Import rpm: c8s

This commit is contained in:
James Antill 2023-02-27 15:02:06 -05:00
parent 4213c74b40
commit 801777824f
20 changed files with 2785 additions and 0 deletions

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
SOURCES/pflogsumm-1.1.5.tar.gz
SOURCES/postfix-3.5.8.tar.gz
/pflogsumm-1.1.5.tar.gz
/postfix-3.5.8.tar.gz

View File

@ -0,0 +1,440 @@
Quick Start to Authenticate with SASL and PAM:
----------------------------------------------
If you don't need the details and are an experienced system
administrator you can just do this, otherwise read on.
1) Edit /etc/postfix/main.cf and set this:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
2) Turn on saslauthd:
/sbin/chkconfig --level 345 saslauthd on
/sbin/service saslauthd start
3) Edit /etc/sysconfig/saslauthd and set this:
MECH=pam
4) Restart Postfix:
/sbin/service postfix restart
A crash course in using SASL with Postfix:
------------------------------------------
Red Hat's Postfix RPMs include support for both SASL and TLS. SASL, the
Simple Authentication and Security Layer, allows Postfix to implement RFC
2554, which defines an extension to ESMTP, SMTP AUTH, which compliant
ESMTP clients can use to authenticate themselves to ESMTP servers.
Typically, this is used to allow roaming users to relay mail through a
server safely without configuring the SMTP server to be an open relay.
Inclusion of TLS support allows Postfix to implement RFC 2487, which
defines an extension to ESMTP, SMTP STARTTLS, which compliant ESMTP
clients and servers can use to encrypt the SMTP session. This is a
security enhancement -- normally SMTP is transmitted as cleartext over the
wire, making it vulnerable to both passive sniffing and active alteration
via monkey-in-the-middle attacks. In addition, STARTTLS can also be
used by either or both server and client to verify the identity of the
other end, making it useful for the same sorts of purposes as SMTP AUTH.
The two can even be combined. Typically, this is done by first starting
TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command,
to authenticate the client; this combination ensures that the username
and password transferred as part of the SMTP AUTH are protected by the
TLS encrypted session.
SMTP AUTH is implemented using SASL, an abstraction layer which can
authenticate against a variety of sources. On Red Hat, SASL can use
the /etc/shadow file, or it can use PAM libraries, or it can use its own
password database (/etc/sasldb), or it can do various more exotic things.
Authentication raises a number of security concerns for obvious
reasons. As a consequence authentication services on Red Hat systems
are restricted to processes running with root privileges. However for
security reasons it is also essential that a mail server such as
Postfix run without root privileges so that mail operations cannot
compromise the host system. This means that Postfix cannot directly
use authentication services because it does not execute with root
privileges. The answer to this this problem is to introduce an
intermediary process that runs with root privileges which Postfix can
communicate with and will perform authentication on behalf of
Postfix. The SASL package includes an authentication daemon called
saslauthd which provided this service, think of it as an
authentication proxy.
Using Saslauthd:
----------------
To use saslauthd there are several things you must assure are
configured.
Selecting an Authentication Method:
-----------------------------------
Recall that it is saslauthd which is authenticating, not
Postfix. To start with you must tell Postfix to use saslauthd, in
main.cf edit this configuration parameter:
smtpd_sasl_auth_enable = yes
It is also recommended that you disable anonymous logins otherwise
you've left your system open, so also add this configuration
parameter.
smtpd_sasl_security_options = noanonymous
Now you must tell saslauthd which authentication method to use. To
determine the authentication methods currently supported by saslauthd
invoke saslauthd with the -v parameter, it will print its version and
its list of methods and then exit, for example:
/usr/sbin/saslauthd -v
saslauthd 2.1.10
authentication mechanisms: getpwent kerberos5 pam rimap shadow
When saslauthd starts up it reads its configuration options from the
file /etc/sysconfig/saslauthd. Currently there are two parameters
which can be set in this file, MECH and FLAGS. MECH is the
authentication mechanism and FLAGS is any command line flags you may
wish to pass to saslauthd. To tell saslauthd to use a specific
mechanism edit /etc/sysconfig/saslauthd and set the MECH parameter,
for example to use PAM it would look like this:
MECH=pam
Of course you may use any of the other authentication mechanisms that
saslauthd reported it supports. PAM is an excellent choice as PAM
supports many of the same authentication methods that saslauthd does,
but by using PAM you will have centralized all of your authentication
configuration under PAM which is one of PAM's greatest assets.
How Postfix Interacts with SASL to Name its Authentication Services:
--------------------------------------------------------------------
It can be very helpful to understand how Postfix communicates with
SASL to name its authentication services. Knowing this will let you
identify the configuration files the various components will access.
When Postfix invokes SASL it must give SASL an application name that
SASL will use among other things to locate a configuration file for
the application. The application name Postfix identifies itself as is
"smtpd". SASL will append ".conf" to the application name and look for
a config file in its library and config directories. Thus SASL will
read Postfix's configuration from
/etc/sasl2/smtpd.conf
This file names the authentication method SASL will use for Postfix
(actually for smtpd, other MTA's such as sendmail may use the same
file). Because we want to use the saslauthd authentication proxy
daemon the contents of this file is:
pwcheck_method: saslauthd
This tells SASL when being invoked to authentication for Postfix that
it should use saslauthd. Saslauthd's mechanism is set in
/etc/sysconfig/saslauthd (see below).
When Postfix calls on SASL to authenticate it passes to SASL a service
name. This service name is used in authentication method specific
way. The service name Postfix passes to SASL is "smtp" (note this is
not the same as the application name which is "smtpd"). To understand
this better consider the case of using PAM authentication. When SASL,
or in our case saslauthd, invokes PAM it passes the service name of
"smtp" to PAM which means that when PAM wants to read configuration
information for this client it will find it under the name of "smtp".
Turning on the Authentication Daemon:
-------------------------------------
Red Hat security policy is not to automatically enable services
belonging to a package when the package is installed. The system
administrator must explicitly enable the service. To enable saslauthd
do the following:
1) Tell the init process to launch saslauthd when entering various run
levels. Assuming you want saslauthd to run at run levels 3,4,5
invoke chkconfig.
/sbin/chkconfig --level 345 saslauthd on
2) You will probably want to start saslauthd now without having to
reboot, to do this:
/sbin/service saslauthd start
Trouble Shooting Authentication:
--------------------------------
The best way to debug authentication problems is to examine log
messages from the authentication components. However, normally these
log messages are suppressed. There are two principle reasons the
messages are suppressed. The first is that they are typically logged
at the DEBUG logging priority level which is the lowest priority and
the syslog configuration typically logs only higher priority
messages. The second reason is that for security reasons authentication
logging is considered a risk. Authentication logging has been divided
into two different facilities, auth and authpriv. authpriv is private
and is typically shunted off to a different log file with higher
protection. You will want to be able to see both auth and authpriv
messages at all priorities. To do this as root edit /etc/syslog.conf
file, find the following line
authpriv.* /var/log/secure
edit the line to:
authpriv.*;auth.* /var/log/secure
Then restart syslogd so the syslog configuration changes will be
picked up:
/sbin/service syslog restart
Now all authentication messages at all priorities will log to
/var/log/secure.
Using PAM to Authenticate:
--------------------------
Edit /etc/sysconfig/saslauthd and set MECH to PAM like this:
MECH=pam
When PAM is invoked via SASL it is passed a service name of
"smtp". This means that PAM will read its configuration parameters for
Postfix from the file: /etc/pam.d/smtp. By default this file is set to
refer to the global system PAM authentication policy, thus by default
you'll get whatever PAM authentication your system is configured for
and virtually all applications use. Configuring PAM authentication is
beyond the scope of this document, please refer to the PAM
documentation if you which to modify PAM.
Trouble Shooting PAM Authentication:
------------------------------------
1) One possible reason PAM may fail to authenticate even if the user
is known to the system is if PAM fails to find the service
configuration file in /etc/pam.d. Service configuration files are not
required by PAM, if it does not find a service configuration file it
will default to "other". Since PAM does not consider the absence of a
service configuration file a problem it does not log anything nor does
it return an error to the calling application. In other words it is
completely silent about the fact it did not find a service
configuration file. On Red Hat system the default implementation of
"other" for PAM is to deny access. This means on Red Hat systems the
absence of a PAM service configuration file will mean PAM will
silently fail authentication. The PAM service configuration file for
postfix is /etc/pam.d/smtp and is intalled by the Red Hat Postfix rpm
and put under control of "alternatives" with name mta. Alternatives
allows one to select between the sendmail and postfix MTA's and
manages symbolic links for files the two MTA's share. /etc/pam.d/smtp
is one such file, if you have not selected Postfix as your prefered
MTA the link to this file will not be present. To select Postfix as
your MTA do this: "/usr/sbin/alternatives --config mta" and follow the
prompt to select postfix.
2) Is SASL appending a realm or domain to a username? PAM
authentication requires a bare username and password, other
authentication methods require the username to be qualified with a
realm. Typically the username will be rewritten as user@realm
(e.g. user@foo.com) PAM does not understand a username with
"@realm" appended to it and will fail the authentication with the
message that the user is unknown. If the log files shows saslauthd
usernames with "@realm" appended to it then the
smtpd_sasl_local_domain configuration parameter is likely set in
/etc/postfix/main.cf file, make sure its either not set or set it
to an empty string. Restart postfix and test authtentication again,
the log file should show only a bare username.
Using saslpasswd to Authenticate:
---------------------------------
SASL can maintain its own password database independent of the host
system's authentication setup, it is called saslpasswd. You may wish
to use saslpasswd if you want to isolate who can smtp authenticate
from general system users. However, it does add another password
database that a system administrator must maintain.
To authenticate against sasldb, you'll first have to create accounts.
These accounts are entirely separate from system accounts, and are used
only by connecting SMTP clients to authenticate themselves. Use the
saslpassword command:
saslpasswd -u `postconf -h myhostname` -c user
to create an account named user which can log into realm. For the
realm, make absolutely certain that you use the same value as is set for
myhostname in /etc/postfix/main.cf. If you don't, it likely won't work.
Also, be aware that saslpasswd is somewhat buggy. The first time you
run it, it may generate an error message while initializing the sasldb.
If it does, just add that user a second time.
You'll need to set permissions on the SASL password database so that
the Postfix daemons can read it:
chgrp postfix /etc/sasldb
chmod g+r /etc/sasldb
Now, you'll need to modify /etc/postfix/main.cf to tell it to
support SASL. The complete options you might want to use are in the
sample-auth.cf file in the Postfix documentation directory. An option
you will definitely need is:
# enable SASL support
smtpd_sasl_auth_enable = yes
You might also need to set the SASL authentication realm to whatever
realm you used when you created your sasldb; by default, this is set to
$myhostname, but you instead might need something like:
# set SASL realm to domain instead
smtpd_sasl_local_domain = $mydomain
Other Postfix Authentication Parameters:
----------------------------------------
If you want to allow your already configured users to still use your SMTP
server, and to allow users authenticated via SMTP AUTH to use your server
as well, then modify your existing smtpd_recipient_restrictions line to;
# also allow authenticated (RFC 2554) users
smtpd_recipient_restrictions = permit_sasl_authenticated ...
If you want to restrict use of your server to just authenticated clients
(Note: this is a bad idea for public mail servers), then instead use:
# restrict server access to authenticated (RFC 2554) clients
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_sasl_authenticated ...
SASL supports several password types which have differing security
properties. Different SMTP clients may support some or all of these
password types. When the client issues an EHLO command, the server
tells it which types it supports:
$ telnet station6 25
Trying 10.100.0.6...
Connected to station6.example.com.
Escape character is '^]'.
220 station6.example.com ESMTP Postfix
ehlo station7
250-station6.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
Here, the server supports PLAIN, LOGIN, DIGEST-MD5, and CRAM-MD5 password
methods.
The client then chooses the first of these listed methods which it also
supports, and issues an SMTP AUTH request.
For security, PLAIN and LOGIN methods are typically disabled. These two
methods use trivially decryptable encryption, making the username and
password issued by the client vulnerable to interception via a sniffer
in between the server and client. Unfortunately, they can't always
be disabled. Some popular SMTP clients, including MS Outlook 5.x,
only support PLAIN authentication, for example.
To limit the login methods offered by the server:
# disable unsafe password methods
smtpd_sasl_security_options = noplaintext noanonymous
Available options are:
noplaintext, which disables LOGIN and PLAIN
noanonymous, which disables disables ANON
nodictionary, which disables methods vulnerable to dictionary attacks
noactive, which disables methods vulnerable to active attacks
The last two are rarely used, since almost all supported methods are
vulnerable to those attacks ;-).
Also be aware that some broken clients mis-implement the SMTP AUTH
protocol, and send commands using incorrect syntax (AUTH=foo instead of
the correct AUTH foo). MS Outlook 4.x clients have this bug, among
a legion of others.... If you need to support these clients, use:
# support braindead MS products
broken_sasl_auth_clients = yes
To help prevent spoofing, you can also create a map file of SASL login
names which are allowed to use specific envelope sender (MAIL FROM)
addresses. If you choose to do this, you also have to tell Postfix to
reject addresses which don't match login names:
# prevent spoofing by authenticated users
reject_sender_login_mismatch
smtpd_sender_login_maps=type:/path/to/file
Configuration of SASL clients is much simpler. Postfix itself can be
made a SASL client; this is typically useful when roaming users run Linux
on their laptop and need to relay mail back through the organization's
main server.
To enable Postfix to act as an SMTP AUTH client, simply add to
/etc/postfix/main.cf:
# support authentication (RFC 2557) when relaying through a server
smtp_sasl_auth_enable = yes
and tell Postfix where to find the usernames and passwords it should
use to authenticate:
# location of passwords for authentication client
smtp_sasl_password_maps = type:/path/to/file
The file itself should have the format:
destination username:password
where destination is the name of the server, and username:password are
the username and password which should be presented to that server to
authenticate when connecting to it as a client.
Optionally, the authentication methods to be used can be specified for
the Postfix client, just as they can be for the Postfix server:
# disable plaintext and anonymous
smtp_sasl_security_options = noplaintext noanonymous
Many popular end-user MUAs can also be configured as SMTP AUTH clients.
Clients capable of this supplied with Red Hat include pine, Netscape,
and Mozilla.
Other Sources of Documentation:
-------------------------------
/usr/share/doc/postfix-<version>/README_FILES/SASL_README
Local configuration examples:
/usr/share/doc/postfix-*/samples
Postfix Howtos, Guides and Tips by Ralf Hildebrandt and Patrick
Koetter can be found at: http://postfix.state-of-mind.de
------------------------------------------------------------------------------
Please send any comments / corrections to Chris Ricker
<kaboom@gatech.edu>. This material can be freely modified and
redistributed. Additional material provided by John Dennis
<jdennis@redhat.com> and Dax Kelson <dax@gurulabs.com>.

65
README-RedHat.txt Normal file
View File

@ -0,0 +1,65 @@
This Postfix build behaves differently from the upstream postfix-3.5.8.
It's because in RHEL-8 backward compatibility is kept to postfix-3.3.1.
For the upstream postfix-3.5.8 behavior either run the following commands:
# postconf info_log_address_format=external
# postconf smtpd_discard_ehlo_keywords=
# postconf rhel_ipv6_normalize=yes
Or go through the following steps:
1. Change the configuration option 'info_log_address_format' to 'external'.
In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109].
2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''.
In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826].
3. Add RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it
to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427].
Details from the upstream RELEASE_NOTES:
[Incompat 20191109]
Postfix daemon processes now log the from= and
to= addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart contains
spaces or other special characters, the localpart will be quoted,
for example:
from=<"name with spaces"@example.com>
Older Postfix versions would log the internal (unquoted) form:
from=<name with spaces@example.com>
The external and internal forms are identical for the vast majority
of email addresses that contain no spaces or other special characters
in the localpart.
Specify "info_log_address_format = internal" for backwards
compatibility.
The logging in external form is consistent with the address form
that Postfix 3.2 and later prefer for table lookups. It is therefore
the more useful form for non-debug logging.
[Incompat 20180826]
The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:
/etc/postfix/main.cf:
# The logging alternative:
smtpd_discard_ehlo_keywords = chunking
# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
See BDAT_README for more.
[Incompat 20190427]
Postfix now normalizes IP addresses received
with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
with direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match subnets
of an IPv6 address.

View File

@ -0,0 +1,15 @@
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
index 31de5bd..36384dd 100755
--- pflogsumm-1.1.5/pflogsumm.pl
+++ pflogsumm-1.1.5/pflogsumm.pl
@@ -398,8 +398,8 @@ Copyright (C) 1998-2010 by James S. Seymour, Release 1.1.5
use strict;
use locale;
use Getopt::Long;
-eval { require Date::Calc };
-my $hasDateCalc = $@ ? 0 : 1;
+require Date::Calc;
+my $hasDateCalc = 1;
my $mailqCmd = "mailq";
my $release = "1.1.5";

View File

@ -0,0 +1,13 @@
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
index 36384dd..eb527d0 100755
--- pflogsumm-1.1.5/pflogsumm.pl
+++ pflogsumm-1.1.5/pflogsumm.pl
@@ -1536,7 +1536,7 @@ sub gimme_domain {
# split domain/ipaddr into separates
# newer versions of Postfix have them "dom.ain[i.p.add.ress]"
# older versions of Postfix have them "dom.ain/i.p.add.ress"
- unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3})\]/) == 2 ||
+ unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+)\]/) == 2 ||
(($domain, $ipAddr) = /^([^\/]+)\/([0-9a-f.:]+)/i) == 2) {
# more exhaustive method
($domain, $ipAddr) = /^([^\[\(\/]+)[\[\(\/]([^\]\)]+)[\]\)]?:?\s*$/;

View File

@ -0,0 +1,18 @@
diff --git a/pflogsumm-1.1.5/pflogsumm.pl b/pflogsumm-1.1.5/pflogsumm.pl
index eb527d0..7e26206 100755
--- a/pflogsumm-1.1.5/pflogsumm.pl
+++ b/pflogsumm-1.1.5/pflogsumm.pl
@@ -503,7 +503,12 @@ $usageMsg =
# Accept either "_"s or "-"s in --switches
foreach (@ARGV) {
last if($_ eq "--");
- tr/_/-/ if(/^--\w/);
+ if (/^--\w/)
+ {
+ my @argspl = split("=", $_, 2);
+ $argspl[0] =~ tr/_/-/;
+ $_ = join("=", @argspl);
+ }
}
# Some pre-inits for convenience

View File

@ -0,0 +1,22 @@
diff --git a/conf/post-install b/conf/post-install
index 25ef7e6..4fd6434 100644
--- a/conf/post-install
+++ b/conf/post-install
@@ -537,6 +537,17 @@ test -n "$create" && {
case $path in
no|no/*) continue;;
esac
+ # Munge paths for alternatives.
+ case $path in
+ /usr/bin/mailq) path=$path.postfix ;;
+ /usr/bin/newaliases) path=$path.postfix ;;
+ /usr/bin/rmail) path=$path.postfix ;;
+ /usr/sbin/sendmail) path=$path.postfix ;;
+ /usr/share/man/man1/mailq.1.gz) path=/usr/share/man/man1/mailq.postfix.1.gz ;;
+ /usr/share/man/man1/newaliases.1.gz) path=/usr/share/man/man1/newaliases.postfix.1.gz ;;
+ /usr/share/man/man5/aliases.5.gz) path=/usr/share/man/man5/aliases.postfix.5.gz ;;
+ /usr/share/man/man8/smtpd.8.gz) path=/usr/share/man/man8/smtpd.postfix.8.gz ;;
+ esac
# Pick up the flags.
case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
case $flags in *c*) create_flag=1;; *) create_flag=;; esac

63
postfix-3.4.0-files.patch Normal file
View File

@ -0,0 +1,63 @@
diff --git a/conf/postfix-files b/conf/postfix-files
index 4ed9d1f..19711d2 100644
--- a/conf/postfix-files
+++ b/conf/postfix-files
@@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
$meta_directory/dynamicmaps.cf.d:d:root:-:755
$meta_directory/dynamicmaps.cf:f:root:-:644
$meta_directory/main.cf.proto:f:root:-:644
-$meta_directory/makedefs.out:f:root:-:644
$meta_directory/master.cf.proto:f:root:-:644
$meta_directory/postfix-files.d:d:root:-:755
$meta_directory/postfix-files:f:root:-:644
@@ -141,18 +140,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u
$sendmail_path:f:root:-:755
$newaliases_path:l:$sendmail_path
$mailq_path:l:$sendmail_path
-$config_directory/LICENSE:f:root:-:644:1
-$config_directory/TLS_LICENSE:f:root:-:644:1
$config_directory/access:f:root:-:644:p1
-$config_directory/aliases:f:root:-:644:p1
-$config_directory/bounce.cf.default:f:root:-:644:1
$config_directory/canonical:f:root:-:644:p1
$config_directory/cidr_table:f:root:-:644:o
$config_directory/generic:f:root:-:644:p1
$config_directory/generics:f:root:-:644:o
$config_directory/header_checks:f:root:-:644:p1
$config_directory/install.cf:f:root:-:644:o
-$config_directory/main.cf.default:f:root:-:644:1
$config_directory/main.cf:f:root:-:644:p
$config_directory/master.cf:f:root:-:644:p
$config_directory/pcre_table:f:root:-:644:o
@@ -165,8 +159,8 @@ $config_directory/postfix-script:f:root:-:755:o
$config_directory/postfix-script-sgid:f:root:-:755:o
$config_directory/postfix-script-nosgid:f:root:-:755:o
$config_directory/post-install:f:root:-:755:o
-$manpage_directory/man1/mailq.1:f:root:-:644
-$manpage_directory/man1/newaliases.1:f:root:-:644
+$manpage_directory/man1/mailq.postfix.1:f:root:-:644
+$manpage_directory/man1/newaliases.postfix.1:f:root:-:644
$manpage_directory/man1/postalias.1:f:root:-:644
$manpage_directory/man1/postcat.1:f:root:-:644
$manpage_directory/man1/postconf.1:f:root:-:644
@@ -180,9 +174,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644
$manpage_directory/man1/postmulti.1:f:root:-:644
$manpage_directory/man1/postqueue.1:f:root:-:644
$manpage_directory/man1/postsuper.1:f:root:-:644
-$manpage_directory/man1/sendmail.1:f:root:-:644
+$manpage_directory/man1/sendmail.postfix.1:f:root:-:644
$manpage_directory/man5/access.5:f:root:-:644
-$manpage_directory/man5/aliases.5:f:root:-:644
+$manpage_directory/man5/aliases.postfix.5:f:root:-:644
$manpage_directory/man5/body_checks.5:f:root:-:644
$manpage_directory/man5/bounce.5:f:root:-:644
$manpage_directory/man5/canonical.5:f:root:-:644
@@ -230,7 +224,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644
$manpage_directory/man8/scache.8:f:root:-:644
$manpage_directory/man8/showq.8:f:root:-:644
$manpage_directory/man8/smtp.8:f:root:-:644
-$manpage_directory/man8/smtpd.8:f:root:-:644
+$manpage_directory/man8/smtpd.postfix.8:f:root:-:644
$manpage_directory/man8/spawn.8:f:root:-:644
$manpage_directory/man8/tlsproxy.8:f:root:-:644
$manpage_directory/man8/tlsmgr.8:f:root:-:644

View File

@ -0,0 +1,37 @@
diff --git a/src/util/fsspace.c b/src/util/fsspace.c
index 50a4aa7..beef3db 100644
--- a/src/util/fsspace.c
+++ b/src/util/fsspace.c
@@ -91,8 +91,15 @@ void fsspace(const char *path, struct fsspace * sp)
if (statvfs(path, &fsbuf) < 0)
msg_fatal("statvfs %s: %m", path);
- sp->block_size = fsbuf.f_frsize;
- sp->block_free = fsbuf.f_bavail;
+ if (fsbuf.f_frsize > 0)
+ sp->block_size = fsbuf.f_frsize;
+ else
+ sp->block_size = fsbuf.f_bsize;
+ /* 4G of FS blocks is surely enough space to put a mail in */
+ sp->block_free = 0;
+ sp->block_free = ~sp->block_free;
+ if (fsbuf.f_bavail < sp->block_free)
+ sp->block_free = fsbuf.f_bavail;
#endif
if (msg_verbose)
msg_info("%s: %s: block size %lu, blocks free %lu",
diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
index a8d2571..ad07498 100644
--- a/src/util/sys_defs.h
+++ b/src/util/sys_defs.h
@@ -769,8 +769,8 @@ extern int initgroups(const char *, int);
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define FIONREAD_IN_TERMIOS_H
-#define USE_STATFS
-#define STATFS_IN_SYS_VFS_H
+#define USE_STATVFS
+#define STATVFS_IN_SYS_STATVFS_H
#define PREPEND_PLUS_TO_OPTSTRING
#define HAS_POSIX_REGEXP
#define HAS_DLOPEN

View File

@ -0,0 +1,35 @@
--- a/examples/chroot-setup/LINUX2 2006-01-01 15:53:58.000000000 -0800
+++ b/examples/chroot-setup/LINUX2 2016-11-27 00:45:52.145301784 -0800
@@ -45,14 +45,14 @@
# 20060101 /lib64 support by Keith Owens.
#
-CP="cp -p"
+CP="cp -p -Z"
cond_copy() {
# find files as per pattern in $1
# if any, copy to directory $2
dir=`dirname "$1"`
pat=`basename "$1"`
- lr=`find "$dir" -maxdepth 1 -name "$pat"`
+ lr=`find "$dir/" -maxdepth 1 -name "$pat"`
if test ! -d "$2" ; then exit 1 ; fi
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
}
@@ -63,8 +63,8 @@
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
cd ${POSTFIX_DIR}
-mkdir -p etc lib usr/lib/zoneinfo
-test -d /lib64 && mkdir -p lib64
+mkdir -p -Z etc lib usr/lib/zoneinfo
+test -d /lib64 && mkdir -p -Z lib64
# find localtime (SuSE 5.3 does not have /etc/localtime)
lt=/etc/localtime
@@ -88,4 +88,3 @@
cond_copy '/lib64/libdb.so*' lib64
fi
-postfix reload

145
postfix-3.5.0-config.patch Normal file
View File

@ -0,0 +1,145 @@
diff --git a/conf/main.cf b/conf/main.cf
index 7af8bde..495e346 100644
--- a/conf/main.cf
+++ b/conf/main.cf
@@ -132,6 +132,10 @@ mail_owner = postfix
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
+inet_interfaces = localhost
+
+# Enable IPv4, and IPv6 if supported
+inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
@@ -176,7 +180,7 @@ mail_owner = postfix
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
-#mydestination = $myhostname, localhost.$mydomain, localhost
+mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
@@ -398,7 +402,7 @@ unknown_local_recipient_reject_code = 550
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
-#alias_maps = hash:/etc/aliases
+alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
@@ -409,7 +413,7 @@ unknown_local_recipient_reject_code = 550
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
-#alias_database = hash:/etc/aliases
+alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
@@ -479,7 +483,27 @@ unknown_local_recipient_reject_code = 550
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
-#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
@@ -499,8 +523,7 @@ unknown_local_recipient_reject_code = 550
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
-#fallback_transport = lmtp:unix:/file/name
-#fallback_transport = cyrus
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
@@ -673,4 +696,41 @@ sample_directory =
# readme_directory: The location of the Postfix README files.
#
readme_directory =
-inet_protocols = ipv4
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
diff --git a/conf/master.cf b/conf/master.cf
index c0f2508..05c5d07 100644
--- a/conf/master.cf
+++ b/conf/master.cf
@@ -98,14 +98,14 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
-# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#

View File

@ -0,0 +1,158 @@
diff --git a/src/global/mail_params.c b/src/global/mail_params.c
index 91c70f7..483613c 100644
--- a/src/global/mail_params.c
+++ b/src/global/mail_params.c
@@ -379,6 +379,8 @@ int warn_compat_break_smtputf8_enable;
int warn_compat_break_chroot;
int warn_compat_break_relay_restrictions;
+bool var_rhel_ipv6_normalize;
+
/* check_myhostname - lookup hostname and validate */
static const char *check_myhostname(void)
@@ -825,6 +827,7 @@ void mail_params_init()
VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids,
VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8,
VAR_ENABLE_ORCPT, DEF_ENABLE_ORCPT, &var_enable_orcpt,
+ VAR_RHEL_IPV6_NORMALIZE, DEF_RHEL_IPV6_NORMALIZE, &var_rhel_ipv6_normalize,
0,
};
const char *cp;
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index e4358ca..74459d9 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -3153,7 +3153,7 @@ extern char *var_local_rwr_clients;
* EHLO keyword filter.
*/
#define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords"
-#define DEF_SMTPD_EHLO_DIS_WORDS ""
+#define DEF_SMTPD_EHLO_DIS_WORDS "chunking"
extern char *var_smtpd_ehlo_dis_words;
#define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_discard_ehlo_keyword_address_maps"
@@ -4199,9 +4199,13 @@ extern int var_postlogd_watchdog;
#define INFO_LOG_ADDR_FORM_NAME_INTERNAL "internal"
#define VAR_INFO_LOG_ADDR_FORM "info_log_address_format"
-#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL
+#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_INTERNAL
extern char *var_info_log_addr_form;
+#define VAR_RHEL_IPV6_NORMALIZE "rhel_ipv6_normalize"
+#define DEF_RHEL_IPV6_NORMALIZE 0
+extern bool var_rhel_ipv6_normalize;
+
/* LICENSE
/* .ad
/* .fi
diff --git a/src/smtpd/smtpd.c b/src/smtpd/smtpd.c
index da7227f..53e640e 100644
--- a/src/smtpd/smtpd.c
+++ b/src/smtpd/smtpd.c
@@ -4334,6 +4334,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
SMTPD_TOKEN *argp;
char *raw_value;
char *attr_value;
+ const char *bare_value;
char *attr_name;
int update_namaddr = 0;
int name_status;
@@ -4481,15 +4482,31 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
UPDATE_STR(state->addr, attr_value);
UPDATE_STR(state->rfc_addr, attr_value);
} else {
- neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, &state->rfc_addr,
+ if (var_rhel_ipv6_normalize) {
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
+ }
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value, &state->rfc_addr,
&state->addr,
- &state->addr_family) < 0) {
+ &state->addr_family) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_ADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->addr, bare_value);
+ UPDATE_STR(state->rfc_addr, attr_value);
+#ifdef HAS_IPV6
+ if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
+ sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0)
+ state->addr_family = AF_INET6;
+ else
+#endif
+ state->addr_family = AF_INET;
+ }
}
update_namaddr = 1;
}
@@ -4569,17 +4586,25 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
attr_value = SERVER_ADDR_UNKNOWN;
UPDATE_STR(state->dest_addr, attr_value);
} else {
+ if (var_rhel_ipv6_normalize) {
#define NO_NORM_RFC_ADDR ((char **) 0)
#define NO_NORM_ADDR_FAMILY ((int *) 0)
- neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
+ }
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
&state->dest_addr,
- NO_NORM_ADDR_FAMILY) < 0) {
+ NO_NORM_ADDR_FAMILY) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_DESTADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->dest_addr, bare_value);
+ }
}
/* XXX Require same address family as client address. */
}
@@ -4690,6 +4715,7 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
SMTPD_TOKEN *argp;
char *raw_value;
char *attr_value;
+ const char *bare_value;
char *attr_name;
int updated = 0;
static const NAME_CODE xforward_flags[] = {
@@ -4808,15 +4834,22 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
UPDATE_STR(state->xforward.addr, attr_value);
} else {
neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value,
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value,
&state->xforward.rfc_addr,
&state->xforward.addr,
- NO_NORM_ADDR_FAMILY) < 0) {
+ NO_NORM_ADDR_FAMILY) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XFORWARD_ADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->xforward.addr, bare_value);
+ UPDATE_STR(state->xforward.rfc_addr, attr_value);
+ }
}
break;

View File

@ -0,0 +1,13 @@
diff --git a/src/cleanup/cleanup_message.c b/src/cleanup/cleanup_message.c
index 391c711..be5ce42 100644
--- a/src/cleanup/cleanup_message.c
+++ b/src/cleanup/cleanup_message.c
@@ -773,6 +773,8 @@ static void cleanup_header_done_callback(void *context)
/* Normalize whitespace. */
token = tok822_scan_limit(state->fullname, &dummy_token,
var_token_limit);
+ if (!token)
+ token = tok822_alloc(TOK822_QSTRING, state->fullname);
} else {
token = tok822_alloc(TOK822_QSTRING, state->fullname);
}

4
postfix-chroot-update Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
[ -x /etc/postfix/chroot-update ] && exec /etc/postfix/chroot-update
exit 0

3
postfix-pam.conf Normal file
View File

@ -0,0 +1,3 @@
#%PAM-1.0
auth include password-auth
account include password-auth

2
postfix-sasl.conf Normal file
View File

@ -0,0 +1,2 @@
pwcheck_method: saslauthd
mech_list: plain login

20
postfix.aliasesdb Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
ALIASESDB_STAMP=/var/lib/misc/postfix.aliasesdb-stamp
make_aliasesdb() {
if [ "$(/usr/sbin/postconf -h alias_database)" == "hash:/etc/aliases" ]
then
# /etc/aliases.db may be used by other MTA, make sure nothing
# has touched it since our last newaliases call
[ /etc/aliases -nt /etc/aliases.db ] ||
[ "$ALIASESDB_STAMP" -nt /etc/aliases.db ] ||
[ "$ALIASESDB_STAMP" -ot /etc/aliases.db ] || return 0
/usr/bin/newaliases
touch -r /etc/aliases.db "$ALIASESDB_STAMP"
else
/usr/bin/newaliases
fi
}
make_aliasesdb

22
postfix.service Normal file
View File

@ -0,0 +1,22 @@
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service
[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
PrivateTmp=true
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
ProtectSystem=true
PrivateDevices=true
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid/master.pid
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop
[Install]
WantedBy=multi-user.target

1704
postfix.spec Normal file

File diff suppressed because it is too large Load Diff

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (pflogsumm-1.1.5.tar.gz) = 994d660692dfea38a1dd9866d15f15035657e85131c1f5a2cd82baa5bd4ad987a00939cb5233f316d2090014c52ae68ef20db0c893f8634969484e0e74678f4d
SHA512 (postfix-3.5.8.tar.gz) = 0abb07d99e343b76e6a26b4a090af9d592f4dfd03c8c737cc72bfb0f4267dafcbb0cb0aa7b6255f8b834c9289d89a5c47b167be3758239309937cb77e0d9464b