Build failure with >= postfix-3.5.20 #914

Open
orbea opened this issue Sep 17, 2023 · 6 comments

Comments

@orbea

orbea commented Sep 17, 2023

As I am sure is well known, modern Postfix releases are broken with LibreSSL; OpenBSD outright uses OpenSSL.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable/Makefile#L7

And the Postfix 3.5 releases are the oldest that work with LibreSSL, but starting with >= 3.5.20 one of the build failures with modern Postfix has been introduced.

tls_misc.c: In function 'tls_library_init':
tls_misc.c:660:5: error: unknown type name 'OPENSSL_INIT_SETTINGS'; did you mean 'OPENSSL_INIT_ATFORK'?
  660 |     OPENSSL_INIT_SETTINGS *init_settings;
      |     ^~~~~~~~~~~~~~~~~~~~~
      |     OPENSSL_INIT_ATFORK
tls_misc.c:684:26: error: implicit declaration of function 'OPENSSL_INIT_new'; did you mean 'OPENSSL_init_ssl'? [-Werror=implicit-function-declaration]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                          ^~~~~~~~~~~~~~~~
      |                          OPENSSL_init_ssl
tls_misc.c:684:24: warning: assignment to 'int *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                        ^
tls_misc.c:690:10: error: implicit declaration of function 'OPENSSL_INIT_free'; did you mean 'OPENSSL_INIT_ASYNC'? [-Werror=implicit-function-declaration]
  690 |     do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
      |          ^~~~~~~~~~~~~~~~~
tls_misc.c:741:13: note: in expansion of macro 'TLS_LIB_INIT_RETURN'
  741 |             TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
      |             ^~~~~~~~~~~~~~~~~~~
tls_misc.c:744:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_file_flags' [-Werror=implicit-function-declaration]
  744 |         OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:749:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_filename' [-Werror=implicit-function-declaration]
  749 |         OPENSSL_INIT_set_config_filename(init_settings, conf_file);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:751:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_appname' [-Werror=implicit-function-declaration]
  751 |         OPENSSL_INIT_set_config_appname(init_settings, conf_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make: *** [Makefile:92: tls_misc.o] Error 1

build.log

OpenBSD currently provides 3.5.17 where the current patches also allow 3.5.19 to build.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/Makefile#L1
https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_certkey_c
https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_server_c

Is there any hope that LibreSSL can at least support newer Postfix 3.5 patch releases?

@brad0

brad0 commented Nov 2, 2023

AFAIK the biggest issue with Postfix and LibreSSL is the lack of DANE support.

@botovq
Contributor

botovq commented Dec 19, 2023

Current events made this a bit of a problem.

This issue came too close to the 3.8 release for us to do anything about it. We don't really want to add OPENSSL_INIT_new(). My understanding of the Postfix release cycle is that Postfix 3.5 will be end of life some time next year, so we would add another single-digit consumer API for no compelling reason. The reason here is that Postfix added two config knobs to add support for OpenSSL config files.

It is straightforward to patch out the OPENSSL_INIT_new()-related code:

https://marc.info/?l=openbsd-ports&m=170300480407134&w=2

As long as you don't set the tls_config_{file,name} configuration, this should work just fine.

Brad is right, DANE support became mandatory in Postfix at some point, presumably at around the time when support for the OpenSSL 1.0 branch was removed, and that is the major blocker. While supporting DANE in LibreSSL is not entirely out of the question, doing it the OpenSSL way pretty much is.
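The comment above leaves a practical gap for operators: with the OPENSSL_INIT_new() code patched out, a LibreSSL build of Postfix 3.5.20 or later cannot apply tls_config_file or tls_config_name, so a main.cf that sets them describes a policy the daemon never loads. The following pre-flight check is an added example written for this page (not code from the issue, from Postfix or from LibreSSL); it assumes you feed it the output of `postconf -n` and tell it which TLS library the build links against, for instance via the first word of `openssl version`, which the script only inspects for the string "LibreSSL". The sample configuration inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from this issue, from Postfix or from LibreSSL.
# Lints `postconf -n` output for tls_config_file / tls_config_name, the two
# knobs whose effect is lost when the OPENSSL_INIT_new() path is patched out
# of a LibreSSL build. Library detection is left to the caller (assumption:
# the `openssl version` string, which starts with "LibreSSL" on such builds).

# check_tls_config_knobs CONF LIBVER
#   CONF   : file holding `postconf -n` output ("name = value" per line)
#   LIBVER : TLS library version string, e.g. "LibreSSL 3.8.2"
# Returns 0 when the configuration is safe for that library, 1 when a knob
# is set on a LibreSSL build; offending parameters are reported on stderr.
check_tls_config_knobs() {
    conf=$1
    libver=$2
    case "$libver" in
        *LibreSSL*) ;;          # only LibreSSL builds lack OPENSSL_INIT_SETTINGS
        *) return 0 ;;
    esac
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;             # postconf -n prints "name = value"; skip anything else
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=.*$//')
        case "$name" in
            tls_config_file|tls_config_name) ;;
            *) continue ;;
        esac
        value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        if [ -n "$value" ]; then
            printf '%s: %s = %s is set, but a LibreSSL build cannot apply it\n' \
                "$conf" "$name" "$value" >&2
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample of `postconf -n` output for the demonstration; it is
# not taken from any real system.
write_sample_conf() {
    cat > "$1" <<'EOF'
smtpd_tls_security_level = may
tls_config_file = /etc/ssl/postfix-openssl.cnf
tls_config_name = postfix
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
EOF
}

# Demonstration: the same configuration passes on OpenSSL and is refused on LibreSSL.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
for lib in "OpenSSL 3.0.9 30 May 2023" "LibreSSL 3.8.2"; do
    if check_tls_config_knobs "$demo_conf" "$lib"; then
        echo "$lib: configuration is safe"
    else
        echo "$lib: refusing this configuration"
    fi
done
rm -f "$demo_conf"
```

In production use, run `postconf -n > /tmp/main.cf.txt` and then `check_tls_config_knobs /tmp/main.cf.txt "$(openssl version)"` from a deploy hook, so a LibreSSL host fails the deploy instead of silently running without the OpenSSL configuration file the operator believes is in force. An empty value (`tls_config_file =`) is accepted, since that is the Postfix default and nothing is lost.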

@brad0

brad0 commented Dec 20, 2023

With the release of Postfix 3.6.

20200705

	Cleanup: OpenSSL-1.1.1 is the minimum supported version.
	This is an LTS (long-term support) version that will reach
	the end of life by 2023-09-11. This removes support for
	export ciphers.

	This also changes the Postfix default fingerprint digest
	from MD5 to SHA256, but only when the compatibility_level
	is set to '3' or higher.

	Code by Viktor Dukhovni. Files: global/mail_params.c,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	proto/COMPATIBILITY_README.html, proto/TLS_README.html,
	proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c,
	smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in,
	tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c,
	tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_verify.c.

20200710

	Security: added a section to the sendmail(1) manpage for
	security researchers and application developers, with an
	example of using '--' to disable command option processing
	for user-specified data. File sendmail/sendmail.c.

	Error reporting: added '--' to a postalias command line to
	make an obscure error message less confusing. File
	sendmail/sendmail.c.

	Conversion from Postfix built-in DANE support to OpenSSL
	DANE support. Code by Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, proto/postconf.proto,
	smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c,
	tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c,
	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c.

	Bugfix (introduced: Postfix 3.0): minor memory leaks in the
	Postfix TLS library, found during tests. File: tls/tls_misc.c.

@orbea
Author

orbea commented Dec 20, 2023

@botovq Thanks for the detailed information, would you mind elaborating on why OPENSSL_INIT_new() is undesirable?

I can confirm your patch also builds on my side, and it's understandable if fixing newer Postfix is difficult, but if at all possible it would be greatly appreciated. It's one of the few blockers I have found in Gentoo so far.

@botovq
Contributor

botovq commented Dec 20, 2023

It is not desirable simply because there are almost no consumers. It is not particularly offensive as far as new OpenSSL APIs go, but it adds quite a bit of complexity. If it was the only thing in the way of having newer postfix work out of the box it would be an easier sell. But as things are, it's most likely easier to adjust the few consumers than to add this kind of complexity to our libraries.

@orbea
Author

orbea commented Dec 21, 2023

That makes sense, thanks for helping me understand.
