aboutsummaryrefslogtreecommitdiff
path: root/network/opensmtpd
diff options
context:
space:
mode:
authorRichard Narron <richard@aaazen.com>2020-02-29 10:30:03 +0100
committerRobby Workman <rworkman@slackbuilds.org>2021-04-17 23:50:38 -0500
commit99326a7d8358c7dd77e4234f49ef29873c3378d6 (patch)
tree108cab75e932c99c9e935ca84302203a4a4e8230 /network/opensmtpd
parent717f6c2a1d0e3f5b60655578aa7ba888465e2078 (diff)
network/opensmtpd: Updated for version 6.6.4p1.
Signed-off-by: Matteo Bernardini <ponce@slackbuilds.org>
Diffstat (limited to 'network/opensmtpd')
-rw-r--r--network/opensmtpd/aliases34
-rw-r--r--network/opensmtpd/fix-crash-on-authentication.patch43
-rw-r--r--network/opensmtpd/openbsd64-020-smtpd.patch31
-rw-r--r--network/opensmtpd/openbsd65-029-smptd-tls.patch52
-rw-r--r--network/opensmtpd/openbsd65-031-smtpd-envelope.patch199
-rw-r--r--network/opensmtpd/openbsd66-019-smtpd-exec.patch46
-rw-r--r--network/opensmtpd/opensmtpd.SlackBuild31
-rw-r--r--network/opensmtpd/opensmtpd.info6
8 files changed, 44 insertions, 398 deletions
diff --git a/network/opensmtpd/aliases b/network/opensmtpd/aliases
index ea54878974609..85cc8e71ac4b2 100644
--- a/network/opensmtpd/aliases
+++ b/network/opensmtpd/aliases
@@ -1,23 +1,49 @@
-# See aliases(5) for more information
+# Sample aliases file installed in /etc/opensmtpd/aliases
+#
+# Aliases in this file will NOT be expanded in the header from
+# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
+#
+# >>>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to smtpd.
+#
+
+# Person who should get root's mail. Don't receive mail as root!
+#root: you
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts
-bin: root
daemon: root
named: root
-nobody: root
uucp: root
www: root
ftp-bugs: root
+# Redirections for pseudo accounts that should not receive mail
+bin: /dev/null
+build: /dev/null
+nobody: /dev/null
+sshd: /dev/null
+
# Well-known aliases
manager: root
dumper: root
operator: root
-abuse: postmaster
+
+# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
+abuse: root
+# noc: root
+security: root
+
+# RFC 2142: SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES
+# hostmaster: root
+# usenet: root
+# news: usenet
+# webmaster: root
+# ftp: root
# trap decode to catch security attacks
decode: root
diff --git a/network/opensmtpd/fix-crash-on-authentication.patch b/network/opensmtpd/fix-crash-on-authentication.patch
deleted file mode 100644
index c20b5e0a0ef9d..0000000000000
--- a/network/opensmtpd/fix-crash-on-authentication.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001
-From: johannes <johannes.brechtmann@gmail.com>
-Date: Wed, 21 Feb 2018 23:57:11 +0100
-Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL
- check
-
----
- openbsd-compat/crypt_checkpass.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c
-index dafd2dae..d10b3a57 100644
---- a/openbsd-compat/crypt_checkpass.c
-+++ b/openbsd-compat/crypt_checkpass.c
-@@ -1,5 +1,6 @@
- /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */
-
-+#include "includes.h"
- #include <errno.h>
- #ifdef HAVE_CRYPT_H
- #include <crypt.h>
-@@ -10,6 +11,8 @@
- int
- crypt_checkpass(const char *pass, const char *goodhash)
- {
-+ char *c;
-+
- if (goodhash == NULL)
- goto fail;
-
-@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash)
- if (strlen(goodhash) == 0 && strlen(pass) == 0)
- return 0;
-
-- if (strcmp(crypt(pass, goodhash), goodhash) == 0)
-+ c = crypt(pass, goodhash);
-+ if (c == NULL)
-+ goto fail;
-+
-+ if (strcmp(c, goodhash) == 0)
- return 0;
-
- fail:
diff --git a/network/opensmtpd/openbsd64-020-smtpd.patch b/network/opensmtpd/openbsd64-020-smtpd.patch
deleted file mode 100644
index 8ce7178da8b17..0000000000000
--- a/network/opensmtpd/openbsd64-020-smtpd.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-OpenBSD 6.4 errata 020, August 2, 2019
-
-smtpd can crash on excessively large input, causing a denial of service.
-
---- a/smtpd/smtp_session.c 3 Sep 2018 19:01:29 -0000 1.337
-+++ b/smtpd/smtp_session.c 1 Aug 2019 21:18:53 -0000
-@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char
- {
- va_list ap;
- int n;
-- char buf[LINE_MAX], tmp[LINE_MAX];
-+ char buf[LINE_MAX*2], tmp[LINE_MAX*2];
-
- va_start(ap, fmt);
- n = vsnprintf(buf, sizeof buf, fmt, ap);
- va_end(ap);
-- if (n == -1 || n >= LINE_MAX)
-- fatalx("smtp_reply: line too long");
-+ if (n < 0)
-+ fatalx("smtp_reply: response format error");
- if (n < 4)
- fatalx("smtp_reply: response too short");
-+ if (n >= (int)sizeof buf) {
-+ /* only first three bytes are used by SMTP logic,
-+ * so if _our_ reply does not fit entirely in the
-+ * buffer, it's ok to truncate.
-+ */
-+ }
-
- log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf);
-
diff --git a/network/opensmtpd/openbsd65-029-smptd-tls.patch b/network/opensmtpd/openbsd65-029-smptd-tls.patch
deleted file mode 100644
index a2727decf8f7e..0000000000000
--- a/network/opensmtpd/openbsd65-029-smptd-tls.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-OpenBSD 6.5 errata 029, January 30, 2020:
-
-smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
-
---- usr.sbin/smtpd/mta_session.c 23 Dec 2018 16:37:53 -0000 1.115
-+++ usr.sbin/smtpd/mta_session.c 20 Jan 2020 10:36:58 -0000
-@@ -1292,40 +1292,20 @@ mta_io(struct io *io, int evt, void *arg
- break;
-
- case IO_ERROR:
-+ case IO_TLSERROR:
- log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
-- if (!s->ready) {
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_connect(s);
-- break;
-- }
-- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-- /* error in non-strict SSL negotiation, downgrade to plain */
-- if (s->flags & MTA_TLS) {
-- log_info("smtp-out: Error on session %016"PRIx64
-- ": opportunistic TLS failed, "
-- "downgrading to plain", s->id);
-- s->flags &= ~MTA_TLS;
-- s->flags |= MTA_DOWNGRADE_PLAIN;
-- mta_connect(s);
-- break;
-- }
-- }
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_free(s);
-- break;
-
-- case IO_TLSERROR:
-- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
-- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-+ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
- /* error in non-strict SSL negotiation, downgrade to plain */
-- log_info("smtp-out: TLS Error on session %016"PRIx64
-- ": TLS failed, "
-+ log_info("smtp-out: Error on session %016"PRIx64
-+ ": opportunistic TLS failed, "
- "downgrading to plain", s->id);
- s->flags &= ~MTA_TLS;
- s->flags |= MTA_DOWNGRADE_PLAIN;
- mta_connect(s);
- break;
- }
-+
- mta_error(s, "IO Error: %s", io_error(io));
- mta_free(s);
- break;
diff --git a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch b/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
deleted file mode 100644
index cd59f1d6fa74b..0000000000000
--- a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-OpenBSD 6.5 errata 031, February 24, 2020:
-
-An out of bounds read in smtpd allows an attacker to inject arbitrary
-commands into the envelope file which are then executed as root.
-Separately, missing privilege revocation in smtpctl allows arbitrary
-commands to be run with the _smtpq group.
-
---- a/smtpd/makemap.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/makemap.c 2020-02-24 15:41:18.278340410 -0800
-@@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a
- int ch, dbputs = 0, Uflag = 0;
- DBTYPE dbtype = DB_HASH;
- char *p;
-+ gid_t gid;
- int fd = -1;
-
-+ gid = getgid();
-+ if (setresgid(gid, gid, gid) == -1)
-+ err(1, "setresgid");
-+
- log_init(1, LOG_MAIL);
-
- mode = prog_mode;
-@@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a
- errx(1, "database name too long");
- }
-
-- execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-",
-- (char *)NULL);
-- err(1, "execlp");
-+ execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname,
-+ "-", (char *)NULL);
-+ err(1, "execl");
- }
-
- if (mode == P_NEWALIASES) {
---- a/smtpd/mta_session.c.orig 2020-02-08 10:24:17.692029666 -0800
-+++ b/smtpd/mta_session.c 2020-02-24 15:46:46.121342818 -0800
-@@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg
- if (cont) {
- if (s->replybuf[0] == '\0')
- (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-- else {
-+ else if (len > 4) {
- line = line + 4;
- if (isdigit((int)*line) && *(line + 1) == '.' &&
- isdigit((int)*line+2) && *(line + 3) == '.' &&
-@@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg
- /* last line of a reply, check if we're on a continuation to parse out status and ESC.
- * if we overflow reply buffer or are not on continuation, log entire last line.
- */
-- if (s->replybuf[0] != '\0') {
-+ if (s->replybuf[0] == '\0')
-+ (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-+ else if (len > 4) {
- p = line + 4;
- if (isdigit((int)*p) && *(p + 1) == '.' &&
- isdigit((int)*p+2) && *(p + 3) == '.' &&
-@@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg
- if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
- }
-- else
-- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
-
- if (s->state == MTA_QUIT) {
- log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",
---- a/smtpd/smtpctl.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpctl.c 2020-02-24 14:57:04.687320914 -0800
-@@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv)
- */
- for (i = 1; i < argc; i++)
- if (strncmp(argv[i], "-bi", 3) == 0)
-- exit(makemap(P_NEWALIASES, argc, argv));
-+ exit(makemap(P_SENDMAIL, argc, argv));
-
- if (!srv_connect())
- offlinefp = offline_file();
---- a/smtpd/smtpd-defines.h.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd-defines.h 2020-02-24 15:00:29.616322420 -0800
-@@ -46,6 +46,9 @@
- #ifndef PATH_SPOOL
- #define PATH_SPOOL "/var/spool/smtpd"
- #endif
-+#ifndef PATH_MAKEUP
-+#define PATH_MAKEMAP "/usr/sbin/makemap"
-+#endif
-
- #define SUBADDRESSING_DELIMITER "+"
-
---- a/smtpd/smtpd.c.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd.c 2020-02-24 15:55:55.503346854 -0800
-@@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt
- static int imsg_wait(struct imsgbuf *, struct imsg *, int);
-
- static void offline_scan(int, short, void *);
--static int offline_add(char *);
-+static int offline_add(char *, uid_t, gid_t);
- static void offline_done(void);
--static int offline_enqueue(char *);
-+static int offline_enqueue(char *, uid_t, gid_t);
-+
-
- static void purge_task(void);
- static int parent_auth_user(const char *, const char *);
-@@ -136,6 +137,8 @@ struct child {
-
- struct offline {
- TAILQ_ENTRY(offline) entry;
-+ uid_t uid;
-+ gid_t gid;
- char *path;
- };
-
-@@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg
- continue;
- }
-
-- if (offline_add(e->fts_name)) {
-+ if (offline_add(e->fts_name, e->fts_statp->st_uid,
-+ e->fts_statp->st_gid)) {
- log_warnx("warn: smtpd: "
- "could not add offline message %s", e->fts_name);
- continue;
-@@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg
- }
-
- static int
--offline_enqueue(char *name)
-+offline_enqueue(char *name, uid_t uid, gid_t gid)
- {
- char *path;
- struct stat sb;
-@@ -1491,6 +1495,18 @@ offline_enqueue(char *name)
- _exit(1);
- }
-
-+ if (sb.st_uid != uid) {
-+ log_warnx("warn: smtpd: file %s has bad uid %d",
-+ path, sb.st_uid);
-+ _exit(1);
-+ }
-+
-+ if (sb.st_gid != gid) {
-+ log_warnx("warn: smtpd: file %s has bad gid %d",
-+ path, sb.st_gid);
-+ _exit(1);
-+ }
-+
- pw = getpwuid(sb.st_uid);
- if (pw == NULL) {
- log_warnx("warn: smtpd: getpwuid for uid %d failed",
-@@ -1547,17 +1563,19 @@ offline_enqueue(char *name)
- }
-
- static int
--offline_add(char *path)
-+offline_add(char *path, uid_t uid, gid_t gid)
- {
- struct offline *q;
-
- if (offline_running < OFFLINE_QUEUEMAX)
- /* skip queue */
-- return offline_enqueue(path);
-+ return offline_enqueue(path, uid, gid);
-
- q = malloc(sizeof(*q) + strlen(path) + 1);
- if (q == NULL)
- return (-1);
-+ q->uid = uid;
-+ q->gid = gid;
- q->path = (char *)q + sizeof(*q);
- memmove(q->path, path, strlen(path) + 1);
- TAILQ_INSERT_TAIL(&offline_q, q, entry);
-@@ -1576,7 +1594,8 @@ offline_done(void)
- if ((q = TAILQ_FIRST(&offline_q)) == NULL)
- break; /* all done */
- TAILQ_REMOVE(&offline_q, q, entry);
-- offline_enqueue(q->path);
-+ offline_enqueue(q->path, q->uid, q->gid);
-+
- free(q);
- }
- }
---- a/smtpd/smtpd.h.orig 2018-01-10 05:06:40.000000000 -0800
-+++ b/smtpd/smtpd.h 2020-02-24 15:20:09.043331085 -0800
-@@ -128,8 +128,10 @@
- #define MTA_EXT_DSN 0x400
-
-
--#define P_NEWALIASES 0
--#define P_MAKEMAP 1
-+#define P_SENDMAIL 0
-+#define P_NEWALIASES 1
-+#define P_MAKEMAP 2
-+
-
- struct userinfo {
- char username[SMTPD_VUSERNAME_SIZE];
diff --git a/network/opensmtpd/openbsd66-019-smtpd-exec.patch b/network/opensmtpd/openbsd66-019-smtpd-exec.patch
deleted file mode 100644
index 93ce19dcb1704..0000000000000
--- a/network/opensmtpd/openbsd66-019-smtpd-exec.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-OpenBSD 6.6 errata 019, January 30, 2020:
-
-An incorrect check allows an attacker to trick mbox delivery into executing
-arbitrary commands as root and lmtp delivery into executing arbitrary commands
-as an unprivileged user.
-
---- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415
-+++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000
-@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch
- memmove(maddr->user, p, strlen(p) + 1);
- }
-
-- if (!valid_localpart(maddr->user) ||
-- !valid_domainpart(maddr->domain)) {
-- /* accept empty return-path in MAIL FROM, required for bounces */
-- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-- return (1);
-+ /* accept empty return-path in MAIL FROM, required for bounces */
-+ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-+ return (1);
-
-- /* no user-part, reject */
-- if (maddr->user[0] == '\0')
-- return (0);
--
-- /* no domain, local user */
-- if (maddr->domain[0] == '\0') {
-- (void)strlcpy(maddr->domain, domain,
-- sizeof(maddr->domain));
-- return (1);
-- }
-+ /* no or invalid user-part, reject */
-+ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
- return (0);
-+
-+ /* no domain part, local user */
-+ if (maddr->domain[0] == '\0') {
-+ (void)strlcpy(maddr->domain, domain,
-+ sizeof(maddr->domain));
- }
-+
-+ if (!valid_domainpart(maddr->domain))
-+ return (0);
-
- return (1);
- }
diff --git a/network/opensmtpd/opensmtpd.SlackBuild b/network/opensmtpd/opensmtpd.SlackBuild
index 54a4f8e4cf9ad..afda7fedc1e41 100644
--- a/network/opensmtpd/opensmtpd.SlackBuild
+++ b/network/opensmtpd/opensmtpd.SlackBuild
@@ -24,8 +24,8 @@
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PRGNAM=opensmtpd
-VERSION=${VERSION:-6.0.3p1}
-BUILD=${BUILD:-6}
+VERSION=${VERSION:-6.6.4p1}
+BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@@ -92,21 +92,6 @@ find -L . \
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
-# fix reply buffer overflow
-cat $CWD/openbsd64-020-smtpd.patch | patch -p1
-
-# fix tls downgrade
-cat $CWD/openbsd65-029-smptd-tls.patch | patch -p1
-
-# fix exec
-cat $CWD/openbsd66-019-smtpd-exec.patch | patch -p1
-
-# check null from crypt function
-cat $CWD/fix-crash-on-authentication.patch | patch -p1
-
-# fix smtpctl envelop
-cat $CWD/openbsd65-031-smtpd-envelope.patch | patch -p1
-
CFLAGS="$SLKCFLAGS -D_DEFAULT_SOURCE" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
@@ -150,10 +135,16 @@ ln -s smtpctl $PKG/usr/sbin/makemap
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.opensmtpd > $PKG/etc/rc.d/rc.opensmtpd.new
-# Don't clobber the config file
+# copy original smtpd.conf file
+cp -p $PKG/etc/opensmtpd/smtpd.conf $PKG/etc/opensmtpd/smtpd.conf.upstream.default
+
+# Don't clobber the existing config file
mv $PKG/etc/opensmtpd/smtpd.conf $PKG/etc/opensmtpd/smtpd.conf.new
# and reflect the correct path to aliases file
-sed -i "s,/etc/mail/,/etc/opensmtpd/,g" $PKG/etc/opensmtpd/smtpd.conf.new
+# and use mbox instead of maildir
+sed -i -e "s,/etc/mail/,/etc/opensmtpd/,g" \
+ -e "s,maildir alias,mbox alias,g" \
+ $PKG/etc/opensmtpd/smtpd.conf.new
# Create (but don't clobber) the aliases file
cat $CWD/aliases > $PKG/etc/opensmtpd/aliases.new
@@ -176,7 +167,7 @@ find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
-cp -a INSTALL LICENSE README.md THANKS $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a INSTALL LICENSE README.md $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.slackware
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
diff --git a/network/opensmtpd/opensmtpd.info b/network/opensmtpd/opensmtpd.info
index 093088029945d..b8753bc31d361 100644
--- a/network/opensmtpd/opensmtpd.info
+++ b/network/opensmtpd/opensmtpd.info
@@ -1,8 +1,8 @@
PRGNAM="opensmtpd"
-VERSION="6.0.3p1"
+VERSION="6.6.4p1"
HOMEPAGE="https://www.opensmtpd.org/"
-DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.0.3p1.tar.gz"
-MD5SUM="66e496bb0f3303d660744f4fa2178765"
+DOWNLOAD="https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz"
+MD5SUM="4744943277f9a6dc942e7560dbdb5643"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES="libasr"