Date: Sun, 14 Feb 2016 22:55:50 -1000
From: cpb <cpb@...ny.log2.net>
To: owl-users@...ts.openwall.com
Subject: Request tips to build postfix with TLS

Hi everyone, I decided Owl-users was the place for this question, even
though it's a package tweak+build question.

I am trying to build postfix with TLS support. I made a little progress
with a couple of tweaks to Owl's postfix.spec, but I don't want to tweak
it any more without asking first. I am not sure that I actually made any
progress at all! Here are the 2 main things I tried:

-------------------
1. defined USE_TLS, resulting in dozens of undefined SSL symbols:
-------------------
$ whoami ; pwd
build
/usr/src/world
$ p=native/Owl/packages/postfix
$ sed -i.bak -e s/-UUSE_TLS/-DUSE_TLS/g $p/postfix.spec
$ make PACKAGE=postfix
...
12:35:38: #1: Failed postfix
...
$ egrep undefined.reference logs/postfix | tail -2
../../lib/libpostfix.so: undefined reference to `SSL_set_cipher_list'
../../lib/libpostfix.so: undefined reference to `SSL_set_bio'

-------------------
2. After that, augmented the SYSLIBS list with -lssl, but two undefined
   symbols remain in the same link step. These are postfix symbols though,
   not libssl symbols:
-------------------
$ sed -i.bak -e 's/^SYSLIBS="\(.*\)"/SYSLIBS="\1 -lssl"/' $p/postfix.spec
$ make PACKAGE=postfix
...
12:47:19: #1: Failed postfix
...
$ egrep undefined.reference logs/postfix
../../lib/libpostfix.so: undefined reference to `var_tls_daemon_rand_bytes'
../../lib/libpostfix.so: undefined reference to `var_tls_append_def_CA'

-------------------
The two changes made to postfix.spec are pretty close together:
-------------------
$ diff -U4 -Nar $p/postfix.spec-orig $p/postfix.spec
--- native/Owl/packages/postfix/postfix.spec-orig	2016-02-13 09:35:42 -1000
+++ native/Owl/packages/postfix/postfix.spec	2016-02-14 12:45:09 -1000
@@ -151,17 +151,17 @@
  -DDEF_SENDMAIL_PATH=\\\"%sendmail_path\\\" \
 "
 DICT_LIBS="-ldb -lcdb `pcre-config --libs`"
 DICT_ARGS="-DHAS_CDB -DHAS_PCRE `pcre-config --cflags`"
-SYSLIBS="-lnsl -lresolv"
+SYSLIBS="-lnsl -lresolv -lssl"
 
 pushd src
 
 # 0. Prepare.
 %__make	-j1 -C .. tidy makefiles \
 	SYSLIBS="$SYSLIBS" \
 	AUXLIBS= \
-	CCARGS="$CCARGS $DICT_ARGS -UUSE_TLS" \
+	CCARGS="$CCARGS $DICT_ARGS -DUSE_TLS" \
 	OPT="$OPT" \
 	DEBUG= \
 	NO_IPV6=1
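
Review bot: The `SYSLIBS` line adds `-lssl` without `-lcrypto`, while `AUXLIBS=` in the step 0 make invocation stays empty. Postfix's TLS_README passes the OpenSSL libraries together as `-lssl -lcrypto`, so list both rather than relying on libcrypto being pulled in indirectly through libssl. Separately, the two references that remain undefined after this change (`var_tls_daemon_rand_bytes`, `var_tls_append_def_CA`) are Postfix's own variables, not OpenSSL symbols, so no further library added to `SYSLIBS` will resolve them. With `-DUSE_TLS` now set in `CCARGS`, the object that defines those variables has to be linked into `libpostfix.so` or into each program that links against it, which is a question about how the spec splits the build and not about this hunk's flags.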

-------------------
The step that fails is the link of anvil including lib/libpostfix.so:
-------------------
[src/anvil]
make: Entering directory `/usr/src/world/rpm-work-1/BUILD/postfix-2.4.15/src/anv
il'
gcc -Wmissing-prototypes -Wformat -DDEF_COMMAND_DIR=\"/usr/sbin\" -DDEF_CONFIG_D
IR=\"/etc/postfix\" -DDEF_DAEMON_DIR=\"/usr/libexec/postfix\" -DDEF_HTML_DIR=\"/
usr/share/doc/postfix-2.4.15/html\" -DDEF_MAILQ_PATH=\"/usr/bin/mailq\" -DDEF_MA
NPAGE_DIR=\"/usr/share/man\" -DDEF_NEWALIAS_PATH=\"/usr/bin/newaliases\" -DDEF_P
ROGRAM_DIR=\"/usr/libexec/postfix\" -DDEF_QUEUE_DIR=\"/var/spool/postfix\" -DDEF
_README_DIR=\"/etc/postfix/README_FILES\" -DDEF_SAMPLE_DIR=\"/etc/postfix/README
_FILES\" -DDEF_SENDMAIL_PATH=\"/usr/sbin/sendmail\" -DHAS_CDB -DHAS_PCRE -I/usr/
include/pcre -DUSE_TLS  -pipe -march=i686 -O2 -fomit-frame-pointer -mpreferred-s
tack-boundary=2 -Wall -Wno-comment -Wno-missing-braces -I. -I../../include -DLIN
UX2 -o anvil anvil.o ../../lib/libpostfix_dict.so ../../lib/libpostfix.so 
../../lib/libpostfix.so: undefined reference to `var_tls_daemon_rand_bytes'
../../lib/libpostfix.so: undefined reference to `var_tls_append_def_CA'
collect2: ld returned 1 exit status
make: *** [anvil] Error 1
-------------------

I see that the specfile divides up the executables and config/builds them
in separate batches, but I do not know how these two var_tls_* symbols are
supposed to get resolved in the link. RHEL4's spec file doesn't do this
kind of stuff, and of course the Postfix TLS docs don't discuss this
separation either. I don't want to struggle if someone already knows how
to build postfix with TLS support the right way.

I can give more information if requested, but I think this question is
already a bit too long. Thanks in advance.

Chris Bopp
Honolulu, Hawaii
