LIBS -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat -Wno-comment  -O2 -pipe -march=native -mtune=native -Wno-comment -I. -I../../include -DLINUX4 -Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/postfix/3.4.0-RC3 -o smtpd smtpd.o smtpd_token.o smtpd_check.o smtpd_chat.o smtpd_state.o smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o smtpd_proxy.o smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o smtpd_expand.o smtpd_haproxy.o ../../lib/libpostfix-master.so ../../lib/libpostfix-tls.so ../../lib/libxsasl.a ../../lib/libmilter.a ../../lib/libpostfix-dns.so ../../lib/libpostfix-global.so ../../lib/libpostfix-util.so -pie -Wl,-O1 -Wl,--as-needed -ldl -lpam -lssl -lcrypto -lsasl2 -llmdb -lpthread -L/usr/lib64 -lpcre -ldb -lnsl -lresolv -ldl -licui18n -licuuc -licudata 
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_set0_chain'
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set_num_tickets'
/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../../lib/libpostfix-tls.so: undefined reference to `SSL_CTX_set0_chain'
collect2: error: ld returned 1 exit status

However this is not the only issue.  After experimenting with the code it appears that there are multiple fixes required in multiple files for this build to run to completion.

None of the other main distributions have updated to these new versions yet.  An updated libressl patch is going to be required to resolve this issue.
Comment 1 Eray Aslan gentoo-dev 2019-02-27 05:21:49 UTC
Adding libressl to cc list
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-02-27 06:00:09 UTC
The latest stable postfix compiles fine.  This will be tracked though in hopes that the masked 3.4.x postfix is patched or fixed upstream in a newer release.

Reversing the assignee and CC as this is a libressl problem due to API differences.
Comment 3 Reuben Farrelly 2019-02-27 06:33:25 UTC
Yes, this is only affecting the unstable Postfix releases for now - the stable releases are fine as are earlier snapshots, all with LibreSSL-2.9.0.

It's unlikely we will see upstream patched for this, the author of Postfix has stated that LibreSSL is not supported (1) and IIRC attempts to upstream LibreSSL patches have been rejected in the past.

I'm tracking the FreeBSD and OpenBSD repositories frequently to see if/when they have a patch we can use, but so far I haven't seen a patch to fix the issue.

(1) http://postfix.1071664.n5.nabble.com/Postfix-3-2-snapshots-1227-amp-1231-td88067.html
Comment 4 Reuben Farrelly 2019-04-23 22:36:05 UTC
I've made some progress with this - and as of now have a working postfix-3.4/3.5 build against the newly released version of LibreSSL.

The steps I had to do to fix this were:

1. Upgrade to LibreSSL-2.9.1 (note: as of now this is not in portage yet, but presumably it will be soon).  According to the release notes for 2.9.1 there are additional fixes for OpenSSL 1.1 compatibility, which seem to matter, because this same Postfix build did not succeed with LibreSSL 2.9.0 .  We may want to make LibreSSL-2.9.0 a build time blocker (if that is possible?).

2. Remove the following patches from the ebuild:

    #eapply -p0 "${FILESDIR}/${PN}-libressl.patch" \
    #   "${FILESDIR}/${PN}-libressl-runtime.patch" \
    #   "${FILESDIR}/${PN}-libressl-eccurve.patch"
    #   "${FILESDIR}/${PN}-libressl-session-tickets.patch"

3. Add the following two patches from the FreeBSD ports tree:

https://github.com/freebsd/freebsd-ports/blob/master/mail/postfix-current/files/patch-src_tls_tls__certkey.c

https://github.com/freebsd/freebsd-ports/blob/master/mail/postfix-current/files/patch-src_tls_tls__server.c

I think it's easier to sync to another distributions patches for the core Postfix code patching (non Gentoo specific fixes) than maintain a separate set.

This was all tested with postfix-3.5_pre20190330.ebuild.  I did not test with earlier versions of LibreSSL.  Given the level of patching/fixes seems minimal with the newer versions of both packages and especially with LibreSSL/OpenSSL compatibility improving all the time, it is probably worthy of a discussion/decision how far back we would want to support and how much patching we should be doing.
Comment 5 Eray Aslan gentoo-dev 2019-04-24 09:03:06 UTC
(In reply to Reuben Farrelly from comment #4)
> I've made some progress with this - and as of now have a working
> postfix-3.4/3.5 build against the newly released version of LibreSSL.

Patches look innocent enough.  Can you please check postfix-3.5_pre20190330-r1 as I dont have a libressl system to check?  It includes the patches and a hard dependency on >=libressl-2.9.1.

Thank you for your help.
Comment 6 Reuben Farrelly 2019-04-24 09:15:56 UTC
Thanks.  LibreSSL-2.9.1 is in the tree as of earlier today now too.

The new postfix-3.5_pre20190330-r1 ebuild just added passes my build and basic run test at least, I'll report back if there are any other runtime issues - but so far it looks to be good.
Comment 7 Larry the Git Cow gentoo-dev 2019-04-29 06:44:55 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6d3245f45ce67b26c39de3039b832ba8747fe45

commit d6d3245f45ce67b26c39de3039b832ba8747fe45
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2019-04-29 06:44:34 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2019-04-29 06:44:34 +0000

    mail-mta/postfix: add libressl support for postfix-3.4 releases
    
    Closes: https://bugs.gentoo.org/678874
    Closes: https://github.com/gentoo/gentoo/pull/11851
    Package-Manager: Portage-2.3.65, Repoman-2.3.12
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 mail-mta/postfix/postfix-3.4.5-r1.ebuild | 321 +++++++++++++++++++++++++++++++
 1 file changed, 321 insertions(+)