mail-filter/spamassassin: new revision with LibreSSL and spamd fixes.

This new revision adds another patch for upstream bugs 7093/7199. The
sslv3 option for spamd didn't do what it was supposed to do, and
moreover, it broke LibreSSL which no longer supports SSLv3. The patch
removes the option and makes it an error. There is a simple fix for
users, to remove the --ssl-version option if they are using it. Thanks
to Reuben Farrelly for reporting the issue.

The second round of changes addresses a few old Gentoo bugs regarding
the spamd init scripts and configuration. First, the init script was
missing a call to "checkpath" to ensure that the PID file had some
place to live. That's now fixed. Second, it used to be the case that
some configuration was necessary if you opted to run spamd as a
non-root user. That is no longer the case, so all of the documentation
surrounding that issue has been removed, and the config/init scripts
greatly simplified. Finally, a SPAMD_TIMEOUT option was added to allow
spamd a little bit of time when restarting or shutting down.

Peter Gantner, Juan David Ibáñez Palomar, Marcin Mirosław, Frieder
Bürzele, and a few other people helped out on those bugs. Thanks!

Gentoo-Bug: 322025
Gentoo-Bug: 455604
Gentoo-Bug: 523960
Upstream-Bug: 7093
Upstream-Bug: 7199

Package-Manager: portage-2.2.28

mail-filter/spamassassin/files/3.4.1-spamd.conf

@@ -0,0 +1,25 @@
+# Config file for /etc/init.d/spamd
+#
+# ***WARNING***
+#
+# spamd was not designed to listed to an untrusted network. spamd
+# is vulnerable to DoS attacks (and eternal doom) if used to listen
+# to an untrusted network.
+#
+# ***WARNING***
+#
+
+# Additional options to pass to the spamd daemon. The spamd(1) man
+# page explains the available options. If you choose to listen on a
+# non-default interface, you will need to use OpenRC's "rc_need"
+# mechanism to ensure that your interface comes up before spamd
+# starts. The openrc-run(8) man page describes rc_need.
+SPAMD_OPTS="--max-children=5 --create-prefs --helper-home-dir"
+
+# Sets the 'nice' level of the spamd process.
+SPAMD_NICELEVEL=0
+
+# How long (in seconds) should we wait for spamd to stop after we've
+# asked it to? After this amount of time, if spamd is still running,
+# we will assume that it has failed to stop.
+SPAMD_TIMEOUT=15

mail-filter/spamassassin/files/3.4.1-spamd.init

@@ -0,0 +1,56 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+PIDDIR=/run/spamd
+PIDFILE=${PIDDIR}/spamd.pid
+
+extra_started_commands="reload"
+
+depend() {
+ before mta
+ use logger
+@USEPOSTGRES@ use postgresql
+@USEMYSQL@ use mysql
+}
+
+start() {
+ ebegin "Starting spamd"
+
+ # Ensure that the PID file's directory exists.
+ checkpath --directory "${PIDDIR}"
+
+ # Reloading spamd causes its PID to change, so we track it by
+ # name instead.
+ start-stop-daemon --start --quiet \
+ --name spamd \
+ --nicelevel ${SPAMD_NICELEVEL} \
+ --pidfile ${PIDFILE} \
+ --exec /usr/sbin/spamd -- \
+ --daemonize \
+ --pidfile=${PIDFILE} \
+ ${SPAMD_OPTS}
+
+ retval=$?
+
+ eend ${retval} "Failed to start spamd"
+}
+
+stop() {
+ ebegin "Stopping spamd"
+ # Retry after SPAMD_TIMEOUT seconds because spamd can take a
+ # while to kill off all of its children. This was bug 322025.
+ start-stop-daemon --stop \
+ --quiet \
+ --retry ${SPAMD_TIMEOUT} \
+ --pidfile ${PIDFILE}
+ eend $? "Failed to stop spamd"
+}
+
+reload() {
+ ebegin "Reloading configuration"
+ # Warning: causes the PID of the spamd process to change.
+ start-stop-daemon --signal HUP --quiet --pidfile ${PIDFILE}
+ eend $?
+}

mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch

@@ -0,0 +1,280 @@
+The "sslv3" option doesn't do what it says (upstream bug 7093) and
+only makes things worse. The SSLv3 support also prevents SpamAssassin
+from working with LibreSSL, which no longer does SSLv3.
+
+Index: trunk/spamc/libspamc.c
+===================================================================
+--- trunk.orig/spamc/libspamc.c
++++ trunk/spamc/libspamc.c
+@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
+ unsigned int throwaway;
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
+- SSL_METHOD *meth;
++ const SSL_METHOD *meth;
+ char zlib_on = 0;
+ unsigned char *zlib_buf = NULL;
+ int zlib_bufsiz = 0;
+@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
+ if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ SSLeay_add_ssl_algorithms();
+- if (flags & SPAMC_TLSV1) {
+- meth = TLSv1_client_method();
+- } else {
+- meth = SSLv3_client_method(); /* default */
+- }
++ meth = SSLv23_client_method();
+ SSL_load_error_strings();
+ ctx = SSL_CTX_new(meth);
+ #else
+@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
+ int failureval;
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
+- SSL_METHOD *meth;
++ const SSL_METHOD *meth;
+
+ assert(tp != NULL);
+ assert(m != NULL);
+@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
+ if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ SSLeay_add_ssl_algorithms();
+- meth = SSLv3_client_method();
++ meth = SSLv23_client_method();
+ SSL_load_error_strings();
+ ctx = SSL_CTX_new(meth);
+ #else
+Index: trunk/spamc/spamc.c
+===================================================================
+--- trunk.orig/spamc/spamc.c
++++ trunk/spamc/spamc.c
+@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
+ case 'S':
+ {
+ flags |= SPAMC_USE_SSL;
+- if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
+- flags |= SPAMC_SSLV3;
+- }
+- else if (strcmp(spamc_optarg,"tlsv1") == 0) {
+- flags |= SPAMC_TLSV1;
+- }
+- else {
+- libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
+- ret = EX_USAGE;
+- }
++ if(spamc_optarg) {
++ libspamc_log(flags, LOG_ERR,
++ "Explicit specification of an SSL/TLS version no longer supported.");
++ ret = EX_USAGE;
++ }
+ break;
+ }
+ #endif
+Index: trunk/spamd/spamd.raw
+===================================================================
+--- trunk.orig/spamd/spamd.raw
++++ trunk/spamd/spamd.raw
+@@ -409,7 +409,6 @@ GetOptions(
+ 'sql-config!' => \$opt{'sql-config'},
+ 'ssl' => \$opt{'ssl'},
+ 'ssl-port=s' => \$opt{'ssl-port'},
+- 'ssl-version=s' => \$opt{'ssl-version'},
+ 'syslog-socket=s' => \$opt{'syslog-socket'},
+ 'syslog|s=s' => \$opt{'syslog'},
+ 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'},
+@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
+
+ # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
+
+-my $sslversion = $opt{'ssl-version'} || 'sslv3';
+-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
+- die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
+-}
+-
+ $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
+ $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
+
+@@ -899,9 +893,8 @@ sub compose_listen_info_string {
+ $socket_info->{ip_addr}, $socket_info->{port}));
+
+ } elsif ($socket->isa('IO::Socket::SSL')) {
+- push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
+- $socket_info->{ip_addr}, $socket_info->{port},
+- $opt{'ssl-version'}||'sslv3'));
++ push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
++ $socket_info->{port}));
+ }
+ }
+
+@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
+ $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
+ && IO::Socket::IP->VERSION >= 0.09;
+ %sockopt = (%sockopt, (
+- SSL_version => $sslversion,
+ SSL_verify_mode => 0x00,
+ SSL_key_file => $opt{'server-key'},
+ SSL_cert_file => $opt{'server-cert'},
+@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
+ if (!$server_inet) {
+ $diag = sprintf("could not create %s socket on [%s]:%s: %s",
+ $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
+- $adr, $port, $!);
++ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
++ "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
+ push(@diag_fail, $diag);
+ } else {
+ $diag = sprintf("created %s socket on [%s]:%s",
+@@ -3238,7 +3231,6 @@ Options:
+ -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
+ --ssl Enable SSL on TCP connections
+ --ssl-port port Override --port setting for SSL connections
+- --ssl-version sslversion Specify SSL protocol version to use
+ --server-key keyfile Specify an SSL keyfile
+ --server-cert certfile Specify an SSL certificate
+ --socketpath=path Listen on a given UNIX domain socket
+@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
+ SSL connections (default: whatever --port uses). See B<--ssl> for
+ more details.
+
+-=item B<--ssl-version>=I<sslversion>
+-
+-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
+-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
+-higher hello handshake, then negotiating use of SSLv3 or TLSv1
+-protocol if the client can accept it. Specifying B<--ssl-version>
+-implies B<--ssl>.
+-
+ =item B<--server-key> I<keyfile>
+
+ Specify the SSL key file to use for SSL connections.
+Index: trunk/spamc/spamc.pod
+===================================================================
+--- trunk.orig/spamc/spamc.pod
++++ trunk/spamc/spamc.pod
+@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
+ Sleep for I<sleep> seconds between failed spamd filtering attempts.
+ The default is 1 second.
+
+-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
++=item B<-S>, B<--ssl>, B<--ssl>
+
+ If spamc was built with support for SSL, encrypt data to and from the
+ spamd process with SSL; spamd must support SSL as well.
+-I<sslversion> specifies the SSL protocol version to use, either
+-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
+
+ =item B<-t> I<timeout>, B<--timeout>=I<timeout>
+
+Index: trunk/t/spamd_ssl_tls.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_tls.t
++++ /dev/null
+@@ -1,28 +0,0 @@
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_ssl_tls");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: [email protected]}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+- "--ssl=tlsv1 < data/spam/001",
+- \&patterns_run_cb));
+-ok_all_patterns();
+Index: trunk/t/spamd_ssl_v3.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_v3.t
++++ /dev/null
+@@ -1,28 +0,0 @@
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_sslv3");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: [email protected]}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+- "--ssl=sslv3 < data/spam/001",
+- \&patterns_run_cb));
+-ok_all_patterns();
+Index: trunk/t/spamd_ssl_accept_fail.t
+===================================================================
+--- trunk.orig/t/spamd_ssl_accept_fail.t
++++ trunk/t/spamd_ssl_accept_fail.t
+@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
+
+ );
+
+-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
+-ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb));
++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
+ ok (stop_spamd ());
+
+ ok_all_patterns();
+Index: trunk/t/spamd_ssl.t
+===================================================================
+--- trunk.orig/t/spamd_ssl.t
++++ trunk/t/spamd_ssl.t
+@@ -2,10 +2,7 @@
+
+ use lib '.'; use lib 't';
+ use SATest; sa_t_init("spamd_ssl");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
+- onfail => sub {
+- warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
+- "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+
+ exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+
+Index: trunk/MANIFEST
+===================================================================
+--- trunk.orig/MANIFEST
++++ trunk/MANIFEST
+@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
+ t/spamd_sql_prefs.t
+ t/spamd_ssl.t
+ t/spamd_ssl_accept_fail.t
+-t/spamd_ssl_tls.t
+-t/spamd_ssl_v3.t
+ t/spamd_stop.t
+ t/spamd_symbols.t
+ t/spamd_syslog.t