forked from gentoo/gentoo
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
mail-filter/spamassassin: new revision with LibreSSL and spamd fixes.
This new revision adds another patch for upstream bugs 7093/7199. The sslv3 option for spamd didn't do what it was supposed to do, and moreover, it broke LibreSSL which no longer supports SSLv3. The patch removes the option and makes it an error. There is a simple fix for users, to remove the --ssl-version option if they are using it. Thanks to Reuben Farrelly for reporting the issue. The second round of changes addresses a few old Gentoo bugs regarding the spamd init scripts and configuration. First, the init script was missing a call to "checkpath" to ensure that the PID file had some place to live. That's now fixed. Second, it used to be the case that some configuration was necessary if you opted to run spamd as a non-root user. That is no longer the case, so all of the documentation surrounding that issue has been removed, and the config/init scripts greatly simplified. Finally, a SPAMD_TIMEOUT option was added to allow spamd a little bit of time when restarting or shutting down. Peter Gantner, Juan David Ibáñez Palomar, Marcin Mirosław, Frieder Bürzele, and a few other people helped out on those bugs. Thanks! Gentoo-Bug: 322025 Gentoo-Bug: 455604 Gentoo-Bug: 523960 Upstream-Bug: 7093 Upstream-Bug: 7199 Package-Manager: portage-2.2.28
- Loading branch information
Showing
4 changed files
with
557 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# Config file for /etc/init.d/spamd | ||
# | ||
# ***WARNING*** | ||
# | ||
# spamd was not designed to listed to an untrusted network. spamd | ||
# is vulnerable to DoS attacks (and eternal doom) if used to listen | ||
# to an untrusted network. | ||
# | ||
# ***WARNING*** | ||
# | ||
|
||
# Additional options to pass to the spamd daemon. The spamd(1) man | ||
# page explains the available options. If you choose to listen on a | ||
# non-default interface, you will need to use OpenRC's "rc_need" | ||
# mechanism to ensure that your interface comes up before spamd | ||
# starts. The openrc-run(8) man page describes rc_need. | ||
SPAMD_OPTS="--max-children=5 --create-prefs --helper-home-dir" | ||
|
||
# Sets the 'nice' level of the spamd process. | ||
SPAMD_NICELEVEL=0 | ||
|
||
# How long (in seconds) should we wait for spamd to stop after we've | ||
# asked it to? After this amount of time, if spamd is still running, | ||
# we will assume that it has failed to stop. | ||
SPAMD_TIMEOUT=15 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
#!/sbin/openrc-run | ||
# Copyright 1999-2016 Gentoo Foundation | ||
# Distributed under the terms of the GNU General Public License v2 | ||
# $Id$ | ||
|
||
PIDDIR=/run/spamd | ||
PIDFILE=${PIDDIR}/spamd.pid | ||
|
||
extra_started_commands="reload" | ||
|
||
depend() { | ||
before mta | ||
use logger | ||
@USEPOSTGRES@ use postgresql | ||
@USEMYSQL@ use mysql | ||
} | ||
|
||
start() { | ||
ebegin "Starting spamd" | ||
|
||
# Ensure that the PID file's directory exists. | ||
checkpath --directory "${PIDDIR}" | ||
|
||
# Reloading spamd causes its PID to change, so we track it by | ||
# name instead. | ||
start-stop-daemon --start --quiet \ | ||
--name spamd \ | ||
--nicelevel ${SPAMD_NICELEVEL} \ | ||
--pidfile ${PIDFILE} \ | ||
--exec /usr/sbin/spamd -- \ | ||
--daemonize \ | ||
--pidfile=${PIDFILE} \ | ||
${SPAMD_OPTS} | ||
|
||
retval=$? | ||
|
||
eend ${retval} "Failed to start spamd" | ||
} | ||
|
||
stop() { | ||
ebegin "Stopping spamd" | ||
# Retry after SPAMD_TIMEOUT seconds because spamd can take a | ||
# while to kill off all of its children. This was bug 322025. | ||
start-stop-daemon --stop \ | ||
--quiet \ | ||
--retry ${SPAMD_TIMEOUT} \ | ||
--pidfile ${PIDFILE} | ||
eend $? "Failed to stop spamd" | ||
} | ||
|
||
reload() { | ||
ebegin "Reloading configuration" | ||
# Warning: causes the PID of the spamd process to change. | ||
start-stop-daemon --signal HUP --quiet --pidfile ${PIDFILE} | ||
eend $? | ||
} |
280 changes: 280 additions & 0 deletions
280
mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,280 @@ | ||
The "sslv3" option doesn't do what it says (upstream bug 7093) and | ||
only makes things worse. The SSLv3 support also prevents SpamAssassin | ||
from working with LibreSSL, which no longer does SSLv3. | ||
|
||
Index: trunk/spamc/libspamc.c | ||
=================================================================== | ||
--- trunk.orig/spamc/libspamc.c | ||
+++ trunk/spamc/libspamc.c | ||
@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp, | ||
unsigned int throwaway; | ||
SSL_CTX *ctx = NULL; | ||
SSL *ssl = NULL; | ||
- SSL_METHOD *meth; | ||
+ const SSL_METHOD *meth; | ||
char zlib_on = 0; | ||
unsigned char *zlib_buf = NULL; | ||
int zlib_bufsiz = 0; | ||
@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp, | ||
if (flags & SPAMC_USE_SSL) { | ||
#ifdef SPAMC_SSL | ||
SSLeay_add_ssl_algorithms(); | ||
- if (flags & SPAMC_TLSV1) { | ||
- meth = TLSv1_client_method(); | ||
- } else { | ||
- meth = SSLv3_client_method(); /* default */ | ||
- } | ||
+ meth = SSLv23_client_method(); | ||
SSL_load_error_strings(); | ||
ctx = SSL_CTX_new(meth); | ||
#else | ||
@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c | ||
int failureval; | ||
SSL_CTX *ctx = NULL; | ||
SSL *ssl = NULL; | ||
- SSL_METHOD *meth; | ||
+ const SSL_METHOD *meth; | ||
|
||
assert(tp != NULL); | ||
assert(m != NULL); | ||
@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c | ||
if (flags & SPAMC_USE_SSL) { | ||
#ifdef SPAMC_SSL | ||
SSLeay_add_ssl_algorithms(); | ||
- meth = SSLv3_client_method(); | ||
+ meth = SSLv23_client_method(); | ||
SSL_load_error_strings(); | ||
ctx = SSL_CTX_new(meth); | ||
#else | ||
Index: trunk/spamc/spamc.c | ||
=================================================================== | ||
--- trunk.orig/spamc/spamc.c | ||
+++ trunk/spamc/spamc.c | ||
@@ -368,16 +368,11 @@ read_args(int argc, char **argv, | ||
case 'S': | ||
{ | ||
flags |= SPAMC_USE_SSL; | ||
- if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) { | ||
- flags |= SPAMC_SSLV3; | ||
- } | ||
- else if (strcmp(spamc_optarg,"tlsv1") == 0) { | ||
- flags |= SPAMC_TLSV1; | ||
- } | ||
- else { | ||
- libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg); | ||
- ret = EX_USAGE; | ||
- } | ||
+ if(spamc_optarg) { | ||
+ libspamc_log(flags, LOG_ERR, | ||
+ "Explicit specification of an SSL/TLS version no longer supported."); | ||
+ ret = EX_USAGE; | ||
+ } | ||
break; | ||
} | ||
#endif | ||
Index: trunk/spamd/spamd.raw | ||
=================================================================== | ||
--- trunk.orig/spamd/spamd.raw | ||
+++ trunk/spamd/spamd.raw | ||
@@ -409,7 +409,6 @@ GetOptions( | ||
'sql-config!' => \$opt{'sql-config'}, | ||
'ssl' => \$opt{'ssl'}, | ||
'ssl-port=s' => \$opt{'ssl-port'}, | ||
- 'ssl-version=s' => \$opt{'ssl-version'}, | ||
'syslog-socket=s' => \$opt{'syslog-socket'}, | ||
'syslog|s=s' => \$opt{'syslog'}, | ||
'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'}, | ||
@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) { | ||
|
||
# Do whitelist later in tmp dir. Side effect: this will be done as -u user. | ||
|
||
-my $sslversion = $opt{'ssl-version'} || 'sslv3'; | ||
-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) { | ||
- die "spamd: invalid ssl-version: $opt{'ssl-version'}\n"; | ||
-} | ||
- | ||
$opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem"; | ||
$opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem"; | ||
|
||
@@ -899,9 +893,8 @@ sub compose_listen_info_string { | ||
$socket_info->{ip_addr}, $socket_info->{port})); | ||
|
||
} elsif ($socket->isa('IO::Socket::SSL')) { | ||
- push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s", | ||
- $socket_info->{ip_addr}, $socket_info->{port}, | ||
- $opt{'ssl-version'}||'sslv3')); | ||
+ push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr}, | ||
+ $socket_info->{port})); | ||
} | ||
} | ||
|
||
@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet { | ||
$sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' | ||
&& IO::Socket::IP->VERSION >= 0.09; | ||
%sockopt = (%sockopt, ( | ||
- SSL_version => $sslversion, | ||
SSL_verify_mode => 0x00, | ||
SSL_key_file => $opt{'server-key'}, | ||
SSL_cert_file => $opt{'server-cert'}, | ||
@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet { | ||
if (!$server_inet) { | ||
$diag = sprintf("could not create %s socket on [%s]:%s: %s", | ||
$ssl ? 'IO::Socket::SSL' : $io_socket_module_name, | ||
- $adr, $port, $!); | ||
+ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? | ||
+ "$!,$IO::Socket::SSL::SSL_ERROR" : $!); | ||
push(@diag_fail, $diag); | ||
} else { | ||
$diag = sprintf("created %s socket on [%s]:%s", | ||
@@ -3238,7 +3231,6 @@ Options: | ||
-H [dir], --helper-home-dir[=dir] Specify a different HOME directory | ||
--ssl Enable SSL on TCP connections | ||
--ssl-port port Override --port setting for SSL connections | ||
- --ssl-version sslversion Specify SSL protocol version to use | ||
--server-key keyfile Specify an SSL keyfile | ||
--server-cert certfile Specify an SSL certificate | ||
--socketpath=path Listen on a given UNIX domain socket | ||
@@ -3727,14 +3719,6 @@ Optionally specifies the port number for | ||
SSL connections (default: whatever --port uses). See B<--ssl> for | ||
more details. | ||
|
||
-=item B<--ssl-version>=I<sslversion> | ||
- | ||
-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>. | ||
-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or | ||
-higher hello handshake, then negotiating use of SSLv3 or TLSv1 | ||
-protocol if the client can accept it. Specifying B<--ssl-version> | ||
-implies B<--ssl>. | ||
- | ||
=item B<--server-key> I<keyfile> | ||
|
||
Specify the SSL key file to use for SSL connections. | ||
Index: trunk/spamc/spamc.pod | ||
=================================================================== | ||
--- trunk.orig/spamc/spamc.pod | ||
+++ trunk/spamc/spamc.pod | ||
@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a | ||
Sleep for I<sleep> seconds between failed spamd filtering attempts. | ||
The default is 1 second. | ||
|
||
-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion> | ||
+=item B<-S>, B<--ssl>, B<--ssl> | ||
|
||
If spamc was built with support for SSL, encrypt data to and from the | ||
spamd process with SSL; spamd must support SSL as well. | ||
-I<sslversion> specifies the SSL protocol version to use, either | ||
-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>. | ||
|
||
=item B<-t> I<timeout>, B<--timeout>=I<timeout> | ||
|
||
Index: trunk/t/spamd_ssl_tls.t | ||
=================================================================== | ||
--- trunk.orig/t/spamd_ssl_tls.t | ||
+++ /dev/null | ||
@@ -1,28 +0,0 @@ | ||
-#!/usr/bin/perl | ||
- | ||
-use lib '.'; use lib 't'; | ||
-use SATest; sa_t_init("spamd_ssl_tls"); | ||
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); | ||
- | ||
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); | ||
- | ||
-# --------------------------------------------------------------------------- | ||
- | ||
-%patterns = ( | ||
- | ||
-q{ Return-Path: [email protected]}, 'firstline', | ||
-q{ Subject: There yours for FREE!}, 'subj', | ||
-q{ X-Spam-Status: Yes, score=}, 'status', | ||
-q{ X-Spam-Flag: YES}, 'flag', | ||
-q{ X-Spam-Level: **********}, 'stars', | ||
-q{ TEST_ENDSNUMS}, 'endsinnums', | ||
-q{ TEST_NOREALNAME}, 'noreal', | ||
-q{ This must be the very last line}, 'lastline', | ||
- | ||
- | ||
-); | ||
- | ||
-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", | ||
- "--ssl=tlsv1 < data/spam/001", | ||
- \&patterns_run_cb)); | ||
-ok_all_patterns(); | ||
Index: trunk/t/spamd_ssl_v3.t | ||
=================================================================== | ||
--- trunk.orig/t/spamd_ssl_v3.t | ||
+++ /dev/null | ||
@@ -1,28 +0,0 @@ | ||
-#!/usr/bin/perl | ||
- | ||
-use lib '.'; use lib 't'; | ||
-use SATest; sa_t_init("spamd_sslv3"); | ||
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); | ||
- | ||
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); | ||
- | ||
-# --------------------------------------------------------------------------- | ||
- | ||
-%patterns = ( | ||
- | ||
-q{ Return-Path: [email protected]}, 'firstline', | ||
-q{ Subject: There yours for FREE!}, 'subj', | ||
-q{ X-Spam-Status: Yes, score=}, 'status', | ||
-q{ X-Spam-Flag: YES}, 'flag', | ||
-q{ X-Spam-Level: **********}, 'stars', | ||
-q{ TEST_ENDSNUMS}, 'endsinnums', | ||
-q{ TEST_NOREALNAME}, 'noreal', | ||
-q{ This must be the very last line}, 'lastline', | ||
- | ||
- | ||
-); | ||
- | ||
-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", | ||
- "--ssl=sslv3 < data/spam/001", | ||
- \&patterns_run_cb)); | ||
-ok_all_patterns(); | ||
Index: trunk/t/spamd_ssl_accept_fail.t | ||
=================================================================== | ||
--- trunk.orig/t/spamd_ssl_accept_fail.t | ||
+++ trunk/t/spamd_ssl_accept_fail.t | ||
@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la | ||
|
||
); | ||
|
||
-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); | ||
+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); | ||
ok (spamcrun ("< data/spam/001", \&patterns_run_cb)); | ||
-ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb)); | ||
+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb)); | ||
ok (stop_spamd ()); | ||
|
||
ok_all_patterns(); | ||
Index: trunk/t/spamd_ssl.t | ||
=================================================================== | ||
--- trunk.orig/t/spamd_ssl.t | ||
+++ trunk/t/spamd_ssl.t | ||
@@ -2,10 +2,7 @@ | ||
|
||
use lib '.'; use lib 't'; | ||
use SATest; sa_t_init("spamd_ssl"); | ||
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9), | ||
- onfail => sub { | ||
- warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" . | ||
- "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" }; | ||
+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); | ||
|
||
exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); | ||
|
||
Index: trunk/MANIFEST | ||
=================================================================== | ||
--- trunk.orig/MANIFEST | ||
+++ trunk/MANIFEST | ||
@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t | ||
t/spamd_sql_prefs.t | ||
t/spamd_ssl.t | ||
t/spamd_ssl_accept_fail.t | ||
-t/spamd_ssl_tls.t | ||
-t/spamd_ssl_v3.t | ||
t/spamd_stop.t | ||
t/spamd_symbols.t | ||
t/spamd_syslog.t |
Oops, something went wrong.