opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

mail/postfix: Upstream version Postfix 3.6 not compatible with LibreSSL #128

Closed windgmbh closed 1 year ago

windgmbh commented 3 years ago

The HardenedBSD ports tree already includes Postfix 3.6.0. In order to include this version in OPNsense, we require OpenSSL and LibreSSL compatibility.

As stated in Postfix' 3.6.0 release notes, it will require the OpenSSL 1.1.1 API. The release notes of the most recent LibreSSL 3.3.3 indicate that "OpenSSL 1.1 TLSv1.3 API is not yet available".

For this reason, compilation with LibreSSL will fail with several errors/warnings:

```bash
--- tls_misc.o ---
tls_misc.c:892:28: error: use of undeclared identifier 'TLS1_3_VERSION'
    if (SSL_version(ssl) < TLS1_3_VERSION)
                           ^
tls_misc.c:895:9: warning: implicit declaration of function 'SSL_get_peer_tmp_key' is invalid in C99 [-Wimplicit-function-declaration]
    if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
        ^
./tls.h:103:32: note: expanded from macro 'tls_get_peer_dh_pubkey'
#define tls_get_peer_dh_pubkey SSL_get_peer_tmp_key
                               ^
tls_misc.c:925:17: warning: implicit declaration of function 'SSL_get_signature_nid' is invalid in C99 [-Wimplicit-function-declaration]
    if (srvr || SSL_get_signature_nid(ssl, &nid))
                ^
tls_misc.c:1010:6: warning: implicit declaration of function 'SSL_get_peer_signature_nid' is invalid in C99 [-Wimplicit-function-declaration]
    if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
        ^
3 warnings and 2 errors generated.
*** [tls_misc.o] Error code 1

make[3]: stopped in /usr/obj/usr/ports/mail/postfix/work/postfix-3.6.0/src/tls
--- tls_client.o ---
tls_client.c:459:10: warning: implicit declaration of function 'SSL_add1_host' is invalid in C99 [-Wimplicit-function-declaration]
        if (SSL_add1_host(ssl, name))
            ^
tls_client.c:467:10: warning: implicit declaration of function 'SSL_add1_host' is invalid in C99 [-Wimplicit-function-declaration]
        if (SSL_add1_host(ssl, dot_name))
            ^
tls_client.c:539:6: warning: implicit declaration of function 'SSL_dane_enable' is invalid in C99 [-Wimplicit-function-declaration]
    if (SSL_dane_enable(TLScontext->con, 0) <= 0) {
        ^
tls_client.c:546:2: warning: implicit declaration of function 'SSL_dane_set_flags' is invalid in C99 [-Wimplicit-function-declaration]
        SSL_dane_set_flags(TLScontext->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
        ^
tls_client.c:546:38: error: use of undeclared identifier 'DANE_FLAG_NO_DANE_EE_NAMECHECKS'
        SSL_dane_set_flags(TLScontext->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
                                            ^
tls_client.c:561:38: error: use of undeclared identifier 'DANE_FLAG_NO_DANE_EE_NAMECHECKS'
        SSL_dane_set_flags(TLScontext->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
                                            ^
tls_client.c:709:9: warning: implicit declaration of function 'SSL_CTX_dane_enable' is invalid in C99 [-Wimplicit-function-declaration]
    if (SSL_CTX_dane_enable(client_ctx) <= 0) {
        ^
tls_client.c:1069:2: warning: implicit declaration of function 'SSL_set_security_level' is invalid in C99 [-Wimplicit-function-declaration]
    SSL_set_security_level(TLScontext->con, 1);
    ^
6 warnings and 2 errors generated.
*** [tls_client.o] Error code 1

make[3]: stopped in /usr/obj/usr/ports/mail/postfix/work/postfix-3.6.0/src/tls
2 errors

make[3]: stopped in /usr/obj/usr/ports/mail/postfix/work/postfix-3.6.0/src/tls
*** [update] Error code 1

make[2]: stopped in /usr/obj/usr/ports/mail/postfix/work/postfix-3.6.0
1 error

make[2]: stopped in /usr/obj/usr/ports/mail/postfix/work/postfix-3.6.0
===>  Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/mail/postfix
*** Error code 1

Stop.
make: stopped in /usr/ports/mail/postfix
```

In OpenBSD's ports, which use LibreSSL as well, mail/postfix/snapshot (should be Postfix 3.6.0) is disabled at the moment, because of incompatibility. They say:

2021-04-13 14:43:11 by Stuart Henderson

update postfix/stable to 3.5.10, ok Brad naddy@ various null pointer-related fixes, also present in postfix/snapshot but that will require some diffing and backporting as upstream has removed support for libressl and older openssl.

2021-05-04 08:42:48 by Stuart Henderson

Disable postfix/snapshot for now, it is currently stuck at 2020-06-27 as newer versions on the 3.6 branch require OpenSSL 1.1.1. ok Brad (maintainer).
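The build log above only surfaces the missing OpenSSL 1.1.1 API one compilation unit at a time. The following preflight script is an added example, not part of the OPNsense ports tree, Postfix, or any comment in this thread: it scans a TLS library's installed `openssl/` headers for every identifier that the failing `tls_misc.c` and `tls_client.c` compiles report as undeclared, and fails fast with the full list before a port build is started. Checking for the symbols rather than for a version number is deliberate: it is the presence of the TLS 1.3 / DANE API that matters, whichever LibreSSL or OpenSSL release provides it. The function names `tls_lib_flavour` and `postfix36_tls_preflight` are this example's own, and the assumption that `opensslv.h` carries `LIBRESSL_VERSION*` or `OPENSSL_VERSION*` macros is how both projects' headers are laid out, but verify it against the tree you point the script at.

```shell
#!/bin/sh
# Added preflight check (not from the OPNsense ports tree or Postfix):
# scan a TLS library's public headers for the OpenSSL 1.1.1 identifiers that
# the Postfix 3.6.0 build log reports as undeclared under LibreSSL 3.3.3.
#
# Usage: sh preflight.sh /usr/local/include/openssl

# Identifier list taken from the failing tls_misc.c / tls_client.c compiles.
POSTFIX36_REQUIRED_SYMS="TLS1_3_VERSION SSL_get_peer_tmp_key SSL_get_signature_nid \
SSL_get_peer_signature_nid SSL_add1_host SSL_dane_enable SSL_dane_set_flags \
DANE_FLAG_NO_DANE_EE_NAMECHECKS SSL_CTX_dane_enable SSL_set_security_level"

# Report which library the header directory belongs to.
# Assumption: LibreSSL defines LIBRESSL_VERSION_* and OpenSSL defines
# OPENSSL_VERSION_* in opensslv.h (true for both projects' shipped headers).
tls_lib_flavour() {
    dir=$1
    if grep -q 'LIBRESSL_VERSION' "$dir/opensslv.h" 2>/dev/null; then
        echo libressl
    elif grep -q 'OPENSSL_VERSION' "$dir/opensslv.h" 2>/dev/null; then
        echo openssl
    else
        echo unknown
    fi
}

# Print the required identifiers that no *.h file under $dir declares, one
# per line. Exit status: 0 all present, 1 at least one missing, 2 bad dir.
postfix36_tls_preflight() {
    dir=$1
    [ -d "$dir" ] || { echo "no such include dir: $dir" >&2; return 2; }
    missing=""
    for sym in $POSTFIX36_REQUIRED_SYMS; do
        # -w matches whole words: '_' is a word character, so the presence of
        # SSL_CTX_dane_enable does not count as a hit for SSL_dane_enable.
        if ! grep -qw "$sym" "$dir"/*.h 2>/dev/null; then
            missing="$missing $sym"
        fi
    done
    if [ -n "$missing" ]; then
        for sym in $missing; do echo "$sym"; done
        return 1
    fi
    return 0
}

# Script entry point: only runs when a header directory is given on the
# command line, so the functions can also be sourced from another script.
if [ "$#" -eq 1 ]; then
    echo "library: $(tls_lib_flavour "$1")"
    if report=$(postfix36_tls_preflight "$1"); then
        echo "all Postfix 3.6 TLS identifiers are declared under $1"
    else
        printf 'not usable for Postfix 3.6, undeclared identifiers:\n%s\n' "$report"
        exit 1
    fi
fi
```

Header presence is a proxy, not proof: a header can declare a function that the matching library does not export, or guard it behind a feature macro, so treat a clean run as permission to attempt the port build, not as a substitute for it. A run against a LibreSSL 3.3.x tree should list `TLS1_3_VERSION` and the DANE identifiers; against OpenSSL 1.1.1 it should list nothing.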

Camo30 commented 2 years ago

The release notes of the recent LibreSSL 3.4.1 indicate that support for OpenSSL 1.1.1 TLSv1.3 APIs have been added. Last recent release is LibreSSL 3.4.2.

fraenki commented 1 year ago

AFAICT, this issue can be closed, because the LibreSSL flavour has been discontinued.

windgmbh commented 1 year ago

> AFAICT, this issue can be closed, because the LibreSSL flavour has been discontinued.

I agree. It does not matter whether the issue is resolved or not; it simply isn't OPNsense's problem anymore.

fichtner commented 1 year ago

@windgmbh would you mind redoing the postfix update or is a PR still open?