auto-import postfix-2.0.11-5 from postfix-2.0.11-5.src.rpm

2004-09-09 10:37:31 +00:00 · 2004-09-09 10:37:31 +00:00 · 01e895e066
commit 01e895e066
parent ba5bdf45bc
6 changed files with 556 additions and 167 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1,2 +1,2 @@
-pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2
+pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz
-postfix-1.1.12.tar.gz
+postfix-2.0.11.tar.gz
--- a/README-Postfix-SASL-RedHat.txt
+++ b/README-Postfix-SASL-RedHat.txt
@ -0,0 +1,444 @@
 Quick Start to Authenticate with SASL and PAM:
 ----------------------------------------------
 If you don't need the details and are an experienced system
 administrator you can just do this, otherwise read on.
 1) Edit /etc/postfix/main.cf and set this:
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions = 
  permit_sasl_authenticated,
  permit_mynetworks,
  check_relay_domains
 2) Turn on saslauthd:
   /sbin/chkconfig --level 345 saslauthd on
   /sbin/service saslauthd start
 3) Edit /etc/sysconfig/saslauthd and set this:
   MECH=pam
 4) Restart Postfix:
   /sbin/service postfix restart
 A crash course in using SASL with Postfix:
 ------------------------------------------
 Red Hat's Postfix RPMs include support for both SASL and TLS.  SASL, the
 Simple Authentication and Security Layer, allows Postfix to implement RFC
 2554, which defines an extension to ESMTP, SMTP AUTH, which compliant
 ESMTP clients can use to authenticate themselves to ESMTP servers.
 Typically, this is used to allow roaming users to relay mail through a
 server safely without configuring the SMTP server to be an open relay.
 Inclusion of TLS support allows Postfix to implement RFC 2487, which
 defines an extension to ESMTP, SMTP STARTTLS, which compliant ESMTP
 clients and servers can use to encrypt the SMTP session.  This is a
 security enhancement -- normally SMTP is transmitted as cleartext over the
 wire, making it vulnerable to both passive sniffing and active alteration
 via monkey-in-the-middle attacks.  In addition, STARTTLS can also be
 used by either or both server and client to verify the identity of the
 other end, making it useful for the same sorts of purposes as SMTP AUTH.
 The two can even be combined.  Typically, this is done by first starting
 TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command,
 to authenticate the client; this combination ensures that the username
 and password transferred as part of the SMTP AUTH are protected by the
 TLS encrypted session.
 SMTP AUTH is implemented using SASL, an abstraction layer which can
 authenticate against a variety of sources.  On Red Hat, SASL can use
 the /etc/shadow file, or it can use PAM libraries, or it can use its own
 password database (/etc/sasldb), or it can do various more exotic things.
 Authentication raises a number of security concerns for obvious
 reasons. As a consequence authentication services on Red Hat systems
 are restricted to processes running with root privileges. However for
 security reasons it is also essential that a mail server such as
 Postfix run without root privileges so that mail operations cannot
 compromise the host system. This means that Postfix cannot directly
 use authentication services because it does not execute with root
 privileges. The answer to this this problem is to introduce an
 intermediary process that runs with root privileges which Postfix can
 communicate with and will perform authentication on behalf of
 Postfix. The SASL package includes an authentication daemon called
 saslauthd which provided this service, think of it as an
 authentication proxy.
 Using Saslauthd:
 ---------------- 
 To use saslauthd there are several things you must assure are
 configured. 
 SASL has been shipped in various versions, currently there is SASL V1
 and SASL V2. The implementation of saslauthd is not compatible between
 SASL V1 and V2 libraries. You must use the V2 implementation of
 SASL. Note that currently the V1 SASL libraries install in
 /usr/lib/sasl and the V2 SASL libraries install in /usr/lib/sasl2.
 Selecting an Authentication Method:
 -----------------------------------
 Recall that it is saslauthd which is authenticating, not
 Postfix. To start with you must tell Postfix to use saslauthd, in
 main.cf edit this configuration parameter:
   smtpd_sasl_auth_enable = yes
 It is also recommended that you disable anonymous logins otherwise
 you've left your system open, so also add this configuration
 parameter. 
   smtpd_sasl_security_options = noanonymous
 Now you must tell saslauthd which authentication method to use. To
 determine the authentication methods currently supported by saslauthd
 invoke saslauthd with the -v parameter, it will print its version and
 its list of methods and then exit, for example:
   /usr/sbin/saslauthd -v
   saslauthd 2.1.10
   authentication mechanisms: getpwent kerberos5 pam rimap shadow 
 When saslauthd starts up it reads its configuration options from the
 file /etc/sysconfig/saslauthd. Currently there are two parameters
 which can be set in this file, MECH and FLAGS. MECH is the
 authentication mechanism and FLAGS is any command line flags you may
 wish to pass to saslauthd. To tell saslauthd to use a specific
 mechanism edit /etc/sysconfig/saslauthd and set the MECH parameter,
 for example to use PAM it would look like this:
   MECH=pam
 Of course you may use any of the other authentication mechanisms that
 saslauthd reported it supports. PAM is an excellent choice as PAM
 supports many of the same authentication methods that saslauthd does,
 but by using PAM you will have centralized all of your authentication
 configuration under PAM which is one of PAM's greatest assets.
 How Postfix Interacts with SASL to Name its Authentication Services:
 --------------------------------------------------------------------
 It can be very helpful to understand how Postfix communicates with
 SASL to name its authentication services. Knowing this will let you
 identify the configuration files the various components will access.
 When Postfix invokes SASL it must give SASL an application name that
 SASL will use among other things to locate a configuration file for
 the application. The application name Postfix identifies itself as is
 "smtpd". SASL will append ".conf" to the application name and look for
 a config file in its library directory. Thus SASL will read Postfix's
 configuration from:
   /usr/lib/sasl2/smtpd.conf
 This file names the authentication method SASL will use for Postfix
 (actually for smtpd, other MTA's such as sendmail may use the same
 file). Because we want to use the saslauthd authentication proxy
 daemon the contents of this file is:
   pwcheck_method: saslauthd
 This tells SASL when being invoked to authentication for Postfix that
 it should use saslauthd. Saslauthd's mechanism is set in
 /etc/sysconfig/saslauthd (see below).
 When Postfix calls on SASL to authenticate it passes to SASL a service
 name. This service name is used in authentication method specific
 way. The service name Postfix passes to SASL is "smtp" (note this is
 not the same as the application name which is "smtpd"). To understand
 this better consider the case of using PAM authentication. When SASL,
 or in our case saslauthd, invokes PAM it passes the service name of
 "smtp" to PAM which means that when PAM wants to read configuration
 information for this client it will find it under the name of "smtp". 
 Turning on the Authentication Daemon:
 -------------------------------------
 Red Hat security policy is not to automatically enable services
 belonging to a package when the package is installed. The system
 administrator must explicitly enable the service. To enable saslauthd
 do the following:
 1) Tell the init process to launch saslauthd when entering various run
   levels. Assuming you want saslauthd to run at run levels 3,4,5
   invoke chkconfig.
   /sbin/chkconfig --level 345 saslauthd on
 2) You will probably want to start saslauthd now without having to
   reboot, to do this:
   /sbin/service saslauthd start
 Trouble Shooting Authentication:
 --------------------------------
 The best way to debug authentication problems is to examine log
 messages from the authentication components. However, normally these
 log messages are suppressed. There are two principle reasons the
 messages are suppressed. The first is that they are typically logged
 at the DEBUG logging priority level which is the lowest priority and
 the syslog configuration typically logs only higher priority
 messages. The second reason is that for security reasons authentication
 logging is considered a risk. Authentication logging has been divided
 into two different facilities, auth and authpriv. authpriv is private
 and is typically shunted off to a different log file with higher
 protection. You will want to be able to see both auth and authpriv
 messages at all priorities. To do this as root edit /etc/syslog.conf
 file, find the following line
 authpriv.*					/var/log/secure
 edit the line to:
 authpriv.*;auth.*				/var/log/secure
 Then restart syslogd so the syslog configuration changes will be
 picked up:
       /sbin/service syslogd restart
 Now all authentication messages at all priorities will log to
 /var/log/secure. 
 Using PAM to Authenticate:
 --------------------------
 Edit /etc/sysconfig/saslauthd and set MECH to PAM like this:
   MECH=pam
 When PAM is invoked via SASL it is passed a service name of
 "smtp". This means that PAM will read its configuration parameters for
 Postfix from the file: /etc/pam.d/smtp. By default this file is set to
 refer to the global system PAM authentication policy, thus by default
 you'll get whatever PAM authentication your system is configured for
 and virtually all applications use. Configuring PAM authentication is
 beyond the scope of this document, please refer to the PAM
 documentation if you which to modify PAM.
 Trouble Shooting PAM Authentication:
 ------------------------------------
 1) One possible reason PAM may fail to authenticate even if the user
 is known to the system is if PAM fails to find the service
 configuration file in /etc/pam.d. Service configuration files are not
 required by PAM, if it does not find a service configuration file it
 will default to "other". Since PAM does not consider the absence of a
 service configuration file a problem it does not log anything nor does
 it return an error to the calling application. In other words it is
 completely silent about the fact it did not find a service
 configuration file. On Red Hat system the default implementation of
 "other" for PAM is to deny access. This means on Red Hat systems the
 absence of a PAM service configuration file will mean PAM will
 silently fail authentication. The PAM service configuration file for
 postfix is /etc/pam.d/smtp and is intalled by the Red Hat Postfix rpm
 and put under control of "alternatives" with name mta. Alternatives
 allows one to select between the sendmail and postfix MTA's and
 manages symbolic links for files the two MTA's share. /etc/pam.d/smtp
 is one such file, if you have not selected Postfix as your prefered
 MTA the link to this file will not be present. To select Postfix as
 your MTA do this: "/usr/sbin/alternatives --config mta" and follow the
 prompt to select postfix.
 2) Is SASL appending a realm or domain to a username? PAM
   authentication requires a bare username and password, other
   authentication methods require the username to be qualified with a
   realm. Typically the username will be rewritten as user@realm
   (e.g. user@foo.com) PAM does not understand a username with
   "@realm" appended to it and will fail the authentication with the
   message that the user is unknown. If the log files shows saslauthd
   usernames with "@realm" appended to it then the
   smtpd_sasl_local_domain configuration parameter is likely set in
   /etc/postfix/main.cf file, make sure its either not set or set it
   to an empty string. Restart postfix and test authtentication again,
   the log file should show only a bare username.
 Using saslpasswd to Authenticate:
 ---------------------------------
 SASL can maintain its own password database independent of the host
 system's authentication setup, it is called saslpasswd. You may wish
 to use saslpasswd if you want to isolate who can smtp authenticate
 from general system users. However, it does add another password
 database that a system administrator must maintain.
 To authenticate against sasldb, you'll first have to create accounts.
 These accounts are entirely separate from system accounts, and are used
 only by connecting SMTP clients to authenticate themselves.  Use the
 saslpassword command:
 saslpasswd -u realm -c user
 to create an account named user which can log into realm.  For the
 realm, make absolutely certain that you use the same value as is set for
 myhostname in /etc/postfix/main.cf.  If you don't, it likely won't work.
 Also, be aware that saslpasswd is somewhat buggy.  The first time you
 run it, it may generate an error message while initializing the sasldb.
 If it does, just add that user a second time.
 You'll need to set permissions on the SASL password database so that
 the Postfix daemons can read it:
   chgrp postfix /etc/sasldb
   chmod g+r /etc/sasldb
 Now, you'll need to modify /etc/postfix/main.cf to tell it to
 support SASL.  The complete options you might want to use are in the
 sample-auth.cf file in the Postfix documentation directory.  An option
 you will definitely need is:
 # enable SASL support
 smtpd_sasl_auth_enable = yes
 You might also need to set the SASL authentication realm to whatever
 realm you used when you created your sasldb; by default, this is set to
 $myhostname, but you instead might need something like:
 # set SASL realm to domain instead
 smtpd_sasl_local_domain = $mydomain
 Other Postfix Authentication Parameters:
 ----------------------------------------
 If you want to allow your already configured users to still use your SMTP
 server, and to allow users authenticated via SMTP AUTH to use your server
 as well, then modify your existing smtpd_recipient_restrictions line to;
 # also allow authenticated (RFC 2554) users
 smtpd_recipient_restrictions = permit_sasl_authenticated ...
 If you want to restrict use of your server to just authenticated clients
 (Note: this is a bad idea for public mail servers), then instead use:
 # restrict server access to authenticated (RFC 2554) clients
 smtpd_delay_reject = yes
 smtpd_client_restrictions = permit_sasl_authenticated ...
 SASL supports several password types which have differing security
 properties.  Different SMTP clients may support some or all of these
 password types.  When the client issues an EHLO command, the server
 tells it which types it supports:
 $ telnet station6 25
 Trying 10.100.0.6...
 Connected to station6.example.com.
 Escape character is '^]'.
 220 station6.example.com ESMTP Postfix
 ehlo station7
 250-station6.example.com
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
 250-XVERP
 250 8BITMIME
 Here, the server supports PLAIN, LOGIN, DIGEST-MD5, and CRAM-MD5 password
 methods.
 The client then chooses the first of these listed methods which it also
 supports, and issues an SMTP AUTH request.
 For security, PLAIN and LOGIN methods are typically disabled.  These two
 methods use trivially decryptable encryption, making the username and
 password issued by the client vulnerable to interception via a sniffer
 in between the server and client.  Unfortunately, they can't always
 be disabled.  Some popular SMTP clients, including MS Outlook 5.x,
 only support PLAIN authentication, for example.
 To limit the login methods offered by the server:
 # disable unsafe password methods
 smtpd_sasl_security_options = noplaintext noanonymous
 Available options are:
 noplaintext, which disables LOGIN and PLAIN
 noanonymous, which disables disables ANON
 nodictionary, which disables methods vulnerable to dictionary attacks
 noactive, which disables methods vulnerable to active attacks
 The last two are rarely used, since almost all supported methods are
 vulnerable to those attacks ;-).
 Also be aware that some broken clients mis-implement the SMTP AUTH
 protocol, and send commands using incorrect syntax (AUTH=foo instead of
 the correct AUTH foo).  MS Outlook 4.x clients have this bug, among
 a legion of others....  If you need to support these clients, use:
 # support braindead MS products
 broken_sasl_auth_clients = yes
 To help prevent spoofing, you can also create a map file of SASL login
 names which are allowed to use specific envelope sender (MAIL FROM)
 addresses.  If you choose to do this, you also have to tell Postfix to
 reject addresses which don't match login names:
 # prevent spoofing by authenticated users
 reject_sender_login_mismatch
 smtpd_sender_login_maps=type:/path/to/file
 Configuration of SASL clients is much simpler.  Postfix itself can be
 made a SASL client; this is typically useful when roaming users run Linux
 on their laptop and need to relay mail back through the organization's
 main server.
 To enable Postfix to act as an SMTP AUTH client, simply add to
 /etc/postfix/main.cf:
 # support authentication (RFC 2557) when relaying through a server
 smtp_sasl_auth_enable = yes
 and tell Postfix where to find the usernames and passwords it should
 use to authenticate:
 # location of passwords for authentication client
 smtp_sasl_password_maps = type:/path/to/file
 The file itself should have the format:
 destination     username:password
 where destination is the name of the server, and username:password are
 the username and password which should be presented to that server to
 authenticate when connecting to it as a client.
 Optionally, the authentication methods to be used can be specified for
 the Postfix client, just as they can be for the Postfix server:
 # disable plaintext and anonymous
 smtp_sasl_security_options = noplaintext noanonymous
 Many popular end-user MUAs can also be configured as SMTP AUTH clients.
 Clients capable of this supplied with Red Hat include pine, Netscape,
 and Mozilla.
 Other Sources of Documentation:
 -------------------------------
 Local configuration examples:
 /usr/share/doc/postfix-*/samples
 Postfix Howtos, Guides and Tips by Ralf Hildebrandt and Patrick
 Koetter can be found at: http://postfix.state-of-mind.de
 ------------------------------------------------------------------------------
 Please send any comments / corrections to Chris Ricker
 <kaboom@gatech.edu>.  This material can be freely modified and
 redistributed. Additional material provided by John Dennis
 <jdennis@redhat.com>
--- a/postfix-pam.conf
+++ b/postfix-pam.conf
@ -0,0 +1,3 @@
 #%PAM-1.0
 auth       required	pam_stack.so service=system-auth
 account    required	pam_stack.so service=system-auth
--- a/postfix-sasl.conf
+++ b/postfix-sasl.conf
@ -0,0 +1 @@
 pwcheck_method: saslauthd
--- a/postfix.spec
+++ b/postfix.spec
@ -1,17 +1,26 @@
-%define copy_cmd copy() { ln -f "$1" "$2" 2>/dev/null || cp -df "$1" "$2"; }
+%define LDAP 2
 %define ROOT /var/spool/postfix
 %define LDAP 0
 %define MYSQL 0
 %define PCRE 1
-%define SASL 1
+%define SASL 2
 %define TLS 1
 %define SMTPD_MULTILINE_GREETING 1
 %define POSTDROP_GID 90
 # On Redhat 8.0.1 and earlier, LDAP is compiled with SASL V1 and won't work
 # if postfix is compiled with SASL V2. So we drop to SASL V1 if LDAP is
 # requested but use the preferred SASL V2 if LDAP is not requested.
 # Sometime soon LDAP will build agains SASL V2 and this won't be needed.
 %if %{LDAP} <= 1 && %{SASL} >= 2
 %undefine SASL
 %define SASL 1
 %endif
 # Do we use db3 or db4 ? If we have db4, assume db4, otherwise db3.
 %define dbver db4
 # If set to 1 if official version, 0 if snapshot
 %define official 1 
-%define ver 1.1.12
+%define ver 2.0.11
 %define releasedate 20020624
 %define alternatives 1
 %if %{official}
@ -21,8 +30,10 @@ Version: %{ver}
 Version: %{ver}-%{releasedate}
 %define ftp_directory experimental
 %endif
 Release: 5
 Epoch: 2
-%define tlsno pfixtls-0.8.11a-1.1.11-0.9.6d
+%define tlsno pfixtls-0.8.13-2.0.10-0.9.7b
 # Postfix requires one exlusive uid/gid and a 2nd exclusive gid for its own
 # use.  Let me know if the second gid collides with another package.
@ -31,6 +42,7 @@ Version: %{ver}-%{releasedate}
 %define postfix_gid    89
 %define maildrop_group postdrop
 %define maildrop_gid   %{POSTDROP_GID}
 %define docdir %{_docdir}/%{name}-%{version}
 Name: postfix
 Group: System Environment/Daemons
@ -44,36 +56,39 @@ PreReq: /usr/sbin/alternatives
 Obsoletes: sendmail exim qmail
 %endif
 PreReq: %{_sbindir}/groupadd, %{_sbindir}/useradd
 Epoch: 2
 Provides: MTA smtpd smtpdaemon /usr/bin/newaliases
 Release: 1
 Summary: Postfix Mail Transport Agent
 Source0: ftp://ftp.porcupine.org/mirrors/postfix-release/%{ftp_directory}/%{name}-%{version}.tar.gz
 Source3: postfix-etc-init.d-postfix
 Source5: postfix-aliases
-Source6: postfix-chroot-setup.awk
+Source9: ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/%{tlsno}.tar.gz
-Source9: ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/%{tlsno}.tar.bz2
+Source11: README-Postfix-SASL-RedHat.txt
-Source10: postfix-smtpd.conf
+# Sources >= 100 are config files
-Source11: README-Postifx-SASL-RedHat.txt
+Source100: postfix-sasl.conf
 Source101: postfix-pam.conf
 Source102: postfix-saslauthd.conf
 Patch1: postfix-config.patch
 Patch2: postfix-smtp_sasl_proto.c.patch
 Patch3: postfix-alternatives.patch
 Patch4: postfix-1.1.4-sasl2-patch
 Patch5: postfix-1.1.12-resolve.patch
 # Optional patches - set the appropriate environment variables to include
 #                    them when building the package/spec file
 # applied if %SMTPD_MULTILINE_GREETING=1
 Patch99: postfix-smtpd_multiline_greeting.patch
 BuildRoot: %{_tmppath}/%{name}-buildroot
 # Determine the different packages required for building postfix
-BuildRequires: gawk, perl, sed, ed, db4-devel, pkgconfig
+BuildRequires: gawk, perl, sed, ed, %{dbver}-devel, pkgconfig
 Requires: %{dbver}
 %if %{LDAP}
-BuildRequires: openldap >= 1.2.9, openldap-devel >= 1.2.9
+BuildRequires: openldap >= 2.0.27, openldap-devel >= 2.0.27
 Requires: openldap >= 2.0.27
 %endif
 %if %{SASL}
 BuildRequires: cyrus-sasl >= 2.1.10, cyrus-sasl-devel >= 2.1.10
 Requires: cyrus-sasl  >= 2.1.10
 %endif
 %if %{PCRE}
@ -86,21 +101,16 @@ Requires: mysql, mysqlclient9
 BuildRequires: mysql, mysqlclient9, mysql-devel
 %endif
 %if %{SASL}
 Requires: cyrus-sasl
 BuildRequires: cyrus-sasl, cyrus-sasl-devel
 %endif
 %if %{TLS}
 Requires: openssl
-BuildRequires: openssl-devel
+BuildRequires: openssl-devel >= 0.9.6
 %endif
 Provides: /usr/sbin/sendmail /usr/bin/mailq /usr/bin/rmail
 %description
 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
-TLS and running in a chroot environment.
+TLS
 %prep
 umask 022
@ -109,41 +119,21 @@ umask 022
 # Apply the TLS patch, must be at first, because the changes of master.cf
 %if %{TLS}
 patch -p1 <%{tlsno}/pfixtls.diff
 %patch1 -p1 -b .config
 %else
 # Without the TLS patch the context lines in this patch don't match.
 # Set fuzz to ignore all context lines, this is a bit dangerous.
 patch --fuzz=3 -p1 -b -z .config < %{P:1}
 %endif
 # Apply obligatory patches
 %patch1 -p1 -b .config
 %patch2 -p1 -b .auth
 %if %alternatives
 %patch3 -p1 -b .alternatives
 %endif
 # Apply the SASL2 patch to make postfix work correctly with SASL2.
 %patch4 -p1 -b .sasl2
 # Fix issue with malformed addresses
 %patch5 -p1 -b .headers
 # Apply optional patches
 # Apply my SMTPD Multiline greeting patch
 %if %{SMTPD_MULTILINE_GREETING}
 %patch99 -p1 -b .multiline
 %endif
 # Move around the TLS docs
 %if %{TLS}
 mkdir html/TLS
 mv %{tlsno}/doc/* html/TLS
 for i in ACKNOWLEDGEMENTS CHANGES INSTALL README TODO; do
  mv %{tlsno}/$i $i.TLS
 done
 %endif
 # setup master.cf to be chrooted
 mv conf/master.cf conf/master.cf-nochroot
 awk -f %{_sourcedir}/postfix-chroot-setup.awk < conf/master.cf-nochroot > conf/master.cf
 %build
 umask 022
@ -156,7 +146,7 @@ CCARGS="${CCARGS} -fsigned-char"
 %if %{LDAP}
  CCARGS="${CCARGS} -DHAS_LDAP"
-  AUXLIBS="${AUXLIBS} -L/usr/%{_lib} -lldap -llber"
+  AUXLIBS="${AUXLIBS} -L%{_libdir} -lldap -llber"
 %endif
 %if %{PCRE}
  # -I option required for pcre 3.4 (and later?)
@ -165,11 +155,19 @@ CCARGS="${CCARGS} -fsigned-char"
 %endif
 %if %{MYSQL}
  CCARGS="${CCARGS} -DHAS_MYSQL -I/usr/include/mysql"
-  AUXLIBS="${AUXLIBS} -L/usr/%{_lib}/mysql -lmysqlclient -lm"
+  AUXLIBS="${AUXLIBS} -L%{_libdir}/mysql -lmysqlclient -lm"
 %endif
 %if %{SASL}
  %define sasl_lib_dir %{_libdir}/sasl2
  CCARGS="${CCARGS} -DUSE_SASL_AUTH"
-  AUXLIBS="${AUXLIBS} -lsasl"
+  %if %{SASL} <= 1
    %define sasl_lib_dir %{_libdir}/sasl
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl"
  %else
    %define sasl_lib_dir %{_libdir}/sasl2
    CCARGS="${CCARGS} -I/usr/include/sasl"
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl2"
  %endif
 %endif
 %if %{TLS}
  if pkg-config openssl ; then
@ -205,11 +203,17 @@ sh postfix-install -non-interactive \
       mail_owner=postfix \
       setgid_group=%{maildrop_group} \
       manpage_directory=%{_mandir} \
-       sample_directory=/samples \
+       sample_directory=%{docdir}/samples \
-       readme_directory=%{_docdir}/%{name}-%{version}/README_FILES || exit 1
+       readme_directory=%{docdir}/README_FILES || exit 1
-rm -fr ./samples
+# Move around the TLS docs
-mv $RPM_BUILD_ROOT/samples .
+%if %{TLS}
 mkdir -p $RPM_BUILD_ROOT%{docdir}/TLS
 cp %{tlsno}/doc/* $RPM_BUILD_ROOT%{docdir}/TLS
 for i in ACKNOWLEDGEMENTS CHANGES INSTALL README TODO; do
  cp %{tlsno}/$i $RPM_BUILD_ROOT%{docdir}/TLS
 done
 %endif
 # Change alias_maps and alias_database default directory to %{_sysconfdir}/postfix
 bin/postconf -c $RPM_BUILD_ROOT%{_sysconfdir}/postfix -e \
@ -222,11 +226,6 @@ bin/postconf -c $RPM_BUILD_ROOT%{_sysconfdir}/postfix -e \
 install -c %{_sourcedir}/postfix-etc-init.d-postfix \
                  $RPM_BUILD_ROOT/etc/rc.d/init.d/postfix
 # These set up the chroot directory structure
 mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/etc
 mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/%{_lib}
 mkdir -p $RPM_BUILD_ROOT%{_var}/spool/postfix/usr/%{_lib}/zoneinfo
 install -c auxiliary/rmail/rmail $RPM_BUILD_ROOT%{_bindir}/rmail
 # copy new aliases files and generate a ghost aliases.db file
@ -260,11 +259,16 @@ q
 EOF
 # Install the smtpd.conf file for SASL support.
-mkdir -p $RPM_BUILD_ROOT%{_libdir}/sasl
+mkdir -p $RPM_BUILD_ROOT%{sasl_lib_dir}
-install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_libdir}/sasl/smtpd.conf
+install -m 644 %SOURCE100 $RPM_BUILD_ROOT%{sasl_lib_dir}/smtpd.conf
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
 install -m 644 %SOURCE101 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/smtp.postfix
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
 install -m 644 %SOURCE102 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/saslauthd
 # Install Postfix Red Hat HOWTO.
-cp %{SOURCE11} .
+mkdir -p $RPM_BUILD_ROOT%{docdir}
 install -c %{SOURCE11} $RPM_BUILD_ROOT%{docdir}
 # remove LICENSE file from /etc/postfix (it's still in docdir)
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/postfix/LICENSE
@ -290,18 +294,15 @@ sh %{_sysconfdir}/postfix/post-install \
 	mail_owner=postfix \
 	setgid_group=%{maildrop_group} \
 	manpage_directory=%{_mandir} \
-	sample_directory=%{_docdir}/%{name}-%{version}/samples \
+	sample_directory=%{docdir}/samples \
-	readme_directory=%{_docdir}/%{name}-%{version}/README_FILES \
+	readme_directory=%{docdir}/README_FILES \
 	upgrade-package
 # setup chroot config
 mkdir -p %{ROOT}/etc
 [ -e /etc/localtime ] && cp /etc/localtime %{ROOT}/etc
 %if %alternatives
 /usr/sbin/alternatives --install %{_sbindir}/sendmail mta %{_sbindir}/sendmail.postfix 30 \
        --slave %{_bindir}/mailq mta-mailq %{_bindir}/mailq.postfix \
        --slave %{_bindir}/newaliases mta-newaliases %{_bindir}/newaliases.postfix \
        --slave %{_sysconfdir}/pam.d/smtp mta-pam %{_sysconfdir}/pam.d/smtp.postfix \
        --slave %{_bindir}/rmail mta-rmail %{_bindir}/rmail.postfix \
        --slave %{_mandir}/man1/mailq.1.gz mta-mailqman %{_mandir}/man1/mailq.postfix.1.gz \
        --slave %{_mandir}/man1/newaliases.1.gz mta-newaliasesman %{_mandir}/man1/newaliases.postfix.1.gz \
@ -309,43 +310,6 @@ mkdir -p %{ROOT}/etc
 	--initscript postfix
 %endif
 # Generate chroot jails on the fly when needed things are installed/upgraded
 %triggerin -- glibc
 %{copy_cmd}
 # Kill off old versions
 rm -rf %{ROOT}/%{_lib}/libnss* %{ROOT}/%{_lib}/libresolv*
 # Copy the relevant parts in
 LIBCVER=`ls -l /%{_lib}/libc.so.6* | sed "s/.*libc-\(.*\).so$/\1/g"`
 for i in compat dns files hesiod nis nisplus ; do
 	[ -e /%{_lib}/libnss_$i-${LIBCVER}.so ] && copy /%{_lib}/libnss_$i-${LIBCVER}.so %{ROOT}/%{_lib}
 	[ -e /%{_lib}/libnss_$i.so ] && copy /%{_lib}/libnss_$i.so %{ROOT}/%{_lib}
 done
 copy /%{_lib}/libresolv-${LIBCVER}.so %{ROOT}/%{_lib}
 ldconfig -n %{ROOT}/%{_lib}
 %if %{LDAP}
 %triggerin -- openldap
 rm -rf %{ROOT}/usr/%{_lib}/liblber* %{ROOT}/usr/%{_lib}/libldap*
 %{copy_cmd}
 copy /usr/%{_lib}/liblber.so.2 %{ROOT}/usr/%{_lib}
 copy /usr/%{_lib}/libldap_r.so.2 %{ROOT}/usr/%{_lib}
 copy /usr/%{_lib}/libldap.so.2 %{ROOT}/usr/%{_lib}
 ldconfig -n %{ROOT}/usr/%{_lib}
 %endif
 %triggerin -- setup
 rm -f %{ROOT}/etc/services
 %{copy_cmd}
 copy /etc/services %{ROOT}/etc
 # Put db4 in the chroot jail, but only if the soname is correct
 %triggerin -- db4
 %{copy_cmd}
 DBVER=`ldd %{_libexecdir}/postfix/pickup |grep libdb |sed "s,[[:blank:]],,g;s,=>.*,,"`
 if [ -e "/%{_lib}/$DBVER" ]; then
 	copy "/%{_lib}/$DBVER" %{ROOT}/%{_lib}
 fi
 %pre
 # Add user and groups if necessary
 %{_sbindir}/groupadd -g %{maildrop_gid} -r %{maildrop_group} 2>/dev/null
@ -357,33 +321,6 @@ exit 0
 %preun
 umask 022
 # selectively remove the rest of the queue directory structure
 # first remove the "queues" (and assume the hash depth is still 2)
 queue_directory_remove () {
    for dir in active bounce defer deferred flush incoming; do
        for a in 0 1 2 3 4 5 6 7 8 9 A B C D E F; do
   	    test -d $dir/$a && {
 	        for b in 0 1 2 3 4 5 6 7 8 9 A B C D E F; do
 		    test -d $dir/$a/$b && (
 		        /bin/rm -f $dir/$a/$b/*
 		        /bin/rmdir $dir/$a/$b
 		    )
 		done
 		/bin/rmdir $dir/$a || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir/$a"
 	    }
        done
 	/bin/rmdir $dir || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir"
    done
    # now remove the other directories
    for dir in corrupt maildrop pid private public saved; do
        test -d $dir && {
            /bin/rm -f $dir/*
            /bin/rmdir $dir || echo "WARNING: preun - unable to remove directory %{_var}/spool/postfix/$dir"
        }
    done
 }
 if [ "$1" = 0 ]; then
    # stop postfix silently, but only if it's running
    /sbin/service postfix stop &>/dev/null
@ -392,17 +329,8 @@ if [ "$1" = 0 ]; then
    /usr/sbin/alternatives --remove mta %{_sbindir}/sendmail.postfix
 %endif
    cd %{_var}/spool/postfix && {
        # Clean up chroot environment
 	rm -rf %{ROOT}/%{_lib} %{ROOT}/usr %{ROOT}/etc
        queue_directory_remove
    }
 fi
 # Remove unneeded symbolic links
 for i in samples; do
  test -L %{_sysconfdir}/postfix/$i && rm %{_sysconfdir}/postfix/$i
 done
 exit 0
 %postun
@ -417,6 +345,11 @@ exit 0
 %files
 %defattr(-, root, root)
 %config(noreplace) %{sasl_lib_dir}/smtpd.conf
 %config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix
 %config(noreplace) %{_sysconfdir}/sysconfig/saslauthd
 %verify(not md5 size mtime) %config %dir %{_sysconfdir}/postfix
 %attr(0755, root, root) %config %{_sysconfdir}/postfix/postfix-script
 %attr(0755, root, root) %config %{_sysconfdir}/postfix/post-install
@ -439,11 +372,6 @@ exit 0
 %attr(0755, root, root) %config /etc/rc.d/init.d/postfix
 %dir                      %verify(not md5 size mtime) %{_var}/spool/postfix
 %dir %attr(-, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/etc
 %dir %attr(-, root, root) %verify(not md5 size mtime) %{_var}/spool/postfix/%{_lib}
 %attr(-, root, root)      %verify(not md5 size mtime) %{_var}/spool/postfix/usr
 # For correct directory permissions check postfix-install script
 %dir %attr(0700, postfix, root)     %verify(not md5 size mtime) %{_var}/spool/postfix/active
 %dir %attr(0700, postfix, root)     %verify(not md5 size mtime) %{_var}/spool/postfix/bounce
@ -460,15 +388,7 @@ exit 0
 %dir %attr(0755, root, root)        %verify(not md5 size mtime) %{_var}/spool/postfix/pid
-%doc 0README COMPATIBILITY HISTORY INSTALL LICENSE PORTING RELEASE_NOTES README-Postifx-SASL-RedHat.txt
+%doc %{docdir}
 %if %{TLS}
 %doc ACKNOWLEDGEMENTS.TLS CHANGES.TLS README.TLS TODO.TLS html/TLS/*
 %endif
 %doc html
 %doc samples
 %doc README_FILES
 %{_libdir}/sasl/smtpd.conf
 %dir %attr(0755, root, root) %verify(not md5 size mtime) %{_libexecdir}/postfix
 %{_libexecdir}/postfix/bounce
@ -481,6 +401,7 @@ exit 0
 %{_libexecdir}/postfix/nqmgr
 %{_libexecdir}/postfix/pickup
 %{_libexecdir}/postfix/pipe
 %{_libexecdir}/postfix/proxymap
 %{_libexecdir}/postfix/qmgr
 %{_libexecdir}/postfix/qmqpd
 %{_libexecdir}/postfix/showq
@ -517,8 +438,28 @@ exit 0
 %{_mandir}/*/*
 %changelog
-* Mon Jul 28 2003 Bill Nottingham <notting@redhat.com> 2:1.1.12-1
+* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 2.0.11-5
- update to 1.1.12, add a patch from the author
+- rebuild
 * Thu Jun 26 2003 John Dennis <jdennis@finch.boston.redhat.com>
 - bug 98095, change rmail.postfix to rmail for uucp invocation in master.cf
 * Wed Jun 25 2003 John Dennis <jdennis@finch.boston.redhat.com>
 - add missing dependency for db3/db4
 * Thu Jun 19 2003 John Dennis <jdennis@finch.boston.redhat.com>
 - upgrade to new 2.0.11 upstream release
 - fix authentication problems
 - rewrite SASL documentation
 - upgrade to use SASL version 2
 - Fix bugs 75439, 81913 90412, 91225, 78020, 90891, 88131
 * Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
 - rebuilt
 * Fri Mar  7 2003 John Dennis <jdennis@finch.boston.redhat.com>
 - upgrade to release 2.0.6
 - remove chroot as this is now the preferred installation according to Wietse Venema, the postfix author
 * Mon Feb 24 2003 Elliot Lee <sopwith@redhat.com>
 - rebuilt
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-9ea830b526ca7aabd1092fd0990cf27c  pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2
+31f1e830882025957f735e5e9b7dd2fd  pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz
-d1d0f9792ec6ea063ccca59184e54212  postfix-1.1.12.tar.gz
+a6bb9809a29c7e00a576491e1b57b79a  postfix-2.0.11.tar.gz
`@ -1,2 +1,2 @@`
	`pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2`	`pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz`
	`postfix-1.1.12.tar.gz`	`postfix-2.0.11.tar.gz`
`@ -1,2 +1,2 @@`
	`9ea830b526ca7aabd1092fd0990cf27c pfixtls-0.8.11a-1.1.11-0.9.6d.tar.bz2`	`31f1e830882025957f735e5e9b7dd2fd pfixtls-0.8.13-2.0.10-0.9.7b.tar.gz`
	`d1d0f9792ec6ea063ccca59184e54212 postfix-1.1.12.tar.gz`	`a6bb9809a29c7e00a576491e1b57b79a postfix-2.0.11.tar.gz`