diff --git a/.cvsignore b/.cvsignore index de96852..255b47c 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2 -postfix-1.1.12.tar.gz +pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz +postfix-2.0.11.tar.gz diff --git a/README-Postfix-SASL-RedHat.txt b/README-Postfix-SASL-RedHat.txt new file mode 100644 index 0000000..c4ae6ca --- /dev/null +++ b/README-Postfix-SASL-RedHat.txt 
@@ -0,0 +1,444 @@ +Quick Start to Authenticate with SASL and PAM: +---------------------------------------------- + +If you don't need the details and are an experienced system +administrator you can just do this, otherwise read on. + +1) Edit /etc/postfix/main.cf and set this: + +smtpd_sasl_auth_enable = yes +smtpd_sasl_security_options = noanonymous +broken_sasl_auth_clients = yes + +smtpd_recipient_restrictions = + permit_sasl_authenticated, + permit_mynetworks, + check_relay_domains + +2) Turn on saslauthd: + + /sbin/chkconfig --level 345 saslauthd on + /sbin/service saslauthd start + +3) Edit /etc/sysconfig/saslauthd and set this: + + MECH=pam + +4) Restart Postfix: + + /sbin/service postfix restart + +A crash course in using SASL with Postfix: +------------------------------------------ + +Red Hat's Postfix RPMs include support for both SASL and TLS. SASL, the +Simple Authentication and Security Layer, allows Postfix to implement RFC +2554, which defines an extension to ESMTP, SMTP AUTH, which compliant +ESMTP clients can use to authenticate themselves to ESMTP servers. +Typically, this is used to allow roaming users to relay mail through a +server safely without configuring the SMTP server to be an open relay. +Inclusion of TLS support allows Postfix to implement RFC 2487, which +defines an extension to ESMTP, SMTP STARTTLS, which compliant ESMTP +clients and servers can use to encrypt the SMTP session. This is a +security enhancement -- normally SMTP is transmitted as cleartext over the +wire, making it vulnerable to both passive sniffing and active alteration +via monkey-in-the-middle attacks. In addition, STARTTLS can also be +used by either or both server and client to verify the identity of the +other end, making it useful for the same sorts of purposes as SMTP AUTH. +The two can even be combined. 
Typically, this is done by first starting +TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command, +to authenticate the client; this combination ensures that the username +and password transferred as part of the SMTP AUTH are protected by the +TLS encrypted session. + +SMTP AUTH is implemented using SASL, an abstraction layer which can +authenticate against a variety of sources. On Red Hat, SASL can use +the /etc/shadow file, or it can use PAM libraries, or it can use its own +password database (/etc/sasldb), or it can do various more exotic things. + +Authentication raises a number of security concerns for obvious +reasons. As a consequence authentication services on Red Hat systems +are restricted to processes running with root privileges. However for +security reasons it is also essential that a mail server such as +Postfix run without root privileges so that mail operations cannot +compromise the host system. This means that Postfix cannot directly +use authentication services because it does not execute with root +privileges. The answer to this this problem is to introduce an +intermediary process that runs with root privileges which Postfix can +communicate with and will perform authentication on behalf of +Postfix. The SASL package includes an authentication daemon called +saslauthd which provided this service, think of it as an +authentication proxy. + +Using Saslauthd: +---------------- + +To use saslauthd there are several things you must assure are +configured. + +SASL has been shipped in various versions, currently there is SASL V1 +and SASL V2. The implementation of saslauthd is not compatible between +SASL V1 and V2 libraries. You must use the V2 implementation of +SASL. Note that currently the V1 SASL libraries install in +/usr/lib/sasl and the V2 SASL libraries install in /usr/lib/sasl2. + +Selecting an Authentication Method: +----------------------------------- + +Recall that it is saslauthd which is authenticating, not +Postfix. 
To start with you must tell Postfix to use saslauthd, in +main.cf edit this configuration parameter: + + smtpd_sasl_auth_enable = yes + +It is also recommended that you disable anonymous logins otherwise +you've left your system open, so also add this configuration +parameter. + + smtpd_sasl_security_options = noanonymous + +Now you must tell saslauthd which authentication method to use. To +determine the authentication methods currently supported by saslauthd +invoke saslauthd with the -v parameter, it will print its version and +its list of methods and then exit, for example: + + /usr/sbin/saslauthd -v + saslauthd 2.1.10 + authentication mechanisms: getpwent kerberos5 pam rimap shadow + +When saslauthd starts up it reads its configuration options from the +file /etc/sysconfig/saslauthd. Currently there are two parameters +which can be set in this file, MECH and FLAGS. MECH is the +authentication mechanism and FLAGS is any command line flags you may +wish to pass to saslauthd. To tell saslauthd to use a specific +mechanism edit /etc/sysconfig/saslauthd and set the MECH parameter, +for example to use PAM it would look like this: + + MECH=pam + +Of course you may use any of the other authentication mechanisms that +saslauthd reported it supports. PAM is an excellent choice as PAM +supports many of the same authentication methods that saslauthd does, +but by using PAM you will have centralized all of your authentication +configuration under PAM which is one of PAM's greatest assets. + +How Postfix Interacts with SASL to Name its Authentication Services: +-------------------------------------------------------------------- + +It can be very helpful to understand how Postfix communicates with +SASL to name its authentication services. Knowing this will let you +identify the configuration files the various components will access. 
+ +When Postfix invokes SASL it must give SASL an application name that +SASL will use among other things to locate a configuration file for +the application. The application name Postfix identifies itself as is +"smtpd". SASL will append ".conf" to the application name and look for +a config file in its library directory. Thus SASL will read Postfix's +configuration from: + + /usr/lib/sasl2/smtpd.conf + +This file names the authentication method SASL will use for Postfix +(actually for smtpd, other MTA's such as sendmail may use the same +file). Because we want to use the saslauthd authentication proxy +daemon the contents of this file is: + + pwcheck_method: saslauthd + +This tells SASL when being invoked to authentication for Postfix that +it should use saslauthd. Saslauthd's mechanism is set in +/etc/sysconfig/saslauthd (see below). + +When Postfix calls on SASL to authenticate it passes to SASL a service +name. This service name is used in authentication method specific +way. The service name Postfix passes to SASL is "smtp" (note this is +not the same as the application name which is "smtpd"). To understand +this better consider the case of using PAM authentication. When SASL, +or in our case saslauthd, invokes PAM it passes the service name of +"smtp" to PAM which means that when PAM wants to read configuration +information for this client it will find it under the name of "smtp". + +Turning on the Authentication Daemon: +------------------------------------- + +Red Hat security policy is not to automatically enable services +belonging to a package when the package is installed. The system +administrator must explicitly enable the service. To enable saslauthd +do the following: + +1) Tell the init process to launch saslauthd when entering various run + levels. Assuming you want saslauthd to run at run levels 3,4,5 + invoke chkconfig. 
+ + /sbin/chkconfig --level 345 saslauthd on + +2) You will probably want to start saslauthd now without having to + reboot, to do this: + + /sbin/service saslauthd start + +Trouble Shooting Authentication: +-------------------------------- + +The best way to debug authentication problems is to examine log +messages from the authentication components. However, normally these +log messages are suppressed. There are two principle reasons the +messages are suppressed. The first is that they are typically logged +at the DEBUG logging priority level which is the lowest priority and +the syslog configuration typically logs only higher priority +messages. The second reason is that for security reasons authentication +logging is considered a risk. Authentication logging has been divided +into two different facilities, auth and authpriv. authpriv is private +and is typically shunted off to a different log file with higher +protection. You will want to be able to see both auth and authpriv +messages at all priorities. To do this as root edit /etc/syslog.conf +file, find the following line + +authpriv.* /var/log/secure + +edit the line to: + +authpriv.*;auth.* /var/log/secure + +Then restart syslogd so the syslog configuration changes will be +picked up: + + /sbin/service syslogd restart + +Now all authentication messages at all priorities will log to +/var/log/secure. + +Using PAM to Authenticate: +-------------------------- + +Edit /etc/sysconfig/saslauthd and set MECH to PAM like this: + + MECH=pam + +When PAM is invoked via SASL it is passed a service name of +"smtp". This means that PAM will read its configuration parameters for +Postfix from the file: /etc/pam.d/smtp. By default this file is set to +refer to the global system PAM authentication policy, thus by default +you'll get whatever PAM authentication your system is configured for +and virtually all applications use. 
Configuring PAM authentication is +beyond the scope of this document, please refer to the PAM +documentation if you which to modify PAM. + +Trouble Shooting PAM Authentication: +------------------------------------ + +1) One possible reason PAM may fail to authenticate even if the user +is known to the system is if PAM fails to find the service +configuration file in /etc/pam.d. Service configuration files are not +required by PAM, if it does not find a service configuration file it +will default to "other". Since PAM does not consider the absence of a +service configuration file a problem it does not log anything nor does +it return an error to the calling application. In other words it is +completely silent about the fact it did not find a service +configuration file. On Red Hat system the default implementation of +"other" for PAM is to deny access. This means on Red Hat systems the +absence of a PAM service configuration file will mean PAM will +silently fail authentication. The PAM service configuration file for +postfix is /etc/pam.d/smtp and is intalled by the Red Hat Postfix rpm +and put under control of "alternatives" with name mta. Alternatives +allows one to select between the sendmail and postfix MTA's and +manages symbolic links for files the two MTA's share. /etc/pam.d/smtp +is one such file, if you have not selected Postfix as your prefered +MTA the link to this file will not be present. To select Postfix as +your MTA do this: "/usr/sbin/alternatives --config mta" and follow the +prompt to select postfix. + +2) Is SASL appending a realm or domain to a username? PAM + authentication requires a bare username and password, other + authentication methods require the username to be qualified with a + realm. Typically the username will be rewritten as user@realm + (e.g. user@foo.com) PAM does not understand a username with + "@realm" appended to it and will fail the authentication with the + message that the user is unknown. 
If the log files shows saslauthd + usernames with "@realm" appended to it then the + smtpd_sasl_local_domain configuration parameter is likely set in + /etc/postfix/main.cf file, make sure its either not set or set it + to an empty string. Restart postfix and test authtentication again, + the log file should show only a bare username. + + + +Using saslpasswd to Authenticate: +--------------------------------- + +SASL can maintain its own password database independent of the host +system's authentication setup, it is called saslpasswd. You may wish +to use saslpasswd if you want to isolate who can smtp authenticate +from general system users. However, it does add another password +database that a system administrator must maintain. + +To authenticate against sasldb, you'll first have to create accounts. +These accounts are entirely separate from system accounts, and are used +only by connecting SMTP clients to authenticate themselves. Use the +saslpassword command: + +saslpasswd -u realm -c user + +to create an account named user which can log into realm. For the +realm, make absolutely certain that you use the same value as is set for +myhostname in /etc/postfix/main.cf. If you don't, it likely won't work. + +Also, be aware that saslpasswd is somewhat buggy. The first time you +run it, it may generate an error message while initializing the sasldb. +If it does, just add that user a second time. + +You'll need to set permissions on the SASL password database so that +the Postfix daemons can read it: + + chgrp postfix /etc/sasldb + chmod g+r /etc/sasldb + +Now, you'll need to modify /etc/postfix/main.cf to tell it to +support SASL. The complete options you might want to use are in the +sample-auth.cf file in the Postfix documentation directory. 
An option +you will definitely need is: + +# enable SASL support +smtpd_sasl_auth_enable = yes + +You might also need to set the SASL authentication realm to whatever +realm you used when you created your sasldb; by default, this is set to +$myhostname, but you instead might need something like: + +# set SASL realm to domain instead +smtpd_sasl_local_domain = $mydomain + +Other Postfix Authentication Parameters: +---------------------------------------- + +If you want to allow your already configured users to still use your SMTP +server, and to allow users authenticated via SMTP AUTH to use your server +as well, then modify your existing smtpd_recipient_restrictions line to; + +# also allow authenticated (RFC 2554) users +smtpd_recipient_restrictions = permit_sasl_authenticated ... + +If you want to restrict use of your server to just authenticated clients +(Note: this is a bad idea for public mail servers), then instead use: + +# restrict server access to authenticated (RFC 2554) clients +smtpd_delay_reject = yes +smtpd_client_restrictions = permit_sasl_authenticated ... + +SASL supports several password types which have differing security +properties. Different SMTP clients may support some or all of these +password types. When the client issues an EHLO command, the server +tells it which types it supports: + +$ telnet station6 25 +Trying 10.100.0.6... +Connected to station6.example.com. +Escape character is '^]'. +220 station6.example.com ESMTP Postfix +ehlo station7 +250-station6.example.com +250-PIPELINING +250-SIZE 10240000 +250-VRFY +250-ETRN +250-STARTTLS +250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 +250-XVERP +250 8BITMIME + +Here, the server supports PLAIN, LOGIN, DIGEST-MD5, and CRAM-MD5 password +methods. + +The client then chooses the first of these listed methods which it also +supports, and issues an SMTP AUTH request. + +For security, PLAIN and LOGIN methods are typically disabled. 
These two +methods use trivially decryptable encryption, making the username and +password issued by the client vulnerable to interception via a sniffer +in between the server and client. Unfortunately, they can't always +be disabled. Some popular SMTP clients, including MS Outlook 5.x, +only support PLAIN authentication, for example. + +To limit the login methods offered by the server: + +# disable unsafe password methods +smtpd_sasl_security_options = noplaintext noanonymous + +Available options are: + +noplaintext, which disables LOGIN and PLAIN +noanonymous, which disables disables ANON +nodictionary, which disables methods vulnerable to dictionary attacks +noactive, which disables methods vulnerable to active attacks + +The last two are rarely used, since almost all supported methods are +vulnerable to those attacks ;-). + +Also be aware that some broken clients mis-implement the SMTP AUTH +protocol, and send commands using incorrect syntax (AUTH=foo instead of +the correct AUTH foo). MS Outlook 4.x clients have this bug, among +a legion of others.... If you need to support these clients, use: + +# support braindead MS products +broken_sasl_auth_clients = yes + +To help prevent spoofing, you can also create a map file of SASL login +names which are allowed to use specific envelope sender (MAIL FROM) +addresses. If you choose to do this, you also have to tell Postfix to +reject addresses which don't match login names: + +# prevent spoofing by authenticated users +reject_sender_login_mismatch +smtpd_sender_login_maps=type:/path/to/file + +Configuration of SASL clients is much simpler. Postfix itself can be +made a SASL client; this is typically useful when roaming users run Linux +on their laptop and need to relay mail back through the organization's +main server. 
+ +To enable Postfix to act as an SMTP AUTH client, simply add to +/etc/postfix/main.cf: + +# support authentication (RFC 2557) when relaying through a server +smtp_sasl_auth_enable = yes + +and tell Postfix where to find the usernames and passwords it should +use to authenticate: + +# location of passwords for authentication client +smtp_sasl_password_maps = type:/path/to/file + +The file itself should have the format: + +destination username:password + +where destination is the name of the server, and username:password are +the username and password which should be presented to that server to +authenticate when connecting to it as a client. + +Optionally, the authentication methods to be used can be specified for +the Postfix client, just as they can be for the Postfix server: + +# disable plaintext and anonymous +smtp_sasl_security_options = noplaintext noanonymous + +Many popular end-user MUAs can also be configured as SMTP AUTH clients. +Clients capable of this supplied with Red Hat include pine, Netscape, +and Mozilla. + +Other Sources of Documentation: +------------------------------- + +Local configuration examples: + +/usr/share/doc/postfix-*/samples + +Postfix Howtos, Guides and Tips by Ralf Hildebrandt and Patrick +Koetter can be found at: http://postfix.state-of-mind.de + +------------------------------------------------------------------------------ + +Please send any comments / corrections to Chris Ricker +. This material can be freely modified and +redistributed. Additional material provided by John Dennis + diff --git a/postfix-pam.conf b/postfix-pam.conf new file mode 100644 index 0000000..6452ee0 --- /dev/null +++ b/postfix-pam.conf @@ -0,0 +1,3 @@ +#%PAM-1.0 +auth required pam_stack.so service=system-auth +account required pam_stack.so service=system-auth diff --git a/postfix-sasl.conf b/postfix-sasl.conf new file mode 100644 index 0000000..d82ed6e --- /dev/null +++ b/postfix-sasl.conf @@ -0,0 +1 @@ +pwcheck_method: saslauthd 
diff --git a/postfix.spec b/postfix.spec index 985271d..59c3daa 100644 --- a/postfix.spec +++ b/postfix.spec @@ -1,17 +1,26 @@ -%define copy_cmd copy() { ln -f "$1" "$2" 2>/dev/null || cp -df "$1" "$2"; } -%define ROOT /var/spool/postfix - -%define LDAP 0 +%define LDAP 2 %define MYSQL 0 %define PCRE 1 -%define SASL 1 +%define SASL 2 %define TLS 1 -%define SMTPD_MULTILINE_GREETING 1 %define POSTDROP_GID 90 +# On Redhat 8.0.1 and earlier, LDAP is compiled with SASL V1 and won't work +# if postfix is compiled with SASL V2. So we drop to SASL V1 if LDAP is +# requested but use the preferred SASL V2 if LDAP is not requested. +# Sometime soon LDAP will build agains SASL V2 and this won't be needed. + +%if %{LDAP} <= 1 && %{SASL} >= 2 +%undefine SASL +%define SASL 1 +%endif + +# Do we use db3 or db4 ? If we have db4, assume db4, otherwise db3. +%define dbver db4 + # If set to 1 if official version, 0 if snapshot %define official 1 -%define ver 1.1.12 +%define ver 2.0.11 %define releasedate 20020624 %define alternatives 1 %if %{official} @@ -21,8 +30,10 @@ Version: %{ver} Version: %{ver}-%{releasedate} %define ftp_directory experimental %endif +Release: 5 +Epoch: 2 -%define tlsno pfixtls-0.8.11a-1.1.11-0.9.6d +%define tlsno pfixtls-0.8.13-2.0.10-0.9.7b # Postfix requires one exlusive uid/gid and a 2nd exclusive gid for its own # use. Let me know if the second gid collides with another package. @@ -31,6 +42,7 @@ Version: %{ver}-%{releasedate} %define postfix_gid 89 %define maildrop_group postdrop %define maildrop_gid %{POSTDROP_GID} +%define docdir %{_docdir}/%{name}-%{version} Name: postfix Group: System Environment/Daemons 
@@ -44,36 +56,39 @@ PreReq: /usr/sbin/alternatives Obsoletes: sendmail exim qmail %endif PreReq: %{_sbindir}/groupadd, %{_sbindir}/useradd -Epoch: 2 Provides: MTA smtpd smtpdaemon /usr/bin/newaliases -Release: 1 Summary: Postfix Mail Transport Agent Source0: ftp://ftp.porcupine.org/mirrors/postfix-release/%{ftp_directory}/%{name}-%{version}.tar.gz Source3: postfix-etc-init.d-postfix Source5: postfix-aliases -Source6: postfix-chroot-setup.awk -Source9: ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/%{tlsno}.tar.bz2 -Source10: postfix-smtpd.conf -Source11: README-Postifx-SASL-RedHat.txt +Source9: ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/%{tlsno}.tar.gz +Source11: README-Postfix-SASL-RedHat.txt +# Sources >= 100 are config files +Source100: postfix-sasl.conf +Source101: postfix-pam.conf +Source102: postfix-saslauthd.conf Patch1: postfix-config.patch Patch2: postfix-smtp_sasl_proto.c.patch Patch3: postfix-alternatives.patch -Patch4: postfix-1.1.4-sasl2-patch -Patch5: postfix-1.1.12-resolve.patch # Optional patches - set the appropriate environment variables to include # them when building the package/spec file -# applied if %SMTPD_MULTILINE_GREETING=1 -Patch99: postfix-smtpd_multiline_greeting.patch - BuildRoot: %{_tmppath}/%{name}-buildroot # Determine the different packages required for building postfix -BuildRequires: gawk, perl, sed, ed, db4-devel, pkgconfig +BuildRequires: gawk, perl, sed, ed, %{dbver}-devel, pkgconfig + +Requires: %{dbver} %if %{LDAP} -BuildRequires: openldap >= 1.2.9, openldap-devel >= 1.2.9 +BuildRequires: openldap >= 2.0.27, openldap-devel >= 2.0.27 +Requires: openldap >= 2.0.27 +%endif + +%if %{SASL} +BuildRequires: cyrus-sasl >= 2.1.10, cyrus-sasl-devel >= 2.1.10 +Requires: cyrus-sasl >= 2.1.10 %endif %if %{PCRE} 
@@ -86,21 +101,16 @@ Requires: mysql, mysqlclient9 BuildRequires: mysql, mysqlclient9, mysql-devel %endif -%if %{SASL} -Requires: cyrus-sasl -BuildRequires: cyrus-sasl, cyrus-sasl-devel -%endif - %if %{TLS} Requires: openssl -BuildRequires: openssl-devel +BuildRequires: openssl-devel >= 0.9.6 %endif Provides: /usr/sbin/sendmail /usr/bin/mailq /usr/bin/rmail %description Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), -TLS and running in a chroot environment. +TLS %prep umask 022 @@ -109,41 +119,21 @@ umask 022 # Apply the TLS patch, must be at first, because the changes of master.cf %if %{TLS} patch -p1 <%{tlsno}/pfixtls.diff +%patch1 -p1 -b .config +%else +# Without the TLS patch the context lines in this patch don't match. +# Set fuzz to ignore all context lines, this is a bit dangerous. +patch --fuzz=3 -p1 -b -z .config < %{P:1} %endif # Apply obligatory patches -%patch1 -p1 -b .config %patch2 -p1 -b .auth %if %alternatives %patch3 -p1 -b .alternatives %endif -# Apply the SASL2 patch to make postfix work correctly with SASL2. -%patch4 -p1 -b .sasl2 - -# Fix issue with malformed addresses -%patch5 -p1 -b .headers - # Apply optional patches -# Apply my SMTPD Multiline greeting patch -%if %{SMTPD_MULTILINE_GREETING} -%patch99 -p1 -b .multiline -%endif - -# Move around the TLS docs -%if %{TLS} -mkdir html/TLS -mv %{tlsno}/doc/* html/TLS -for i in ACKNOWLEDGEMENTS CHANGES INSTALL README TODO; do - mv %{tlsno}/$i $i.TLS -done -%endif - -# setup master.cf to be chrooted -mv conf/master.cf conf/master.cf-nochroot -awk -f %{_sourcedir}/postfix-chroot-setup.awk < conf/master.cf-nochroot > conf/master.cf - %build umask 022 @@ -156,7 +146,7 @@ CCARGS="${CCARGS} -fsigned-char" %if %{LDAP} CCARGS="${CCARGS} -DHAS_LDAP" - AUXLIBS="${AUXLIBS} -L/usr/%{_lib} -lldap -llber" + AUXLIBS="${AUXLIBS} -L%{_libdir} -lldap -llber" %endif %if %{PCRE} # -I option required for pcre 3.4 (and later?) 
@@ -165,11 +155,19 @@ CCARGS="${CCARGS} -fsigned-char" %endif %if %{MYSQL} CCARGS="${CCARGS} -DHAS_MYSQL -I/usr/include/mysql" - AUXLIBS="${AUXLIBS} -L/usr/%{_lib}/mysql -lmysqlclient -lm" + AUXLIBS="${AUXLIBS} -L%{_libdir}/mysql -lmysqlclient -lm" %endif %if %{SASL} + %define sasl_lib_dir %{_libdir}/sasl2 CCARGS="${CCARGS} -DUSE_SASL_AUTH" - AUXLIBS="${AUXLIBS} -lsasl" + %if %{SASL} <= 1 + %define sasl_lib_dir %{_libdir}/sasl + AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl" + %else + %define sasl_lib_dir %{_libdir}/sasl2 + CCARGS="${CCARGS} -I/usr/include/sasl" + AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl2" + %endif %endif %if %{TLS} if pkg-config openssl ; then @@ -205,11 +203,17 @@ sh postfix-install -non-interactive \ mail_owner=postfix \ setgid_group=%{maildrop_group} \ manpage_directory=%{_mandir} \ - sample_directory=/samples \ - readme_directory=%{_docdir}/%{name}-%{version}/README_FILES || exit 1 + sample_directory=%{docdir}/samples \ + readme_directory=%{docdir}/README_FILES || exit 1 -rm -fr ./samples -mv $RPM_BUILD_ROOT/samples . +# Move around the TLS docs +%if %{TLS} +mkdir -p $RPM_BUILD_ROOT%{docdir}/TLS +cp %{tlsno}/doc/* $RPM_BUILD_ROOT%{docdir}/TLS +for i in ACKNOWLEDGEMENTS CHANGES INSTALL README TODO; do + cp %{tlsno}/$i $RPM_BUILD_ROOT%{docdir}/TLS +done +%endif # Change alias_maps and alias_database default directory to %{_sysconfdir}/postfix bin/postconf -c $RPM_BUILD_ROOT%{_sysconfdir}/postfix -e \ @@ -222,11 +226,6 @@ bin/postconf -c $RPM_BUILD_ROOT%{_sysconfdir}/postfix -e \ install -c %{_sourcedir}/postfix-etc-init.d-postfix \ $RPM_BUILD_ROOT/etc/rc.d/init.d/postfix -# These set up the chroot directory structure -mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/etc -mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/%{_lib} -mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/usr/%{_lib}/zoneinfo - install -c auxiliary/rmail/rmail $RPM_BUILD_ROOT%{_bindir}/rmail # copy new aliases files and generate a ghost aliases.db file 
@@ -260,11 +259,16 @@ q EOF # Install the smtpd.conf file for SASL support. -mkdir -p $RPM_BUILD_ROOT%{_libdir}/sasl -install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_libdir}/sasl/smtpd.conf +mkdir -p $RPM_BUILD_ROOT%{sasl_lib_dir} +install -m 644 %SOURCE100 $RPM_BUILD_ROOT%{sasl_lib_dir}/smtpd.conf +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d +install -m 644 %SOURCE101 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/smtp.postfix +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +install -m 644 %SOURCE102 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/saslauthd # Install Postfix Red Hat HOWTO. -cp %{SOURCE11} . +mkdir -p $RPM_BUILD_ROOT%{docdir} +install -c %{SOURCE11} $RPM_BUILD_ROOT%{docdir} # remove LICENSE file from /etc/postfix (it's still in docdir) rm -f $RPM_BUILD_ROOT%{_sysconfdir}/postfix/LICENSE @@ -290,18 +294,15 @@ sh %{_sysconfdir}/postfix/post-install \ mail_owner=postfix \ setgid_group=%{maildrop_group} \ manpage_directory=%{_mandir} \ - sample_directory=%{_docdir}/%{name}-%{version}/samples \ - readme_directory=%{_docdir}/%{name}-%{version}/README_FILES \ + sample_directory=%{docdir}/samples \ + readme_directory=%{docdir}/README_FILES \ upgrade-package -# setup chroot config -mkdir -p %{ROOT}/etc -[ -e /etc/localtime ] && cp /etc/localtime %{ROOT}/etc - %if %alternatives /usr/sbin/alternatives --install %{_sbindir}/sendmail mta %{_sbindir}/sendmail.postfix 30 \ --slave %{_bindir}/mailq mta-mailq %{_bindir}/mailq.postfix \ --slave %{_bindir}/newaliases mta-newaliases %{_bindir}/newaliases.postfix \ + --slave %{_sysconfdir}/pam.d/smtp mta-pam %{_sysconfdir}/pam.d/smtp.postfix \ --slave %{_bindir}/rmail mta-rmail %{_bindir}/rmail.postfix \ --slave %{_mandir}/man1/mailq.1.gz mta-mailqman %{_mandir}/man1/mailq.postfix.1.gz \ --slave %{_mandir}/man1/newaliases.1.gz mta-newaliasesman %{_mandir}/man1/newaliases.postfix.1.gz \ 
@@ -309,43 +310,6 @@ mkdir -p %{ROOT}/etc --initscript postfix %endif -# Generate chroot jails on the fly when needed things are installed/upgraded -%triggerin -- glibc -%{copy_cmd} -# Kill off old versions -rm -rf %{ROOT}/%{_lib}/libnss* %{ROOT}/%{_lib}/libresolv* -# Copy the relevant parts in -LIBCVER=`ls -l /%{_lib}/libc.so.6* | sed "s/.*libc-\(.*\).so$/\1/g"` -for i in compat dns files hesiod nis nisplus ; do - [ -e /%{_lib}/libnss_$i-${LIBCVER}.so ] && copy /%{_lib}/libnss_$i-${LIBCVER}.so %{ROOT}/%{_lib} - [ -e /%{_lib}/libnss_$i.so ] && copy /%{_lib}/libnss_$i.so %{ROOT}/%{_lib} -done -copy /%{_lib}/libresolv-${LIBCVER}.so %{ROOT}/%{_lib} -ldconfig -n %{ROOT}/%{_lib} - -%if %{LDAP} -%triggerin -- openldap -rm -rf %{ROOT}/usr/%{_lib}/liblber* %{ROOT}/usr/%{_lib}/libldap* -%{copy_cmd} -copy /usr/%{_lib}/liblber.so.2 %{ROOT}/usr/%{_lib} -copy /usr/%{_lib}/libldap_r.so.2 %{ROOT}/usr/%{_lib} -copy /usr/%{_lib}/libldap.so.2 %{ROOT}/usr/%{_lib} -ldconfig -n %{ROOT}/usr/%{_lib} -%endif - -%triggerin -- setup -rm -f %{ROOT}/etc/services -%{copy_cmd} -copy /etc/services %{ROOT}/etc - -# Put db4 in the chroot jail, but only if the soname is correct -%triggerin -- db4 -%{copy_cmd} -DBVER=`ldd %{_libexecdir}/postfix/pickup |grep libdb |sed "s,[[:blank:]],,g;s,=>.*,,"` -if [ -e "/%{_lib}/$DBVER" ]; then - copy "/%{_lib}/$DBVER" %{ROOT}/%{_lib} -fi - %pre # Add user and groups if necessary %{_sbindir}/groupadd -g %{maildrop_gid} -r %{maildrop_group} 2>/dev/null 
@@ -357,33 +321,6 @@ exit 0 %preun umask 022 -# selectively remove the rest of the queue directory structure -# first remove the "queues" (and assume the hash depth is still 2) -queue_directory_remove () { - for dir in active bounce defer deferred flush incoming; do - for a in 0 1 2 3 4 5 6 7 8 9 A B C D E F; do - test -d $dir/$a && { - for b in 0 1 2 3 4 5 6 7 8 9 A B C D E F; do - test -d $dir/$a/$b && ( - /bin/rm -f $dir/$a/$b/* - /bin/rmdir $dir/$a/$b - ) - done - /bin/rmdir $dir/$a || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir/$a" - } - done - /bin/rmdir $dir || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir" - done - - # now remove the other directories - for dir in corrupt maildrop pid private public saved; do - test -d $dir && { - /bin/rm -f $dir/* - /bin/rmdir $dir || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir" - } - done -} - if [ "$1" = 0 ]; then # stop postfix silently, but only if it's running /sbin/service postfix stop &>/dev/null @@ -392,17 +329,8 @@ if [ "$1" = 0 ]; then /usr/sbin/alternatives --remove mta %{_sbindir}/sendmail.postfix %endif - cd %{_var}/spool/postfix && { - # Clean up chroot environment - rm -rf %{ROOT}/%{_lib} %{ROOT}/usr %{ROOT}/etc - queue_directory_remove - } fi -# Remove unneeded symbolic links -for i in samples; do - test -L %{_sysconfdir}/postfix/$i && rm %{_sysconfdir}/postfix/$i -done exit 0 %postun @@ -417,6 +345,11 @@ exit 0 %files %defattr(-, root, root) + +%config(noreplace) %{sasl_lib_dir}/smtpd.conf +%config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix +%config(noreplace) %{_sysconfdir}/sysconfig/saslauthd + %verify(not md5 size mtime) %config %dir %{_sysconfdir}/postfix %attr(0755, root, root) %config %{_sysconfdir}/postfix/postfix-script %attr(0755, root, root) %config %{_sysconfdir}/postfix/post-install 
@@ -439,11 +372,6 @@ exit 0 %attr(0755, root, root) %config /etc/rc.d/init.d/postfix -%dir %verify(not md5 size mtime) %{_var}/spool/postfix -%dir %attr(-, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/etc -%dir %attr(-, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/%{_lib} -%attr(-, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/usr - # For correct directory permissions check postfix-install script %dir %attr(0700, postfix, root) %verify(not md5 size mtime) %{_var}/spool/postfix/active %dir %attr(0700, postfix, root) %verify(not md5 size mtime) %{_var}/spool/postfix/bounce @@ -460,15 +388,7 @@ exit 0 %dir %attr(0755, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/pid -%doc 0README COMPATIBILITY HISTORY INSTALL LICENSE PORTING RELEASE_NOTES README-Postifx-SASL-RedHat.txt -%if %{TLS} -%doc ACKNOWLEDGEMENTS.TLS CHANGES.TLS README.TLS TODO.TLS html/TLS/* -%endif -%doc html -%doc samples -%doc README_FILES - -%{_libdir}/sasl/smtpd.conf +%doc %{docdir} %dir %attr(0755, root, root) %verify(not md5 size mtime) %{_libexecdir}/postfix %{_libexecdir}/postfix/bounce @@ -481,6 +401,7 @@ exit 0 %{_libexecdir}/postfix/nqmgr %{_libexecdir}/postfix/pickup %{_libexecdir}/postfix/pipe +%{_libexecdir}/postfix/proxymap %{_libexecdir}/postfix/qmgr %{_libexecdir}/postfix/qmqpd %{_libexecdir}/postfix/showq 
@@ -517,8 +438,28 @@ exit 0 %{_mandir}/*/* %changelog -* Mon Jul 28 2003 Bill Nottingham 2:1.1.12-1 -- update to 1.1.12, add a patch from the author +* Tue Jul 22 2003 Nalin Dahyabhai 2.0.11-5 +- rebuild + +* Thu Jun 26 2003 John Dennis +- bug 98095, change rmail.postfix to rmail for uucp invocation in master.cf + +* Wed Jun 25 2003 John Dennis +- add missing dependency for db3/db4 + +* Thu Jun 19 2003 John Dennis +- upgrade to new 2.0.11 upstream release +- fix authentication problems +- rewrite SASL documentation +- upgrade to use SASL version 2 +- Fix bugs 75439, 81913 90412, 91225, 78020, 90891, 88131 + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Fri Mar 7 2003 John Dennis +- upgrade to release 2.0.6 +- remove chroot as this is now the preferred installation according to Wietse Venema, the postfix author * Mon Feb 24 2003 Elliot Lee - rebuilt diff --git a/sources b/sources index f293e2f..e07a0ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -9ea830b526ca7aabd1092fd0990cf27c pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2 -d1d0f9792ec6ea063ccca59184e54212 postfix-1.1.12.tar.gz +31f1e830882025957f735e5e9b7dd2fd pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz +a6bb9809a29c7e00a576491e1b57b79a postfix-2.0.11.tar.gz
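Review bot: in the README-Postfix-SASL-RedHat.txt hunk, the "Using saslpasswd to Authenticate" section contradicts the rest of the file and will not work with the configuration this package ships. It tells the reader to run `saslpasswd` and to `chgrp postfix /etc/sasldb`, which are the SASL v1 tool and database names, while the "Using Saslauthd" section says the v2 libraries under /usr/lib/sasl2 are mandatory and the shipped postfix-sasl.conf sets `pwcheck_method: saslauthd`, so with the smtpd.conf this package installs sasldb is never consulted. Either state that `pwcheck_method` in /usr/lib/sasl2/smtpd.conf has to be changed away from saslauthd for this section to apply, or drop the section; under cyrus-sasl 2 the tool is `saslpasswd2` and the database is /etc/sasldb2, and the chgrp/chmod step should name that file. Smaller points in the same hunk: the quick start uses `check_relay_domains`, which the 2.0 series the spec moves to marks as deprecated in favour of `reject_unauth_destination`; the quick start sets only `noanonymous`, so PLAIN and LOGIN are offered on the unencrypted session even though the text later recommends `noplaintext` (if the intent is to rely on STARTTLS, say so there); the client-side comment cites "RFC 2557" where the server section correctly cites RFC 2554; the PAM troubleshooting says `smtpd_sasl_local_domain` must be unset or empty while the sasldb section says it defaults to `$myhostname`, and only one can be right for 2.0.11 (check with `postconf -d smtpd_sasl_local_domain`); `reject_sender_login_mismatch` is shown as if it were a standalone main.cf line, but it is a restriction and belongs inside a list such as `smtpd_sender_restrictions`; and "provided this service", "this this problem", "principle reasons", "disables disables ANON", "intalled", "prefered", "which to modify" and "authtentication" are typos.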
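Review bot: the SASL fallback condition in the first postfix.spec hunk (`@@ -1,17 +1,26 @@`) does the opposite of what its comment says. The comment says to drop to SASL V1 when LDAP is requested and keep V2 when it is not, but `%if %{LDAP} <= 1 && %{SASL} >= 2` also fires for `LDAP 0`, so a build with LDAP disabled is forced onto SASL V1, and with `LDAP 2` (the value set on the line above) it never fires at all. If 2 is meant as "LDAP linked against SASL V2", the test wanted is `%if %{LDAP} == 1 && %{SASL} >= 2`; either way, document what 0, 1 and 2 mean next to `%define LDAP 2`. Also in this hunk, the comment "If we have db4, assume db4, otherwise db3" describes a detection the spec does not perform (`%define dbver db4` is hard-coded), and `%define releasedate 20020624` is left at its 1.1.x value while `ver` moves to 2.0.11, so a snapshot build would carry a stale date.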
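Review bot: `Source102: postfix-saslauthd.conf` is introduced in the `@@ -44,36 +56,39 @@` hunk and installed later as /etc/sysconfig/saslauthd, but no `diff --git a/postfix-saslauthd.conf` appears in this change, so unless the file already exists in the repository the build stops at %install. Please add the file; per the README it should set `MECH=pam`, with `FLAGS` as the only other setting read from it. In the same hunk the new `%if %{SASL}` block requires `cyrus-sasl >= 2.1.10` unconditionally, but the first hunk can reset SASL to 1, after which %build links `-lsasl` from `%{_libdir}/sasl` and skips the `-I/usr/include/sasl` include path, so the dependency no longer matches the library being linked; the V1 branch needs its own BuildRequires/Requires. Finally, `Patch5: postfix-1.1.12-resolve.patch` ("Fix issue with malformed addresses") is dropped without a changelog mention; a line confirming that fix is in 2.0.11 upstream would save the next reader a search.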
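Review bot: the `@@ -86,21 +101,16 @@` hunk truncates the %description to "supporting LDAP, SMTP AUTH (SASL), TLS" with no full stop and no "and" before the last item, since the chroot clause was cut out of the middle of the sentence; rewrite it as "supporting LDAP, SMTP AUTH (SASL) and TLS." so the package summary reads cleanly in `rpm -qi`.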
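Review bot: the non-TLS branch of %prep (`@@ -109,41 +119,21 @@`) applies postfix-config.patch with `patch --fuzz=3 -p1 -b -z .config < %{P:1}`, and the comment itself admits this "is a bit dangerous": with all context ignored the hunks can land on the wrong lines and the build still succeeds. Since `TLS` is a build-time switch in this same spec, the safer fix is a second config patch generated against the unpatched tree and selected with `%if %{TLS}`, or regenerating the single patch so it applies to both; at minimum run `patch --dry-run` without the fuzz first so a misapplied patch is a hard error rather than a silent one.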
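Review bot: in the %build SASL hunk (`@@ -165,11 +155,19 @@`), the `%define sasl_lib_dir %{_libdir}/sasl2` on the line before `%if %{SASL} <= 1` is redundant, because both branches redefine the macro, and it is misleading, because the V1 branch then points it at `%{_libdir}/sasl`. More importantly, the macro is only defined inside `%if %{SASL}`, yet %install and %files use `%{sasl_lib_dir}/smtpd.conf` outside any conditional, so a build with `SASL 0` fails on an undefined macro. Define `sasl_lib_dir` once next to the `%define SASL` switch at the top of the spec and drop the duplicate here.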
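Review bot: the `@@ -260,11 +259,16 @@` hunk installs smtpd.conf, pam.d/smtp.postfix and sysconfig/saslauthd unconditionally, and the matching `%config(noreplace)` entries in %files are unconditional too, while the library they exist for is selected under `%if %{SASL}` in %build; wrap both sets of lines in the same conditional. /etc/sysconfig/saslauthd is also the daemon's own configuration rather than Postfix's (the README describes it as what saslauthd reads at start-up), so if the cyrus-sasl package that provides `/usr/sbin/saslauthd` ships the same path this package will conflict with it at install time; check with `rpm -qf /etc/sysconfig/saslauthd` on a build host and, if it is already owned, drop Source102 and keep only the documented `MECH=pam` edit.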
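Review bot: the new `--slave %{_sysconfdir}/pam.d/smtp mta-pam ...` in the %post alternatives hunk (`@@ -290,18 +294,15 @@`) means /etc/pam.d/smtp is removed whenever the admin switches the `mta` alternative to sendmail, unless sendmail's spec registers the same slave; the README already documents that the result on Red Hat is a silent PAM deny because "other" rejects by default. Coordinate the slave name with the sendmail package, or ship the PAM file under a fixed path and have only the symlink managed by alternatives, so switching MTAs cannot break SMTP AUTH for the other one without a trace in the logs.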
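Review bot: the changelog hunk (`@@ -517,8 +438,28 @@`) deletes Bill Nottingham's "Mon Jul 28 2003 ... 2:1.1.12-1" entry rather than keeping it; it is dated after the new top entry (Tue Jul 22 2003, 2.0.11-5), which suggests the 1.1.12 update came in on a different branch, and the 2.0.11-5 entry should say explicitly that it supersedes 1.1.12-1 instead of dropping history silently. In the same hunk, "Fix bugs 75439, 81913 90412, ..." is missing a comma after 81913, and the John Dennis and Elliot Lee entries carry no version-release tag while the two Nalin/Nottingham entries do; use one form throughout.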