Import rpm: c8s

This commit is contained in:
parent 4213c74b40
commit 801777824f

.gitignore (vendored, Normal file, 4 lines)
@ -0,0 +1,4 @@
SOURCES/pflogsumm-1.1.5.tar.gz
SOURCES/postfix-3.5.8.tar.gz
/pflogsumm-1.1.5.tar.gz
/postfix-3.5.8.tar.gz

README-Postfix-SASL-RedHat.txt (Normal file, 440 lines)
@ -0,0 +1,440 @@
Quick Start to Authenticate with SASL and PAM:
----------------------------------------------

If you don't need the details and are an experienced system
administrator you can just do this, otherwise read on.

1) Edit /etc/postfix/main.cf and set this:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

2) Turn on saslauthd:

    /sbin/chkconfig --level 345 saslauthd on
    /sbin/service saslauthd start

3) Edit /etc/sysconfig/saslauthd and set this:

    MECH=pam

4) Restart Postfix:

    /sbin/service postfix restart
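
The Quick Start above sets four things in main.cf, and the most common mistake when copying it by hand is to lose the continuation lines of smtpd_recipient_restrictions or to put reject_unauth_destination ahead of permit_sasl_authenticated. The script below is an added example (it is not part of the Red Hat README or of Postfix): it parses main.cf syntax as Postfix documents it (one name = value per line, a line starting with whitespace continues the previous value, # starts a comment) and audits the Quick Start settings. The two main.cf fragments embedded in it are constructed samples.

```python
"""Audit a Postfix main.cf for the SASL settings in the Quick Start above.

Added example; not part of the Red Hat README or of Postfix. It implements
the main.cf syntax rules Postfix documents (one 'name = value' per line,
a line starting with whitespace continues the previous value, '#' starts
a comment) and then checks the four Quick Start settings.
"""
import re
from typing import Dict, List

# Constructed sample: a main.cf fragment that follows the Quick Start.
SAMPLE_MAIN_CF = """\
# main.cf fragment (constructed sample for this example)
myhostname = mail.example.com
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample that forgets noanonymous and puts the reject first,
# so authenticated clients are refused before permit_sasl_authenticated runs.
SAMPLE_BAD_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_unauth_destination,
    permit_sasl_authenticated
"""

_ASSIGNMENT = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    params: Dict[str, str] = {}
    current = None  # parameter that continuation lines belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        match = _ASSIGNMENT.match(raw)
        if not match:
            raise ValueError(f"unparseable main.cf line: {raw!r}")
        current = match.group(1)
        params[current] = match.group(2).strip()
    return params


def restriction_list(value: str) -> List[str]:
    """Split a restriction list on commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit_sasl(params: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the Quick Start is satisfied."""
    findings: List[str] = []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: SMTP AUTH is off")
    options = params.get("smtpd_sasl_security_options", "").lower().split()
    if "noanonymous" not in options:
        findings.append("smtpd_sasl_security_options lacks noanonymous: "
                        "anonymous SASL logins would be accepted")
    if params.get("broken_sasl_auth_clients", "no").lower() != "yes":
        findings.append("broken_sasl_auth_clients is not yes: clients that "
                        "send AUTH=mech will fail")
    rr = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in rr:
        findings.append("smtpd_recipient_restrictions lacks permit_sasl_authenticated")
    elif ("reject_unauth_destination" in rr
          and rr.index("reject_unauth_destination") < rr.index("permit_sasl_authenticated")):
        findings.append("reject_unauth_destination precedes permit_sasl_authenticated: "
                        "authenticated users cannot relay")
    if "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: "
                        "the server may relay for anyone (the README's open-relay case)")
    return findings


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_MAIN_CF), ("bad", SAMPLE_BAD_MAIN_CF)):
        print(name, audit_sasl(parse_main_cf(text)) or "OK")
```

Restrictions are evaluated in order and the first permit or reject wins, which is why the audit treats reject_unauth_destination appearing before permit_sasl_authenticated as a finding rather than merely a style point.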

A crash course in using SASL with Postfix:
------------------------------------------

Red Hat's Postfix RPMs include support for both SASL and TLS. SASL, the
Simple Authentication and Security Layer, allows Postfix to implement RFC
2554, which defines an extension to ESMTP, SMTP AUTH, which compliant
ESMTP clients can use to authenticate themselves to ESMTP servers.
Typically, this is used to allow roaming users to relay mail through a
server safely without configuring the SMTP server to be an open relay.
Inclusion of TLS support allows Postfix to implement RFC 2487, which
defines an extension to ESMTP, SMTP STARTTLS, which compliant ESMTP
clients and servers can use to encrypt the SMTP session. This is a
security enhancement -- normally SMTP is transmitted as cleartext over the
wire, making it vulnerable to both passive sniffing and active alteration
via monkey-in-the-middle attacks. In addition, STARTTLS can also be
used by either or both server and client to verify the identity of the
other end, making it useful for the same sorts of purposes as SMTP AUTH.
The two can even be combined. Typically, this is done by first starting
TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command,
to authenticate the client; this combination ensures that the username
and password transferred as part of the SMTP AUTH are protected by the
TLS encrypted session.

SMTP AUTH is implemented using SASL, an abstraction layer which can
authenticate against a variety of sources. On Red Hat, SASL can use
the /etc/shadow file, or it can use PAM libraries, or it can use its own
password database (/etc/sasldb), or it can do various more exotic things.

Authentication raises a number of security concerns for obvious
reasons. As a consequence, authentication services on Red Hat systems
are restricted to processes running with root privileges. However, for
security reasons it is also essential that a mail server such as
Postfix run without root privileges so that mail operations cannot
compromise the host system. This means that Postfix cannot directly
use authentication services because it does not execute with root
privileges. The answer to this problem is to introduce an
intermediary process that runs with root privileges, which Postfix can
communicate with and which will perform authentication on behalf of
Postfix. The SASL package includes an authentication daemon called
saslauthd which provides this service; think of it as an
authentication proxy.

Using Saslauthd:
----------------

To use saslauthd there are several things you must ensure are
configured.

Selecting an Authentication Method:
-----------------------------------

Recall that it is saslauthd which is authenticating, not
Postfix. To start with you must tell Postfix to use saslauthd; in
main.cf edit this configuration parameter:

    smtpd_sasl_auth_enable = yes

It is also recommended that you disable anonymous logins, otherwise
you've left your system open, so also add this configuration
parameter:

    smtpd_sasl_security_options = noanonymous

Now you must tell saslauthd which authentication method to use. To
determine the authentication methods currently supported by saslauthd,
invoke saslauthd with the -v parameter; it will print its version and
its list of methods and then exit, for example:

    /usr/sbin/saslauthd -v
    saslauthd 2.1.10
    authentication mechanisms: getpwent kerberos5 pam rimap shadow

When saslauthd starts up it reads its configuration options from the
file /etc/sysconfig/saslauthd. Currently there are two parameters
which can be set in this file, MECH and FLAGS. MECH is the
authentication mechanism and FLAGS is any command line flags you may
wish to pass to saslauthd. To tell saslauthd to use a specific
mechanism, edit /etc/sysconfig/saslauthd and set the MECH parameter;
for example, to use PAM it would look like this:

    MECH=pam

Of course you may use any of the other authentication mechanisms that
saslauthd reported it supports. PAM is an excellent choice as PAM
supports many of the same authentication methods that saslauthd does,
but by using PAM you will have centralized all of your authentication
configuration under PAM, which is one of PAM's greatest assets.

How Postfix Interacts with SASL to Name its Authentication Services:
--------------------------------------------------------------------

It can be very helpful to understand how Postfix communicates with
SASL to name its authentication services. Knowing this will let you
identify the configuration files the various components will access.

When Postfix invokes SASL it must give SASL an application name that
SASL will use, among other things, to locate a configuration file for
the application. The application name Postfix identifies itself as is
"smtpd". SASL will append ".conf" to the application name and look for
a config file in its library and config directories. Thus SASL will
read Postfix's configuration from

    /etc/sasl2/smtpd.conf

This file names the authentication method SASL will use for Postfix
(actually for smtpd; other MTAs such as sendmail may use the same
file). Because we want to use the saslauthd authentication proxy
daemon, the contents of this file are:

    pwcheck_method: saslauthd

This tells SASL, when invoked to authenticate for Postfix, that
it should use saslauthd. Saslauthd's mechanism is set in
/etc/sysconfig/saslauthd (see below).

When Postfix calls on SASL to authenticate it passes to SASL a service
name. This service name is used in an authentication-method-specific
way. The service name Postfix passes to SASL is "smtp" (note this is
not the same as the application name, which is "smtpd"). To understand
this better, consider the case of using PAM authentication. When SASL,
or in our case saslauthd, invokes PAM it passes the service name of
"smtp" to PAM, which means that when PAM wants to read configuration
information for this client it will find it under the name of "smtp".

Turning on the Authentication Daemon:
-------------------------------------

Red Hat security policy is not to automatically enable services
belonging to a package when the package is installed. The system
administrator must explicitly enable the service. To enable saslauthd
do the following:

1) Tell the init process to launch saslauthd when entering various run
   levels. Assuming you want saslauthd to run at run levels 3,4,5
   invoke chkconfig.

    /sbin/chkconfig --level 345 saslauthd on

2) You will probably want to start saslauthd now without having to
   reboot, to do this:

    /sbin/service saslauthd start

Trouble Shooting Authentication:
--------------------------------

The best way to debug authentication problems is to examine log
messages from the authentication components. However, normally these
log messages are suppressed. There are two principal reasons the
messages are suppressed. The first is that they are typically logged
at the DEBUG logging priority level, which is the lowest priority, and
the syslog configuration typically logs only higher priority
messages. The second reason is that for security reasons authentication
logging is considered a risk. Authentication logging has been divided
into two different facilities, auth and authpriv. authpriv is private
and is typically shunted off to a different log file with higher
protection. You will want to be able to see both auth and authpriv
messages at all priorities. To do this, as root edit the /etc/syslog.conf
file, find the following line

    authpriv.* /var/log/secure

and edit the line to:

    authpriv.*;auth.* /var/log/secure

Then restart syslogd so the syslog configuration changes will be
picked up:

    /sbin/service syslog restart

Now all authentication messages at all priorities will log to
/var/log/secure.

Using PAM to Authenticate:
--------------------------

Edit /etc/sysconfig/saslauthd and set MECH to PAM like this:

    MECH=pam

When PAM is invoked via SASL it is passed a service name of
"smtp". This means that PAM will read its configuration parameters for
Postfix from the file /etc/pam.d/smtp. By default this file is set to
refer to the global system PAM authentication policy, thus by default
you'll get whatever PAM authentication your system is configured for
and virtually all applications use. Configuring PAM authentication is
beyond the scope of this document; please refer to the PAM
documentation if you wish to modify PAM.

Trouble Shooting PAM Authentication:
------------------------------------

1) One possible reason PAM may fail to authenticate even if the user
is known to the system is if PAM fails to find the service
configuration file in /etc/pam.d. Service configuration files are not
required by PAM; if it does not find a service configuration file it
will default to "other". Since PAM does not consider the absence of a
service configuration file a problem it does not log anything, nor does
it return an error to the calling application. In other words it is
completely silent about the fact it did not find a service
configuration file. On Red Hat systems the default implementation of
"other" for PAM is to deny access. This means on Red Hat systems the
absence of a PAM service configuration file will mean PAM will
silently fail authentication. The PAM service configuration file for
postfix is /etc/pam.d/smtp and is installed by the Red Hat Postfix rpm
and put under control of "alternatives" with name mta. Alternatives
allows one to select between the sendmail and postfix MTAs and
manages symbolic links for files the two MTAs share. /etc/pam.d/smtp
is one such file; if you have not selected Postfix as your preferred
MTA the link to this file will not be present. To select Postfix as
your MTA do this: "/usr/sbin/alternatives --config mta" and follow the
prompt to select postfix.

2) Is SASL appending a realm or domain to a username? PAM
authentication requires a bare username and password; other
authentication methods require the username to be qualified with a
realm. Typically the username will be rewritten as user@realm
(e.g. user@foo.com). PAM does not understand a username with
"@realm" appended to it and will fail the authentication with the
message that the user is unknown. If the log file shows saslauthd
usernames with "@realm" appended to them then the
smtpd_sasl_local_domain configuration parameter is likely set in
the /etc/postfix/main.cf file; make sure it's either not set or set
to an empty string. Restart postfix and test authentication again;
the log file should show only a bare username.

Using saslpasswd to Authenticate:
---------------------------------

SASL can maintain its own password database independent of the host
system's authentication setup; it is called saslpasswd. You may wish
to use saslpasswd if you want to isolate who can authenticate to SMTP
from general system users. However, it does add another password
database that a system administrator must maintain.

To authenticate against sasldb, you'll first have to create accounts.
These accounts are entirely separate from system accounts, and are used
only by connecting SMTP clients to authenticate themselves. Use the
saslpasswd command:

    saslpasswd -u `postconf -h myhostname` -c user

to create an account named user which can log into the realm. For the
realm, make absolutely certain that you use the same value as is set for
myhostname in /etc/postfix/main.cf. If you don't, it likely won't work.

Also, be aware that saslpasswd is somewhat buggy. The first time you
run it, it may generate an error message while initializing the sasldb.
If it does, just add that user a second time.

You'll need to set permissions on the SASL password database so that
the Postfix daemons can read it:

    chgrp postfix /etc/sasldb
    chmod g+r /etc/sasldb

Now, you'll need to modify /etc/postfix/main.cf to tell it to
support SASL. The complete options you might want to use are in the
sample-auth.cf file in the Postfix documentation directory. An option
you will definitely need is:

    # enable SASL support
    smtpd_sasl_auth_enable = yes

You might also need to set the SASL authentication realm to whatever
realm you used when you created your sasldb; by default, this is set to
$myhostname, but you instead might need something like:

    # set SASL realm to domain instead
    smtpd_sasl_local_domain = $mydomain

Other Postfix Authentication Parameters:
----------------------------------------

If you want to allow your already configured users to still use your SMTP
server, and to allow users authenticated via SMTP AUTH to use your server
as well, then modify your existing smtpd_recipient_restrictions line to:

    # also allow authenticated (RFC 2554) users
    smtpd_recipient_restrictions = permit_sasl_authenticated ...

If you want to restrict use of your server to just authenticated clients
(Note: this is a bad idea for public mail servers), then instead use:

    # restrict server access to authenticated (RFC 2554) clients
    smtpd_delay_reject = yes
    smtpd_client_restrictions = permit_sasl_authenticated ...

SASL supports several password types which have differing security
properties. Different SMTP clients may support some or all of these
password types. When the client issues an EHLO command, the server
tells it which types it supports:

    $ telnet station6 25
    Trying 10.100.0.6...
    Connected to station6.example.com.
    Escape character is '^]'.
    220 station6.example.com ESMTP Postfix
    ehlo station7
    250-station6.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
    250-XVERP
    250 8BITMIME

Here, the server supports PLAIN, LOGIN, DIGEST-MD5, and CRAM-MD5 password
methods.

The client then chooses the first of these listed methods which it also
supports, and issues an SMTP AUTH request.

For security, PLAIN and LOGIN methods are typically disabled. These two
methods send the credentials in a trivially decodable encoding, making
the username and password issued by the client vulnerable to interception
via a sniffer in between the server and client. Unfortunately, they can't
always be disabled. Some popular SMTP clients, including MS Outlook 5.x,
only support PLAIN authentication, for example.

To limit the login methods offered by the server:

    # disable unsafe password methods
    smtpd_sasl_security_options = noplaintext noanonymous

Available options are:

    noplaintext, which disables LOGIN and PLAIN
    noanonymous, which disables ANON
    nodictionary, which disables methods vulnerable to dictionary attacks
    noactive, which disables methods vulnerable to active attacks

The last two are rarely used, since almost all supported methods are
vulnerable to those attacks ;-).

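
The EHLO exchange above is what a defender reads when checking what a server exposes before STARTTLS, and the two rules the text gives (PLAIN and LOGIN leak the password to a sniffer; the client takes the first server-listed mechanism it supports) are easy to apply mechanically. The script below is an added example, not part of the Red Hat README or of Postfix: it parses a multi-line EHLO reply into keyword and parameters, reports which mechanisms a `noplaintext noanonymous` server would have withheld, and predicts the client's pick. The reply it parses is the server side of the README transcript, re-typed as a constructed string.

```python
"""Parse an ESMTP EHLO response and audit the SASL mechanisms it offers.

Added example; not from the Red Hat README or from Postfix. The sample
response is the server side of the README's telnet transcript, re-typed
here as a string. The audit applies the README's rule of thumb: PLAIN and
LOGIN expose the password to a sniffer, and the client will pick the
first server-listed mechanism it supports.
"""
from typing import Dict, List, Optional

# Constructed from the README transcript (multi-line reply, last line '250 ').
SAMPLE_EHLO_RESPONSE = """\
250-station6.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
"""

# Mechanisms removed by the smtpd_sasl_security_options keywords the README names.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # noplaintext
ANONYMOUS_MECHS = {"ANONYMOUS"}        # noanonymous


def parse_ehlo(response: str) -> Dict[str, List[str]]:
    """Map each EHLO keyword to its parameters.

    Reply lines are '250-KEYWORD params' (more follow) or '250 KEYWORD params'
    (last line). The first line carries the server name, stored as '_greeting'.
    """
    keywords: Dict[str, List[str]] = {}
    lines = [ln for ln in response.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()
        if idx == 0:
            keywords["_greeting"] = [body]
            continue
        parts = body.split()
        keywords[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return keywords


def advertised_auth(keywords: Dict[str, List[str]]) -> List[str]:
    """SASL mechanisms from the AUTH keyword, in the server's order."""
    return keywords.get("AUTH", [])


def client_choice(keywords: Dict[str, List[str]], client_supports: List[str]) -> Optional[str]:
    """The README's rule: the client takes the first server-listed mechanism it supports."""
    supported = {m.upper() for m in client_supports}
    for mech in advertised_auth(keywords):
        if mech in supported:
            return mech
    return None


def audit_ehlo(keywords: Dict[str, List[str]]) -> List[str]:
    """Findings about what the pre-STARTTLS EHLO reply exposes."""
    findings: List[str] = []
    mechs = set(advertised_auth(keywords))
    if not mechs:
        return ["no AUTH keyword: SMTP AUTH is not offered"]
    weak = mechs & PLAINTEXT_MECHS
    if weak:
        findings.append("plaintext mechanisms offered: " + ", ".join(sorted(weak))
                        + " (smtpd_sasl_security_options = noplaintext would remove them)")
    if mechs & ANONYMOUS_MECHS:
        findings.append("ANONYMOUS offered (noanonymous would remove it)")
    if "STARTTLS" not in keywords:
        findings.append("no STARTTLS: every AUTH exchange travels in the clear")
    return findings


if __name__ == "__main__":
    kw = parse_ehlo(SAMPLE_EHLO_RESPONSE)
    print("offered:", advertised_auth(kw))
    print("PLAIN-only client would use:", client_choice(kw, ["PLAIN"]))
    for finding in audit_ehlo(kw):
        print("finding:", finding)
```

Run against the README's reply the audit produces one finding (PLAIN and LOGIN are offered), and a client that supports only CRAM-MD5 and PLAIN still ends up with PLAIN because that is the first entry in the server's list; server-side ordering therefore matters as much as the set of mechanisms.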
Also be aware that some broken clients mis-implement the SMTP AUTH
protocol, and send commands using incorrect syntax (AUTH=foo instead of
the correct AUTH foo). MS Outlook 4.x clients have this bug, among
a legion of others.... If you need to support these clients, use:

    # support braindead MS products
    broken_sasl_auth_clients = yes

To help prevent spoofing, you can also create a map file of SASL login
names which are allowed to use specific envelope sender (MAIL FROM)
addresses. If you choose to do this, you also have to tell Postfix to
reject addresses which don't match login names:

    # prevent spoofing by authenticated users
    reject_sender_login_mismatch
    smtpd_sender_login_maps=type:/path/to/file

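
The sender/login map described above is easy to misread as a one-way check. The decision has two halves: an authenticated client may only use senders the map assigns to its login, and an unauthenticated client may not use a sender the map assigns to anyone. The script below is an added example (not Postfix code and not from the README) that models that decision over a constructed map written in the text form of a hash: table. It assumes exact-address lookups only; Postfix also tries the domain part and other key forms, which this model omits.

```python
"""Model the reject_sender_login_mismatch check driven by smtpd_sender_login_maps.

Added example; this is not Postfix code. It mirrors the documented rule:
an authenticated client may use only envelope senders that the map assigns
to its SASL login, and an unauthenticated client may not use any sender
that the map assigns to someone. Assumptions: lookups are exact address
matches only (Postfix also tries the domain part and other key forms), and
the map is written in the text form of a hash: table.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample map: envelope sender -> SASL login name(s) allowed to use it.
SAMPLE_MAP_TEXT = """\
# sender address        login name(s)
alice@example.com       alice
sales@example.com       alice, bob
bob@example.com         bob
"""


def parse_login_map(text: str) -> Dict[str, List[str]]:
    """Parse 'key value' lines; blank lines and '#' comments are ignored."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        table[key] = [tok for tok in re.split(r"[,\s]+", rest) if tok]
    return table


def check_sender_login(sender: str, sasl_login: Optional[str],
                       table: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return ('OK' | 'REJECT', reason) for one MAIL FROM.

    sasl_login is None for a client that did not authenticate. The reason
    strings are illustrative, not Postfix's own log text.
    """
    owners = table.get(sender.lower())
    if sasl_login is None:
        if owners:
            return "REJECT", f"<{sender}> is owned by {', '.join(owners)} but client is not logged in"
        return "OK", "unauthenticated client, sender not claimed by any login"
    if owners and sasl_login.lower() in [o.lower() for o in owners]:
        return "OK", f"login {sasl_login} owns <{sender}>"
    return "REJECT", f"<{sender}> is not owned by login {sasl_login}"


if __name__ == "__main__":
    table = parse_login_map(SAMPLE_MAP_TEXT)
    for sender, login in [("sales@example.com", "bob"), ("alice@example.com", "bob"),
                          ("alice@example.com", None), ("ceo@example.com", None)]:
        print(sender, login, check_sender_login(sender, login, table))
```

Note the last case: an unauthenticated client using an address that is in nobody's list is not rejected by this check at all; whether such mail is accepted is left to the other restrictions (permit_mynetworks, reject_unauth_destination and so on).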
Configuration of SASL clients is much simpler. Postfix itself can be
made a SASL client; this is typically useful when roaming users run Linux
on their laptop and need to relay mail back through the organization's
main server.

To enable Postfix to act as an SMTP AUTH client, simply add to
/etc/postfix/main.cf:

    # support authentication (RFC 2557) when relaying through a server
    smtp_sasl_auth_enable = yes

and tell Postfix where to find the usernames and passwords it should
use to authenticate:

    # location of passwords for authentication client
    smtp_sasl_password_maps = type:/path/to/file

The file itself should have the format:

    destination username:password

where destination is the name of the server, and username:password are
the username and password which should be presented to that server to
authenticate when connecting to it as a client.

Optionally, the authentication methods to be used can be specified for
the Postfix client, just as they can be for the Postfix server:

    # disable plaintext and anonymous
    smtp_sasl_security_options = noplaintext noanonymous

Many popular end-user MUAs can also be configured as SMTP AUTH clients.
Clients capable of this supplied with Red Hat include pine, Netscape,
and Mozilla.

Other Sources of Documentation:
-------------------------------

    /usr/share/doc/postfix-<version>/README_FILES/SASL_README

Local configuration examples:

    /usr/share/doc/postfix-*/samples

Postfix Howtos, Guides and Tips by Ralf Hildebrandt and Patrick
Koetter can be found at: http://postfix.state-of-mind.de

------------------------------------------------------------------------------

Please send any comments / corrections to Chris Ricker
<kaboom@gatech.edu>. This material can be freely modified and
redistributed. Additional material provided by John Dennis
<jdennis@redhat.com> and Dax Kelson <dax@gurulabs.com>.

README-RedHat.txt (Normal file, 65 lines)
@ -0,0 +1,65 @@
This Postfix build behaves differently from the upstream postfix-3.5.8.
This is because RHEL-8 keeps backward compatibility with postfix-3.3.1.

For the upstream postfix-3.5.8 behavior either run the following commands:

    # postconf info_log_address_format=external
    # postconf smtpd_discard_ehlo_keywords=
    # postconf rhel_ipv6_normalize=yes

Or go through the following steps:

1. Change the configuration option 'info_log_address_format' to 'external'.
   In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109].

2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''.
   In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826].

3. Add the RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it
   to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427].

Details from the upstream RELEASE_NOTES:

[Incompat 20191109]
Postfix daemon processes now log the from= and
to= addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart contains
spaces or other special characters, the localpart will be quoted,
for example:

    from=<"name with spaces"@example.com>

Older Postfix versions would log the internal (unquoted) form:

    from=<name with spaces@example.com>

The external and internal forms are identical for the vast majority
of email addresses that contain no spaces or other special characters
in the localpart.

Specify "info_log_address_format = internal" for backwards
compatibility.

The logging in external form is consistent with the address form
that Postfix 3.2 and later prefer for table lookups. It is therefore
the more useful form for non-debug logging.
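
The difference between the two log forms matters to anyone parsing mail logs with detection rules or pflogsumm-style tools: a from=<...> token in external form may contain a quoted localpart with spaces and escaped characters, while the internal form prints the localpart raw. The script below is an added example (not Postfix code, not part of this README) that renders the same mailbox both ways and parses the quoted form back. It applies the RFC 5321 rule that a dot-atom localpart needs no quotes and anything else is double-quoted with `"` and `\` backslash-escaped; Postfix's own quoting code has further rules this toy does not attempt.

```python
"""Render a mailbox in Postfix's internal (unquoted) or external (quoted)
form, the distinction behind info_log_address_format.

Added example; not Postfix code. The quoting rule applied is the RFC 5321
one: a localpart that is a dot-atom needs no quotes; anything else is
wrapped in double quotes with '"' and '\\' backslash-escaped. Postfix's own
quoting code has further rules this toy does not attempt.
"""
import re
from typing import Tuple

ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")


def split_address(address: str) -> Tuple[str, str]:
    """Split on the last '@' (the domain part cannot contain '@')."""
    localpart, sep, domain = address.rpartition("@")
    return (localpart, domain) if sep else (address, "")


def to_external(localpart: str, domain: str) -> str:
    """Quote the localpart if it is not a plain dot-atom."""
    if DOT_ATOM.match(localpart):
        quoted = localpart
    else:
        escaped = localpart.replace("\\", "\\\\").replace('"', '\\"')
        quoted = f'"{escaped}"'
    return f"{quoted}@{domain}" if domain else quoted


def to_internal(external: str) -> Tuple[str, str]:
    """Undo to_external: strip the quotes and backslash escapes."""
    localpart, domain = split_address(external)
    if len(localpart) >= 2 and localpart[0] == '"' and localpart[-1] == '"':
        localpart = re.sub(r"\\(.)", r"\1", localpart[1:-1])
    return localpart, domain


def log_address(field: str, localpart: str, domain: str,
                info_log_address_format: str = "external") -> str:
    """Format a from=<...> / to=<...> log token the way the two settings would."""
    if info_log_address_format == "external":
        address = to_external(localpart, domain)
    elif info_log_address_format == "internal":
        address = f"{localpart}@{domain}" if domain else localpart
    else:
        raise ValueError(f"unknown info_log_address_format: {info_log_address_format!r}")
    return f"{field}=<{address}>"


if __name__ == "__main__":
    for fmt in ("external", "internal"):
        print(fmt, log_address("from", "name with spaces", "example.com", fmt))
```

A log parser written for the internal form (split on the first `@`, stop at the first space) breaks on the external form, and one written for the external form must handle the quoted localpart; this is the practical reason RHEL-8 keeps `internal` as its default.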

[Incompat 20180826]
The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:

    /etc/postfix/main.cf:
        # The logging alternative:
        smtpd_discard_ehlo_keywords = chunking
        # The non-logging alternative:
        smtpd_discard_ehlo_keywords = chunking, silent_discard

See BDAT_README for more.

[Incompat 20190427]
Postfix now normalizes IP addresses received
with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
with direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match subnets
of an IPv6 address.

pflogsumm-1.1.5-datecalc.patch (Normal file, 15 lines)
@ -0,0 +1,15 @@
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
index 31de5bd..36384dd 100755
--- pflogsumm-1.1.5/pflogsumm.pl
+++ pflogsumm-1.1.5/pflogsumm.pl
@@ -398,8 +398,8 @@ Copyright (C) 1998-2010 by James S. Seymour, Release 1.1.5
use strict;
use locale;
use Getopt::Long;
-eval { require Date::Calc };
-my $hasDateCalc = $@ ? 0 : 1;
+require Date::Calc;
+my $hasDateCalc = 1;

my $mailqCmd = "mailq";
my $release = "1.1.5";
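
Review bot: replacing `eval { require Date::Calc };` with a bare `require Date::Calc;` turns a missing module from a degraded mode into a compile-time death of the whole script, so this hunk only makes sense if the package spec declares a hard dependency on perl(Date::Calc); record that in a patch header, since the diff itself gives no rationale. With `my $hasDateCalc = 1;` now a constant, any later checks on `$hasDateCalc` are dead code and could be removed in the same patch.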

pflogsumm-1.1.5-ipv6-warnings-fix.patch (Normal file, 13 lines)
@ -0,0 +1,13 @@
diff --git pflogsumm-1.1.5/pflogsumm.pl pflogsumm-1.1.5/pflogsumm.pl
index 36384dd..eb527d0 100755
--- pflogsumm-1.1.5/pflogsumm.pl
+++ pflogsumm-1.1.5/pflogsumm.pl
@@ -1536,7 +1536,7 @@ sub gimme_domain {
# split domain/ipaddr into separates
# newer versions of Postfix have them "dom.ain[i.p.add.ress]"
# older versions of Postfix have them "dom.ain/i.p.add.ress"
- unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3})\]/) == 2 ||
+ unless((($domain, $ipAddr) = /^([^\[]+)\[((?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+)\]/) == 2 ||
(($domain, $ipAddr) = /^([^\/]+)\/([0-9a-f.:]+)/i) == 2) {
# more exhaustive method
($domain, $ipAddr) = /^([^\[\(\/]+)[\[\(\/]([^\]\)]+)[\]\)]?:?\s*$/;
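
Review bot: the new alternative `[0-9a-f:]+` in the bracketed regex has no `/i` flag, whereas the slash-form regex on the next line, `/^([^\/]+)\/([0-9a-f.:]+)/i`, is case-insensitive; an IPv6 literal logged with uppercase hex digits would therefore miss the fast path and fall through to the "more exhaustive method" below. Append `i` to the first regex so both branches agree. Note also that `[0-9a-f:]+` is a deliberately loose match (it accepts any run of colons), which is fine for log parsing but deserves a one-line comment.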

pflogsumm-1.1.5-syslog-name-underscore-fix.patch (Normal file, 18 lines)
@ -0,0 +1,18 @@
diff --git a/pflogsumm-1.1.5/pflogsumm.pl b/pflogsumm-1.1.5/pflogsumm.pl
index eb527d0..7e26206 100755
--- a/pflogsumm-1.1.5/pflogsumm.pl
+++ b/pflogsumm-1.1.5/pflogsumm.pl
@@ -503,7 +503,12 @@ $usageMsg =
# Accept either "_"s or "-"s in --switches
foreach (@ARGV) {
last if($_ eq "--");
- tr/_/-/ if(/^--\w/);
+ if (/^--\w/)
+ {
+ my @argspl = split("=", $_, 2);
+ $argspl[0] =~ tr/_/-/;
+ $_ = join("=", @argspl);
+ }
}

# Some pre-inits for convenience
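
Review bot: the new block translates underscores only in the part of the switch before the first `=` and leaves the value alone, which is the right fix for a value such as a syslog name containing `_`, but the comment `# Accept either "_"s or "-"s in --switches` above the loop no longer says so; extend it to state that values after `=` are preserved. A patch header naming the affected switch would also help the next reader, since the hunk gives no context for why the original `tr/_/-/ if(/^--\w/);` was wrong.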

postfix-3.3.3-alternatives.patch (Normal file, 22 lines)
@ -0,0 +1,22 @@
diff --git a/conf/post-install b/conf/post-install
index 25ef7e6..4fd6434 100644
--- a/conf/post-install
+++ b/conf/post-install
@@ -537,6 +537,17 @@ test -n "$create" && {
case $path in
no|no/*) continue;;
esac
+ # Munge paths for alternatives.
+ case $path in
+ /usr/bin/mailq) path=$path.postfix ;;
+ /usr/bin/newaliases) path=$path.postfix ;;
+ /usr/bin/rmail) path=$path.postfix ;;
+ /usr/sbin/sendmail) path=$path.postfix ;;
+ /usr/share/man/man1/mailq.1.gz) path=/usr/share/man/man1/mailq.postfix.1.gz ;;
+ /usr/share/man/man1/newaliases.1.gz) path=/usr/share/man/man1/newaliases.postfix.1.gz ;;
+ /usr/share/man/man5/aliases.5.gz) path=/usr/share/man/man5/aliases.postfix.5.gz ;;
+ /usr/share/man/man8/smtpd.8.gz) path=/usr/share/man/man8/smtpd.postfix.8.gz ;;
+ esac
# Pick up the flags.
case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
case $flags in *c*) create_flag=1;; *) create_flag=;; esac
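
Review bot: the new `case $path in` block hard-codes absolute paths (`/usr/bin/mailq`, `/usr/sbin/sendmail`, `/usr/share/man/man1/mailq.1.gz`, ...) although the postfix-files table later in this commit addresses the same files through `$sendmail_path`, `$mailq_path` and `$manpage_directory`; a build that sets any of those to a non-default location will silently skip the rename and install the unsuffixed names over the alternatives links. Match on the variables instead, or state the assumed Red Hat layout in the comment above the block.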

postfix-3.4.0-files.patch (Normal file, 63 lines)
@ -0,0 +1,63 @@
diff --git a/conf/postfix-files b/conf/postfix-files
index 4ed9d1f..19711d2 100644
--- a/conf/postfix-files
+++ b/conf/postfix-files
@@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755
$meta_directory/dynamicmaps.cf.d:d:root:-:755
$meta_directory/dynamicmaps.cf:f:root:-:644
$meta_directory/main.cf.proto:f:root:-:644
-$meta_directory/makedefs.out:f:root:-:644
$meta_directory/master.cf.proto:f:root:-:644
$meta_directory/postfix-files.d:d:root:-:755
$meta_directory/postfix-files:f:root:-:644
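
Review bot: removing `$meta_directory/makedefs.out:f:root:-:644` takes the file out of the inventory that post-install creates and permission-checks, but the patch carries no header saying whether the RPM stops shipping makedefs.out or installs it by other means; add that one line so the removal can be verified against the spec's %files list.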
@@ -141,18 +140,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u
$sendmail_path:f:root:-:755
$newaliases_path:l:$sendmail_path
$mailq_path:l:$sendmail_path
-$config_directory/LICENSE:f:root:-:644:1
-$config_directory/TLS_LICENSE:f:root:-:644:1
$config_directory/access:f:root:-:644:p1
-$config_directory/aliases:f:root:-:644:p1
-$config_directory/bounce.cf.default:f:root:-:644:1
$config_directory/canonical:f:root:-:644:p1
$config_directory/cidr_table:f:root:-:644:o
$config_directory/generic:f:root:-:644:p1
$config_directory/generics:f:root:-:644:o
$config_directory/header_checks:f:root:-:644:p1
$config_directory/install.cf:f:root:-:644:o
-$config_directory/main.cf.default:f:root:-:644:1
$config_directory/main.cf:f:root:-:644:p
$config_directory/master.cf:f:root:-:644:p
$config_directory/pcre_table:f:root:-:644:o
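
Review bot: five `$config_directory` entries are dropped here (LICENSE, TLS_LICENSE, aliases, bounce.cf.default, main.cf.default), and of these `$config_directory/aliases:f:root:-:644:p1` is the only one that is live configuration; once it is gone post-install will no longer manage that file, so the spec must own it itself. A patch header explaining that these are provided by the package (or intentionally not installed) would let a reviewer confirm nothing is lost.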
||||||
|
@@ -165,8 +159,8 @@ $config_directory/postfix-script:f:root:-:755:o
|
||||||
|
$config_directory/postfix-script-sgid:f:root:-:755:o
|
||||||
|
$config_directory/postfix-script-nosgid:f:root:-:755:o
|
||||||
|
$config_directory/post-install:f:root:-:755:o
|
||||||
|
-$manpage_directory/man1/mailq.1:f:root:-:644
|
||||||
|
-$manpage_directory/man1/newaliases.1:f:root:-:644
|
||||||
|
+$manpage_directory/man1/mailq.postfix.1:f:root:-:644
|
||||||
|
+$manpage_directory/man1/newaliases.postfix.1:f:root:-:644
|
||||||
|
$manpage_directory/man1/postalias.1:f:root:-:644
|
||||||
|
$manpage_directory/man1/postcat.1:f:root:-:644
|
||||||
|
$manpage_directory/man1/postconf.1:f:root:-:644
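Review bot: the man1 entries are renamed to mailq.postfix.1 and newaliases.postfix.1, but `$newaliases_path:l:$sendmail_path` and `$mailq_path:l:$sendmail_path` a few lines up still install the unsuffixed commands. That only fits if the alternatives setup in the spec (suppressed on this page) provides the `mailq.1` and `newaliases.1` links; a comment in postfix-files naming that dependency would keep the two from drifting apart, because when it breaks `man mailq` just resolves to nothing.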
@@ -180,9 +174,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644
$manpage_directory/man1/postmulti.1:f:root:-:644
$manpage_directory/man1/postqueue.1:f:root:-:644
$manpage_directory/man1/postsuper.1:f:root:-:644
-$manpage_directory/man1/sendmail.1:f:root:-:644
+$manpage_directory/man1/sendmail.postfix.1:f:root:-:644
$manpage_directory/man5/access.5:f:root:-:644
-$manpage_directory/man5/aliases.5:f:root:-:644
+$manpage_directory/man5/aliases.postfix.5:f:root:-:644
$manpage_directory/man5/body_checks.5:f:root:-:644
$manpage_directory/man5/bounce.5:f:root:-:644
$manpage_directory/man5/canonical.5:f:root:-:644
@@ -230,7 +224,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644
$manpage_directory/man8/scache.8:f:root:-:644
$manpage_directory/man8/showq.8:f:root:-:644
$manpage_directory/man8/smtp.8:f:root:-:644
-$manpage_directory/man8/smtpd.8:f:root:-:644
+$manpage_directory/man8/smtpd.postfix.8:f:root:-:644
$manpage_directory/man8/spawn.8:f:root:-:644
$manpage_directory/man8/tlsproxy.8:f:root:-:644
$manpage_directory/man8/tlsmgr.8:f:root:-:644
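Review bot: smtpd.8 is the only man8 page given the `.postfix` suffix while smtp.8, spawn.8 and the rest keep their names. If the rename avoids a clash with another package's smtpd(8) page, name that package in a comment so a maintainer can tell when the rename can be dropped; if it is accidental, revert it.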
37
postfix-3.4.0-large-fs.patch
Normal file
@ -0,0 +1,37 @@
diff --git a/src/util/fsspace.c b/src/util/fsspace.c
index 50a4aa7..beef3db 100644
--- a/src/util/fsspace.c
+++ b/src/util/fsspace.c
@@ -91,8 +91,15 @@ void fsspace(const char *path, struct fsspace * sp)

if (statvfs(path, &fsbuf) < 0)
msg_fatal("statvfs %s: %m", path);
- sp->block_size = fsbuf.f_frsize;
- sp->block_free = fsbuf.f_bavail;
+ if (fsbuf.f_frsize > 0)
+ sp->block_size = fsbuf.f_frsize;
+ else
+ sp->block_size = fsbuf.f_bsize;
+ /* 4G of FS blocks is surely enough space to put a mail in */
+ sp->block_free = 0;
+ sp->block_free = ~sp->block_free;
+ if (fsbuf.f_bavail < sp->block_free)
+ sp->block_free = fsbuf.f_bavail;
#endif
if (msg_verbose)
msg_info("%s: %s: block size %lu, blocks free %lu",
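Review bot: the clamp `sp->block_free = 0; sp->block_free = ~sp->block_free;` relies on the field being unsigned (the `%lu` in the msg_info() format below suggests it is), and the comment `/* 4G of FS blocks is surely enough space to put a mail in */` only describes a 32-bit `unsigned long`; on LP64 the clamp is a no-op and the comment is misleading. State the real intent (avoid truncation when `f_bavail` is a `fsblkcnt_t` wider than the field) and write the limit as `~(unsigned long) 0` or the field type's maximum directly instead of the two-statement idiom. The `f_frsize > 0` fallback to `f_bsize` is correct but also deserves a comment saying which filesystems report 0 there.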
diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
index a8d2571..ad07498 100644
--- a/src/util/sys_defs.h
+++ b/src/util/sys_defs.h
@@ -769,8 +769,8 @@ extern int initgroups(const char *, int);
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define FIONREAD_IN_TERMIOS_H
-#define USE_STATFS
-#define STATFS_IN_SYS_VFS_H
+#define USE_STATVFS
+#define STATVFS_IN_SYS_STATVFS_H
#define PREPEND_PLUS_TO_OPTSTRING
#define HAS_POSIX_REGEXP
#define HAS_DLOPEN
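Review bot: this define switch is what makes the fsspace.c hunk above take effect on Linux (the clamp lives in the statvfs branch), so the two hunks are only correct together; the patch has no header text saying that or naming the bug it fixes. Also confirm from more context than `extern int initgroups` and `ROOT_PATH` that the hunk lands in the LINUX block of sys_defs.h, since the same macros are defined per platform and a misplaced hunk would silently change another OS.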
35
postfix-3.4.4-chroot-example-fix.patch
Normal file
@ -0,0 +1,35 @@
--- a/examples/chroot-setup/LINUX2 2006-01-01 15:53:58.000000000 -0800
+++ b/examples/chroot-setup/LINUX2 2016-11-27 00:45:52.145301784 -0800
@@ -45,14 +45,14 @@
# 20060101 /lib64 support by Keith Owens.
#

-CP="cp -p"
+CP="cp -p -Z"

cond_copy() {
# find files as per pattern in $1
# if any, copy to directory $2
dir=`dirname "$1"`
pat=`basename "$1"`
- lr=`find "$dir" -maxdepth 1 -name "$pat"`
+ lr=`find "$dir/" -maxdepth 1 -name "$pat"`
if test ! -d "$2" ; then exit 1 ; fi
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
}
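Review bot: the trailing slash in `find "$dir/"` is the actual fix (without it `find` does not descend into a symlinked directory such as /lib on a merged-/usr system, and `cond_copy` copies nothing), but it reads like a stray edit; add a comment. `cp -p -Z` is GNU-only, which is acceptable for LINUX2, and `-Z` labels the copy with the default SELinux context for its new path under /var/spool/postfix rather than carrying the source label, which is what a chroot copy wants; say that too, since `-p` alone does not touch contexts. Leaving `$1` unquoted in `$CP $1 "$2"` is intentional glob expansion and deserves the same note.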
@@ -63,8 +63,8 @@
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
cd ${POSTFIX_DIR}

-mkdir -p etc lib usr/lib/zoneinfo
-test -d /lib64 && mkdir -p lib64
+mkdir -p -Z etc lib usr/lib/zoneinfo
+test -d /lib64 && mkdir -p -Z lib64

# find localtime (SuSE 5.3 does not have /etc/localtime)
lt=/etc/localtime
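Review bot: `mkdir -p -Z` with no context argument requires coreutils 8.22 or later (older versions expect `-Z CTX`). That is fine for this target, but the file is shipped as the generic examples/chroot-setup/LINUX2, so either guard the flag with a version test or state the requirement in the header comment.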
@@ -88,4 +88,3 @@
cond_copy '/lib64/libdb.so*' lib64
fi

-postfix reload
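Review bot: removing the trailing `postfix reload` is right when the script runs from `ExecStartPre=-/usr/libexec/postfix/chroot-update` in postfix.service on this page (master is not running yet), but the same script is the one an admin runs by hand after resolver or library changes, and then nothing tells the running daemons to re-read the chroot. Put a line in the header comment telling manual users to run `postfix reload` themselves.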
145
postfix-3.5.0-config.patch
Normal file
@ -0,0 +1,145 @@
diff --git a/conf/main.cf b/conf/main.cf
index 7af8bde..495e346 100644
--- a/conf/main.cf
+++ b/conf/main.cf
@@ -132,6 +132,10 @@ mail_owner = postfix
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
+inet_interfaces = localhost
+
+# Enable IPv4, and IPv6 if supported
+inet_protocols = all

# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
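Review bot: `inet_interfaces = localhost` is the right hardening default (no SMTP listener on the network until an admin opts in), but it is added without a comment, so admins who later enable SASL or TLS and see no connections will not know where to look; one line above it would do. `inet_protocols = all` replaces the `inet_protocols = ipv4` removed at the end of this file (hunk `@@ -673,4 +696,41 @@` below): installations that relied on the packaged default now also listen on ::1 and try AAAA targets for outbound delivery, a behavioural change that belongs in the patch header or %changelog. Setting it explicitly is still an improvement, since it silences the compatibility_level warning about the backwards-compatible `ipv4` default.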
@@ -176,7 +180,7 @@ mail_owner = postfix
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
-#mydestination = $myhostname, localhost.$mydomain, localhost
+mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
@@ -398,7 +402,7 @@ unknown_local_recipient_reject_code = 550
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
-#alias_maps = hash:/etc/aliases
+alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases

@@ -409,7 +413,7 @@ unknown_local_recipient_reject_code = 550
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
-#alias_database = hash:/etc/aliases
+alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
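Review bot: `alias_database` now matches `alias_maps` in the previous hunk, as it should, but note that postfix.aliasesdb further down this page decides whether to use its stamp-file logic by comparing `postconf -h alias_database` for exact string equality with `hash:/etc/aliases`; keep this spelling (no trailing spaces, no second map, no `lmdb:`) or that script silently falls back to an unconditional newaliases on every start.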
@@ -479,7 +483,27 @@ unknown_local_recipient_reject_code = 550
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
-#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
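Review bot: the tuning parameters named in the new comment are the wrong ones for the setup it describes. With `mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp` the delivering transport is `lmtp`, so the per-transport knobs are `lmtp_destination_recipient_limit` and `lmtp_destination_concurrency_limit`; `local_destination_*` govern local(8), which no longer handles these messages. Also `prefered` should be `preferred`.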
@@ -499,8 +523,7 @@ unknown_local_recipient_reject_code = 550
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
-#fallback_transport = lmtp:unix:/file/name
-#fallback_transport = cyrus
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =

# The luser_relay parameter specifies an optional destination address
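Review bot: the `#fallback_transport = cyrus` example is dropped here, yet the master.cf hunk below still carries the commented `cyrus ... pipe` service that it referred to; either keep the example or note in the master.cf comment that the service is reached via `mailbox_transport`/`fallback_transport = cyrus`. Using the same socket path as the mailbox_transport example above is good.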
@@ -673,4 +696,41 @@ sample_directory =
# readme_directory: The location of the Postfix README files.
#
readme_directory =
-inet_protocols = ipv4
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
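Review bot: two points. First, nothing in this patch creates /etc/pki/tls/certs/postfix.pem or /etc/pki/tls/private/postfix.key (presumably the suppressed postfix.spec does); if either is missing, smtpd at `smtpd_tls_security_level = may` only logs a warning and disables STARTTLS, so a packaging slip turns into silent plaintext rather than a failed start, and since the key is loaded before smtpd drops privileges it should be root-owned with mode 0600. Second, `smtp_tls_CApath = /etc/pki/tls/certs` only works if that directory holds c_rehash-style hashed symlinks, which the bundle file alone does not provide, and with `smtp_tls_security_level = may` neither CA setting influences delivery anyway (no verification happens at that level); the comments should say these only matter once a per-destination policy raises the level to `verify` or `secure`, otherwise readers will assume outbound mail is verified.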
diff --git a/conf/master.cf b/conf/master.cf
index c0f2508..05c5d07 100644
--- a/conf/master.cf
+++ b/conf/master.cf
@@ -98,14 +98,14 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
-# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
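Review bot: `/usr/lib/cyrus-imapd/deliver` is a distribution-specific path with no arch-dependent libdir; it is only a commented example, but verify it against what the cyrus-imapd package on this target actually installs and reference that in the patch header, since a stale example path is exactly the kind of thing that survives several rebases.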
158
postfix-3.5.8-back-compat-3.3.1.patch
Normal file
@ -0,0 +1,158 @@
diff --git a/src/global/mail_params.c b/src/global/mail_params.c
index 91c70f7..483613c 100644
--- a/src/global/mail_params.c
+++ b/src/global/mail_params.c
@@ -379,6 +379,8 @@ int warn_compat_break_smtputf8_enable;
int warn_compat_break_chroot;
int warn_compat_break_relay_restrictions;

+bool var_rhel_ipv6_normalize;
+
/* check_myhostname - lookup hostname and validate */

static const char *check_myhostname(void)
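Review bot: `rhel_ipv6_normalize` is a new vendor-specific main.cf parameter, but the patch adds no postconf.proto text, so `man 5 postconf` will never mention it and `postconf -d` will list it without explanation. Add a short entry (purpose, default, which upstream behaviour it toggles) and a comment next to this declaration pointing at the smtpd.c hunks that consume it.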
@@ -825,6 +827,7 @@ void mail_params_init()
VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids,
VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8,
VAR_ENABLE_ORCPT, DEF_ENABLE_ORCPT, &var_enable_orcpt,
+ VAR_RHEL_IPV6_NORMALIZE, DEF_RHEL_IPV6_NORMALIZE, &var_rhel_ipv6_normalize,
0,
};
const char *cp;
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index e4358ca..74459d9 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -3153,7 +3153,7 @@ extern char *var_local_rwr_clients;
* EHLO keyword filter.
*/
#define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords"
-#define DEF_SMTPD_EHLO_DIS_WORDS ""
+#define DEF_SMTPD_EHLO_DIS_WORDS "chunking"
extern char *var_smtpd_ehlo_dis_words;

#define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_discard_ehlo_keyword_address_maps"
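Review bot: changing the compiled-in default of `smtpd_discard_ehlo_keywords` to `chunking` hides BDAT/CHUNKING from every client unless an admin explicitly writes `smtpd_discard_ehlo_keywords =` in main.cf; there is no way to get the upstream default back by deleting a line, and `postconf -d` will disagree with the upstream documentation. If the goal is to keep the 3.3.1 EHLO response for compatibility, put the setting in the packaged main.cf (postfix-3.5.0-config.patch on this page), where it is visible, reversible and can carry a comment, rather than in mail_params.h.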
@@ -4199,9 +4199,13 @@ extern int var_postlogd_watchdog;
#define INFO_LOG_ADDR_FORM_NAME_INTERNAL "internal"

#define VAR_INFO_LOG_ADDR_FORM "info_log_address_format"
-#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL
+#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_INTERNAL
extern char *var_info_log_addr_form;

+#define VAR_RHEL_IPV6_NORMALIZE "rhel_ipv6_normalize"
+#define DEF_RHEL_IPV6_NORMALIZE 0
+extern bool var_rhel_ipv6_normalize;
+
/* LICENSE
/* .ad
/* .fi
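Review bot: two compiled defaults change here. `DEF_INFO_LOG_ADDR_FORM` going back to `internal` restores the pre-3.5 address spelling in logs, so parsers tuned to upstream 3.5 output will see the old form; that needs a changelog line. More importantly, `DEF_RHEL_IPV6_NORMALIZE 0` makes upstream 3.5's normalization of XCLIENT/XFORWARD-supplied addresses opt-in: with it off, the smtpd.c hunks below store whatever textual IPv6 form the proxy sent, and upstream's stated reason for normalizing was that check_client_access lookups and logging should see the same canonical form as for a direct connection. An access-map entry written canonically may therefore fail to match an equivalent but differently spelled address arriving through a proxy when this is 0. Document that trade-off with the parameter and recommend `rhel_ipv6_normalize = yes` for hosts that combine XCLIENT/XFORWARD with IPv6 access maps.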
diff --git a/src/smtpd/smtpd.c b/src/smtpd/smtpd.c
index da7227f..53e640e 100644
--- a/src/smtpd/smtpd.c
+++ b/src/smtpd/smtpd.c
@@ -4334,6 +4334,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
SMTPD_TOKEN *argp;
char *raw_value;
char *attr_value;
+ const char *bare_value;
char *attr_name;
int update_namaddr = 0;
int name_status;
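Review bot: `bare_value` is declared without an initializer, assigned only inside the `!var_rhel_ipv6_normalize` arm of a `||` condition further down, and read later under the same flag; that is correct but fragile, and compilers will flag it as maybe-uninitialized. Initialize it to 0 here (and in xforward_cmd below).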
@@ -4481,15 +4482,31 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
UPDATE_STR(state->addr, attr_value);
UPDATE_STR(state->rfc_addr, attr_value);
} else {
- neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, &state->rfc_addr,
+ if (var_rhel_ipv6_normalize) {
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
+ }
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value, &state->rfc_addr,
&state->addr,
- &state->addr_family) < 0) {
+ &state->addr_family) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_ADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->addr, bare_value);
+ UPDATE_STR(state->rfc_addr, attr_value);
+#ifdef HAS_IPV6
+ if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
+ sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0)
+ state->addr_family = AF_INET6;
+ else
+#endif
+ state->addr_family = AF_INET;
+ }
}
update_namaddr = 1;
}
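Review bot: the removed lines show `neuter(attr_value, NEUTER_CHARACTERS, '?')` running unconditionally before the syntax check; the new code runs it only when `var_rhel_ipv6_normalize` is set, so in the default (off) mode the `501 5.5.4 Bad %s syntax: %s` reply echoes `attr_value` without that filtering. valid_mailhost_addr() still rejects malformed input, but there is no reason to drop the filter, and the XFORWARD hunk below keeps it unconditional, so this is an inconsistency rather than a design choice. Beyond that, the combined `(A && f() < 0) || (!A && g() == 0)` condition plus three separate `if (var_rhel_ipv6_normalize)` tests is hard to audit; two straight branches (normalize path, legacy path) sharing one error exit would make the neuter placement obvious.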
@@ -4569,17 +4586,25 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
attr_value = SERVER_ADDR_UNKNOWN;
UPDATE_STR(state->dest_addr, attr_value);
} else {
+ if (var_rhel_ipv6_normalize) {
#define NO_NORM_RFC_ADDR ((char **) 0)
#define NO_NORM_ADDR_FAMILY ((int *) 0)
- neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
+ neuter(attr_value, NEUTER_CHARACTERS, '?');
+ }
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
&state->dest_addr,
- NO_NORM_ADDR_FAMILY) < 0) {
+ NO_NORM_ADDR_FAMILY) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_DESTADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->dest_addr, bare_value);
+ }
}
/* XXX Require same address family as client address. */
}
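Review bot: the two `#define NO_NORM_RFC_ADDR` / `#define NO_NORM_ADDR_FAMILY` lines now sit textually inside the `if (var_rhel_ipv6_normalize) {` block while still being used outside it, including in the XFORWARD hunk below; the preprocessor does not care about block scope, but a reader will, so hoist them above the `if`. The conditional `neuter()` has the same problem as in the client-address hunk above.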
@@ -4690,6 +4715,7 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
SMTPD_TOKEN *argp;
char *raw_value;
char *attr_value;
+ const char *bare_value;
char *attr_name;
int updated = 0;
static const NAME_CODE xforward_flags[] = {
@@ -4808,15 +4834,22 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
UPDATE_STR(state->xforward.addr, attr_value);
} else {
neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value,
+ if ((var_rhel_ipv6_normalize &&
+ normalize_mailhost_addr(attr_value,
&state->xforward.rfc_addr,
&state->xforward.addr,
- NO_NORM_ADDR_FAMILY) < 0) {
+ NO_NORM_ADDR_FAMILY) < 0) ||
+ (!var_rhel_ipv6_normalize &&
+ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIP
E)) == 0)) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XFORWARD_ADDR, attr_value);
return (-1);
}
+ if (!var_rhel_ipv6_normalize) {
+ UPDATE_STR(state->xforward.addr, bare_value);
+ UPDATE_STR(state->xforward.rfc_addr, attr_value);
+ }
}
break;

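Review bot: here `neuter()` stays unconditional, which is the behaviour the two XCLIENT hunks above should match. Note also that with normalization off `state->xforward.rfc_addr` keeps the proxy's spelling, including any `IPv6:` prefix, which then surfaces in Received: headers and logging; that is the pre-3.5 behaviour this patch wants, but it belongs in the parameter's documentation so log consumers know both forms can occur.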
13
postfix-3.5.8-whitespace-name-fix.patch
Normal file
@ -0,0 +1,13 @@
diff --git a/src/cleanup/cleanup_message.c b/src/cleanup/cleanup_message.c
index 391c711..be5ce42 100644
--- a/src/cleanup/cleanup_message.c
+++ b/src/cleanup/cleanup_message.c
@@ -773,6 +773,8 @@ static void cleanup_header_done_callback(void *context)
/* Normalize whitespace. */
token = tok822_scan_limit(state->fullname, &dummy_token,
var_token_limit);
+ if (!token)
+ token = tok822_alloc(TOK822_QSTRING, state->fullname);
} else {
token = tok822_alloc(TOK822_QSTRING, state->fullname);
}
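Review bot: the new fallback turns a null return into a single quoted-string token built from the raw `state->fullname`. That is right for the whitespace-only name this patch presumably targets, but a null from `tok822_scan_limit()` is also what must be checked for input that exceeds `var_token_limit`; if it returns null in that case too, the fallback wraps an oversized name into one QSTRING and the limit no longer bounds the header. Add a comment stating which case the fallback is for, and a patch header line with the upstream reference, since there is none.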
4
postfix-chroot-update
Normal file
@ -0,0 +1,4 @@
#!/bin/bash

[ -x /etc/postfix/chroot-update ] && exec /etc/postfix/chroot-update
exit 0
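Review bot: the `-x` test means a hook that exists but is not executable (an admin copying examples/chroot-setup/LINUX2 into /etc/postfix/chroot-update without chmod) is skipped silently and the chroot goes stale; add an `elif [ -e /etc/postfix/chroot-update ]` branch that logs a warning. `exec` is right: the hook's exit status becomes this wrapper's, and `exit 0` only covers the no-hook case.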
3
postfix-pam.conf
Normal file
@ -0,0 +1,3 @@
#%PAM-1.0
auth include password-auth
account include password-auth
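Review bot: the file is fine as an auth-only PAM stack (no password or session lines are needed), but its installed name matters more than its content: saslauthd authenticates Postfix's SMTP AUTH under the PAM service name `smtp`, so this must land as /etc/pam.d/smtp. That presumably happens in the suppressed postfix.spec; a first-line comment here stating the intended install path would save the next reader a search.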
2
postfix-sasl.conf
Normal file
@ -0,0 +1,2 @@
pwcheck_method: saslauthd
mech_list: plain login
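Review bot: `mech_list: plain login` with `pwcheck_method: saslauthd` means every mechanism offered sends the password in the clear, and nothing in postfix-3.5.0-config.patch on this page sets `smtpd_tls_auth_only = yes`, so with `smtpd_tls_security_level = may` a client can authenticate over an unencrypted session. Either the config patch should add `smtpd_tls_auth_only = yes` or this file should document that requirement. Also state where the file is installed (the Cyrus SASL plugin directory, as smtpd.conf to match `smtpd_sasl_path`), since the name here does not say.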
20
postfix.aliasesdb
Normal file
@ -0,0 +1,20 @@
#!/bin/bash

ALIASESDB_STAMP=/var/lib/misc/postfix.aliasesdb-stamp

make_aliasesdb() {
if [ "$(/usr/sbin/postconf -h alias_database)" == "hash:/etc/aliases" ]
then
# /etc/aliases.db may be used by other MTA, make sure nothing
# has touched it since our last newaliases call
[ /etc/aliases -nt /etc/aliases.db ] ||
[ "$ALIASESDB_STAMP" -nt /etc/aliases.db ] ||
[ "$ALIASESDB_STAMP" -ot /etc/aliases.db ] || return 0
/usr/bin/newaliases
touch -r /etc/aliases.db "$ALIASESDB_STAMP"
else
/usr/bin/newaliases
fi
}

make_aliasesdb
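Review bot: both branches call the alternatives-managed `/usr/bin/newaliases`, which on a host where the `mta` alternative points elsewhere may be another MTA's tool; since the script already asks `postconf -h alias_database`, build the map with Postfix's own `/usr/sbin/postalias "$(/usr/sbin/postconf -h alias_database)"` instead. The three `-nt`/`-ot` tests amount to "aliases is newer than aliases.db, or the stamp's mtime differs from aliases.db" and the comment should say so. `touch -r` runs even when newaliases fails, so a syntax error in /etc/aliases is masked; chain it with `&&` so the failure is at least logged (the unit uses `ExecStartPre=-`, so startup is unaffected either way).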
22
postfix.service
Normal file
@ -0,0 +1,22 @@
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
PrivateTmp=true
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
ProtectSystem=true
PrivateDevices=true
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid/master.pid
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target
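Review bot: `After=syslog.target` is a stale dependency (the target no longer exists in current systemd; logging goes through the journal and the syslog socket) and can go. `ProtectSystem=true` rather than `full` looks deliberate, because the aliasesdb ExecStartPre writes /etc/aliases.db; record that in a comment so nobody later tightens it to `full` and breaks alias rebuilds. `restorecon -R` on a single pid file does not need `-R`. Worth considering, since none of them conflict with what this unit does: `ProtectKernelTunables=true`, `ProtectControlGroups=true`, `RestrictRealtime=true`, `SystemCallArchitectures=native`.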
1704
postfix.spec
Normal file
File diff suppressed because it is too large
2
sources
Normal file
@ -0,0 +1,2 @@
SHA512 (pflogsumm-1.1.5.tar.gz) = 994d660692dfea38a1dd9866d15f15035657e85131c1f5a2cd82baa5bd4ad987a00939cb5233f316d2090014c52ae68ef20db0c893f8634969484e0e74678f4d
SHA512 (postfix-3.5.8.tar.gz) = 0abb07d99e343b76e6a26b4a090af9d592f4dfd03c8c737cc72bfb0f4267dafcbb0cb0aa7b6255f8b834c9289d89a5c47b167be3758239309937cb77e0d9464b
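Review bot: these SHA512 pins are the only integrity check the build performs on the tarballs, and nothing on this page records that postfix-3.5.8.tar.gz was checked against upstream's PGP signature (or which key) before its hash was written down. Add that step, with the key fingerprint used, to the import notes; otherwise a substituted tarball whose hash was updated in the same commit passes every check here.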