Both Postfix ports are broken when built with LibreSSL since today's updates, due to OPENSSL_VERSION_NUMBER checks introduced by Postfix to prepare for OpenSSL 1.1.0 release compatibility. This broke my mailservers badly (no more SSL/TLS/STARTTLS) today and I had to switch from LibreSSL back to OpenSSL and recompile a whole bunch of ports as a workaround :(
Hi Markus, Is your ports tree up to date? The patches are in the ports tree as far as I know. Check for patch-src_tls_tls.h Alternatively, can you share build logs? Cheers, Bernard.
Hi Bernard, yes, the ports tree is up-to-date. Looking at ftp://ftp.pca.dfn.de/pub/tools/net/postfix/official/postfix-3.1-patch02.gz I count at least six checks for OPENSSL_VERSION_NUMBER while the patch-src_tls_tls.h only fixes one. So there are five more to fix. Cheers, Markus
Just looked at some of them, not _all_ need changing... E.g. LibreSSL also added TLS_client_method... Are you saying it builds OK but is not OK when run? What is the behaviour?
After updating postfix today (built without error, linked against security/libressl) I got messages like these in maillog every time a user tried to sasl_auth:

Aug 28 20:15:58 devgate postfix/smtpd[74237]: warning: Digest algorithm "md5" not found
Aug 28 20:19:11 devgate postfix/submission/smtpd[87336]: warning: Digest algorithm "md5" not found

Then I found out that there was no ssl/tls working anymore, so the whole mail traffic (incoming/outgoing) was completely unencrypted :( I then looked at the original update-patch for postfix-3.1.2 (linked above) at postfix.org and found the OPENSSL_VERSION_NUMBER checks, which I recently fixed in the mysql57-server port. Opened this bug asap and am now hoping for a fix.
grepping the source gives:

# grep -rn 'OPENSSL_VERSION_NUMBER < 0x1010' postfix-3.1.2
postfix-3.1.2/src/tls/tls.h:92:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_client.c:302:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_client.c:444:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_dane.c:2166:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_rsa.c:60:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_rsa.c:112:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_server.c:380:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_server.c:591:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/posttls-finger/posttls-finger.c:1514:#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/posttls-finger/posttls-finger.c:1961:#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L

hth
Created attachment 174167: buildlog postfix libressl. I did a quick rebuild of postfix against libressl again to provide the requested buildlog.
Same issue for me.
Created attachment 174175: svn diff for mail/postfix. Patch to fix OPENSSL_VERSION_NUMBER checks where required. The SSLv23_method to TLS_method changes are NOT required; LibreSSL implements TLS_method as well.
Created attachment 174176: Poudriere testport log with patch applied. Built successfully. Not checked functionally!
I'll test the runtime today asap when time permits.
Build is OK, but runtime fails again:

Aug 29 11:25:01 devnoip postfix/smtp[63985]: warning: Digest algorithm "md5" not found
Aug 29 11:25:01 devnoip postfix/smtp[63985]: warning: disabling TLS support
Aug 29 11:25:01 devnoip postfix/smtp[63985]: 3sN5pP1YjkzdG5f: to=<admin@domain.tld>, orig_to=<postmaster>, relay=mail.domain.tld[2a01:4f8:xxxx:yyyy::2]:587, delay=0.35, delays=0.01/0.02/0.28/0.03, dsn=5.7.0, status=bounced (host mail.domain.tld[2a01:4f8:xxxx:yyyy::2] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Created attachment 174199: quick & dirty patch. This is a quick & dirty patch that builds and doesn't break runtime. Not sure if this is the right way to go, but at least it currently works. HTH
Hi Markus, How is that patch different apart from checking for OPENSSL_VERSION_NUMBER == 0x2 instead of defined(LIBRESSL_VERSION_NUMBER)? Cheers, Bernard.
Created attachment 174202: svn diff for mail/postfix. Sorry Markus, I checked the delta between your patch and mine and discovered grave logic errors in mine... "<1.1" AND "Libre" doesn't match, but "<1.1" OR "Libre" will! Attached another patch; can you please check if that's OK? If so I can commit the changes to the tree. Cheers, Bernard.
Poudriere testport log here: https://brnrd.eu/poudriere/data/103amd64-svn/2016-08-29_21h14m25s/logs/postfix-3.1.2,1.log
A commit references this bug:

Author: brnrd
Date: Mon Aug 29 19:23:50 UTC 2016
New revision: 421091
URL: https://svnweb.freebsd.org/changeset/ports/421091

Log:
mail/postfix: Fix runtime issues with LibreSSL

- Add LibreSSL checks to <> 1.1.0 OpenSSL checks
- Bump portrevision

PR: 212223
Submitted by: Markus Kohlmeier <rootservice@gmail.com>
Reported by: Markus Kohlmeier <rootservice@gmail.com>
Approved by: ohauer (via PR)
MFH: 2016Q3

Changes:
head/mail/postfix/Makefile
head/mail/postfix/files/patch-src_posttls-finger_posttls-finger.c
head/mail/postfix/files/patch-src_tls_tls__client.c
head/mail/postfix/files/patch-src_tls_tls__dane.c
head/mail/postfix/files/patch-src_tls_tls__rsa.c
head/mail/postfix/files/patch-src_tls_tls__server.c
Committed as per Olli Hauer's request/approval (via email)
Committed too early :( There is a typo (missing L) in head/mail/postfix/files/patch-src_tls_tls__dane.c. And it doesn't fix the runtime problem. I really don't know why checking "OPENSSL_VERSION_NUMBER == 0x200000L" works and "defined(LIBRESSL_VERSION_NUMBER)" doesn't, but according to opensslv.h in the LibreSSL source, LibreSSL will always declare OPENSSL_VERSION_NUMBER as 0x200000L regardless of LIBRESSL_VERSION_NUMBER, and some/most/all(?) other sources linking against OpenSSL/LibreSSL currently check only against OPENSSL_VERSION_NUMBER, sometimes only against OPENSSL_MAJOR_VERSION (like MySQL, for example). Maybe LIBRESSL_VERSION_NUMBER is not exported (correctly) by LibreSSL or is otherwise not accessible during checking/linking? I'm not a programmer. All I can say is that my patch works (buildtime *and runtime*) for me and yours doesn't. Just tell me if and how I can provide more help/info and I'll try my best. But keep in mind that I currently have only production systems, so I'm probably limited in some points.
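Added example, not part of this PR or the FreeBSD ports tree: a shell scan that flags the two ways the version checks discussed above go wrong on a LibreSSL build. LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so a bare `OPENSSL_VERSION_NUMBER < 0x10100000L` test is false there and selects the OpenSSL 1.1.0 code path; the guard the committed patches add is `|| defined(LIBRESSL_VERSION_NUMBER)`, and the first patch's `&&` form can never be true. The input file is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example: find OpenSSL 1.1.0 version checks that a LibreSSL build would
# evaluate wrongly. The fixture below is constructed, not taken from Postfix.

# Lines that test for "< 1.1.0" with no LibreSSL guard at all. LibreSSL reports
# OPENSSL_VERSION_NUMBER 0x20000000L, so these take the OpenSSL 1.1.0 branch.
unguarded_checks() {
    grep -n 'OPENSSL_VERSION_NUMBER < 0x10100000L' "$1" \
        | grep -v 'LIBRESSL_VERSION_NUMBER'
}

# Lines whose guard uses && rather than ||: "< 1.1.0 AND LibreSSL" is false on
# both OpenSSL and LibreSSL, so the legacy branch is never compiled.
wrong_guards() {
    grep -n 'OPENSSL_VERSION_NUMBER < 0x10100000L.*&&.*defined(LIBRESSL_VERSION_NUMBER)' "$1"
}

# Count the lines a scanner function reports (0 when it reports nothing).
count_lines() { "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample: two unguarded checks, one correct guard, one && guard,
# and one ">=" check that is not part of the problem.
write_fixture() {
    cat > "$1" <<'EOF'
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(LIBRESSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EOF
}

# Usage: sh scan.sh path/to/source.c
if [ $# -gt 0 ]; then
    echo "Unguarded 1.1.0 checks in $1:"; unguarded_checks "$1" || true
    echo "Guards using && (never true on LibreSSL) in $1:"; wrong_guards "$1" || true
fi
```

Run it over a whole tree with `find src -name '*.[ch]' -exec sh scan.sh {} \;`; a clean tree prints no lines under either heading.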
Sorry, I had tested the wrong server :( Your last/committed patch works, but the typo has to be corrected. Sorry again.
A commit references this bug:

Author: brnrd
Date: Tue Aug 30 05:54:02 UTC 2016
New revision: 421102
URL: https://svnweb.freebsd.org/changeset/ports/421102

Log:
mail/postfix: Fix typo in LibreSSL patch

- Fix DANE support with LibreSSL

PR: 212223
Reported by: Markus Kohlmeyer <rootservice@gmail.com>

Changes:
head/mail/postfix/Makefile
head/mail/postfix/files/patch-src_tls_tls__dane.c
A commit references this bug:

Author: brnrd
Date: Tue Aug 30 06:07:11 UTC 2016
New revision: 421104
URL: https://svnweb.freebsd.org/changeset/ports/421104

Log:
mail/postfix-current: Fix runtime TLS failure with LibreSSL

- Add LibreSSL checks to <> 1.1.0 OpenSSL checks
- Bump portrevision

PR: 212223
Submitted by: Markus Kohlmeier <rootservice@gmail.com>
Reported by: Markus Kohlmeier <rootservice@gmail.com>
Approved by: ohauer (via mail)
MFH: 2016Q3

Changes:
head/mail/postfix-current/Makefile
head/mail/postfix-current/files/patch-src_posttls-finger_posttls-finger.c
head/mail/postfix-current/files/patch-src_tls_tls__client.c
head/mail/postfix-current/files/patch-src_tls_tls__dane.c
head/mail/postfix-current/files/patch-src_tls_tls__rsa.c
head/mail/postfix-current/files/patch-src_tls_tls__server.c
A commit references this bug:

Author: brnrd
Date: Sun Sep 11 09:03:27 UTC 2016
New revision: 421811
URL: https://svnweb.freebsd.org/changeset/ports/421811

Log:
MFH: r421091

mail/postfix: Fix runtime issues with LibreSSL

- Add LibreSSL checks to <> 1.1.0 OpenSSL checks
- Bump portrevision

PR: 212223
Submitted by: Markus Kohlmeier <rootservice@gmail.com>
Reported by: Markus Kohlmeier <rootservice@gmail.com>
Approved by: ohauer (via PR)
Approved by: ports-secteam (delphij)

Changes:
_U branches/2016Q3/
branches/2016Q3/mail/postfix/Makefile
branches/2016Q3/mail/postfix/files/patch-src_posttls-finger_posttls-finger.c
branches/2016Q3/mail/postfix/files/patch-src_tls_tls__client.c
branches/2016Q3/mail/postfix/files/patch-src_tls_tls__dane.c
branches/2016Q3/mail/postfix/files/patch-src_tls_tls__rsa.c
branches/2016Q3/mail/postfix/files/patch-src_tls_tls__server.c