Sat Jul 10 08:41:56 2021 UTC ()
update postsrsd to version 1.11
The update fixes CVE-2020-35573 and CVE-2021-35525
(spz)
diff -r0 -r1.1 pkgsrc/mail/postsrsd/MESSAGE
diff -r1.2 -r1.3 pkgsrc/mail/postsrsd/Makefile
diff -r1.2 -r1.3 pkgsrc/mail/postsrsd/PLIST
diff -r1.1 -r1.2 pkgsrc/mail/postsrsd/distinfo
diff -r0 -r1.1 pkgsrc/mail/postsrsd/files/postsrsd.sh
diff -r0 -r1.1 pkgsrc/mail/postsrsd/patches/patch-postsrsd.c
===========================================================================
$NetBSD: MESSAGE,v 1.1 2021/07/10 08:41:56 spz Exp $
When using postsrsd with its rc.d script, at the minimum set
postsrsd_flags="-dyour.domain"
in rc.conf. See the manpage for more options.
You must store at least one secret key in ${PKG_SYSCONFDIR}/postsrsd.secret.
Be careful that no one can guess your secret, because anyone who knows it
can use your mail server as open relay.
Each line of ${PKG_SYSCONFDIR}/postsrsd.secret is used as secret.
The first secret is used for signing and verification, the others for
verification only.
PostSRSd exposes its functionality via two TCP lookup tables.
Add or amend the following variables in your main.cf:
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
This will transparently rewrite incoming and outgoing envelope addresses,
and additionally undo SRS rewrites in the To: header of bounce notifications
and vacation autoreplies.
===========================================================================
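--- a/pkgsrc/mail/postsrsd/Makefile
+++ b/pkgsrc/mail/postsrsd/Makefile
@@ -1,22 +1,33 @@
-# $NetBSD: Makefile,v 1.2 2017/12/31 13:22:46 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2021/07/10 08:41:56 spz Exp $
 
-DISTNAME= postsrsd-1.4
-PKGREVISION= 1
+DISTNAME= postsrsd-1.11
+#PKGREVISION= 0
 CATEGORIES= mail
 MASTER_SITES= ${MASTER_SITE_GITHUB:=roehling/}
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= https://github.com/roehling/postsrsd
 COMMENT= Postfix Sender Rewriting Scheme daemon
 LICENSE= gnu-gpl-v2
 
+RCD_SCRIPTS= postsrsd
+
+POSTSRSD_USER?= postsrsd
+POSTSRSD_GROUP?= postsrsd
+PKG_USERS= ${POSTSRSD_USER}:${POSTSRSD_GROUP}
+PKG_GROUPS= ${POSTSRSD_GROUP}
+USER_GROUP= ${POSTSRSD_USER} ${POSTSRSD_GROUP}
+
+PKG_GECOS.${POSTSRSD_USER}?= postSRSd
+
+
 USE_CMAKE= yes
 BUILD_DEPENDS+= help2man-[0-9]*:../../converters/help2man
 
 SUBST_CLASSES+= man
 SUBST_STAGE.man= pre-configure
 SUBST_SED.man+= -e "s,share/man,${PKGMANDIR},"
 SUBST_FILES.man+= CMakeLists.txt
 SUBST_MESSAGE.man= Fixing man page installation path.
 
 .include "../../mk/bsd.pkg.mk"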
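Review bot: `POSTSRSD_USER` and `POSTSRSD_GROUP` are declared overridable with `?=`, but nothing in this section passes them on to the rc.d script, and files/postsrsd.sh in the same commit hands the daemon a literal `-upostsrsd`. A site that overrides the user would have the package create one account while the daemon is told to switch to another. Consider adding `FILES_SUBST+= POSTSRSD_USER=${POSTSRSD_USER}` here and using `-u@POSTSRSD_USER@` in the script, together with `PKG_USERS_VARS+= POSTSRSD_USER` and `PKG_GROUPS_VARS+= POSTSRSD_GROUP`. `USER_GROUP` is assigned but not referenced in the lines shown.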
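--- a/pkgsrc/mail/postsrsd/PLIST
+++ b/pkgsrc/mail/postsrsd/PLIST
@@ -1,6 +1,7 @@
-@comment $NetBSD: PLIST,v 1.2 2017/12/31 13:22:46 wiz Exp $
+@comment $NetBSD: PLIST,v 1.3 2021/07/10 08:41:56 spz Exp $
 man/man8/postsrsd.8
 sbin/postsrsd
 share/doc/postsrsd/README.md
 share/doc/postsrsd/README_UPGRADE.md
 share/doc/postsrsd/main.cf.ex
+share/postsrsd/postsrsd-systemd-launcher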
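--- a/pkgsrc/mail/postsrsd/distinfo
+++ b/pkgsrc/mail/postsrsd/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.1 2016/02/25 15:29:15 wiz Exp $
+$NetBSD: distinfo,v 1.2 2021/07/10 08:41:56 spz Exp $
 
-SHA1 (postsrsd-1.4.tar.gz) = 9b71bc8bbd40dab7d545cd2ec98cf69e4ff50450
-RMD160 (postsrsd-1.4.tar.gz) = 9402c4b9ab9f4bb356a07c67a74fd270c9c56655
-SHA512 (postsrsd-1.4.tar.gz) = e5b9d2091d562030dd8d35117a3c5fb7d99c0613120fc90f74be57af5e88a3fe0ce73a5ce702708047ae37f70c6aedb4a0df018dccbe480048ccb6ed4debbcef
-Size (postsrsd-1.4.tar.gz) = 26555 bytes
+SHA1 (postsrsd-1.11.tar.gz) = 664478941995a05166dc2bc73d744de48ecd8827
+RMD160 (postsrsd-1.11.tar.gz) = 8c94d4fdd5bc47566bcda83e968892204962e6a6
+SHA512 (postsrsd-1.11.tar.gz) = cc041bbbd0277dd416a19e427d63eace3489dc518ebe3a61a022b3e2e159bcb09731a0eb5547eb85bd55887821726b66e828326c109c2ebe26b27dbd062a8d89
+Size (postsrsd-1.11.tar.gz) = 36309 bytes
+SHA1 (patch-postsrsd.c) = 06a9e294279e6ec17491d2b612473948bb92ef4c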
#!@RCD_SCRIPTS_SHELL@
#
# PostSRSd provides the Sender Rewriting Scheme (SRS) for Postfix
#
# PROVIDE: postsrsd
# BEFORE: mail
# REQUIRE: DAEMON LOGIN
. /etc/rc.subr
name="postsrsd"
# user-settable rc.conf variables
: ${postsrsd_secret:="@PKG_SYSCONFDIR@/${name}.secret"}
: ${postsrsd_chrootdir:="@VARBASE@/chroot/postsrsd"}
rcvar=${name}
required_files="${postsrsd_secret}"
pidfile="@VARBASE@/run/${name}.pid"
command="@PREFIX@/sbin/${name}"
start_precmd="postsrsd_precmd"
postsrsd_precmd()
{
rc_flags="-p${pidfile} -s${postsrsd_secret} -D $rc_flags"
if [ -z "$postsrsd_chrootdir" ]; then
return 0;
fi
# If running in a chroot cage, ensure that the appropriate files
# exist inside the cage, as well as helper symlinks into the cage
# from outside.
if [ ! -d "${postsrsd_chrootdir}" ]; then
mkdir -p "${postsrsd_chrootdir}"
fi
# Change run_rc_commands()'s internal copy of $ntpd_flags
#
rc_flags="-upostsrsd -c${postsrsd_chrootdir} $rc_flags"
}
load_rc_config $name
run_rc_command "$1"
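Review bot: The privilege drop is tied to the chroot setting: `-upostsrsd` is only added after the `postsrsd_chrootdir` check in `postsrsd_precmd`, so an admin who sets `postsrsd_chrootdir=""` starts the daemon with no `-u` at all and gets whatever user the binary defaults to. Adding the user flag before the early `return 0`, for example `rc_flags="-p${pidfile} -s${postsrsd_secret} -D -upostsrsd $rc_flags"`, would keep the unprivileged account in both modes. The comment `Change run_rc_commands()'s internal copy of $ntpd_flags` is left over from another script and should name `$rc_flags`, and the comment about files and helper symlinks in the cage describes more than the `mkdir -p` that follows it. `required_files` only checks that the secret file exists, so a check on its mode in the precmd, or a line in MESSAGE telling the admin to restrict its permissions, would back up the warning that anyone who knows the secret can relay.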
$NetBSD: patch-postsrsd.c,v 1.1 2021/07/10 08:41:56 spz Exp $
make sure we can use a connection more than once
it'll work without the patch but with many error messages in the log
--- postsrsd.c.orig 2021-03-21 19:23:39.000000000 +0000
+++ postsrsd.c 2021-07-09 10:29:40.996255562 +0000
@@ -644,7 +644,7 @@
}
while (TRUE)
{
- int conn;
+ int conn, flags;
FILE *fp_read, *fp_write;
char linebuf[1024], *line;
char keybuf[1024], *key;
@@ -667,6 +667,16 @@
conn = accept(fds[sc].fd, NULL, NULL);
if (conn < 0)
continue;
+ /* remove the nonblocking for !Linux */
+ flags = fcntl(conn, F_GETFL, 0);
+ if (flags < 0) {
+ close(conn);
+ continue;
+ }
+ if (fcntl(conn, F_SETFL, flags & ~O_NONBLOCK) < 0) {
+ close(conn);
+ continue;
+ }
if (fork() == 0)
{
int i;
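Review bot: Clearing `O_NONBLOCK` on the accepted socket means the forked child will now block in its stdio reads, so it is worth confirming that the read loop, which lies outside this hunk, enforces an idle timeout; without one, a peer that connects and stays silent would hold a process open for as long as it likes. The two new failure paths `close(conn)` and `continue` without logging anything, so a persistent `fcntl` failure would show up only as lookups that never get answered; one log line before each `close(conn)` would make that diagnosable. The comment could give the reason rather than the platform, e.g. `/* accepted sockets inherit O_NONBLOCK from the listener on BSD; switch back to blocking for the stdio reads below */`, assuming the listening socket is set non-blocking earlier in the function.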