Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/14/19 3:43 PM, Harald Dunkel wrote:
> 
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
> 
> ||/ Name                  Version            Architecture Description
> +++-=====================-==================-============-===============================================
> ii  libasr0               1.0.2-2+b1         amd64        asynchronous DNS resolver
> ii  libaudit1:amd64       1:2.8.5-2          amd64        Dynamic library for security auditing
> ii  libc6:amd64           2.28-10            amd64        GNU C Library: Shared libraries
> ii  libcap-ng0:amd64      0.7.9-2            amd64        An alternate POSIX capabilities library
> ii  libdb5.3:amd64        5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
> ii  libevent-2.1-6:amd64  2.1.8-stable-4     amd64        Asynchronous event notification library
> ii  libpam0g:amd64        1.3.1-5            amd64        Pluggable Authentication Modules library
> ii  libssl1.1:amd64       1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
> ii  zlib1g:amd64          1:1.2.11.dfsg-1+b1 amd64        compression library - runtime
> 

PS: compiler version:

{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19' 
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-8 
--program-prefix=x86_64-linux-gnu-
--enable-shared --enable-linker-build-id --libexecdir=/usr/lib 
--without-included-gettext --enable-threads=posix --libdir=/usr/lib 
--enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug 
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new 
--enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie 
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto 
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
>
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>

This can be fixed in "smtpd/ca.c" with:
- *errstr = X509_verify_cert_error_string(xsc->error);
+ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
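
Review bot: This replacement only covers the `xsc->error` dereference reported at ca.c:204, so the `rsae_method` initializer in the same file still fails against the incomplete `RSA_METHOD` type and the build will not complete with this change alone. The `-`/`+` pair also has no file header or `@@` context, so it cannot be applied as posted; sending it as a unified diff against smtpd/ca.c would let others test it directly.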

But as for rsae-specific, it should be more complicated.
I remember an old openssl-1.1.x compat patch, where RSA methods were
explicitly defined.

---
wbr, Denis.


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
Hello Gilles,

Tried to rebuild on Fedora 30, but got compile errors (provided below with
warnings, in case you find them useful):
--- < cut here > ---
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
'./'`../../smtpd/ca.c
../../smtpd/aliases.c: In function 'aliases_get':
../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
   56 |  struct table*userbase = NULL;
  |   ^~~~
../../smtpd/aliases.c: In function 'aliases_virtual_get':
../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
  114 |  struct table*userbase = NULL;
  |   ^~~~
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-compress_backend.o `test -f
'../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
../../smtpd/ca.c: In function 'ca_X509_verify':
../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
  204 |*errstr = X509_verify_cert_error_string(xsc->error);
  |   ^~
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
incomplete type
  307 | static RSA_METHOD rsae_method = {
  | ^~
../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
  308 |  "RSA privsep engine",
  |  ^~~~
../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
  309 |  rsae_pub_enc,
  |  ^~~~
../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
  310 |  rsae_pub_dec,
  |  ^~~~
../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
  311 |  rsae_priv_enc,
  |  ^
../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
  312 |  rsae_priv_dec,
  |  ^
../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
  313 |  rsae_mod_exp,
  |  ^~~~
../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
  314 |  rsae_bn_mod_exp,
  |  ^~~
../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:315:2: warning: excess elements in struct initializer
  315 |  rsae_init,
  |  ^
../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:316:2: warning: excess elements in struct initializer
  316 |  rsae_finish,
  |  ^~~

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/13/19 9:02 PM, gil...@poolp.org wrote:
> August 13, 2019 12:35, "Harald Dunkel" wrote:
> 
>>
>> Surely I don't have a highly complex EMail configuration, but
>> the new version is running on my MTA and the nullclients since
>> Aug 7th: No issues by now, AFAICT. Cool.
>>
> 
> Care to mention what system you are using ? :-)
> 

This is Debian sid (amd64), including openssl version 1.1.1c .
Here is the list of packages providing shared objects for smtpd:

||/ Name                  Version            Architecture Description
+++-=====================-==================-============-===============================================
ii  libasr0               1.0.2-2+b1         amd64        asynchronous DNS resolver
ii  libaudit1:amd64       1:2.8.5-2          amd64        Dynamic library for security auditing
ii  libc6:amd64           2.28-10            amd64        GNU C Library: Shared libraries
ii  libcap-ng0:amd64      0.7.9-2            amd64        An alternate POSIX capabilities library
ii  libdb5.3:amd64        5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
ii  libevent-2.1-6:amd64  2.1.8-stable-4     amd64        Asynchronous event notification library
ii  libpam0g:amd64        1.3.1-5            amd64        Pluggable Authentication Modules library
ii  libssl1.1:amd64       1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
ii  zlib1g:amd64          1:1.2.11.dfsg-1+b1 amd64        compression library - runtime


Regards
Harri



filter-rspamd available for testing (repost)

2019-08-14 Thread Gilles Chehade
Hello,

It seems that I forgot to set up a proper outgoing route yesterday, so my
mail announcing availability of filter-rspamd has been SPF-rejected by a
bunch of hosts...

Here's a link to the mail archive:

   https://www.mail-archive.com/misc@opensmtpd.org/msg04472.html

Note that since then, the port has been committed to OpenBSD !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org    patreon: https://www.patreon.com/gilles