postfix-lmdb: fix build issue with glibc 2.34; add more restriction DB checks

2021-09-15 16:51:01 +02:00 · 2021-09-15 16:51:01 +02:00 · 306ab79303
commit 306ab79303
parent e9c148a706
9 changed files with 102 additions and 33 deletions
--- a/postfix-lmdb/.signature
+++ b/postfix-lmdb/.signature
@ -1,15 +1,18 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF39bkSvldtd/SVdx+xx3/eNfYpWu8wQN39lwEQ5KTnKSOllpvtKo+qZCxvpJ1Y4xxuMAHd1ai/zjQLvfYb+zFZw0=
-SHA256 (Pkgfile) = f8619f91dc10a51b2f50f1ee7523ad961092be53bf9ee9ac71545e8aafe0138a
+RWSagIOpLGJF3xVKFyl74o/CWPcktzQbYC7i6VGVJ7Nvj6qVGhCk6g9tXb5KmwDOCznI8Rery/ABmKeYQAABl7BPkBdtdStlyQw=
+SHA256 (Pkgfile) = 85789a7f4b4ad2cd351a9deb394d954cb3d48160f343a12f1b363e7e5392d71f
 SHA256 (.footprint) = c4bef46624508b9105e8c5816c322560a560c09e9c5507509eb95c886d52a387
 SHA256 (postfix-3.6.2.tar.gz) = 507323d20d7b3f705f49cf8c07d437c6d8090bed07e15a3c0ec405edad54a7d4
 SHA256 (lmdb-default.patch) = 11f42333ae0640a3ca579463ed28007973693b93bc734b5d82225fcb516bf05e
 SHA256 (postfix-install.patch) = 7185d2b2e4d7cc090b958c1d372c16e15f274465e2123686a0d97db20e2b5943
-SHA256 (post-install) = b459d6e4c56384c24d5f3473964ed6442b2c501406745d1fd46c6b453e393138
+SHA256 (closefrom.patch) = e7b07aefa319c67b0b44a95a5701f3ef3d35d8e58c126de841ec2e4b16b29c8f
+SHA256 (post-install) = 2d7a4e57ea09916dba84bc388399dce162756809c2e914b54d617faeda89161c
 SHA256 (postfix.rc) = 5ac60205a95faf4633c64bc60d2689f654b997932e3bbc1204b66df7b5dce1d2
-SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a
 SHA256 (README) = a51f96a1f17cdc075d307c44f146e761e0c795812710b1db6e049b7bdee84210
+SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a
 SHA256 (relay_clientcerts) = 2aa69a949c06826e2f5a760791fb5cebb37e6797613270fd11381c33afa38297
-SHA256 (sender_restrict) = b83ab2c27d6966876c6cfa7f12d5c3d3065fb11507a69199ce8d30a757217e4c
-SHA256 (main-addon.cf) = 5d4b2e895c6a80b97923170170277adb1a4f44e7c8c726981e653d3d0097e013
-SHA256 (master.patch) = 2554c5e37ae7a87ee771aa46502aa99bf3668da0bbf3313664dd63e9336e794b
+SHA256 (client_restrict) = 9496a99f6714625c5883a41f8a5f9db8aa43199ef2167c18d83a2b39469622e3
+SHA256 (sender_access) = c9b9b86c985facdc18e6bfe436c78340174fc315478e578d82c956e35355e678
+SHA256 (sender_restrict) = 9b672511eac1971f8cd72b045e200aac8e0fe6407f1a055085fc1b85c1f24ed7
+SHA256 (main-addon.cf) = 3ab7e6882fbd302a95cfe7476c162fe63e0989c2be235778daabd871184f1fbb
+SHA256 (master.patch) = 062960dbabd1ae4890d7bb3dc364215f5755c04d1a2d6138f9871dbd66301009
--- a/postfix-lmdb/Pkgfile
+++ b/postfix-lmdb/Pkgfile
@ -7,12 +7,18 @@
 rname=postfix
 name=postfix-lmdb
 version=3.6.2
-release=1
+release=2
 source=(
   https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
-   lmdb-default.patch postfix-install.patch post-install
+   lmdb-default.patch
+   postfix-install.patch
+   closefrom.patch
+   post-install
   ${rname}.rc
-   aliases README relay_clientcerts sender_restrict
+   README 
+   aliases
+   relay_clientcerts
+   client_restrict sender_access sender_restrict
   main-addon.cf master.patch
 )

@ -21,6 +27,7 @@ build() {

   patch -p1 < "${SRC}"/lmdb-default.patch
   patch -p1 < "${SRC}"/postfix-install.patch
+   patch -p1 < "${SRC}"/closefrom.patch

   cca='-DNO_DB -DNO_EAI -DNO_NIS -DNO_NISPLUS '
   cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\" -DHAS_PCRE -DUSE_TLS'
--- a/postfix-lmdb/client_restrict
+++ b/postfix-lmdb/client_restrict
@ -0,0 +1,2 @@
+# See access(5) for format (REJECT,OK,HOLD,DUNNO)
+
--- a/postfix-lmdb/closefrom.patch
+++ b/postfix-lmdb/closefrom.patch
@ -0,0 +1,40 @@
+diff -ru postfix-3.6.2.orig/src/util/sys_compat.c postfix-3.6.2/src/util/sys_compat.c
+--- postfix-3.6.2.orig/src/util/sys_compat.c	2021-09-15 16:42:06.337124020 +0200
+++ postfix-3.6.2/src/util/sys_compat.c	2021-09-15 16:43:00.893791647 +0200
+@@ -286,7 +286,7 @@
+ 
+ /* closefrom() - closes all file descriptors from the given one up */
+ 
+-int     closefrom(int lowfd)
+void     closefrom(int lowfd)
+ {
+     int     fd_limit = open_limit(0);
+     int     fd;
+@@ -298,14 +298,12 @@
+      */
+     if (lowfd < 0) {
+ 	errno = EBADF;
+-	return (-1);
+	return;
+     }
+     if (fd_limit > 500)
+ 	fd_limit = 500;
+     for (fd = lowfd; fd < fd_limit; fd++)
+ 	(void) close(fd);
+-
+-    return (0);
+ }
+ 
+ #endif
+diff -ru postfix-3.6.2.orig/src/util/sys_defs.h postfix-3.6.2/src/util/sys_defs.h
+--- postfix-3.6.2.orig/src/util/sys_defs.h	2021-09-15 16:42:06.337124020 +0200
+++ postfix-3.6.2/src/util/sys_defs.h	2021-09-15 16:42:34.500457851 +0200
+@@ -1509,7 +1509,7 @@
+ #endif
+ 
+ #ifndef HAS_CLOSEFROM
+-extern int closefrom(int);
+extern void closefrom(int);
+ 
+ #endif
+ 
--- a/postfix-lmdb/main-addon.cf
+++ b/postfix-lmdb/main-addon.cf
@ -61,12 +61,13 @@ relay_domains = $mynetworks,$transport_maps
 # Only localhost for mailing-lists etc.; maybe $mynetworks?
 smtpd_authorized_verp_clients = 127.0.0.1

-# Clients which are allowed to invoke commands
+# Clients connection checks
 smtpd_client_restrictions =
 #  permit_inet_interfaces, OR
   permit_mynetworks,
 #RELAY   permit_tls_clientcerts,
-#  permit_sasl_authenticated,
+#[RELAY]  permit_sasl_authenticated,
+   check_client_access lmdb:/etc/postfix-lmdb/client_restrict,
   reject_unknown_client_hostname,
   # in case you want reject DNS blacklists rather than greylist them
   # with gross, exchange sleep (maybe) and uncomment the lines below
@ -89,11 +90,22 @@ smtpd_helo_restrictions =
 #  permit_inet_interfaces, OR
   permit_mynetworks,
 #RELAY   permit_tls_clientcerts,
-#  permit_sasl_authenticated,
+#[RELAY]  permit_sasl_authenticated,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname

+# MAIL FROM Checks
+smtpd_sender_restrictions =
+#  permit_inet_interfaces, OR
+   permit_mynetworks,
+#RELAY   permit_tls_clientcerts,
+#[RELAY]  permit_sasl_authenticated,
+    # Total no-goes database, eg: qq.com reject
+   check_sender_access lmdb:/etc/postfix-lmdb/sender_restrict,
+   reject_unknown_sender_domain,
+   permit
+
 smtpd_relay_before_recipient_restrictions = yes

 # RCPT TO checks, relay policy
@ -120,20 +132,16 @@ smtpd_recipient_restrictions =
   reject_unknown_sender_domain,
   reject_unknown_reverse_client_hostname,
   reject_unknown_recipient_domain,
+   # (SMTPD_POLICY_README says
+   #   reject_unauth_destination is not needed here if the mail relay policy is
+   #   specified with smtpd_relay_restrictions (available with Postfix 2.10 and
+   #   later))
   reject_unauth_destination,
-   # better not reject_unverified_sender,
-   #check_policy_service inet:127.0.0.1:5525,
-   permit
-
-# MAIL FROM Checks
-smtpd_sender_restrictions =
-#  permit_inet_interfaces, OR
-   permit_mynetworks,
-#RELAY   permit_tls_clientcerts,
-#[RELAY]  permit_sasl_authenticated,
-    # Eg: qq.com reject
-   lmdb:/etc/postfix-lmdb/sender_restrict,
-   reject_unknown_sender_domain,
+   # better not: reject_unverified_sender,
+   # DB of MAIL FROM's without policy server checks (one way, or another)
+   check_sender_access lmdb:/etc/postfix-lmdb/sender_access,
+   #check_policy_service unix:/run/greylistd.socket,
+   ##check_policy_service inet:127.0.0.1:5525,
   permit

 # i would turn that on..
@ -195,7 +203,8 @@ smtp_tls_security_level = may
 smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
 smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
 smtp_tls_protocols = $smtpd_tls_protocols
-#SMART When only relaying to smarthost, the next can be =high !?!
+#SMART When only relaying to smarthost, the next should be =high
+#SMART smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
 smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
 smtp_tls_ciphers = $smtpd_tls_ciphers
--- a/postfix-lmdb/master.patch
+++ b/postfix-lmdb/master.patch
@ -1,6 +1,6 @@
--- master.cf.orig	2021-04-12 20:30:45.650213781 +0200
-+++ master.cf	2021-04-12 20:32:34.676882357 +0200
-@@ -10,6 +10,18 @@
+--- master.cf.orig	2021-09-15 16:42:06.307124019 +0200
+++ master.cf	2021-09-15 16:47:11.560462685 +0200
+@@ -10,6 +10,20 @@
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 smtp      inet  n       -       n       -       -       smtpd
@ -8,14 +8,16 @@
 +#TLS   -o smtpd_tls_security_level=may
 +#TLS   -o smtpd_sasl_auth_enable=no
 +#TLS submission inet n       -       n       -       -       smtpd
+#TLS  -o syslog_name=postfix/submission
 +#TLS  -o smtpd_tls_security_level=encrypt
 +#TLS  -o smtpd_sasl_auth_enable=yes
 +#TLS # This was SMTPS aka :465. I use it as that.
 +#TLS submissions     inet  n       -       n       -       -       smtpd
+#TLS  -o syslog_name=postfix/submissions
 +#TLS  -o smtpd_tls_wrappermode=yes
 +#TLS  -o smtpd_sasl_auth_enable=no
 +tlsproxy  unix  -       -       n       -       0       tlsproxy
-+   -o tlsproxy_tls_security_level=encrypt
+  -o tlsproxy_tls_security_level=encrypt
 #smtp      inet  n       -       n       -       1       postscreen
 #smtpd     pass  -       -       n       -       -       smtpd
 #dnsblog   unix  -       -       n       -       0       dnsblog
--- a/postfix-lmdb/post-install
+++ b/postfix-lmdb/post-install
@ -51,5 +51,8 @@ p_i upgrade-permissions

 /usr/sbin/postalias /etc/${name}/aliases

-/usr/sbin/postmap lmdb:/etc/${name}/sender_restrict
 /usr/sbin/postmap lmdb:/etc/${name}/relay_clientcerts
+
+/usr/sbin/postmap lmdb:/etc/${name}/client_restrict
+/usr/sbin/postmap lmdb:/etc/${name}/sender_access
+/usr/sbin/postmap lmdb:/etc/${name}/sender_restrict
--- a/postfix-lmdb/sender_access
+++ b/postfix-lmdb/sender_access
@ -0,0 +1,3 @@
+# See access(5) for format (REJECT,OK,HOLD,DUNNO)
+
+crux.nu OK
--- a/postfix-lmdb/sender_restrict
+++ b/postfix-lmdb/sender_restrict
@ -1,3 +1,3 @@
-# See access(5) for format
+# See access(5) for format (REJECT,OK,HOLD,DUNNO)

 qq.com reject
				`@ -0,0 +1,2 @@`
				`# See access(5) for format (REJECT,OK,HOLD,DUNNO)`