Import rpm: c8s
This commit is contained in:
parent
4213c74b40
commit
801777824f
4
.gitignore
vendored
Normal file
4
.gitignore
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
SOURCES/pflogsumm-1.1.5.tar.gz
|
||||
SOURCES/postfix-3.5.8.tar.gz
|
||||
/pflogsumm-1.1.5.tar.gz
|
||||
/postfix-3.5.8.tar.gz
|
440
README-Postfix-SASL-RedHat.txt
Normal file
440
README-Postfix-SASL-RedHat.txt
Normal file
@ -0,0 +1,440 @@
|
||||
Quick Start to Authenticate with SASL and PAM:
|
||||
----------------------------------------------
|
||||
|
||||
If you don't need the details and are an experienced system
|
||||
administrator you can just do this, otherwise read on.
|
||||
|
||||
1) Edit /etc/postfix/main.cf and set this:
|
||||
|
||||
smtpd_sasl_auth_enable = yes
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
broken_sasl_auth_clients = yes
|
||||
|
||||
smtpd_recipient_restrictions =
|
||||
permit_sasl_authenticated,
|
||||
permit_mynetworks,
|
||||
reject_unauth_destination
|
||||
|
||||
2) Turn on saslauthd:
|
||||
|
||||
/sbin/chkconfig --level 345 saslauthd on
|
||||
/sbin/service saslauthd start
|
||||
|
||||
3) Edit /etc/sysconfig/saslauthd and set this:
|
||||
|
||||
MECH=pam
|
||||
|
||||
4) Restart Postfix:
|
||||
|
||||
/sbin/service postfix restart
|
||||
|
||||
A crash course in using SASL with Postfix:
|
||||
------------------------------------------
|
||||
|
||||
Red Hat's Postfix RPMs include support for both SASL and TLS. SASL, the
|
||||
Simple Authentication and Security Layer, allows Postfix to implement RFC
|
||||
2554, which defines an extension to ESMTP, SMTP AUTH, which compliant
|
||||
ESMTP clients can use to authenticate themselves to ESMTP servers.
|
||||
Typically, this is used to allow roaming users to relay mail through a
|
||||
server safely without configuring the SMTP server to be an open relay.
|
||||
Inclusion of TLS support allows Postfix to implement RFC 2487, which
|
||||
defines an extension to ESMTP, SMTP STARTTLS, which compliant ESMTP
|
||||
clients and servers can use to encrypt the SMTP session. This is a
|
||||
security enhancement -- normally SMTP is transmitted as cleartext over the
|
||||
wire, making it vulnerable to both passive sniffing and active alteration
|
||||
via monkey-in-the-middle attacks. In addition, STARTTLS can also be
|
||||
used by either or both server and client to verify the identity of the
|
||||
other end, making it useful for the same sorts of purposes as SMTP AUTH.
|
||||
The two can even be combined. Typically, this is done by first starting
|
||||
TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command,
|
||||
to authenticate the client; this combination ensures that the username
|
||||
and password transferred as part of the SMTP AUTH are protected by the
|
||||
TLS encrypted session.
|
||||
|
||||
SMTP AUTH is implemented using SASL, an abstraction layer which can
|
||||
authenticate against a variety of sources. On Red Hat, SASL can use
|
||||
the /etc/shadow file, or it can use PAM libraries, or it can use its own
|
||||
password database (/etc/sasldb), or it can do various more exotic things.
|
||||
|
||||
Authentication raises a number of security concerns for obvious
|
||||
reasons. As a consequence authentication services on Red Hat systems
|
||||
are restricted to processes running with root privileges. However for
|
||||
security reasons it is also essential that a mail server such as
|
||||
Postfix run without root privileges so that mail operations cannot
|
||||
compromise the host system. This means that Postfix cannot directly
|
||||
use authentication services because it does not execute with root
|
||||
privileges. The answer to this this problem is to introduce an
|
||||
intermediary process that runs with root privileges which Postfix can
|
||||
communicate with and will perform authentication on behalf of
|
||||
Postfix. The SASL package includes an authentication daemon called
|
||||
saslauthd which provided this service, think of it as an
|
||||
authentication proxy.
|
||||
|
||||
Using Saslauthd:
|
||||
----------------
|
||||
|
||||
To use saslauthd there are several things you must assure are
|
||||
configured.
|
||||
|
||||
Selecting an Authentication Method:
|
||||
-----------------------------------
|
||||
|
||||
Recall that it is saslauthd which is authenticating, not
|
||||
Postfix. To start with you must tell Postfix to use saslauthd, in
|
||||
main.cf edit this configuration parameter:
|
||||
|
||||
smtpd_sasl_auth_enable = yes
|
||||
|
||||
It is also recommended that you disable anonymous logins otherwise
|
||||
you've left your system open, so also add this configuration
|
||||
parameter.
|
||||
|
||||
smtpd_sasl_security_options = noanonymous
|
||||
|
||||
Now you must tell saslauthd which authentication method to use. To
|
||||
determine the authentication methods currently supported by saslauthd
|
||||
invoke saslauthd with the -v parameter, it will print its version and
|
||||
its list of methods and then exit, for example:
|
||||
|
||||
/usr/sbin/saslauthd -v
|
||||
saslauthd 2.1.10
|
||||
authentication mechanisms: getpwent kerberos5 pam rimap shadow
|
||||
|
||||
When saslauthd starts up it reads its configuration options from the
|
||||
file /etc/sysconfig/saslauthd. Currently there are two parameters
|
||||
which can be set in this file, MECH and FLAGS. MECH is the
|
||||
authentication mechanism and FLAGS is any command line flags you may
|
||||
wish to pass to saslauthd. To tell saslauthd to use a specific
|
||||
mechanism edit /etc/sysconfig/saslauthd and set the MECH parameter,
|
||||
for example to use PAM it would look like this:
|
||||
|
||||
MECH=pam
|
||||
|
||||
Of course you may use any of the other authentication mechanisms that
|
||||
saslauthd reported it supports. PAM is an excellent choice as PAM
|
||||
supports many of the same authentication methods that saslauthd does,
|
||||
but by using PAM you will have centralized all of your authentication
|
||||
configuration under PAM which is one of PAM's greatest assets.
|
||||
|
||||
How Postfix Interacts with SASL to Name its Authentication Services:
|
||||
--------------------------------------------------------------------
|
||||
|
||||
It can be very helpful to understand how Postfix communicates with
|
||||
SASL to name its authentication services. Knowing this will let you
|
||||
identify the configuration files the various components will access.
|
||||
|
||||
When Postfix invokes SASL it must give SASL an application name that
|
||||
SASL will use among other things to locate a configuration file for
|
||||
the application. The application name Postfix identifies itself as is
|
||||
"smtpd". SASL will append ".conf" to the application name and look for
|
||||
a config file in its library and config directories. Thus SASL will
|
||||
read Postfix's configuration from
|
||||
|
||||
/etc/sasl2/smtpd.conf
|
||||
|
||||
This file names the authentication method SASL will use for Postfix
|
||||
(actually for smtpd, other MTA's such as sendmail may use the same
|
||||
file). Because we want to use the saslauthd authentication proxy
|
||||
daemon the contents of this file is:
|
||||
|
||||
pwcheck_method: saslauthd
|
||||
|
||||
This tells SASL when being invoked to authentication for Postfix that
|
||||
it should use saslauthd. Saslauthd's mechanism is set in
|
||||
/etc/sysconfig/saslauthd (see below).
|
||||
|
||||
When Postfix calls on SASL to authenticate it passes to SASL a service
|
||||
name. This service name is used in authentication method specific
|
||||
way. The service name Postfix passes to SASL is "smtp" (note this is
|
||||
not the same as the application name which is "smtpd"). To understand
|
||||
this better consider the case of using PAM authentication. When SASL,
|
||||
or in our case saslauthd, invokes PAM it passes the service name of
|
||||
"smtp" to PAM which means that when PAM wants to read configuration
|
||||
information for this client it will find it under the name of "smtp".
|
||||
|
||||
Turning on the Authentication Daemon:
|
||||
-------------------------------------
|
||||
|
||||
Red Hat security policy is not to automatically enable services
|
||||
belonging to a package when the package is installed. The system
|
||||
administrator must explicitly enable the service. To enable saslauthd
|
||||
do the following:
|
||||
|
||||
1) Tell the init process to launch saslauthd when entering various run
|
||||
levels. Assuming you want saslauthd to run at run levels 3,4,5
|
||||
invoke chkconfig.
|
||||
|
||||
/sbin/chkconfig --level 345 saslauthd on
|
||||
|
||||
2) You will probably want to start saslauthd now without having to
|
||||
reboot, to do this:
|
||||
|
||||
/sbin/service saslauthd start
|
||||
|
||||
Trouble Shooting Authentication:
|
||||
--------------------------------
|
||||
|
||||
The best way to debug authentication problems is to examine log
|
||||
messages from the authentication components. However, normally these
|
||||
log messages are suppressed. There are two principle reasons the
|
||||
messages are suppressed. The first is that they are typically logged
|
||||
at the DEBUG logging priority level which is the lowest priority and
|
||||
the syslog configuration typically logs only higher priority
|
||||
messages. The second reason is that for security reasons authentication
|
||||
logging is considered a risk. Authentication logging has been divided
|
||||
into two different facilities, auth and authpriv. authpriv is private
|
||||
and is typically shunted off to a different log file with higher
|
||||
protection. You will want to be able to see both auth and authpriv
|
||||
messages at all priorities. To do this as root edit /etc/syslog.conf
|
||||
file, find the following line
|
||||
|
||||
authpriv.* /var/log/secure
|
||||
|
||||
edit the line to:
|
||||
|
||||
authpriv.*;auth.* /var/log/secure
|
||||
|
||||
Then restart syslogd so the syslog configuration changes will be
|
||||
picked up:
|
||||
|
||||
/sbin/service syslog restart
|
||||
|
||||
Now all authentication messages at all priorities will log to
|
||||
/var/log/secure.
|
||||
|
||||
Using PAM to Authenticate:
|
||||
--------------------------
|
||||
|
||||
Edit /etc/sysconfig/saslauthd and set MECH to PAM like this:
|
||||
|
||||
MECH=pam
|
||||
|
||||
When PAM is invoked via SASL it is passed a service name of
|
||||
"smtp". This means that PAM will read its configuration parameters for
|
||||
Postfix from the file: /etc/pam.d/smtp. By default this file is set to
|
||||
refer to the global system PAM authentication policy, thus by default
|
||||
you'll get whatever PAM authentication your system is configured for
|
||||
and virtually all applications use. Configuring PAM authentication is
|
||||
beyond the scope of this document, please refer to the PAM
|
||||
documentation if you which to modify PAM.
|
||||
|
||||
Trouble Shooting PAM Authentication:
|
||||
------------------------------------
|
||||
|
||||
1) One possible reason PAM may fail to authenticate even if the user
|
||||
is known to the system is if PAM fails to find the service
|
||||
configuration file in /etc/pam.d. Service configuration files are not
|
||||
required by PAM, if it does not find a service configuration file it
|
||||
will default to "other". Since PAM does not consider the absence of a
|
||||
service configuration file a problem it does not log anything nor does
|
||||
it return an error to the calling application. In other words it is
|
||||
completely silent about the fact it did not find a service
|
||||
configuration file. On Red Hat system the default implementation of
|
||||
"other" for PAM is to deny access. This means on Red Hat systems the
|
||||
absence of a PAM service configuration file will mean PAM will
|
||||
silently fail authentication. The PAM service configuration file for
|
||||
postfix is /etc/pam.d/smtp and is intalled by the Red Hat Postfix rpm
|
||||
and put under control of "alternatives" with name mta. Alternatives
|
||||
allows one to select between the sendmail and postfix MTA's and
|
||||
manages symbolic links for files the two MTA's share. /etc/pam.d/smtp
|
||||
is one such file, if you have not selected Postfix as your prefered
|
||||
MTA the link to this file will not be present. To select Postfix as
|
||||
your MTA do this: "/usr/sbin/alternatives --config mta" and follow the
|
||||
prompt to select postfix.
|
||||
|
||||
2) Is SASL appending a realm or domain to a username? PAM
|
||||
authentication requires a bare username and password, other
|
||||
authentication methods require the username to be qualified with a
|
||||
realm. Typically the username will be rewritten as user@realm
|
||||
(e.g. user@foo.com) PAM does not understand a username with
|
||||
"@realm" appended to it and will fail the authentication with the
|
||||
message that the user is unknown. If the log files shows saslauthd
|
||||
usernames with "@realm" appended to it then the
|
||||
smtpd_sasl_local_domain configuration parameter is likely set in
|
||||
/etc/postfix/main.cf file, make sure its either not set or set it
|
||||
to an empty string. Restart postfix and test authtentication again,
|
||||
the log file should show only a bare username.
|
||||
|
||||
|
||||
|
||||
Using saslpasswd to Authenticate:
|
||||
---------------------------------
|
||||
|
||||
SASL can maintain its own password database independent of the host
|
||||
system's authentication setup, it is called saslpasswd. You may wish
|
||||
to use saslpasswd if you want to isolate who can smtp authenticate
|
||||
from general system users. However, it does add another password
|
||||
database that a system administrator must maintain.
|
||||
|
||||
To authenticate against sasldb, you'll first have to create accounts.
|
||||
These accounts are entirely separate from system accounts, and are used
|
||||
only by connecting SMTP clients to authenticate themselves. Use the
|
||||
saslpassword command:
|
||||
|
||||
saslpasswd -u `postconf -h myhostname` -c user
|
||||
|
||||
to create an account named user which can log into realm. For the
|
||||
realm, make absolutely certain that you use the same value as is set for
|
||||
myhostname in /etc/postfix/main.cf. If you don't, it likely won't work.
|
||||
|
||||
Also, be aware that saslpasswd is somewhat buggy. The first time you
|
||||
run it, it may generate an error message while initializing the sasldb.
|
||||
If it does, just add that user a second time.
|
||||
|
||||
You'll need to set permissions on the SASL password database so that
|
||||
the Postfix daemons can read it:
|
||||
|
||||
chgrp postfix /etc/sasldb
|
||||
chmod g+r /etc/sasldb
|
||||
|
||||
Now, you'll need to modify /etc/postfix/main.cf to tell it to
|
||||
support SASL. The complete options you might want to use are in the
|
||||
sample-auth.cf file in the Postfix documentation directory. An option
|
||||
you will definitely need is:
|
||||
|
||||
# enable SASL support
|
||||
smtpd_sasl_auth_enable = yes
|
||||
|
||||
You might also need to set the SASL authentication realm to whatever
|
||||
realm you used when you created your sasldb; by default, this is set to
|
||||
$myhostname, but you instead might need something like:
|
||||
|
||||
# set SASL realm to domain instead
|
||||
smtpd_sasl_local_domain = $mydomain
|
||||
|
||||
Other Postfix Authentication Parameters:
|
||||
----------------------------------------
|
||||
|
||||
If you want to allow your already configured users to still use your SMTP
|
||||
server, and to allow users authenticated via SMTP AUTH to use your server
|
||||
as well, then modify your existing smtpd_recipient_restrictions line to;
|
||||
|
||||
# also allow authenticated (RFC 2554) users
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated ...
|
||||
|
||||
If you want to restrict use of your server to just authenticated clients
|
||||
(Note: this is a bad idea for public mail servers), then instead use:
|
||||
|
||||
# restrict server access to authenticated (RFC 2554) clients
|
||||
smtpd_delay_reject = yes
|
||||
smtpd_client_restrictions = permit_sasl_authenticated ...
|
||||
|
||||
SASL supports several password types which have differing security
|
||||
properties. Different SMTP clients may support some or all of these
|
||||
password types. When the client issues an EHLO command, the server
|
||||
tells it which types it supports:
|
||||
|
||||
$ telnet station6 25
|
||||
Trying 10.100.0.6...
|
||||
Connected to station6.example.com.
|
||||
Escape character is '^]'.
|
||||
220 station6.example.com ESMTP Postfix
|
||||
ehlo station7
|
||||
250-station6.example.com
|
||||
250-PIPELINING
|
||||
250-SIZE 10240000
|
||||
250-VRFY
|
||||
250-ETRN
|
||||
250-STARTTLS
|
||||
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
|
||||
250-XVERP
|
||||
250 8BITMIME
|
||||
|
||||
Here, the server supports PLAIN, LOGIN, DIGEST-MD5, and CRAM-MD5 password
|
||||
methods.
|
||||
|
||||
The client then chooses the first of these listed methods which it also
|
||||
supports, and issues an SMTP AUTH request.
|
||||
|
||||
For security, PLAIN and LOGIN methods are typically disabled. These two
|
||||
methods use trivially decryptable encryption, making the username and
|
||||
password issued by the client vulnerable to interception via a sniffer
|
||||
in between the server and client. Unfortunately, they can't always
|
||||
be disabled. Some popular SMTP clients, including MS Outlook 5.x,
|
||||
only support PLAIN authentication, for example.
|
||||
|
||||
To limit the login methods offered by the server:
|
||||
|
||||
# disable unsafe password methods
|
||||
smtpd_sasl_security_options = noplaintext noanonymous
|
||||
|
||||
Available options are:
|
||||
|
||||
noplaintext, which disables LOGIN and PLAIN
|
||||
noanonymous, which disables disables ANON
|
||||
nodictionary, which disables methods vulnerable to dictionary attacks
|
||||
noactive, which disables methods vulnerable to active attacks
|
||||
|
||||
The last two are rarely used, since almost all supported methods are
|
||||
vulnerable to those attacks ;-).
|
||||
|
||||
Also be aware that some broken clients mis-implement the SMTP AUTH
|
||||
protocol, and send commands using incorrect syntax (AUTH=foo instead of
|
||||
the correct AUTH foo). MS Outlook 4.x clients have this bug, among
|
||||
a legion of others.... If you need to support these clients, use:
|
||||
|
||||
# support braindead MS products
|
||||
broken_sasl_auth_clients = yes
|
||||
|
||||
To help prevent spoofing, you can also create a map file of SASL login
|
||||
names which are allowed to use specific envelope sender (MAIL FROM)
|
||||
addresses. If you choose to do this, you also have to tell Postfix to
|
||||
reject addresses which don't match login names:
|
||||
|
||||
# prevent spoofing by authenticated users
|
||||
reject_sender_login_mismatch
|
||||
smtpd_sender_login_maps=type:/path/to/file
|
||||
|
||||
Configuration of SASL clients is much simpler. Postfix itself can be
|
||||
made a SASL client; this is typically useful when roaming users run Linux
|
||||
on their laptop and need to relay mail back through the organization's
|
||||
main server.
|
||||
|
||||
To enable Postfix to act as an SMTP AUTH client, simply add to
|
||||
/etc/postfix/main.cf:
|
||||
|
||||
# support authentication (RFC 2557) when relaying through a server
|
||||
smtp_sasl_auth_enable = yes
|
||||
|
||||
and tell Postfix where to find the usernames and passwords it should
|
||||
use to authenticate:
|
||||
|
||||
# location of passwords for authentication client
|
||||
smtp_sasl_password_maps = type:/path/to/file
|
||||
|
||||
The file itself should have the format:
|
||||
|
||||
destination username:password
|
||||
|
||||
where destination is the name of the server, and username:password are
|
||||
the username and password which should be presented to that server to
|
||||
authenticate when connecting to it as a client.
|
||||
|
||||
Optionally, the authentication methods to be used can be specified for
|
||||
the Postfix client, just as they can be for the Postfix server:
|
||||
|
||||
# disable plaintext and anonymous
|
||||
smtp_sasl_security_options = noplaintext noanonymous
|
||||
|
||||
Many popular end-user MUAs can also be configured as SMTP AUTH clients.
|
||||
Clients capable of this supplied with Red Hat include pine, Netscape,
|
||||
and Mozilla.
|
||||
|
||||
Other Sources of Documentation:
|
||||
-------------------------------
|
||||
|
||||
/usr/share/doc/postfix-<version>/README_FILES/SASL_README
|
||||
|
||||
Local configuration examples:
|
||||
|
||||
/usr/share/doc/postfix-*/samples
|
||||
|
||||
Postfix Howtos, Guides and Tips by Ralf Hildebrandt and Patrick
|
||||
Koetter can be found at: http://postfix.state-of-mind.de
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
Please send any comments / corrections to Chris Ricker
|
||||
<kaboom@gatech.edu>. This material can be freely modified and
|
||||
redistributed. Additional material provided by John Dennis
|
||||
<jdennis@redhat.com> and Dax Kelson <dax@gurulabs.com>.
|
65
README-RedHat.txt
Normal file
65
README-RedHat.txt
Normal file
@ -0,0 +1,65 @@
|
||||
This Postfix build behaves differently from the upstream postfix-3.5.8.
|
||||
It's because in RHEL-8 backward compatibility is kept to postfix-3.3.1.
|
||||
|
||||
For the upstream postfix-3.5.8 behavior either run the following commands:
|
||||
|
||||
# postconf info_log_address_format=external
|
||||
# postconf smtpd_discard_ehlo_keywords=
|
||||
# postconf rhel_ipv6_normalize=yes
|
||||
|
||||
Or go through the following steps:
|
||||
|
||||
1. Change the configuration option 'info_log_address_format' to 'external'.
|
||||
In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109].
|
||||
|
||||
2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''.
|
||||
In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826].
|
||||
|
||||
3. Add RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it
|
||||
to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427].
|
||||
|
||||
Details from the upstream RELEASE_NOTES:
|
||||
|
||||
[Incompat 20191109]
|
||||
Postfix daemon processes now log the from= and
|
||||
to= addresses in external (quoted) form in non-debug logging (info,
|
||||
warning, etc.). This means that when an address localpart contains
|
||||
spaces or other special characters, the localpart will be quoted,
|
||||
for example:
|
||||
|
||||
from=<"name with spaces"@example.com>
|
||||
|
||||
Older Postfix versions would log the internal (unquoted) form:
|
||||
|
||||
from=<name with spaces@example.com>
|
||||
|
||||
The external and internal forms are identical for the vast majority
|
||||
of email addresses that contain no spaces or other special characters
|
||||
in the localpart.
|
||||
|
||||
Specify "info_log_address_format = internal" for backwards
|
||||
compatibility.
|
||||
|
||||
The logging in external form is consistent with the address form
|
||||
that Postfix 3.2 and later prefer for table lookups. It is therefore
|
||||
the more useful form for non-debug logging.
|
||||
|
||||
[Incompat 20180826]
|
||||
The Postfix SMTP server announces CHUNKING (BDAT
|
||||
command) by default. In the unlikely case that this breaks some
|
||||
important remote SMTP client, disable the feature as follows:
|
||||
|
||||
/etc/postfix/main.cf:
|
||||
# The logging alternative:
|
||||
smtpd_discard_ehlo_keywords = chunking
|
||||
# The non-logging alternative:
|
||||
smtpd_discard_ehlo_keywords = chunking, silent_discard
|
||||
|
||||
See BDAT_README for more.
|
||||
|
||||
[Incompat 20190427]
|
||||
Postfix now normalizes IP addresses received
|
||||
with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
|
||||
with direct connections to Postfix. This may change the appearance
|
||||
of logging, and the way that check_client_access will match subnets
|
||||
of an IPv6 address.
|
15
pflogsumm-1.1.5-datecalc.patch
Normal file
15
pflogsumm-1.1.5-datecalc.patch
Normal file
@ -0,0 +1,15 @@
|
||||
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
|
||||
index 31de5bd..36384dd 100755
|
||||
--- pflogsumm-1.1.5/pflogsumm.pl
|
||||
+++ pflogsumm-1.1.5/pflogsumm.pl
|
||||
@@ -398,8 +398,8 @@ Copyright (C) 1998-2010 by James S. Seymour, Release 1.1.5
|
||||
use strict;
|
||||
use locale;
|
||||
use Getopt::Long;
|
||||
-eval { require Date::Calc };
|
||||
-my $hasDateCalc = $@ ? 0 : 1;
|
||||
+require Date::Calc;
|
||||
+my $hasDateCalc = 1;
|
||||
|
||||
my $mailqCmd = "mailq";
|
||||
my $release = "1.1.5";
|
13
pflogsumm-1.1.5-ipv6-warnings-fix.patch
Normal file
13
pflogsumm-1.1.5-ipv6-warnings-fix.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
|
||||
index 36384dd..eb527d0 100755
|
||||
--- pflogsumm-1.1.5/pflogsumm.pl
|
||||
+++ pflogsumm-1.1.5/pflogsumm.pl
|
||||
@@ -1536,7 +1536,7 @@ sub gimme_domain {
|
||||
# split domain/ipaddr into separates
|
||||
# newer versions of Postfix have them "dom.ain[i.p.add.ress]"
|
||||
# older versions of Postfix have them "dom.ain/i.p.add.ress"
|
||||
- unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3})\]/) == 2 ||
|
||||
+ unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+)\]/) == 2 ||
|
||||
(($domain, $ipAddr) = /^([^\/]+)\/([0-9a-f.:]+)/i) == 2) {
|
||||
# more exhaustive method
|
||||
($domain, $ipAddr) = /^([^\[\(\/]+)[\[\(\/]([^\]\)]+)[\]\)]?:?\s*$/;
|
18
pflogsumm-1.1.5-syslog-name-underscore-fix.patch
Normal file
18
pflogsumm-1.1.5-syslog-name-underscore-fix.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff --git a/pflogsumm-1.1.5/pflogsumm.pl b/pflogsumm-1.1.5/pflogsumm.pl
|
||||
index eb527d0..7e26206 100755
|
||||
--- a/pflogsumm-1.1.5/pflogsumm.pl
|
||||
+++ b/pflogsumm-1.1.5/pflogsumm.pl
|
||||
@@ -503,7 +503,12 @@ $usageMsg =
|
||||
# Accept either "_"s or "-"s in --switches
|
||||
foreach (@ARGV) {
|
||||
last if($_ eq "--");
|
||||
- tr/_/-/ if(/^--\w/);
|
||||
+ if (/^--\w/)
|
||||
+ {
|
||||
+ my @argspl = split("=", $_, 2);
|
||||
+ $argspl[0] =~ tr/_/-/;
|
||||
+ $_ = join("=", @argspl);
|
||||
+ }
|
||||
}
|
||||
|
||||
# Some pre-inits for convenience
|
22
postfix-3.3.3-alternatives.patch
Normal file
22
postfix-3.3.3-alternatives.patch
Normal file
@ -0,0 +1,22 @@
|
||||
diff --git a/conf/post-install b/conf/post-install
|
||||
index 25ef7e6..4fd6434 100644
|
||||
--- a/conf/post-install
|
||||
+++ b/conf/post-install
|
||||
@@ -537,6 +537,17 @@ test -n "$create" && {
|
||||
case $path in
|
||||
no|no/*) continue;;
|
||||
esac
|
||||
+ # Munge paths for alternatives.
|
||||
+ case $path in
|
||||
+ /usr/bin/mailq) path=$path.postfix ;;
|
||||
+ /usr/bin/newaliases) path=$path.postfix ;;
|
||||
+ /usr/bin/rmail) path=$path.postfix ;;
|
||||
+ /usr/sbin/sendmail) path=$path.postfix ;;
|
||||
+ /usr/share/man/man1/mailq.1.gz) path=/usr/share/man/man1/mailq.postfix.1.gz ;;
|
||||
+ /usr/share/man/man1/newaliases.1.gz) path=/usr/share/man/man1/newaliases.postfix.1.gz ;;
|
||||
+ /usr/share/man/man5/aliases.5.gz) path=/usr/share/man/man5/aliases.postfix.5.gz ;;
|
||||
+ /usr/share/man/man8/smtpd.8.gz) path=/usr/share/man/man8/smtpd.postfix.8.gz ;;
|
||||
+ esac
|
||||
# Pick up the flags.
|
||||
case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
|
||||
case $flags in *c*) create_flag=1;; *) create_flag=;; esac
|
63
postfix-3.4.0-files.patch
Normal file
63
postfix-3.4.0-files.patch
Normal file
@ -0,0 +1,63 @@
|
||||
diff --git a/conf/postfix-files b/conf/postfix-files
|
||||
index 4ed9d1f..19711d2 100644
|
||||
--- a/conf/postfix-files
|
||||
+++ b/conf/postfix-files
|
||||
@@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
|
||||
$meta_directory/dynamicmaps.cf.d:d:root:-:755
|
||||
$meta_directory/dynamicmaps.cf:f:root:-:644
|
||||
$meta_directory/main.cf.proto:f:root:-:644
|
||||
-$meta_directory/makedefs.out:f:root:-:644
|
||||
$meta_directory/master.cf.proto:f:root:-:644
|
||||
$meta_directory/postfix-files.d:d:root:-:755
|
||||
$meta_directory/postfix-files:f:root:-:644
|
||||
@@ -141,18 +140,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u
|
||||
$sendmail_path:f:root:-:755
|
||||
$newaliases_path:l:$sendmail_path
|
||||
$mailq_path:l:$sendmail_path
|
||||
-$config_directory/LICENSE:f:root:-:644:1
|
||||
-$config_directory/TLS_LICENSE:f:root:-:644:1
|
||||
$config_directory/access:f:root:-:644:p1
|
||||
-$config_directory/aliases:f:root:-:644:p1
|
||||
-$config_directory/bounce.cf.default:f:root:-:644:1
|
||||
$config_directory/canonical:f:root:-:644:p1
|
||||
$config_directory/cidr_table:f:root:-:644:o
|
||||
$config_directory/generic:f:root:-:644:p1
|
||||
$config_directory/generics:f:root:-:644:o
|
||||
$config_directory/header_checks:f:root:-:644:p1
|
||||
$config_directory/install.cf:f:root:-:644:o
|
||||
-$config_directory/main.cf.default:f:root:-:644:1
|
||||
$config_directory/main.cf:f:root:-:644:p
|
||||
$config_directory/master.cf:f:root:-:644:p
|
||||
$config_directory/pcre_table:f:root:-:644:o
|
||||
@@ -165,8 +159,8 @@ $config_directory/postfix-script:f:root:-:755:o
|
||||
$config_directory/postfix-script-sgid:f:root:-:755:o
|
||||
$config_directory/postfix-script-nosgid:f:root:-:755:o
|
||||
$config_directory/post-install:f:root:-:755:o
|
||||
-$manpage_directory/man1/mailq.1:f:root:-:644
|
||||
-$manpage_directory/man1/newaliases.1:f:root:-:644
|
||||
+$manpage_directory/man1/mailq.postfix.1:f:root:-:644
|
||||
+$manpage_directory/man1/newaliases.postfix.1:f:root:-:644
|
||||
$manpage_directory/man1/postalias.1:f:root:-:644
|
||||
$manpage_directory/man1/postcat.1:f:root:-:644
|
||||
$manpage_directory/man1/postconf.1:f:root:-:644
|
||||
@@ -180,9 +174,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644
|
||||
$manpage_directory/man1/postmulti.1:f:root:-:644
|
||||
$manpage_directory/man1/postqueue.1:f:root:-:644
|
||||
$manpage_directory/man1/postsuper.1:f:root:-:644
|
||||
-$manpage_directory/man1/sendmail.1:f:root:-:644
|
||||
+$manpage_directory/man1/sendmail.postfix.1:f:root:-:644
|
||||
$manpage_directory/man5/access.5:f:root:-:644
|
||||
-$manpage_directory/man5/aliases.5:f:root:-:644
|
||||
+$manpage_directory/man5/aliases.postfix.5:f:root:-:644
|
||||
$manpage_directory/man5/body_checks.5:f:root:-:644
|
||||
$manpage_directory/man5/bounce.5:f:root:-:644
|
||||
$manpage_directory/man5/canonical.5:f:root:-:644
|
||||
@@ -230,7 +224,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644
|
||||
$manpage_directory/man8/scache.8:f:root:-:644
|
||||
$manpage_directory/man8/showq.8:f:root:-:644
|
||||
$manpage_directory/man8/smtp.8:f:root:-:644
|
||||
-$manpage_directory/man8/smtpd.8:f:root:-:644
|
||||
+$manpage_directory/man8/smtpd.postfix.8:f:root:-:644
|
||||
$manpage_directory/man8/spawn.8:f:root:-:644
|
||||
$manpage_directory/man8/tlsproxy.8:f:root:-:644
|
||||
$manpage_directory/man8/tlsmgr.8:f:root:-:644
|
37
postfix-3.4.0-large-fs.patch
Normal file
37
postfix-3.4.0-large-fs.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff --git a/src/util/fsspace.c b/src/util/fsspace.c
|
||||
index 50a4aa7..beef3db 100644
|
||||
--- a/src/util/fsspace.c
|
||||
+++ b/src/util/fsspace.c
|
||||
@@ -91,8 +91,15 @@ void fsspace(const char *path, struct fsspace * sp)
|
||||
|
||||
if (statvfs(path, &fsbuf) < 0)
|
||||
msg_fatal("statvfs %s: %m", path);
|
||||
- sp->block_size = fsbuf.f_frsize;
|
||||
- sp->block_free = fsbuf.f_bavail;
|
||||
+ if (fsbuf.f_frsize > 0)
|
||||
+ sp->block_size = fsbuf.f_frsize;
|
||||
+ else
|
||||
+ sp->block_size = fsbuf.f_bsize;
|
||||
+ /* 4G of FS blocks is surely enough space to put a mail in */
|
||||
+ sp->block_free = 0;
|
||||
+ sp->block_free = ~sp->block_free;
|
||||
+ if (fsbuf.f_bavail < sp->block_free)
|
||||
+ sp->block_free = fsbuf.f_bavail;
|
||||
#endif
|
||||
if (msg_verbose)
|
||||
msg_info("%s: %s: block size %lu, blocks free %lu",
|
||||
diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
|
||||
index a8d2571..ad07498 100644
|
||||
--- a/src/util/sys_defs.h
|
||||
+++ b/src/util/sys_defs.h
|
||||
@@ -769,8 +769,8 @@ extern int initgroups(const char *, int);
|
||||
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
|
||||
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
|
||||
#define FIONREAD_IN_TERMIOS_H
|
||||
-#define USE_STATFS
|
||||
-#define STATFS_IN_SYS_VFS_H
|
||||
+#define USE_STATVFS
|
||||
+#define STATVFS_IN_SYS_STATVFS_H
|
||||
#define PREPEND_PLUS_TO_OPTSTRING
|
||||
#define HAS_POSIX_REGEXP
|
||||
#define HAS_DLOPEN
|
35
postfix-3.4.4-chroot-example-fix.patch
Normal file
35
postfix-3.4.4-chroot-example-fix.patch
Normal file
@ -0,0 +1,35 @@
|
||||
--- a/examples/chroot-setup/LINUX2 2006-01-01 15:53:58.000000000 -0800
|
||||
+++ b/examples/chroot-setup/LINUX2 2016-11-27 00:45:52.145301784 -0800
|
||||
@@ -45,14 +45,14 @@
|
||||
# 20060101 /lib64 support by Keith Owens.
|
||||
#
|
||||
|
||||
-CP="cp -p"
|
||||
+CP="cp -p -Z"
|
||||
|
||||
cond_copy() {
|
||||
# find files as per pattern in $1
|
||||
# if any, copy to directory $2
|
||||
dir=`dirname "$1"`
|
||||
pat=`basename "$1"`
|
||||
- lr=`find "$dir" -maxdepth 1 -name "$pat"`
|
||||
+ lr=`find "$dir/" -maxdepth 1 -name "$pat"`
|
||||
if test ! -d "$2" ; then exit 1 ; fi
|
||||
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
|
||||
}
|
||||
@@ -63,8 +63,8 @@
|
||||
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
|
||||
cd ${POSTFIX_DIR}
|
||||
|
||||
-mkdir -p etc lib usr/lib/zoneinfo
|
||||
-test -d /lib64 && mkdir -p lib64
|
||||
+mkdir -p -Z etc lib usr/lib/zoneinfo
|
||||
+test -d /lib64 && mkdir -p -Z lib64
|
||||
|
||||
# find localtime (SuSE 5.3 does not have /etc/localtime)
|
||||
lt=/etc/localtime
|
||||
@@ -88,4 +88,3 @@
|
||||
cond_copy '/lib64/libdb.so*' lib64
|
||||
fi
|
||||
|
||||
-postfix reload
|
145
postfix-3.5.0-config.patch
Normal file
145
postfix-3.5.0-config.patch
Normal file
@ -0,0 +1,145 @@
|
||||
diff --git a/conf/main.cf b/conf/main.cf
|
||||
index 7af8bde..495e346 100644
|
||||
--- a/conf/main.cf
|
||||
+++ b/conf/main.cf
|
||||
@@ -132,6 +132,10 @@ mail_owner = postfix
|
||||
#inet_interfaces = all
|
||||
#inet_interfaces = $myhostname
|
||||
#inet_interfaces = $myhostname, localhost
|
||||
+inet_interfaces = localhost
|
||||
+
|
||||
+# Enable IPv4, and IPv6 if supported
|
||||
+inet_protocols = all
|
||||
|
||||
# The proxy_interfaces parameter specifies the network interface
|
||||
# addresses that this mail system receives mail on by way of a
|
||||
@@ -176,7 +180,7 @@ mail_owner = postfix
|
||||
#
|
||||
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
|
||||
#
|
||||
-#mydestination = $myhostname, localhost.$mydomain, localhost
|
||||
+mydestination = $myhostname, localhost.$mydomain, localhost
|
||||
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
|
||||
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
|
||||
# mail.$mydomain, www.$mydomain, ftp.$mydomain
|
||||
@@ -398,7 +402,7 @@ unknown_local_recipient_reject_code = 550
|
||||
# "postfix reload" to eliminate the delay.
|
||||
#
|
||||
#alias_maps = dbm:/etc/aliases
|
||||
-#alias_maps = hash:/etc/aliases
|
||||
+alias_maps = hash:/etc/aliases
|
||||
#alias_maps = hash:/etc/aliases, nis:mail.aliases
|
||||
#alias_maps = netinfo:/aliases
|
||||
|
||||
@@ -409,7 +413,7 @@ unknown_local_recipient_reject_code = 550
|
||||
#
|
||||
#alias_database = dbm:/etc/aliases
|
||||
#alias_database = dbm:/etc/mail/aliases
|
||||
-#alias_database = hash:/etc/aliases
|
||||
+alias_database = hash:/etc/aliases
|
||||
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
|
||||
|
||||
# ADDRESS EXTENSIONS (e.g., user+foo)
|
||||
@@ -479,7 +483,27 @@ unknown_local_recipient_reject_code = 550
|
||||
#
|
||||
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
|
||||
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
|
||||
-#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
|
||||
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
+
|
||||
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
|
||||
+# server using LMTP (Local Mail Transport Protocol), this is prefered
|
||||
+# over the older cyrus deliver program by setting the
|
||||
+# mailbox_transport as below:
|
||||
+#
|
||||
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
+#
|
||||
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
|
||||
+# these settings.
|
||||
+#
|
||||
+# local_destination_recipient_limit = 300
|
||||
+# local_destination_concurrency_limit = 5
|
||||
+#
|
||||
+# Of course you should adjust these settings as appropriate for the
|
||||
+# capacity of the hardware you are using. The recipient limit setting
|
||||
+# can be used to take advantage of the single instance message store
|
||||
+# capability of Cyrus. The concurrency limit can be used to control
|
||||
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
|
||||
+# message store.
|
||||
#
|
||||
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
|
||||
# subsequent line in master.cf.
|
||||
@@ -499,8 +523,7 @@ unknown_local_recipient_reject_code = 550
|
||||
# the main.cf file, otherwise the SMTP server will reject mail for
|
||||
# non-UNIX accounts with "User unknown in local recipient table".
|
||||
#
|
||||
-#fallback_transport = lmtp:unix:/file/name
|
||||
-#fallback_transport = cyrus
|
||||
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
||||
#fallback_transport =
|
||||
|
||||
# The luser_relay parameter specifies an optional destination address
|
||||
@@ -673,4 +696,41 @@ sample_directory =
|
||||
# readme_directory: The location of the Postfix README files.
|
||||
#
|
||||
readme_directory =
|
||||
-inet_protocols = ipv4
|
||||
+
|
||||
+# TLS CONFIGURATION
|
||||
+#
|
||||
+# Basic Postfix TLS configuration by default with self-signed certificate
|
||||
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
|
||||
+
|
||||
+# The full pathname of a file with the Postfix SMTP server RSA certificate
|
||||
+# in PEM format. Intermediate certificates should be included in general,
|
||||
+# the server certificate first, then the issuing CA(s) (bottom-up order).
|
||||
+#
|
||||
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
|
||||
+
|
||||
+# The full pathname of a file with the Postfix SMTP server RSA private key
|
||||
+# in PEM format. The private key must be accessible without a pass-phrase,
|
||||
+# i.e. it must not be encrypted.
|
||||
+#
|
||||
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
|
||||
+
|
||||
+# Announce STARTTLS support to remote SMTP clients, but do not require that
|
||||
+# clients use TLS encryption (opportunistic TLS inbound).
|
||||
+#
|
||||
+smtpd_tls_security_level = may
|
||||
+
|
||||
+# Directory with PEM format Certification Authority certificates that the
|
||||
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
|
||||
+#
|
||||
+smtp_tls_CApath = /etc/pki/tls/certs
|
||||
+
|
||||
+# The full pathname of a file containing CA certificates of root CAs
|
||||
+# trusted to sign either remote SMTP server certificates or intermediate CA
|
||||
+# certificates.
|
||||
+#
|
||||
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||
+
|
||||
+# Use TLS if this is supported by the remote SMTP server, otherwise use
|
||||
+# plaintext (opportunistic TLS outbound).
|
||||
+#
|
||||
+smtp_tls_security_level = may
|
||||
diff --git a/conf/master.cf b/conf/master.cf
|
||||
index c0f2508..05c5d07 100644
|
||||
--- a/conf/master.cf
|
||||
+++ b/conf/master.cf
|
||||
@@ -98,14 +98,14 @@ postlog unix-dgram n - n - 1 postlogd
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
-# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
+# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Old example of delivery via Cyrus.
|
||||
#
|
||||
#old-cyrus unix - n n - - pipe
|
||||
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||
+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
158
postfix-3.5.8-back-compat-3.3.1.patch
Normal file
158
postfix-3.5.8-back-compat-3.3.1.patch
Normal file
@ -0,0 +1,158 @@
|
||||
diff --git a/src/global/mail_params.c b/src/global/mail_params.c
|
||||
index 91c70f7..483613c 100644
|
||||
--- a/src/global/mail_params.c
|
||||
+++ b/src/global/mail_params.c
|
||||
@@ -379,6 +379,8 @@ int warn_compat_break_smtputf8_enable;
|
||||
int warn_compat_break_chroot;
|
||||
int warn_compat_break_relay_restrictions;
|
||||
|
||||
+bool var_rhel_ipv6_normalize;
|
||||
+
|
||||
/* check_myhostname - lookup hostname and validate */
|
||||
|
||||
static const char *check_myhostname(void)
|
||||
@@ -825,6 +827,7 @@ void mail_params_init()
|
||||
VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids,
|
||||
VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8,
|
||||
VAR_ENABLE_ORCPT, DEF_ENABLE_ORCPT, &var_enable_orcpt,
|
||||
+ VAR_RHEL_IPV6_NORMALIZE, DEF_RHEL_IPV6_NORMALIZE, &var_rhel_ipv6_normalize,
|
||||
0,
|
||||
};
|
||||
const char *cp;
|
||||
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
|
||||
index e4358ca..74459d9 100644
|
||||
--- a/src/global/mail_params.h
|
||||
+++ b/src/global/mail_params.h
|
||||
@@ -3153,7 +3153,7 @@ extern char *var_local_rwr_clients;
|
||||
* EHLO keyword filter.
|
||||
*/
|
||||
#define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords"
|
||||
-#define DEF_SMTPD_EHLO_DIS_WORDS ""
|
||||
+#define DEF_SMTPD_EHLO_DIS_WORDS "chunking"
|
||||
extern char *var_smtpd_ehlo_dis_words;
|
||||
|
||||
#define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_discard_ehlo_keyword_address_maps"
|
||||
@@ -4199,9 +4199,13 @@ extern int var_postlogd_watchdog;
|
||||
#define INFO_LOG_ADDR_FORM_NAME_INTERNAL "internal"
|
||||
|
||||
#define VAR_INFO_LOG_ADDR_FORM "info_log_address_format"
|
||||
-#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL
|
||||
+#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_INTERNAL
|
||||
extern char *var_info_log_addr_form;
|
||||
|
||||
+#define VAR_RHEL_IPV6_NORMALIZE "rhel_ipv6_normalize"
|
||||
+#define DEF_RHEL_IPV6_NORMALIZE 0
|
||||
+extern bool var_rhel_ipv6_normalize;
|
||||
+
|
||||
/* LICENSE
|
||||
/* .ad
|
||||
/* .fi
|
||||
diff --git a/src/smtpd/smtpd.c b/src/smtpd/smtpd.c
|
||||
index da7227f..53e640e 100644
|
||||
--- a/src/smtpd/smtpd.c
|
||||
+++ b/src/smtpd/smtpd.c
|
||||
@@ -4334,6 +4334,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
|
||||
SMTPD_TOKEN *argp;
|
||||
char *raw_value;
|
||||
char *attr_value;
|
||||
+ const char *bare_value;
|
||||
char *attr_name;
|
||||
int update_namaddr = 0;
|
||||
int name_status;
|
||||
@@ -4481,15 +4482,31 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
|
||||
UPDATE_STR(state->addr, attr_value);
|
||||
UPDATE_STR(state->rfc_addr, attr_value);
|
||||
} else {
|
||||
- neuter(attr_value, NEUTER_CHARACTERS, '?');
|
||||
- if (normalize_mailhost_addr(attr_value, &state->rfc_addr,
|
||||
+ if (var_rhel_ipv6_normalize) {
|
||||
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
|
||||
+ }
|
||||
+ if ((var_rhel_ipv6_normalize &&
|
||||
+ normalize_mailhost_addr(attr_value, &state->rfc_addr,
|
||||
&state->addr,
|
||||
- &state->addr_family) < 0) {
|
||||
+ &state->addr_family) < 0) ||
|
||||
+ (!var_rhel_ipv6_normalize &&
|
||||
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
|
||||
state->error_mask |= MAIL_ERROR_PROTOCOL;
|
||||
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
|
||||
XCLIENT_ADDR, attr_value);
|
||||
return (-1);
|
||||
}
|
||||
+ if (!var_rhel_ipv6_normalize) {
|
||||
+ UPDATE_STR(state->addr, bare_value);
|
||||
+ UPDATE_STR(state->rfc_addr, attr_value);
|
||||
+#ifdef HAS_IPV6
|
||||
+ if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
|
||||
+ sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0)
|
||||
+ state->addr_family = AF_INET6;
|
||||
+ else
|
||||
+#endif
|
||||
+ state->addr_family = AF_INET;
|
||||
+ }
|
||||
}
|
||||
update_namaddr = 1;
|
||||
}
|
||||
@@ -4569,17 +4586,25 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
|
||||
attr_value = SERVER_ADDR_UNKNOWN;
|
||||
UPDATE_STR(state->dest_addr, attr_value);
|
||||
} else {
|
||||
+ if (var_rhel_ipv6_normalize) {
|
||||
#define NO_NORM_RFC_ADDR ((char **) 0)
|
||||
#define NO_NORM_ADDR_FAMILY ((int *) 0)
|
||||
- neuter(attr_value, NEUTER_CHARACTERS, '?');
|
||||
- if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
|
||||
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
|
||||
+ }
|
||||
+ if ((var_rhel_ipv6_normalize &&
|
||||
+ normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
|
||||
&state->dest_addr,
|
||||
- NO_NORM_ADDR_FAMILY) < 0) {
|
||||
+ NO_NORM_ADDR_FAMILY) < 0) ||
|
||||
+ (!var_rhel_ipv6_normalize &&
|
||||
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
|
||||
state->error_mask |= MAIL_ERROR_PROTOCOL;
|
||||
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
|
||||
XCLIENT_DESTADDR, attr_value);
|
||||
return (-1);
|
||||
}
|
||||
+ if (!var_rhel_ipv6_normalize) {
|
||||
+ UPDATE_STR(state->dest_addr, bare_value);
|
||||
+ }
|
||||
}
|
||||
/* XXX Require same address family as client address. */
|
||||
}
|
||||
@@ -4690,6 +4715,7 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
|
||||
SMTPD_TOKEN *argp;
|
||||
char *raw_value;
|
||||
char *attr_value;
|
||||
+ const char *bare_value;
|
||||
char *attr_name;
|
||||
int updated = 0;
|
||||
static const NAME_CODE xforward_flags[] = {
|
||||
@@ -4808,15 +4834,22 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
|
||||
UPDATE_STR(state->xforward.addr, attr_value);
|
||||
} else {
|
||||
neuter(attr_value, NEUTER_CHARACTERS, '?');
|
||||
- if (normalize_mailhost_addr(attr_value,
|
||||
+ if ((var_rhel_ipv6_normalize &&
|
||||
+ normalize_mailhost_addr(attr_value,
|
||||
&state->xforward.rfc_addr,
|
||||
&state->xforward.addr,
|
||||
- NO_NORM_ADDR_FAMILY) < 0) {
|
||||
+ NO_NORM_ADDR_FAMILY) < 0) ||
|
||||
+ (!var_rhel_ipv6_normalize &&
|
||||
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
|
||||
state->error_mask |= MAIL_ERROR_PROTOCOL;
|
||||
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
|
||||
XFORWARD_ADDR, attr_value);
|
||||
return (-1);
|
||||
}
|
||||
+ if (!var_rhel_ipv6_normalize) {
|
||||
+ UPDATE_STR(state->xforward.addr, bare_value);
|
||||
+ UPDATE_STR(state->xforward.rfc_addr, attr_value);
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
|
13
postfix-3.5.8-whitespace-name-fix.patch
Normal file
13
postfix-3.5.8-whitespace-name-fix.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/src/cleanup/cleanup_message.c b/src/cleanup/cleanup_message.c
|
||||
index 391c711..be5ce42 100644
|
||||
--- a/src/cleanup/cleanup_message.c
|
||||
+++ b/src/cleanup/cleanup_message.c
|
||||
@@ -773,6 +773,8 @@ static void cleanup_header_done_callback(void *context)
|
||||
/* Normalize whitespace. */
|
||||
token = tok822_scan_limit(state->fullname, &dummy_token,
|
||||
var_token_limit);
|
||||
+ if (!token)
|
||||
+ token = tok822_alloc(TOK822_QSTRING, state->fullname);
|
||||
} else {
|
||||
token = tok822_alloc(TOK822_QSTRING, state->fullname);
|
||||
}
|
4
postfix-chroot-update
Normal file
4
postfix-chroot-update
Normal file
@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
|
||||
[ -x /etc/postfix/chroot-update ] && exec /etc/postfix/chroot-update
|
||||
exit 0
|
3
postfix-pam.conf
Normal file
3
postfix-pam.conf
Normal file
@ -0,0 +1,3 @@
|
||||
#%PAM-1.0
|
||||
auth include password-auth
|
||||
account include password-auth
|
2
postfix-sasl.conf
Normal file
2
postfix-sasl.conf
Normal file
@ -0,0 +1,2 @@
|
||||
pwcheck_method: saslauthd
|
||||
mech_list: plain login
|
20
postfix.aliasesdb
Normal file
20
postfix.aliasesdb
Normal file
@ -0,0 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
ALIASESDB_STAMP=/var/lib/misc/postfix.aliasesdb-stamp
|
||||
|
||||
make_aliasesdb() {
|
||||
if [ "$(/usr/sbin/postconf -h alias_database)" == "hash:/etc/aliases" ]
|
||||
then
|
||||
# /etc/aliases.db may be used by other MTA, make sure nothing
|
||||
# has touched it since our last newaliases call
|
||||
[ /etc/aliases -nt /etc/aliases.db ] ||
|
||||
[ "$ALIASESDB_STAMP" -nt /etc/aliases.db ] ||
|
||||
[ "$ALIASESDB_STAMP" -ot /etc/aliases.db ] || return 0
|
||||
/usr/bin/newaliases
|
||||
touch -r /etc/aliases.db "$ALIASESDB_STAMP"
|
||||
else
|
||||
/usr/bin/newaliases
|
||||
fi
|
||||
}
|
||||
|
||||
make_aliasesdb
|
22
postfix.service
Normal file
22
postfix.service
Normal file
@ -0,0 +1,22 @@
|
||||
[Unit]
|
||||
Description=Postfix Mail Transport Agent
|
||||
After=syslog.target network.target
|
||||
Conflicts=sendmail.service exim.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/spool/postfix/pid/master.pid
|
||||
EnvironmentFile=-/etc/sysconfig/network
|
||||
PrivateTmp=true
|
||||
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
|
||||
ProtectSystem=true
|
||||
PrivateDevices=true
|
||||
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid/master.pid
|
||||
ExecStartPre=-/usr/libexec/postfix/aliasesdb
|
||||
ExecStartPre=-/usr/libexec/postfix/chroot-update
|
||||
ExecStart=/usr/sbin/postfix start
|
||||
ExecReload=/usr/sbin/postfix reload
|
||||
ExecStop=/usr/sbin/postfix stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
1704
postfix.spec
Normal file
1704
postfix.spec
Normal file
File diff suppressed because it is too large
Load Diff
2
sources
Normal file
2
sources
Normal file
@ -0,0 +1,2 @@
|
||||
SHA512 (pflogsumm-1.1.5.tar.gz) = 994d660692dfea38a1dd9866d15f15035657e85131c1f5a2cd82baa5bd4ad987a00939cb5233f316d2090014c52ae68ef20db0c893f8634969484e0e74678f4d
|
||||
SHA512 (postfix-3.5.8.tar.gz) = 0abb07d99e343b76e6a26b4a090af9d592f4dfd03c8c737cc72bfb0f4267dafcbb0cb0aa7b6255f8b834c9289d89a5c47b167be3758239309937cb77e0d9464b
|
Loading…
Reference in New Issue
Block a user