Accepting request 968129 from server:mail

OBS-URL: https://build.opensuse.org/request/show/968129 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=213
2022-04-12 19:43:14 +00:00 · 2022-04-12 19:43:14 +00:00 · 828a5f30ce
commit 828a5f30ce
parent 9e7b01830a 8308be11bf
11 changed files with 276 additions and 79 deletions
--- a/harden_postfix.service.patch
+++ b/harden_postfix.service.patch
@ -0,0 +1,29 @@
 Index: postfix-3.6.2/postfix-SUSE/postfix.service
 ===================================================================
 --- postfix-3.6.2.orig/postfix-SUSE/postfix.service
 +++ postfix-3.6.2/postfix-SUSE/postfix.service
@@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus
 Conflicts=sendmail.service exim.service
 [Service]
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +
 +# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb
 +# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988
 +#ProtectSystem=full
 +#ReadWritePaths=/etc/postfix
 +
 +ProtectHome=false
 +PrivateDevices=true
 +ProtectHostname=true
 +ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
 +# end of automatic additions 
 Type=forking
 PIDFile=/var/spool/postfix/pid/master.pid
 ExecStartPre=-/bin/echo 'Starting mail service (Postfix)'
--- a/postfix-3.6.2-glibc-234-build-fix.patch
+++ b/postfix-3.6.2-glibc-234-build-fix.patch
@ -1,14 +0,0 @@
 diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h
 index 99bec9b..95c78ec 100644
 --- a/src/util/sys_defs.h
 +++ b/src/util/sys_defs.h
@@ -802,6 +803,9 @@ extern int initgroups(const char *, int);
 #define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
 #endif
 #endif
 +#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34)
 +#define HAS_CLOSEFROM
 +#endif
 #include <linux/version.h>
 #if !defined(KERNEL_VERSION)
 #define KERNEL_VERSION(a,b,c) (LINUX_VERSION_CODE + 1)
--- a/postfix-3.6.2.tar.gz
+++ b/postfix-3.6.2.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:507323d20d7b3f705f49cf8c07d437c6d8090bed07e15a3c0ec405edad54a7d4
 size 4749530
--- a/postfix-3.6.2.tar.gz.asc
+++ b/postfix-3.6.2.tar.gz.asc
@ -1,7 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (FreeBSD)
 iFcDBQBg/KW0DAtZDoDKFacRCv6ZAP93+1Bi+iPb24MFzjxHAuT0VjvNpYxgKPrp
 GRhhUcs8tAD/Y0ghKWq8Ra8Gk9UHePI0PwD8jqCbt4m3mWAIfyqKh7w=
 =e01E
 -----END PGP SIGNATURE-----
--- a/postfix-3.6.5.tar.gz
+++ b/postfix-3.6.5.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:300fa8811cea20d01d25c619d359bffab82656e704daa719e0c9afc4ecff4808
 size 4751485
--- a/postfix-3.6.5.tar.gz.asc
+++ b/postfix-3.6.5.tar.gz.asc
@ -0,0 +1,7 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (FreeBSD)
 iFcDBQBh/wfiDAtZDoDKFacRCsDYAP0aS0hL1d6vn+nJYOLGKLsQajAL8FFZd5TH
 PS0Ck+cNhQD/Q4Qc8Q4AvINqT5ZfY4xnIWIWtJ6Yra0X9eP6vC6f7JM=
 =+pTi
 -----END PGP SIGNATURE-----
--- a/postfix-SUSE.tar.gz
+++ b/postfix-SUSE.tar.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0587b81f9930058056c903b22bef9c1b1a9ebc61c01e86271a9edf059beaaf1a
+oid sha256:1853d69d3d8e46f877815bb850c6bbcf313b039f59284260cb000b5b821326fd
-size 24345
+size 24333
--- a/postfix-bdb.changes
+++ b/postfix-bdb.changes
@ -1,3 +1,93 @@
 -------------------------------------------------------------------
 Mon Apr  4 09:02:48 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - config.postfix fails to set smtp_tls_security_level
  (bsc#1192314) 
 -------------------------------------------------------------------
 Fri Mar 18 20:29:34 UTC 2022 - Michael Ströder <michael@stroeder.com>
 - update to 3.6.5
  * Glibc 2.34 implements closefrom(). This was causing a conflict
    with Postfix's implementation for systems that have no closefrom()
    implementation.
  * Support for Berkeley DB version 18.
 - removed obsolete postfix-3.6.2-glibc-234-build-fix.patch
 -------------------------------------------------------------------
 Mon Mar 14 09:52:48 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - Postfix on start don't run postalias /etc/postfix/aliases
  (error open database /etc/postfix/aliases.lmdb). (bsc#1197041)
  Apply proposed patch
 -------------------------------------------------------------------
 Wed Feb  9 09:22:41 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - config.postfix can't handle symlink'd /etc/resolv.cof
  (bsc#1195019)
  Adapt proposed change: using "cp -afL" by copying. 
 -------------------------------------------------------------------
 Tue Jan 18 23:32:41 UTC 2022 - Michael Ströder <michael@stroeder.com>
 - Update to 3.6.4
  * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
    entries in postconf output. This was caused by an incomplete
    fix to send SMTP session transcripts to $bounce_notice_recipient.
  * Bug introduced in Postfix 3.0: the proxymap daemon did not
    automatically authorize proxied maps inside pipemap (example:
    pipemap:{proxy:maptype:mapname, ...}) or inside unionmap.
  * Bug introduced in Postfix 2.5: off-by-one error while writing
    a string terminator. This code passed all memory corruption
    tests, presumably because it wrote over an alignment padding
    byte, or over an adjacent character byte that was never read.
  * The proxymap daemon did not automatically authorize map features
    added after Postfix 3.3, caused by missing *_maps parameter
    names in the proxy_read_maps default value. Found during code
    maintenance.
 -------------------------------------------------------------------
 Mon Nov  8 10:26:56 UTC 2021 - Michael Ströder <michael@stroeder.com>
 - Update to 3.6.3
  * (problem introduced in Postfix 2.4, released in 2007): queue
    file corruption after a Milter (for example, MIMEDefang) made
    a request to replace the message body with a copy of that message
    body plus additional text (for example, a SpamAssassin report).
  * (problem introduced in Postfix 2.10, released in 2012): The
    postconf "-x" option could produce incorrect output, because
    multiple functions were implicitly sharing a buffer for
    intermediate results. Problem report by raf, root cause analysis
    by Viktor Dukhovni.
  * (problem introduced in Postfix 2.11, released in 2013): The
    check_ccert_access feature worked as expected, but produced a
    spurious warning when Postfix was built without SASL support.
    Fix by Brad Barden.
  * Fix for a compiler warning due to a missing 'const' qualifier
    when compiling Postfix with OpenSSL 3. Depending on compiler
    settings this could cause the build to fail.
  * The known_tcp_ports settings had no effect. It also wasn't fully
    implemented. Problem report by Peter.
  * Fix for missing space between a hostname and warning text.
 -------------------------------------------------------------------
 Fri Oct 22 09:45:40 UTC 2021 - Dirk Stoecker <opensuse@dstoecker.de>
 - Ensure postfix can write to home directory or server side
  filtering wont work (sieve)
 -------------------------------------------------------------------
 Fri Oct 22 08:46:19 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Ensure service can write to /etc/postfix
 -------------------------------------------------------------------
 Thu Oct 21 15:39:55 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Added hardening to systemd service (bsc#1181400). Added
  harden_postfix.service.patch
 -------------------------------------------------------------------
 Thu Oct  7 08:03:40 UTC 2021 - Peter Varkoly <varkoly@suse.com>
@ -13,7 +103,7 @@ Thu Aug 26 13:59:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
  Adapt master.cf patch
 -------------------------------------------------------------------
-Tue Aug 24 09:55:02 UTC 2021 - Peter Varkoly <varkoly@suse.com>
+Tue Aug 24 09:55:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
 - postfix fails with glibc 2.34
  Define HAS_CLOSEFROM 
@ -5302,4 +5392,3 @@ Mon Oct  9 13:54:13 CEST 2000 - choeger@suse.de
 Mon Oct  9 11:48:39 CEST 2000 - choeger@suse.de
 - inititial revision of pfixtls
--- a/postfix-bdb.spec
+++ b/postfix-bdb.spec
@ -56,7 +56,7 @@
 %endif
 %bcond_without ldap
 Name:           postfix-bdb
-Version:        3.6.2
+Version: 3.6.5
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        IPL-1.0 OR EPL-2.0
@ -82,7 +82,7 @@ Patch7:         postfix-ssl-release-buffers.patch
 Patch8:         postfix-vda-v14-3.0.3.patch
 Patch9:         fix-postfix-script.patch
 Patch10:        postfix-avoid-infinit-loop-if-no-permission.patch
-Patch11:	postfix-3.6.2-glibc-234-build-fix.patch
+Patch12:	harden_postfix.service.patch
 BuildRequires:  ca-certificates
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@ -156,7 +156,7 @@ lmdb.
 %patch8
 %patch9
 %patch10
-%patch11 -p1
+%patch12 -p1
 # ---------------------------------------------------------------------------
--- a/postfix.changes
+++ b/postfix.changes
@ -1,3 +1,101 @@
 -------------------------------------------------------------------
 Mon Apr  4 09:01:56 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - config.postfix fails to set smtp_tls_security_level
  (bsc#1192314) 
 -------------------------------------------------------------------
 Tue Mar 29 10:12:29 UTC 2022 - Илья Индиго <ilya@ilya.cf>
 - Refreshed spec-file via spec-cleaner and manual optimizated.
  * Added -p flag to all install commands.
  * Removed -f flag from all ln commands.
 - Changed file harden_postfix.service.patch (boo#1191988).
 -------------------------------------------------------------------
 Fri Mar 18 20:29:34 UTC 2022 - Michael Ströder <michael@stroeder.com>
 - update to 3.6.5
  * Glibc 2.34 implements closefrom(). This was causing a conflict
    with Postfix's implementation for systems that have no closefrom()
    implementation.
  * Support for Berkeley DB version 18.
 - removed obsolete postfix-3.6.2-glibc-234-build-fix.patch
 -------------------------------------------------------------------
 Mon Mar 14 09:52:48 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - Postfix on start don't run postalias /etc/postfix/aliases
  (error open database /etc/postfix/aliases.lmdb). (bsc#1197041)
  Apply proposed patch
 -------------------------------------------------------------------
 Wed Feb  9 09:22:41 UTC 2022 - Peter Varkoly <varkoly@suse.com>
 - config.postfix can't handle symlink'd /etc/resolv.cof
  (bsc#1195019)
  Adapt proposed change: using "cp -afL" by copying. 
 -------------------------------------------------------------------
 Tue Jan 18 23:32:41 UTC 2022 - Michael Ströder <michael@stroeder.com>
 - Update to 3.6.4
  * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
    entries in postconf output. This was caused by an incomplete
    fix to send SMTP session transcripts to $bounce_notice_recipient.
  * Bug introduced in Postfix 3.0: the proxymap daemon did not
    automatically authorize proxied maps inside pipemap (example:
    pipemap:{proxy:maptype:mapname, ...}) or inside unionmap.
  * Bug introduced in Postfix 2.5: off-by-one error while writing
    a string terminator. This code passed all memory corruption
    tests, presumably because it wrote over an alignment padding
    byte, or over an adjacent character byte that was never read.
  * The proxymap daemon did not automatically authorize map features
    added after Postfix 3.3, caused by missing *_maps parameter
    names in the proxy_read_maps default value. Found during code
    maintenance.
 -------------------------------------------------------------------
 Mon Nov  8 10:26:56 UTC 2021 - Michael Ströder <michael@stroeder.com>
 - Update to 3.6.3
  * (problem introduced in Postfix 2.4, released in 2007): queue
    file corruption after a Milter (for example, MIMEDefang) made
    a request to replace the message body with a copy of that message
    body plus additional text (for example, a SpamAssassin report).
  * (problem introduced in Postfix 2.10, released in 2012): The
    postconf "-x" option could produce incorrect output, because
    multiple functions were implicitly sharing a buffer for
    intermediate results. Problem report by raf, root cause analysis
    by Viktor Dukhovni.
  * (problem introduced in Postfix 2.11, released in 2013): The
    check_ccert_access feature worked as expected, but produced a
    spurious warning when Postfix was built without SASL support.
    Fix by Brad Barden.
  * Fix for a compiler warning due to a missing 'const' qualifier
    when compiling Postfix with OpenSSL 3. Depending on compiler
    settings this could cause the build to fail.
  * The known_tcp_ports settings had no effect. It also wasn't fully
    implemented. Problem report by Peter.
  * Fix for missing space between a hostname and warning text.
 -------------------------------------------------------------------
 Fri Oct 22 09:45:40 UTC 2021 - Dirk Stoecker <opensuse@dstoecker.de>
 - Ensure postfix can write to home directory or server side
  filtering wont work (sieve)
 -------------------------------------------------------------------
 Fri Oct 22 08:46:19 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Ensure service can write to /etc/postfix
 -------------------------------------------------------------------
 Thu Oct 21 15:39:55 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 - Added hardening to systemd service (bsc#1181400). Added
  harden_postfix.service.patch
 -------------------------------------------------------------------
 Thu Oct  7 08:03:40 UTC 2021 - Peter Varkoly <varkoly@suse.com>
@ -18,7 +116,7 @@ Tue Aug 24 09:55:42 UTC 2021 - Peter Varkoly <varkoly@suse.com>
 - postfix fails with glibc 2.34
  Define HAS_CLOSEFROM 
  (bsc#1189101) 
-  add patch 
+  add patch
  - postfix-3.6.2-glibc-234-build-fix.patch
 -------------------------------------------------------------------
@ -5302,4 +5400,3 @@ Mon Oct  9 13:54:13 CEST 2000 - choeger@suse.de
 Mon Oct  9 11:48:39 CEST 2000 - choeger@suse.de
 - inititial revision of pfixtls
--- a/postfix.spec
+++ b/postfix.spec
@ -1,7 +1,7 @@
 #
 # spec file for package postfix
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -42,7 +42,7 @@
 %bcond_without libnsl
 %bcond_without ldap
 Name:           postfix
-Version:        3.6.2
+Version:        3.6.5
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        IPL-1.0 OR EPL-2.0
@ -52,7 +52,6 @@ Source0:        http://cdn.postfix.johnriley.me/mirrors/postfix-release/official
 Source1:        http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc
 Source2:        %{name}-SUSE.tar.gz
 Source3:        %{name}-mysql.tar.bz2
 #Source4:        http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.keyring
 Source4:        postfix.keyring
 Source10:       %{name}-rpmlintrc
 Source11:       check_mail_queue
@ -68,45 +67,44 @@ Patch7:         %{name}-ssl-release-buffers.patch
 Patch8:         %{name}-vda-v14-3.0.3.patch
 Patch9:         fix-postfix-script.patch
 Patch10:        %{name}-avoid-infinit-loop-if-no-permission.patch
-Patch11:	set-default-db-type.patch
+Patch11:        set-default-db-type.patch
-Patch12:	postfix-3.6.2-glibc-234-build-fix.patch
+Patch12:        harden_postfix.service.patch
 BuildRequires:  ca-certificates
 BuildRequires:  cyrus-sasl-devel
 #BuildRequires:  db-devel
 BuildRequires:  diffutils
 BuildRequires:  fdupes
 BuildRequires:  libicu-devel
 BuildRequires:  libopenssl-devel >= 1.1.1
 BuildRequires:  lmdb-devel
 BuildRequires:  m4
 BuildRequires:  mysql-devel
 %if %{with ldap}
 BuildRequires:  openldap2-devel
 %endif
 BuildRequires:  lmdb-devel
 BuildRequires:  pcre-devel
 BuildRequires:  pkgconfig
 BuildRequires:  postgresql-devel
 BuildRequires:  shadow
 BuildRequires:  sysuser-tools
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires(post): permissions
 Requires(pre):  %fillup_prereq
 Requires(pre):  group(%{mail_group})
 Requires(pre):  permissions
 Requires(pre):  user(nobody)
 Conflicts:      exim
 Conflicts:      sendmail
 Conflicts:      postfix-bdb
 Conflicts:      sendmail
 Provides:       postfix-lmdb = %{version}-%{release}
 Obsoletes:      postfix-lmdb < %{version}-%{release}
 Provides:       smtp_daemon
 %{?systemd_ordering}
 %sysusers_requires
 %if %{with ldap}
 BuildRequires:  openldap2-devel
 %endif
 %if %{with libnsl}
 BuildRequires:  libnsl-devel
 %endif
 BuildRequires:  sysuser-tools
 Requires(pre):  user(nobody)
 Requires(pre):  group(%{mail_group})
 %sysusers_requires
 %description
 Postfix aims to be an alternative to the widely-used sendmail program.
@ -132,10 +130,10 @@ This package contains the documentation for %{name}
 Summary:        Postfix plugin to support MySQL maps
 Group:          Productivity/Networking/Email/Servers
 Requires(pre):  %{name} = %{version}
 %sysusers_requires
 %if 0%{?suse_version} < 1550
 Provides:       group(vmail)
 %endif
 %sysusers_requires
 %description mysql
 Postfix plugin to support MySQL maps. This library will be loaded by
@ -235,12 +233,12 @@ export CCARGS="${CCARGS} -DNO_DB -DDEF_DB_TYPE=\\\"lmdb\\\""
 export PIE=-pie
 # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is
 # ignored
-make makefiles pie=yes shared=yes dynamicmaps=yes \
+%make_build makefiles pie=yes shared=yes dynamicmaps=yes \
  shlib_directory=%{_prefix}/lib/%{name} \
  meta_directory=%{_prefix}/lib/%{name} \
  config_directory=%{_sysconfdir}/%{name} \
  SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now"
-make %{?_smp_mflags}
+%make_build
 # Create postfix user
 %sysusers_generate_pre %{SOURCE12} postfix postfix-user.conf
 %sysusers_generate_pre %{SOURCE13} vmail postfix-vmail-user.conf
@ -252,7 +250,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}
 # create our default postfix ssl DIR (/etc/postfix/ssl)
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs
 # link cacerts to /etc/ssl/certs
-ln -sf ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts
+ln -s ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts
 cp lib/lib%{name}-*  %{buildroot}/%{_libdir}
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
 sh postfix-install -non-interactive \
@ -268,9 +266,9 @@ sh postfix-install -non-interactive \
       setgid_group=%{pf_setgid_group} \
       readme_directory=%{pf_readme_directory} \
       data_directory=%{pf_data_directory}
-ln -sf ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail
+ln -s ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail
 for i in qmqp-source smtp-sink smtp-source; do
-	install -m 755 bin/$i %{buildroot}%{_sbindir}/$i
+	install -pm 0755 bin/$i %{buildroot}%{_sbindir}/$i
 done
 mkdir -p %{buildroot}/sbin/conf.d
 mkdir -p %{buildroot}%{_sysconfdir}/permissions.d
@ -281,10 +279,10 @@ mkdir -p %{buildroot}/%{pf_sample_directory}
 mkdir -p %{buildroot}/%{pf_html_directory}
 mkdir -p %{buildroot}%{_includedir}/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/pam.d
-install -m 644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp
+install -pm 0644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp
 mkdir -p %{buildroot}%{_fillupdir}
 sed -e 's;@lib@;%{_lib};g' %{name}-SUSE/sysconfig.%{name} > %{buildroot}%{_fillupdir}/sysconfig.%{name}
-install -m 644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name}
+install -pm 0644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name}
 sed -e 's;@lib@;%{_lib};g' \
    -e 's;@conf_backup_dir@;%{conf_backup_dir};' \
    -e 's;@daemon_directory@;%{pf_daemon_directory};' \
@ -296,19 +294,19 @@ sed -e 's;@lib@;%{_lib};g' \
    -e 's;@newaliases_path@;%{pf_newaliases_path};' \
    -e 's;@sample_directory@;%{pf_sample_directory};' \
    -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name}
-chmod 755 %{buildroot}%{_sbindir}/config.%{name}
+chmod 0755 %{buildroot}%{_sbindir}/config.%{name}
-install -m 644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf
+install -pm 0644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf
-install -m 644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access
+install -pm 0644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access
-install -m 644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name}
+install -pm 0644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name}
-install -m 644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical
+install -pm 0644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical
-install -m 644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay
+install -pm 0644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay
-install -m 644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts
+install -pm 0644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts
-install -m 644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients
+install -pm 0644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients
-install -m 600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd
+install -pm 0600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd
 mkdir -p %{buildroot}%{_sysconfdir}/sasl2
-install -m 600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf
+install -pm 0600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf
-install -m 644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in
+install -pm 0644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in
-install -m 755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert
+install -pm 0755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert
 {
 cat<<EOF
 #
@ -347,12 +345,12 @@ sed -i	-e 's/\(.*ldap.*\)/#\1/g' \
 	%{buildroot}%{pf_shlib_directory}/postfix-files
 mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d
 # postfix-mysql
-install -m 644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql
+install -pm 0644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql
-install -m 640 %{name}-mysql/*_maps.cf     %{buildroot}%{_sysconfdir}/%{name}/
+install -pm 0640 %{name}-mysql/*_maps.cf     %{buildroot}%{_sysconfdir}/%{name}/
 # create paranoid permissions file
 printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
 printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
-install -m 644 include/*.h %{buildroot}%{_includedir}/%{name}/
+install -pm 0644 include/*.h %{buildroot}%{_includedir}/%{name}/
 # some rpmlint stuff
 # remove unneeded examples/chroot-setup
 for example in AIX42 BSDI* F* HPUX* IRIX* NETBSD1 NEXTSTEP3 OPENSTEP4 OSF1 Solaris*; do
@ -366,12 +364,12 @@ rm %{buildroot}%{pf_docdir}/README_FILES/INSTALL
 rm -f %{buildroot}%{_sysconfdir}/%{name}/*.orig
 mkdir -p %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/
 mkdir -p %{buildroot}%{pf_shlib_directory}/systemd
-install -m 0644 %{name}-SUSE/%{name}.service         %{buildroot}%{_unitdir}/%{name}.service
+install -pm 0644 %{name}-SUSE/%{name}.service         %{buildroot}%{_unitdir}/%{name}.service
-install -m 0755 %{name}-SUSE/config_%{name}.systemd  %{buildroot}%{pf_shlib_directory}/systemd/config_%{name}
+install -pm 0755 %{name}-SUSE/config_%{name}.systemd  %{buildroot}%{pf_shlib_directory}/systemd/config_%{name}
-install -m 0755 %{name}-SUSE/update_chroot.systemd   %{buildroot}%{pf_shlib_directory}/systemd/update_chroot
+install -pm 0755 %{name}-SUSE/update_chroot.systemd   %{buildroot}%{pf_shlib_directory}/systemd/update_chroot
-install -m 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps
+install -pm 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps
-install -m 0755 %{name}-SUSE/wait_qmgr.systemd       %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr
+install -pm 0755 %{name}-SUSE/wait_qmgr.systemd       %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr
-install -m 0755 %{name}-SUSE/cond_slp.systemd        %{buildroot}%{pf_shlib_directory}/systemd/cond_slp
+install -pm 0755 %{name}-SUSE/cond_slp.systemd        %{buildroot}%{pf_shlib_directory}/systemd/cond_slp
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 ln -sv %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/%{name}.service
 %fdupes %{buildroot}%{pf_docdir}
@ -465,10 +463,8 @@ fi
 # ---------------------------------------------------------------------------
 %pre    mysql -f vmail.pre
 %post   mysql -p /sbin/ldconfig
 %postun mysql -p /sbin/ldconfig
 %post   postgresql -p /sbin/ldconfig
 %postun postgresql -p /sbin/ldconfig