mail-mta/postfix: Revision bump, fix runtime failures with libressl

The libressl patch allowed postfix to compile, but TLS was failing
to initialize at runtime. This makes postfix actually work with
libressl rather than simply compile.

Patch constructed from a set of diffs on the FreeBSD git.

Package-Manager: portage-2.3.1

2 files changed, 411 insertions, 0 deletions

diff --git a/mail-mta/postfix/files/postfix-libressl-runtime.patch b/mail-mta/postfix/files/postfix-libressl-runtime.patch
new file mode 100644
index 000000000000..814088610a8d
--- /dev/null
+++ b/mail-mta/postfix/files/postfix-libressl-runtime.patch
@@ -0,0 +1,102 @@
+--- src/posttls-finger/posttls-finger.c.orig	2016-08-27 20:27:50 UTC
++++ src/posttls-finger/posttls-finger.c
+@@ -1511,7 +1511,8 @@ static int finger(STATE *state)
+     return (0);
+ }
+ 
+-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if defined(USE_TLS) && \
++    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+ 
+ /* ssl_cleanup - free memory allocated in the OpenSSL library */
+ 
+@@ -1958,7 +1959,8 @@ int     main(int argc, char *argv[])
+     cleanup(&state);
+ 
+     /* OpenSSL 1.1.0 and later (de)initialization is implicit */
+-#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if defined(USE_TLS) && \
++    ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+     ssl_cleanup();
+ #endif
+ 
+--- src/tls/tls_client.c.orig	2016-08-27 20:27:50 UTC
++++ src/tls/tls_client.c
+@@ -299,7 +299,7 @@ TLS_APPL_STATE *tls_client_init(const TL
+      */
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * Initialize the OpenSSL library by the book! To start with, we must
+@@ -441,7 +441,7 @@ TLS_APPL_STATE *tls_client_init(const TL
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * According to the OpenSSL documentation, temporary RSA key is needed
+--- src/tls/tls_dane.c.orig	2016-08-27 20:27:50 UTC
++++ src/tls/tls_dane.c
+@@ -2163,7 +2163,7 @@ static SSL_CTX *ctx_init(const char *CAf
+     tls_param_init();
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     SSL_load_error_strings();
+     SSL_library_init();
+ #endif
+--- src/tls/tls_rsa.c.orig	2016-01-03 14:49:51 UTC
++++ src/tls/tls_rsa.c
+@@ -57,7 +57,7 @@
+  /*
+   * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+   */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ /* tls_tmp_rsa_cb - call-back to generate ephemeral RSA key */
+ 
+@@ -109,7 +109,7 @@ int     main(int unused_argc, char *cons
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     RSA    *rsa;
+ 
+     msg_vstream_init(argv[0], VSTREAM_ERR);
+--- src/tls/tls_server.c.orig	2016-08-27 20:27:50 UTC
++++ src/tls/tls_server.c
+@@ -174,7 +174,7 @@ static const char server_session_id_cont
+ #endif					/* OPENSSL_VERSION_NUMBER */
+ 
+  /* OpenSSL 1.1.0 bitrot */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ typedef const unsigned char *session_id_t;
+ 
+ #else
+@@ -377,7 +377,7 @@ TLS_APPL_STATE *tls_server_init(const TL
+      */
+     tls_check_version();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * Initialize the OpenSSL library by the book! To start with, we must
+@@ -588,7 +588,7 @@ TLS_APPL_STATE *tls_server_init(const TL
+     /*
+      * 2015-12-05: Ephemeral RSA removed from OpenSSL 1.1.0-dev
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+     /*
+      * According to OpenSSL documentation, a temporary RSA key is needed when
diff --git a/mail-mta/postfix/postfix-3.1.2-r1.ebuild b/mail-mta/postfix/postfix-3.1.2-r1.ebuild
new file mode 100644
index 000000000000..15f8e1dcaf6a
--- /dev/null
+++ b/mail-mta/postfix/postfix-3.1.2-r1.ebuild
@@ -0,0 +1,309 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit flag-o-matic pam systemd toolchain-funcs user
+
+MY_PV="${PV/_rc/-RC}"
+MY_SRC="${PN}-${MY_PV}"
+MY_URI="ftp://ftp.porcupine.org/mirrors/postfix-release/official"
+RC_VER="2.7"
+
+DESCRIPTION="A fast and secure drop-in replacement for sendmail"
+HOMEPAGE="http://www.postfix.org/"
+SRC_URI="${MY_URI}/${MY_SRC}.tar.gz"
+
+LICENSE="IBM"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="+berkdb cdb doc dovecot-sasl +eai hardened ldap ldap-bind libressl lmdb memcached mbox mysql nis pam postgres sasl selinux sqlite ssl"
+
+DEPEND=">=dev-libs/libpcre-3.4
+	dev-lang/perl
+	berkdb? ( >=sys-libs/db-3.2:* )
+	cdb? ( || ( >=dev-db/tinycdb-0.76 >=dev-db/cdb-0.75-r4 ) )
+	eai? ( dev-libs/icu:= )
+	ldap? ( net-nds/openldap )
+	ldap-bind? ( net-nds/openldap[sasl] )
+	lmdb? ( >=dev-db/lmdb-0.9.11 )
+	mysql? ( virtual/mysql )
+	pam? ( virtual/pam )
+	postgres? ( dev-db/postgresql:* )
+	sasl? (  >=dev-libs/cyrus-sasl-2 )
+	sqlite? ( dev-db/sqlite:3 )
+	ssl? (
+		!libressl? ( dev-libs/openssl:0 )
+		libressl? ( dev-libs/libressl )
+	)"
+
+RDEPEND="${DEPEND}
+	dovecot-sasl? ( net-mail/dovecot )
+	memcached? ( net-misc/memcached )
+	net-mail/mailbase
+	!mail-mta/courier
+	!mail-mta/esmtp
+	!mail-mta/exim
+	!mail-mta/mini-qmail
+	!mail-mta/msmtp[mta]
+	!mail-mta/netqmail
+	!mail-mta/nullmailer
+	!mail-mta/qmail-ldap
+	!mail-mta/sendmail
+	!mail-mta/opensmtpd
+	!<mail-mta/ssmtp-2.64-r2
+	!>=mail-mta/ssmtp-2.64-r2[mta]
+	!net-mail/fastforward
+	selinux? ( sec-policy/selinux-postfix )"
+
+REQUIRED_USE="ldap-bind? ( ldap sasl )"
+
+S="${WORKDIR}/${MY_SRC}"
+
+pkg_setup() {
+	# Add postfix, postdrop user/group (bug #77565)
+	enewgroup postfix 207
+	enewgroup postdrop 208
+	enewuser postfix 207 -1 /var/spool/postfix postfix,mail
+}
+
+src_prepare() {
+	default
+	sed -i -e "/^#define ALIAS_DB_MAP/s|:/etc/aliases|:/etc/mail/aliases|" \
+		src/util/sys_defs.h || die "sed failed"
+	# change default paths to better comply with portage standard paths
+	sed -i -e "s:/usr/local/:/usr/:g" conf/master.cf || die "sed failed"
+	eapply -p0 "${FILESDIR}/${PN}-libressl.patch"
+	eapply -p0 "${FILESDIR}/${PN}-libressl-runtime.patch"
+}
+
+src_configure() {
+	for name in CDB LDAP LMDB MYSQL PCRE PGSQL SDBM SQLITE
+	do
+		local AUXLIBS_${name}=""
+	done
+
+	# Make sure LDFLAGS get passed down to the executables.
+	local mycc="-DHAS_PCRE" mylibs="${LDFLAGS} -ldl"
+	AUXLIBS_PCRE="$(pcre-config --libs)"
+
+	use pam && mylibs="${mylibs} -lpam"
+
+	if use ldap; then
+		mycc="${mycc} -DHAS_LDAP"
+		AUXLIBS_LDAP="-lldap -llber"
+	fi
+
+	if use mysql; then
+		mycc="${mycc} -DHAS_MYSQL $(mysql_config --include)"
+		AUXLIBS_MYSQL="$(mysql_config --libs)"
+	fi
+
+	if use postgres; then
+		mycc="${mycc} -DHAS_PGSQL -I$(pg_config --includedir)"
+		AUXLIBS_PGSQL="-L$(pg_config --libdir) -lpq"
+	fi
+
+	if use sqlite; then
+		mycc="${mycc} -DHAS_SQLITE"
+		AUXLIBS_SQLITE="-lsqlite3 -lpthread"
+	fi
+
+	if use ssl; then
+		mycc="${mycc} -DUSE_TLS"
+		mylibs="${mylibs} -lssl -lcrypto"
+	fi
+
+	if use lmdb; then
+		mycc="${mycc} -DHAS_LMDB"
+		AUXLIBS_LMDB="-llmdb -lpthread"
+	fi
+
+	if ! use eai; then
+		mycc="${mycc} -DNO_EAI"
+	fi
+
+	# broken. and "in other words, not supported" by upstream.
+	# Use inet_protocols setting in main.cf
+	#if ! use ipv6; then
+	#	mycc="${mycc} -DNO_IPV6"
+	#fi
+
+	if use sasl; then
+		if use dovecot-sasl; then
+			# Set dovecot as default.
+			mycc="${mycc} -DDEF_SASL_SERVER=\\\"dovecot\\\""
+		fi
+		if use ldap-bind; then
+			mycc="${mycc} -DUSE_LDAP_SASL"
+		fi
+		mycc="${mycc} -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl"
+		mylibs="${mylibs} -lsasl2"
+	elif use dovecot-sasl; then
+		mycc="${mycc} -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""
+	fi
+
+	if ! use nis; then
+		mycc="${mycc} -DNO_NIS"
+	fi
+
+	if ! use berkdb; then
+		mycc="${mycc} -DNO_DB"
+		if use cdb; then
+			# change default hash format from Berkeley DB to cdb
+			mycc="${mycc} -DDEF_DB_TYPE=\\\"cdb\\\""
+		fi
+	fi
+
+	if use cdb; then
+		mycc="${mycc} -DHAS_CDB -I/usr/include/cdb"
+		# Tinycdb is preferred.
+		if has_version dev-db/tinycdb ; then
+			einfo "Building with dev-db/tinycdb"
+			AUXLIBS_CDB="-lcdb"
+		else
+			einfo "Building with dev-db/cdb"
+			CDB_PATH="/usr/$(get_libdir)"
+			for i in cdb.a alloc.a buffer.a unix.a byte.a ; do
+				AUXLIBS_CDB="${AUXLIBS_CDB} ${CDB_PATH}/${i}"
+			done
+		fi
+	fi
+
+	# Robin H. Johnson <robbat2@gentoo.org> 17/Nov/2006
+	# Fix because infra boxes hit 2Gb .db files that fail a 32-bit fstat signed check.
+	mycc="${mycc} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+	filter-lfs-flags
+
+	# Workaround for bug #76512
+	if use hardened; then
+		[[ "$(gcc-version)" == "3.4" ]] && replace-flags -O? -Os
+	fi
+
+	# Remove annoying C++ comment style warnings - bug #378099
+	append-flags -Wno-comment
+
+	sed -i -e "/^RANLIB/s/ranlib/$(tc-getRANLIB)/g" "${S}"/makedefs
+	sed -i -e "/^AR/s/ar/$(tc-getAR)/g" "${S}"/makedefs
+
+	emake makefiles shared=yes dynamicmaps=no pie=yes \
+		shlib_directory="/usr/$(get_libdir)/postfix/MAIL_VERSION" \
+		DEBUG="" CC="$(tc-getCC)" OPT="${CFLAGS}" CCARGS="${mycc}" AUXLIBS="${mylibs}" \
+		AUXLIBS_CDB="${AUXLIBS_CDB}" AUXLIBS_LDAP="${AUXLIBS_LDAP}" \
+		AUXLIBS_LMDB="${AUXLIBS_LMDB}" AUXLIBS_MYSQL="${AUXLIBS_MYSQL}" \
+		AUXLIBS_PCRE="${AUXLIBS_PCRE}" AUXLIBS_PGSQL="${AUXLIBS_PGSQL}" \
+		AUXLIBS_SQLITE="${AUXLIBS_SQLITE}"
+}
+
+src_install () {
+	local myconf
+	use doc && myconf="readme_directory=\"/usr/share/doc/${PF}/readme\" \
+		html_directory=\"/usr/share/doc/${PF}/html\""
+
+	LD_LIBRARY_PATH="${S}/lib" \
+	/bin/sh postfix-install \
+		-non-interactive \
+		install_root="${D}" \
+		config_directory="/etc/postfix" \
+		manpage_directory="/usr/share/man" \
+		command_directory="/usr/sbin" \
+		mailq_path="/usr/bin/mailq" \
+		newaliases_path="/usr/bin/newaliases" \
+		sendmail_path="/usr/sbin/sendmail" \
+		${myconf} \
+		|| die "postfix-install failed"
+
+	# Fix spool removal on upgrade
+	rm -Rf "${D}"/var
+	keepdir /var/spool/postfix
+
+	# Install rmail for UUCP, closes bug #19127
+	dobin auxiliary/rmail/rmail
+
+	# Provide another link for legacy FSH
+	dosym /usr/sbin/sendmail /usr/$(get_libdir)/sendmail
+
+	# Install qshape and posttls-finger
+	dobin auxiliary/qshape/qshape.pl
+	doman man/man1/qshape.1
+	dobin bin/posttls-finger
+	doman man/man1/posttls-finger.1
+
+	# Performance tuning tools and their manuals
+	dosbin bin/smtp-{source,sink} bin/qmqp-{source,sink}
+	doman man/man1/smtp-{source,sink}.1 man/man1/qmqp-{source,sink}.1
+
+	# Set proper permissions on required files/directories
+	dodir /var/lib/postfix
+	keepdir /var/lib/postfix
+	fowners -R postfix:postfix /var/lib/postfix
+	fperms 0750 /var/lib/postfix
+	fowners root:postdrop /usr/sbin/post{drop,queue}
+	fperms 02711 /usr/sbin/post{drop,queue}
+
+	keepdir /etc/postfix
+	if use mbox; then
+		mypostconf="mail_spool_directory=/var/spool/mail"
+	else
+		mypostconf="home_mailbox=.maildir/"
+	fi
+	LD_LIBRARY_PATH="${S}/lib" \
+	"${D}"/usr/sbin/postconf -c "${D}"/etc/postfix \
+		-e ${mypostconf} || die "postconf failed"
+
+	insinto /etc/postfix
+	newins "${FILESDIR}"/smtp.pass saslpass
+	fperms 600 /etc/postfix/saslpass
+
+	newinitd "${FILESDIR}"/postfix.rc6.${RC_VER} postfix
+	# do not start mysql/postgres unnecessarily - bug #359913
+	use mysql || sed -i -e "s/mysql //" "${D}/etc/init.d/postfix"
+	use postgres || sed -i -e "s/postgresql //" "${D}/etc/init.d/postfix"
+
+	dodoc *README COMPATIBILITY HISTORY PORTING RELEASE_NOTES*
+	use doc && mv "${S}"/examples "${D}"/usr/share/doc/${PF}/
+
+	pamd_mimic_system smtp auth account
+
+	if use sasl; then
+		insinto /etc/sasl2
+		newins "${FILESDIR}"/smtp.sasl smtpd.conf
+	fi
+
+	# header files
+	insinto /usr/include/postfix
+	doins include/*.h
+
+	# Keep config_dir clean
+	rm -f "${D}"/etc/postfix/{*LICENSE,access,aliases,canonical,generic}
+	rm -f "${D}"/etc/postfix/{header_checks,relocated,transport,virtual}
+
+	if has_version mail-mta/postfix; then
+		# let the sysadmin decide when to change the compatibility_level
+		sed -i -e /^compatibility_level/"s/^/#/" "${D}"/etc/postfix/main.cf || die
+	fi
+
+	systemd_dounit "${FILESDIR}/${PN}.service"
+}
+
+pkg_postinst() {
+	if [[ ! -e /etc/mail/aliases.db ]] ; then
+		ewarn
+		ewarn "You must edit /etc/mail/aliases to suit your needs"
+		ewarn "and then run /usr/bin/newaliases. Postfix will not"
+		ewarn "work correctly without it."
+		ewarn
+	fi
+
+	# configure tls
+	if use ssl ; then
+		if "${EROOT}"/usr/sbin/postfix tls all-default-client; then
+			elog "To configure client side TLS settings:"
+			elog "${EROOT}"usr/sbin/postfix tls enable-client
+		fi
+		if "${EROOT}"/usr/sbin/postfix tls all-default-server; then
+			elog "To configure server side TLS settings:"
+			elog "${EROOT}"usr/sbin/postfix tls enable-server
+		fi
+	fi
+}