mail-mta/netqmail: avoid ANY DNS queries

Closes: https://bugs.gentoo.org/701476 Signed-off-by: Rolf Eike Beer <[email protected]> Closes: gentoo#13816 Signed-off-by: Joonas Niilola <[email protected]>
hanetzer · Dec 3, 2019 · 668d198 · 668d198
1 parent 5a03db0
commit 668d198
Show file tree

Hide file tree

Showing 2 changed files with 273 additions and 0 deletions.
diff --git a/mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch b/mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch
@@ -0,0 +1,74 @@
+From b05ec6cbdacdf40d6c75326394461e22b7f8ab20 Mon Sep 17 00:00:00 2001
+From: Jonathan de Boyne Pollard <[email protected]>
+Date: Fri, 12 Jul 2019 23:34:52 -0600
+Subject: [PATCH] Apply Jonathan de Boyne Pollard's any-to-cname patch.
+
+modifies the behaviour of qmail-remote to remove the workaround
+that Dan Bernstein added on 1996-10-03 to work around a bug in
+BIND versions earlier than version 4.9.4.
+
+Applying this patch incurs a risk, but yields a benefit. It is
+published in order to allow others to experiment with removing
+the workaround.
+
+The risk is twofold:
+
+ * qmail-remote will not be able to relay any mail if one's own
+ proxy DNS server is such a version of BIND. This is trivially
+ overcome by replacing such an old version of BIND either with a
+ new version of BIND that doesn't have the problem or with some
+ other proxy DNS server software entirely (such as dnscache).
+
+ * qmail-remote will not be able to relay mail to domains whose
+ content DNS servers use such versions of BIND, because the
+ "CNAME" resource record lookup will fail. To gauge the level of
+ this risk, notice that Dan's own 2002-12-17 survey of content DNS
+ servers reports a mere 2% of the "*.com." content DNS servers as
+ employing BIND version 4 (but doesn't report how many of that 2%
+ employ BIND 4 versions earlier than 4.9.4).
+
+The benefit of this patch is that it reduces DNS query traffic
+and proxy DNS server cache load.
+
+ * Without it, qmail-remote issues "ANY" queries. Some proxy DNS
+ server softwares (albeit not dnscache) pass such queries through
+ directly to the back end, meaning that every query issued by
+ qmail-remote will result in a back-end query to a content DNS
+ server, no matter if the necessary information is already cached.
+ Moreover: The results of such a query, which are often a large
+ collection of resource record sets of various types, are cached
+ in the proxy DNS server's cache, even though almost none of them
+ will be used. A caching proxy DNS server dedicated to serving
+ qmail will end up with all sorts of cruft in its cache that isn't
+ actually relevant to mail transportation, taking up space that
+ could be better put to use caching those resource record sets
+ that are relevant.
+
+ * With it, qmail-remote issues "CNAME" queries. All of the mainstream
+ proxy DNS server softwares in popular use (apart from dnscache,
+ because it has problems in this regard) don't pass such queries
+ directly through, and will answer them from their caches without
+ issuing a back-end query at all if the data are already there and
+ still current. Moreover: A caching proxy DNS server dedicated to
+ serving qmail will not have its cache cluttered with irrelevant
+ data.
+---
+ dns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dns.c b/dns.c
+index 44db25b..77e4ff7 100644
+--- a/dns.c
++++ b/dns.c
+@@ -197,7 +197,7 @@ stralloc *sa;
+ if (!sa->len) return loop;
+ if (sa->s[sa->len - 1] == ']') return loop;
+ if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
+- switch(resolve(sa,T_ANY))
++ switch(resolve(sa,T_CNAME))
+ {
+ case DNS_MEM: return DNS_MEM;
+ case DNS_SOFT: return DNS_SOFT;
+-- 
+2.16.4
+
diff --git a/mail-mta/netqmail/netqmail-1.06-r12.ebuild b/mail-mta/netqmail/netqmail-1.06-r12.ebuild
@@ -0,0 +1,199 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+GENQMAIL_PV=20191010
+QMAIL_SPP_PV=0.42
+
+QMAIL_TLS_PV=20190114
+QMAIL_TLS_F=${PN}-1.05-tls-smtpauth-${QMAIL_TLS_PV}.patch
+QMAIL_TLS_CVE=vu555316.patch
+
+QMAIL_BIGTODO_PV=103
+QMAIL_BIGTODO_F=big-todo.${QMAIL_BIGTODO_PV}.patch
+
+QMAIL_LARGE_DNS='qmail-103.patch'
+
+QMAIL_SMTPUTF8='qmail-smtputf8.patch'
+
+inherit qmail
+
+DESCRIPTION="qmail -- a secure, reliable, efficient, simple message transfer agent"
+HOMEPAGE="
+ http://netqmail.org
+ https://cr.yp.to/qmail.html
+ http://qmail.org
+"
+SRC_URI="mirror://qmail/${P}.tar.gz
+ https://github.com/DerDakon/genqmail/releases/download/genqmail-${GENQMAIL_PV}/${GENQMAIL_F}
+ https://www.ckdhr.com/ckd/${QMAIL_LARGE_DNS}
+ !vanilla? (
+ highvolume? ( mirror://qmail/${QMAIL_BIGTODO_F} )
+ qmail-spp? ( mirror://sourceforge/qmail-spp/${QMAIL_SPP_F} )
+ ssl? (
+ https://mirror.alexh.name/qmail/netqmail/${QMAIL_TLS_F}
+ http://inoa.net/qmail-tls/${QMAIL_TLS_CVE}
+ https://arnt.gulbrandsen.priv.no/qmail/qmail-smtputf8.patch
+ )
+ )
+"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~x86"
+IUSE="authcram gencertdaily highvolume libressl pop3 qmail-spp ssl vanilla"
+REQUIRED_USE="vanilla? ( !ssl !qmail-spp !highvolume )"
+RESTRICT="test"
+
+DEPEND="
+ acct-group/nofiles
+ acct-group/qmail
+ acct-user/alias
+ acct-user/qmaild
+ acct-user/qmaill
+ acct-user/qmailp
+ acct-user/qmailq
+ acct-user/qmailr
+ acct-user/qmails
+ net-dns/libidn2
+ net-mail/queue-repair
+ sys-apps/gentoo-functions
+ sys-apps/groff
+ ssl? (
+ !libressl? ( >=dev-libs/openssl-1.1:0= )
+ libressl? ( dev-libs/libressl:= )
+ )
+"
+RDEPEND="${DEPEND}
+ sys-apps/ucspi-tcp
+ virtual/checkpassword
+ virtual/daemontools
+ authcram? ( >=net-mail/cmd5checkpw-0.30 )
+ ssl? (
+ pop3? ( sys-apps/ucspi-ssl )
+ )
+ !mail-mta/courier
+ !mail-mta/esmtp
+ !mail-mta/exim
+ !mail-mta/mini-qmail
+ !mail-mta/msmtp[mta]
+ !mail-mta/nullmailer
+ !mail-mta/opensmtpd
+ !mail-mta/postfix
+ !mail-mta/qmail-ldap
+ !mail-mta/sendmail
+ !mail-mta/ssmtp[mta]
+"
+
+pkg_setup() {
+ if [[ -n "${QMAIL_PATCH_DIR}" ]]; then
+ eerror
+ eerror "The QMAIL_PATCH_DIR variable for custom patches"
+ eerror "has been removed from ${PN}. If you need custom patches"
+ eerror "see 'user patches' in the portage manual."
+ eerror
+ die "QMAIL_PATCH_DIR is not supported anymore"
+ fi
+}
+
+src_unpack() {
+ genqmail_src_unpack
+ use qmail-spp && qmail_spp_src_unpack
+
+ unpack ${P}.tar.gz
+}
+
+PATCHES=(
+ "${FILESDIR}/${PV}-exit.patch"
+ "${FILESDIR}/${PV}-readwrite.patch"
+ "${DISTDIR}/${QMAIL_LARGE_DNS}"
+ "${FILESDIR}/${PV}-fbsd-utmpx.patch"
+ "${FILESDIR}/${P}-ipme-multiple.patch"
+ "${FILESDIR}/${P}-any-to-cname.patch"
+)
+
+src_prepare() {
+ if ! use vanilla; then
+ if use ssl; then
+ # This patch contains relative paths and needs to be cleaned up.
+ sed 's~^--- \.\./\.\./~--- ~g' \
+ < "${DISTDIR}"/${QMAIL_TLS_F} \
+ > "${T}"/${QMAIL_TLS_F} || die
+ PATCHES+=( "${T}/${QMAIL_TLS_F}"
+ "${DISTDIR}/${QMAIL_TLS_CVE}"
+ "${FILESDIR}/qmail-smtputf8.patch"
+ "${FILESDIR}/qmail-smtputf8-crlf-fix.patch"
+ )
+ fi
+ if use highvolume; then
+ PATCHES+=( "${DISTDIR}/${QMAIL_BIGTODO_F}" )
+ fi
+
+ if use qmail-spp; then
+ if use ssl; then
+ SPP_PATCH="${QMAIL_SPP_S}/qmail-spp-smtpauth-tls-20060105.diff"
+ else
+ SPP_PATCH="${QMAIL_SPP_S}/netqmail-spp.diff"
+ fi
+ # make the patch work with "-p1"
+ sed -e 's#^--- \([Mq]\)#--- a/\1#' -e 's#^+++ \([Mq]\)#+++ b/\1#' -i ${SPP_PATCH} || die
+
+ PATCHES+=( "${SPP_PATCH}" )
+ fi
+ fi
+
+ default
+
+ qmail_src_postunpack
+
+ # Fix bug #33818 but for netqmail (Bug 137015)
+ if ! use authcram; then
+ einfo "Disabled CRAM_MD5 support"
+ sed -e 's,^#define CRAM_MD5$,/*&*/,' -i "${S}"/qmail-smtpd.c || die
+ else
+ einfo "Enabled CRAM_MD5 support"
+ fi
+
+ ht_fix_file Makefile*
+}
+
+src_compile() {
+ qmail_src_compile
+ use qmail-spp && qmail_spp_src_compile
+}
+
+src_install() {
+ qmail_src_install
+}
+
+pkg_postinst() {
+ qmail_queue_setup
+ qmail_rootmail_fixup
+ qmail_tcprules_build
+
+ qmail_config_notice
+ qmail_supervise_config_notice
+ elog
+ elog "If you are looking for documentation, check those links:"
+ elog "https://wiki.gentoo.org/wiki/Virtual_mail_hosting_with_qmail"
+ elog " -- qmail/vpopmail Virtual Mail Hosting System Guide"
+ elog "http://www.lifewithqmail.com/"
+ elog " -- Life with qmail"
+ elog
+}
+
+pkg_preinst() {
+ qmail_tcprules_fixup
+}
+
+pkg_config() {
+ # avoid some weird locale problems
+ export LC_ALL=C
+
+ qmail_config_fast
+ qmail_tcprules_config
+ qmail_tcprules_build
+
+ use ssl && qmail_ssl_generate
+}