Bug 5023 - postfix- + tls + ipv6
Summary: postfix- + tls + ipv6
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High enhancement
Assignee: Nick Hadaway
Reported: 2002-07-15 08:22 UTC by Philipp Morger
Modified: 2003-02-04 19:42 UTC

Postfix Ebuild (postfix-,3.81 KB, application/octet-stream)
2002-07-15 08:27 UTC, Philipp Morger
tls + ipv6 Patch (tls+ipv6-1.1.11-20020613.patch,337.81 KB, patch)
2002-07-15 08:28 UTC, Philipp Morger
Description Philipp Morger 2002-07-15 08:22:05 UTC
I made a new structure for ipv6 which mainly patches the source.

Unfortunately my gentoo is not really used as an MTA... it's basically a
test-system, but for those who want ipv6 (and only those (through USE flag)) here
is the chance to blow their MTA ;)
Comment 1 Philipp Morger 2002-07-15 08:25:05 UTC
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# /space/gentoo/cvsroot/gentoo-x86/net-mail/postfix/postfix-1.1.8.ebuild,v 1.1 2002/05/14 03:49:25 woodchip Exp

DESCRIPTION="A fast and secure drop-in replacement for sendmail"


    ssl? (${POSTFIX_TLS_VER}.tar.gz )"

    sasl? ( >=dev-libs/cyrus-sasl-1.5.27 )
    ldap? ( >=net-nds/openldap-1.2 )
    mysql? ( >=dev-db/mysql-3.23.28 )
    ssl? ( >=dev-libs/openssl-0.9.6d )"

pkg_setup() {
    # postdrop owns the setgid queue tools installed in src_install
    if ! grep -q ^postdrop: /etc/group ; then
        groupadd postdrop || die "problem adding group postdrop"
    fi
}

src_unpack() {
    unpack ${A}

    use ssl && ( \
        cd ${S}
        patch -p1 < ${WORKDIR}/pfixtls-${POSTFIX_TLS_VER}/pfixtls.diff || die
    )

    use ipv6 && ( \
        cd ${S}
        patch -p1 < ${FILESDIR}/tls+ipv6- || die
    )

    cd ${S}/conf
    sed -e "s:/usr/libexec/postfix:/usr/lib/postfix:" >

    cd ${S}/src/global
    cp mail_params.h mail_params.h.orig
    sed -e "s:/usr/libexec/postfix:/usr/lib/postfix:" mail_params.h.orig >

    use mysql \
        && CCARGS="${CCARGS} -DHAS_MYSQL -I/usr/include/mysql" \
        && AUXLIBS="${AUXLIBS} -lmysqlclient -lm"

    use ldap \
        && CCARGS="${CCARGS} -DHAS_LDAP" \
        && AUXLIBS="${AUXLIBS} -lldap -llber"

    use ssl \
        && CCARGS="${CCARGS} -DHAS_SSL" \
        && AUXLIBS="${AUXLIBS} -lssl"

    # note: if sasl is built w/ pam, then postfix _MUST_ be built w/ pam
    use pam && AUXLIBS="${AUXLIBS} -lpam"

    # stuff we always want...
    CCARGS="${CCARGS} -I/usr/include -DHAS_PCRE"
    AUXLIBS="${AUXLIBS} -L/usr/lib -lpcre -ldl -lcrypt"
    if [ "`use sasl`" ]
    then
        AUXLIBS="${AUXLIBS} -lsasl"
    fi

    cd ${S}
    make tidy || die
    make makefiles CC="cc" OPT="${CFLAGS}" DEBUG="${DEBUG}" \
        CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" || die
}

src_compile() {
    emake || die "compile problem"
}

src_install () {
    dodir /usr/bin /usr/sbin /usr/lib/postfix /etc/postfix/sample

    cd ${S}/bin
    dosbin post* sendmail
    chown root.postdrop ${D}/usr/sbin/{postdrop,postqueue}
    chmod 2755 ${D}/usr/sbin/{postdrop,postqueue}

    dosym /usr/sbin/sendmail /usr/bin/mail
    dosym /usr/sbin/sendmail /usr/bin/mailq
    dosym /usr/sbin/sendmail /usr/bin/newaliases
    dosym /usr/sbin/sendmail /usr/lib/sendmail

    cd ${S}/libexec
    exeinto /usr/lib/postfix
    doexe *

    cd ${S}/man
    doman man*/*

    cd ${S}
    dohtml html/*

    cd ${S}/conf
    insinto /etc/postfix/sample
    doins access aliases canonical relocated transport \
        pcre_table regexp_table postfix-script* *.cf

    exeinto /etc/postfix
    doexe postfix-script post-install postfix-files || die

    insinto /etc/postfix
    doins ${FILESDIR}/ || die

    exeinto /etc/init.d ; newexe ${FILESDIR}/postfix.rc6 postfix
    insinto /etc/pam.d ; newins ${FILESDIR}/smtp.pam smtp
    insinto /etc/sasl ; doins ${FILESDIR}/smtpd.conf
}

pkg_postinst() {
    # -m is needed here: without it, install treats 0755 as a directory name
    install -d -m 0755 ${ROOT}/var/spool/postfix

    ewarn "If you've upgraded from <postfix-1.1.8, you must update"
    ewarn "/etc/postfix/ to the latest version"
    ewarn "(/etc/postfix/._cfg* Otherwise Postfix will"
    ewarn "not work correctly."

    if [ ! -e /etc/mail/aliases.db ] ; then
        ewarn ""
        ewarn "First time installers: You must edit"
        ewarn "/etc/mail/aliases to suit your needs and then run"
        ewarn "/usr/bin/aliases. Postfix will not work correctly"
        ewarn "without it."
    fi
}
Comment 2 Philipp Morger 2002-07-15 08:27:26 UTC
Created attachment 2259 [details]
Postfix Ebuild
Comment 3 Philipp Morger 2002-07-15 08:28:11 UTC
Created attachment 2260 [details, diff]
tls + ipv6 Patch
Comment 4 Philipp Morger 2002-07-15 08:29:34 UTC
ehhmmm ... missed that with the attachment somehow... sorry.
Comment 5 Nick Hadaway 2002-07-22 18:03:28 UTC
net-mail/postfix- has been added into portage.  It is currently
masked in package.mask.  Please comment out of package.mask and test the ebuild.
If you have the ability to test the added functionality, (tls, ipv6, and
sasl(v2)), please do and report back on this bug report.
Comment 6 Philipp Morger 2002-07-23 10:01:34 UTC
I was able to compile; unfortunately one of our switches (yes, a switch) has an
ipv6 problem - so I can't test _this_ build.

I used the same patch on my debian system at home, and there the ipv6
functionality works fine.

TLS + SASL are things I just didn't have enough time yet to dig into the material
(did it once with sendmail... ages ago...)

Comment 7 Philipp Morger 2002-07-24 07:01:23 UTC
postfix as "TLS Client" works fine.... so I hope server does as well....

SASL is still not checked....

btw: TLS is done over ipv4 :( - due to lack of ipv6 backbone....
Comment 8 Nick Hadaway 2002-07-25 17:56:44 UTC
Please check out bug #3730 as I put together a little postfix and sasl howto if
you are interested in testing sasl support :)
Comment 9 Philipp Morger 2002-08-07 06:07:57 UTC
fighting to get sasl v2 working... I think I spotted a problem in the ebuild
with the smtpd.conf.... first it can't find the config to copy and second it
wants to copy it to /usr/lib/sasl2... but according to the ebuild of sasl 2.1.6
the smtpd.conf should go to /etc/sasl2 - I'm not yet a sasl-expert... so please
verify my information :)
Comment 10 Nick Hadaway 2002-08-13 16:45:01 UTC
cyrus-sasl-2.1.7 has been released into portage.  Configuration files are to be 
kept in /etc/sasl2.  I have also released postfix- into 
portage which installs smtpd.conf into /etc/sasl2.  This should hopefully 
alleviate some of the sasl woes people have been experiencing.  Please report 
back on this bug report success and failures.

emerge rsync
emerge cyrus-sasl
emerge postfix
Comment 11 J Robert Ray 2002-08-14 21:34:42 UTC
I just moved to and TLS seems to have stopped working for me.
 It was nearly working for me before upgrading, but I was getting an 'unknown
password verifier' out of SASL.  Now that I've upgraded, without changing my, postfix acts as though there is no TLS support.

Despite the fact I have 'smtpd_tls_auth_only = yes' set, and of course
'smtpd_use_tls = yes,' when I telnet into port 25 and test it with an EHLO,
postfix advertises all the auth methods.

If I try STARTTLS, I get '502 Error: command not implemented' after a short pause.

The prescribed method of determining if postfix is built with TLS support is to
run ldd on smtpd and look for, I do find it and listed there.

Not sure what to do now, what to check or try.  Please advise.

- Robert
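
The manual check described in comment 11 (EHLO on port 25, then look at what is advertised), as an added example that is not part of the original bug report: a small filter that reads a captured pre-TLS EHLO reply and flags both symptoms. The sample replies, the hostname and the function names are constructed for illustration.

```shell
#!/bin/sh
# audit_ehlo: read one pre-TLS EHLO reply on stdin, print one finding per
# symptom, and return 1 if any finding was printed (0 if the reply is clean).
audit_ehlo() {
    awk '
        /^250[- ]/ {
            line = substr($0, 5)
            sub(/\r$/, "", line)        # SMTP lines end in CRLF
            split(line, f, /[ =]/)      # also matches the legacy "AUTH=..." form
            kw = toupper(f[1])
            if (kw == "STARTTLS") starttls = 1
            if (kw == "AUTH") auth = (auth == "" ? "" : auth "; ") line
        }
        END {
            bad = 0
            if (!starttls) { print "STARTTLS not advertised"; bad = 1 }
            if (auth != "") { print "AUTH advertised before TLS: " auth; bad = 1 }
            exit bad
        }'
}

# Constructed replies (hostname and capability lists are sample values).
reply_reported() {   # AUTH visible and no STARTTLS, as described in the comment
    printf '%s\r\n' '250-mail.example.test' '250-PIPELINING' \
        '250-AUTH PLAIN LOGIN' '250-AUTH=PLAIN LOGIN' '250 8BITMIME'
}
reply_expected() {   # smtpd_use_tls = yes with smtpd_tls_auth_only = yes in effect
    printf '%s\r\n' '250-mail.example.test' '250-PIPELINING' \
        '250-STARTTLS' '250 8BITMIME'
}

reply_reported | audit_ehlo || echo "reported reply: findings above"
reply_expected | audit_ehlo && echo "expected reply: clean"
```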
Comment 12 J Robert Ray 2002-08-15 17:32:13 UTC
I just noticed this:

jrray root # emerge postfix
Calculating dependencies ...done!
>>> emerge net-mail/postfix- to /
>>> md5 ;-) postfix-1.1.11-20020613.tar.gz
>>> Unpacking source...
>>> Unpacking postfix-1.1.11-20020613.tar.gz
/usr/sbin/ [: missing `]'
/usr/sbin/ ssl: command not found
patching file src/lmtp/lmtp.h
patching file src/smtp/smtp.h
patching file src/smtpd/smtpd.h

Perhaps related to my problem?

- Robert
Comment 13 Nick Hadaway 2002-08-15 17:51:34 UTC
I have updated the CCARGS and AUXLIBS variables with -I/usr/include/openssl 
and -lcrypto which were missing previously.  Files should be available on rsync 
servers within 24 hours.  Please test the updated ebuild and let me know how 
TLS related things are working.

Also if anyone has comments on SASL's status after the recent updates...

Also updated incorrect coding syntax related to the tls+ipv6 patch. - regarding 
comment #12
Comment 14 J Robert Ray 2002-08-15 18:55:51 UTC
I patched the postfix ebuild to get TLS working again, but SASL is still being a
problem for me.

cyrus-sasl-2.1.7.ebuild has

        chown root:mail ${ROOT}/etc/sasl2
        chmod 640 ${ROOT}/etc/sasl2

in pkg_postinst(), making /etc/sasl2 unreadable by the postfix user (no execute
bit in the directory permissions and the postfix user isn't in the mail group).

In this state, smtpd.conf isn't found and the default authentication method is used:
[postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db
/etc/sasl2: Permission denied

I changed the perms on /etc/sasl2 to 775 and ownership to root.root.  Now
postfix can read the directory, but smtpd.conf still isn't read:
[postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db
/etc/sasl2: Is a directory

Cyrus-sasl wants /etc/sasl2 to be a file, the sasldb password database.

In order to make it find smtpd.conf, I had to create a symlink:
/usr/lib/sasl2/smtpd.conf -> /etc/sasl2/smtpd.conf

Now that smtpd.conf can be read, it is apparently not understood:
[postfix/smtpd] warning: SASL authentication problem: unknown password verifier

When I change smtpd.conf to look like so:
pwcheck_method: saslauthd

and start the saslauthd service, finally PAM is brought into action, however
authentication fails!

[PAM_pwdb] check pass; user unknown
[saslauthd] AUTHFAIL: service=smtp [PAM auth error]

I don't know why PAM is saying "user unknown," perhaps it is trying to find a
user called "" instead of simply "jrray."

- Robert
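
The permission problem from comment 14 (mode 640 on the /etc/sasl2 directory, owned root:mail), as an added example that is not part of the original bug report or of either ebuild: it evaluates the directory search bit for a given identity and walks a path to list the directories that block it. The numeric ids, the 750 variant and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Classic owner/group/other model only: ACLs and LSMs are not considered.
# can_search MODE OWNER_UID OWNER_GID UID [GID...]
# Succeeds if UID, holding the listed GIDs, may look up names in a directory.
can_search() {
    cs_perm=$((0$1)); cs_ouid=$2; cs_ogid=$3; cs_uid=$4
    shift 4
    if [ "$cs_uid" -eq 0 ]; then return 0; fi           # root bypasses the check
    if [ "$cs_uid" -eq "$cs_ouid" ]; then
        cs_bits=$(( ($cs_perm >> 6) & 7 ))              # owner class
    else
        cs_bits=$(( $cs_perm & 7 ))                     # other class, unless...
        for cs_g in "$@"; do
            if [ "$cs_g" -eq "$cs_ogid" ]; then
                cs_bits=$(( ($cs_perm >> 3) & 7 ))      # ...a group matches
                break
            fi
        done
    fi
    [ $(( $cs_bits & 1 )) -ne 0 ]                       # x bit = search on a directory
}

# blocked_dirs PATH UID [GID...]
# Prints every directory above PATH (deepest first) that the identity cannot
# search. Uses `stat -c` as provided by GNU coreutils and busybox.
blocked_dirs() {
    bd_dir=$(dirname "$1"); shift
    while :; do
        bd_meta=$(stat -c '%a %u %g' "$bd_dir") || return 2
        # word splitting of $bd_meta into MODE UID GID is intended
        can_search $bd_meta "$@" || printf '%s\n' "$bd_dir"
        case $bd_dir in /|.) return 0 ;; esac
        bd_dir=$(dirname "$bd_dir")
    done
}

# Constructed ids: root=0, group mail=12, postfix uid/gid=207.
# Cases: as reported; same but postfix added to mail; the 775 root.root
# change from the comment; a tighter 750 root:mail variant (assumption).
for c in "640 0 12 207 207" "640 0 12 207 207 12" "775 0 0 207 207" "750 0 12 207 207 12"; do
    if can_search $c; then echo "$c -> searchable"; else echo "$c -> blocked"; fi
done
```

On a live system, `blocked_dirs /etc/sasl2/smtpd.conf "$(id -u postfix)" $(id -G postfix)` lists the directories the postfix user cannot traverse.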
Comment 15 J Robert Ray 2002-08-15 20:24:39 UTC
I modified the module and verified that indeed an inappropriate
username is trying to be authorized:

[PAM_pwdb] check pass; user ( unknown; supplied p (test)
[saslauthd] AUTHFAIL: service=smtp [PAM auth error]

The '' bit is being added by postfix based on the
smtpd_sasl_local_domain value.  Any idea how this can be avoided?

Sorry about the rapid fire comments,

- Robert
Comment 16 Nick Hadaway 2002-08-16 00:10:02 UTC
I updated cyrus-sasl with the proper configure option for dbpath
(/etc/sasl2/sasldb2) and reset /etc/sasl2 permissions.  Update portage and
re-emerge cyrus-sasl and hopefully this should fix your noted problems.

Thank you for reporting useful information for getting the problems solved.
Comment 17 Philipp Morger 2002-08-28 10:41:52 UTC
I just installed Postfix on a Debian System with AUTH Support through SASL 1.5

and I'd like to share some things I came up with...

with sasldb auth method: smtpd was chrooted, so it couldn't find /etc/sasldb

with passwd or pam: I guess only root is able to call those functions... and
smtpd runs as postfix.

finally I took pwcheck - something previous to authd... you still can't chroot
the smtpd process, but you don't need a separate db for users... 

AH... one thing.... only with the sasldb I was able to have CRAM-MD5 and
DIGEST... with pwcheck I only have PLAIN... but hey... POP3 is also not
Comment 18 Nick Hadaway 2002-09-03 15:21:03 UTC
The postfix- has disappeared from portage due to a 
developer accidentally thinking it was an old package. 
I am working on a new ebuild of postfix based on the 20020822 snapshot with 
all the support we have been discussing built in.  The main issue I am having 
right now is the best ssl and ipv6 patches are together in one patch which is 
not how I want this software to build.  ssl and ipv6 support needs to be 
separable.  I will be spending some time with the latest tls+ipv6 patch to see 
if I can split it into two patches. 
If anyone here knows of good separate tls and ipv6 patches for postfix I will 
definitely entertain their usage. 
Comment 19 Philipp Morger 2002-09-04 01:28:24 UTC
I found some sources...

which leads to

I guess KAME is quite outdated...

so here is another one

I don't know if any of these links are useful or if they work for 1.11 or any
Comment 20 Nick Hadaway 2002-09-05 10:53:18 UTC
adding TLS support only is fine... but there are no good standalone IPV6 patches
available... (neither of the ipv6 patches you specify actually work for the
development postfix-1.1.11-20020822)

My thought now is to have the separate TLS patch and the IPV6+TLS patch
available for use

ipv6 && ssl - TLS+IPV6 patch
-ipv6 && ssl - standalone TLS patch
ipv6 && -ssl - spit out an error message saying ssl must be enabled

I will be testing.  I'll let you know how things go.

If anybody has any other suggestions for the ebuild as far as added support, please
let me know.
Comment 21 Nick Hadaway 2002-09-11 14:58:37 UTC
I have released postfix- into portage.  It is currently masked 
but has support for both tls and ipv6+tls.  Please test the ebuild and let me 
know how things work for you.
Comment 22 Nick Hadaway 2002-09-17 16:32:52 UTC
postfix- has been unmasked.  mysql, ldap, tls, ipv6, and
sasl v1 and v2 support is in the ebuild.  Please test and report your experience
on this report.
Comment 23 Nick Hadaway 2002-09-19 14:27:08 UTC
postfix- has been released into portage.  Including tls+ipv6