pool/postfix
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 965609 from home:13ilya

Browse Source 
- Refreshed spec-file via spec-cleaner and manual optimizated.
  * Added -p flag to all install commands.
  * Removed -f flag from all ln commands.
- Changed file harden_postfix.service.patch (boo#1191988).

OBS-URL: https://build.opensuse.org/request/show/965609
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=438
This commit is contained in:
Dirk Mueller 2022-04-10 09:27:44 +00:00 committed by Git OBS Bridge
parent e8c4e4ac0b
commit 8308be11bf
3 changed files with 57 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
harden_postfix.service.patch
View File

@ -2,14 +2,18 @@ Index: postfix-3.6.2/postfix-SUSE/postfix.service
=================================================================== ===================================================================
--- postfix-3.6.2.orig/postfix-SUSE/postfix.service --- postfix-3.6.2.orig/postfix-SUSE/postfix.service
+++ postfix-3.6.2/postfix-SUSE/postfix.service +++ postfix-3.6.2/postfix-SUSE/postfix.service
@@ -19,6 +19,20 @@ After=amavis.service mysql.service cyrus @@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus
Conflicts=sendmail.service exim.service Conflicts=sendmail.service exim.service
[Service] [Service]
+# added automatically, for details please see +# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full +
+ReadWritePaths=/etc/postfix +# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988
+#ProtectSystem=full
+#ReadWritePaths=/etc/postfix
+
+ProtectHome=false +ProtectHome=false
+PrivateDevices=true +PrivateDevices=true
+ProtectHostname=true +ProtectHostname=true

8
postfix.changes
View File

@ -4,6 +4,14 @@ Mon Apr 4 09:01:56 UTC 2022 - Peter Varkoly <varkoly@suse.com>
- config.postfix fails to set smtp_tls_security_level - config.postfix fails to set smtp_tls_security_level
(bsc#1192314) (bsc#1192314)
-------------------------------------------------------------------
Tue Mar 29 10:12:29 UTC 2022 - Илья Индиго <ilya@ilya.cf>
- Refreshed spec-file via spec-cleaner and manual optimizated.
* Added -p flag to all install commands.
* Removed -f flag from all ln commands.
- Changed file harden_postfix.service.patch (boo#1191988).
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 18 20:29:34 UTC 2022 - Michael Ströder <michael@stroeder.com> Fri Mar 18 20:29:34 UTC 2022 - Michael Ströder <michael@stroeder.com>

88
postfix.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package postfix # spec file for package postfix
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -52,7 +52,6 @@ Source0: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official
Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc
Source2: %{name}-SUSE.tar.gz Source2: %{name}-SUSE.tar.gz
Source3: %{name}-mysql.tar.bz2 Source3: %{name}-mysql.tar.bz2
#Source4: http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.keyring
Source4: postfix.keyring Source4: postfix.keyring
Source10: %{name}-rpmlintrc Source10: %{name}-rpmlintrc
Source11: check_mail_queue Source11: check_mail_queue
@ -68,45 +67,44 @@ Patch7: %{name}-ssl-release-buffers.patch
Patch8: %{name}-vda-v14-3.0.3.patch Patch8: %{name}-vda-v14-3.0.3.patch
Patch9: fix-postfix-script.patch Patch9: fix-postfix-script.patch
Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch
Patch11: set-default-db-type.patch Patch11: set-default-db-type.patch
Patch13: harden_postfix.service.patch Patch12: harden_postfix.service.patch
BuildRequires: ca-certificates BuildRequires: ca-certificates
BuildRequires: cyrus-sasl-devel BuildRequires: cyrus-sasl-devel
#BuildRequires: db-devel
BuildRequires: diffutils BuildRequires: diffutils
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: libicu-devel BuildRequires: libicu-devel
BuildRequires: libopenssl-devel >= 1.1.1 BuildRequires: libopenssl-devel >= 1.1.1
BuildRequires: lmdb-devel
BuildRequires: m4 BuildRequires: m4
BuildRequires: mysql-devel BuildRequires: mysql-devel
%if %{with ldap}
BuildRequires: openldap2-devel
%endif
BuildRequires: lmdb-devel
BuildRequires: pcre-devel BuildRequires: pcre-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: postgresql-devel BuildRequires: postgresql-devel
BuildRequires: shadow BuildRequires: shadow
BuildRequires: sysuser-tools
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires: iproute2 Requires: iproute2
Requires(post): permissions Requires(post): permissions
Requires(pre): %fillup_prereq Requires(pre): %fillup_prereq
Requires(pre): group(%{mail_group})
Requires(pre): permissions Requires(pre): permissions
Requires(pre): user(nobody)
Conflicts: exim Conflicts: exim
Conflicts: sendmail
Conflicts: postfix-bdb Conflicts: postfix-bdb
Conflicts: sendmail
Provides: postfix-lmdb = %{version}-%{release} Provides: postfix-lmdb = %{version}-%{release}
Obsoletes: postfix-lmdb < %{version}-%{release} Obsoletes: postfix-lmdb < %{version}-%{release}
Provides: smtp_daemon Provides: smtp_daemon
%{?systemd_ordering} %{?systemd_ordering}
%sysusers_requires
%if %{with ldap}
BuildRequires: openldap2-devel
%endif
%if %{with libnsl} %if %{with libnsl}
BuildRequires: libnsl-devel BuildRequires: libnsl-devel
%endif %endif
BuildRequires: sysuser-tools
Requires(pre): user(nobody)
Requires(pre): group(%{mail_group})
%sysusers_requires
%description %description
Postfix aims to be an alternative to the widely-used sendmail program. Postfix aims to be an alternative to the widely-used sendmail program.
@ -132,10 +130,10 @@ This package contains the documentation for %{name}
Summary: Postfix plugin to support MySQL maps Summary: Postfix plugin to support MySQL maps
Group: Productivity/Networking/Email/Servers Group: Productivity/Networking/Email/Servers
Requires(pre): %{name} = %{version} Requires(pre): %{name} = %{version}
%sysusers_requires
%if 0%{?suse_version} < 1550 %if 0%{?suse_version} < 1550
Provides: group(vmail) Provides: group(vmail)
%endif %endif
%sysusers_requires
%description mysql %description mysql
Postfix plugin to support MySQL maps. This library will be loaded by Postfix plugin to support MySQL maps. This library will be loaded by
@ -176,7 +174,7 @@ maps with Postfix, you need this.
%patch9 %patch9
%patch10 %patch10
%patch11 %patch11
%patch13 -p1 %patch12 -p1
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@ -235,12 +233,12 @@ export CCARGS="${CCARGS} -DNO_DB -DDEF_DB_TYPE=\\\"lmdb\\\""
export PIE=-pie export PIE=-pie
# using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is
# ignored # ignored
make makefiles pie=yes shared=yes dynamicmaps=yes \ %make_build makefiles pie=yes shared=yes dynamicmaps=yes \
shlib_directory=%{_prefix}/lib/%{name} \ shlib_directory=%{_prefix}/lib/%{name} \
meta_directory=%{_prefix}/lib/%{name} \ meta_directory=%{_prefix}/lib/%{name} \
config_directory=%{_sysconfdir}/%{name} \ config_directory=%{_sysconfdir}/%{name} \
SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now"
make %{?_smp_mflags} %make_build
# Create postfix user # Create postfix user
%sysusers_generate_pre %{SOURCE12} postfix postfix-user.conf %sysusers_generate_pre %{SOURCE12} postfix postfix-user.conf
%sysusers_generate_pre %{SOURCE13} vmail postfix-vmail-user.conf %sysusers_generate_pre %{SOURCE13} vmail postfix-vmail-user.conf
@ -252,7 +250,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}
# create our default postfix ssl DIR (/etc/postfix/ssl) # create our default postfix ssl DIR (/etc/postfix/ssl)
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs
# link cacerts to /etc/ssl/certs # link cacerts to /etc/ssl/certs
ln -sf ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts ln -s ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts
cp lib/lib%{name}-* %{buildroot}/%{_libdir} cp lib/lib%{name}-* %{buildroot}/%{_libdir}
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir} export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
sh postfix-install -non-interactive \ sh postfix-install -non-interactive \
@ -268,9 +266,9 @@ sh postfix-install -non-interactive \
setgid_group=%{pf_setgid_group} \ setgid_group=%{pf_setgid_group} \
readme_directory=%{pf_readme_directory} \ readme_directory=%{pf_readme_directory} \
data_directory=%{pf_data_directory} data_directory=%{pf_data_directory}
ln -sf ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail ln -s ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail
for i in qmqp-source smtp-sink smtp-source; do for i in qmqp-source smtp-sink smtp-source; do
install -m 755 bin/$i %{buildroot}%{_sbindir}/$i install -pm 0755 bin/$i %{buildroot}%{_sbindir}/$i
done done
mkdir -p %{buildroot}/sbin/conf.d mkdir -p %{buildroot}/sbin/conf.d
mkdir -p %{buildroot}%{_sysconfdir}/permissions.d mkdir -p %{buildroot}%{_sysconfdir}/permissions.d
@ -281,10 +279,10 @@ mkdir -p %{buildroot}/%{pf_sample_directory}
mkdir -p %{buildroot}/%{pf_html_directory} mkdir -p %{buildroot}/%{pf_html_directory}
mkdir -p %{buildroot}%{_includedir}/%{name} mkdir -p %{buildroot}%{_includedir}/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp install -pm 0644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp
mkdir -p %{buildroot}%{_fillupdir} mkdir -p %{buildroot}%{_fillupdir}
sed -e 's;@lib@;%{_lib};g' %{name}-SUSE/sysconfig.%{name} > %{buildroot}%{_fillupdir}/sysconfig.%{name} sed -e 's;@lib@;%{_lib};g' %{name}-SUSE/sysconfig.%{name} > %{buildroot}%{_fillupdir}/sysconfig.%{name}
install -m 644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name} install -pm 0644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name}
sed -e 's;@lib@;%{_lib};g' \ sed -e 's;@lib@;%{_lib};g' \
-e 's;@conf_backup_dir@;%{conf_backup_dir};' \ -e 's;@conf_backup_dir@;%{conf_backup_dir};' \
-e 's;@daemon_directory@;%{pf_daemon_directory};' \ -e 's;@daemon_directory@;%{pf_daemon_directory};' \
@ -296,19 +294,19 @@ sed -e 's;@lib@;%{_lib};g' \
-e 's;@newaliases_path@;%{pf_newaliases_path};' \ -e 's;@newaliases_path@;%{pf_newaliases_path};' \
-e 's;@sample_directory@;%{pf_sample_directory};' \ -e 's;@sample_directory@;%{pf_sample_directory};' \
-e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name} -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name}
chmod 755 %{buildroot}%{_sbindir}/config.%{name} chmod 0755 %{buildroot}%{_sbindir}/config.%{name}
install -m 644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf install -pm 0644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf
install -m 644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access install -pm 0644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access
install -m 644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name} install -pm 0644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name}
install -m 644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical install -pm 0644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical
install -m 644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay install -pm 0644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay
install -m 644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts install -pm 0644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts
install -m 644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients install -pm 0644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients
install -m 600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd install -pm 0600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd
mkdir -p %{buildroot}%{_sysconfdir}/sasl2 mkdir -p %{buildroot}%{_sysconfdir}/sasl2
install -m 600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf install -pm 0600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf
install -m 644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in install -pm 0644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in
install -m 755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert install -pm 0755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert
{ {
cat<<EOF cat<<EOF
# #
@ -347,12 +345,12 @@ sed -i -e 's/\(.*ldap.*\)/#\1/g' \
%{buildroot}%{pf_shlib_directory}/postfix-files %{buildroot}%{pf_shlib_directory}/postfix-files
mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d
# postfix-mysql # postfix-mysql
install -m 644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql install -pm 0644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql
install -m 640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/ install -pm 0640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/
# create paranoid permissions file # create paranoid permissions file
printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
install -m 644 include/*.h %{buildroot}%{_includedir}/%{name}/ install -pm 0644 include/*.h %{buildroot}%{_includedir}/%{name}/
# some rpmlint stuff # some rpmlint stuff
# remove unneeded examples/chroot-setup # remove unneeded examples/chroot-setup
for example in AIX42 BSDI* F* HPUX* IRIX* NETBSD1 NEXTSTEP3 OPENSTEP4 OSF1 Solaris*; do for example in AIX42 BSDI* F* HPUX* IRIX* NETBSD1 NEXTSTEP3 OPENSTEP4 OSF1 Solaris*; do
@ -366,12 +364,12 @@ rm %{buildroot}%{pf_docdir}/README_FILES/INSTALL
rm -f %{buildroot}%{_sysconfdir}/%{name}/*.orig rm -f %{buildroot}%{_sysconfdir}/%{name}/*.orig
mkdir -p %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/ mkdir -p %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/
mkdir -p %{buildroot}%{pf_shlib_directory}/systemd mkdir -p %{buildroot}%{pf_shlib_directory}/systemd
install -m 0644 %{name}-SUSE/%{name}.service %{buildroot}%{_unitdir}/%{name}.service install -pm 0644 %{name}-SUSE/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
install -m 0755 %{name}-SUSE/config_%{name}.systemd %{buildroot}%{pf_shlib_directory}/systemd/config_%{name} install -pm 0755 %{name}-SUSE/config_%{name}.systemd %{buildroot}%{pf_shlib_directory}/systemd/config_%{name}
install -m 0755 %{name}-SUSE/update_chroot.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_chroot install -pm 0755 %{name}-SUSE/update_chroot.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_chroot
install -m 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps install -pm 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps
install -m 0755 %{name}-SUSE/wait_qmgr.systemd %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr install -pm 0755 %{name}-SUSE/wait_qmgr.systemd %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr
install -m 0755 %{name}-SUSE/cond_slp.systemd %{buildroot}%{pf_shlib_directory}/systemd/cond_slp install -pm 0755 %{name}-SUSE/cond_slp.systemd %{buildroot}%{pf_shlib_directory}/systemd/cond_slp
ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
ln -sv %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/%{name}.service ln -sv %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/%{name}.service
%fdupes %{buildroot}%{pf_docdir} %fdupes %{buildroot}%{pf_docdir}
@ -465,10 +463,8 @@ fi
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
%pre mysql -f vmail.pre %pre mysql -f vmail.pre
%post mysql -p /sbin/ldconfig %post mysql -p /sbin/ldconfig
%postun mysql -p /sbin/ldconfig %postun mysql -p /sbin/ldconfig
%post postgresql -p /sbin/ldconfig %post postgresql -p /sbin/ldconfig
%postun postgresql -p /sbin/ldconfig %postun postgresql -p /sbin/ldconfig