update postsrsd to version 1.11

The update fixes CVE-2020-35573 and CVE-2021-35525
2021-07-10 08:41:56 +00:00 · 2021-07-10 08:41:56 +00:00 · 7a07e2d4a2
commit 7a07e2d4a2
parent 0e51357fc8
6 changed files with 126 additions and 9 deletions
--- a/mail/postsrsd/MESSAGE
+++ b/mail/postsrsd/MESSAGE
@ -0,0 +1,27 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1 2021/07/10 08:41:56 spz Exp $
+
+When using postsrsd with its rc.d script, at the minimum set
+postsrsd_flags="-dyour.domain"
+in rc.conf. See the manpage for more options.
+
+You must store at least one secret key in ${PKG_SYSCONFDIR}/postsrsd.secret.
+Be careful that no one can guess your secret, because anyone who knows it
+can use your mail server as open relay.
+Each line of ${PKG_SYSCONFDIR}/postsrsd.secret is used as secret.
+The first secret is used for signing and verification, the others for
+verification only.
+
+PostSRSd exposes its functionality via two TCP lookup tables.
+Add or amend the following variables in your main.cf:
+
+    sender_canonical_maps = tcp:localhost:10001
+    sender_canonical_classes = envelope_sender
+    recipient_canonical_maps = tcp:localhost:10002
+    recipient_canonical_classes= envelope_recipient,header_recipient
+
+This will transparently rewrite incoming and outgoing envelope addresses,
+and additionally undo SRS rewrites in the To: header of bounce notifications
+and vacation autoreplies.
+
+===========================================================================
--- a/mail/postsrsd/Makefile
+++ b/mail/postsrsd/Makefile
@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2017/12/31 13:22:46 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2021/07/10 08:41:56 spz Exp $

-DISTNAME=	postsrsd-1.4
-PKGREVISION=	1
+DISTNAME=	postsrsd-1.11
+#PKGREVISION=	0
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_GITHUB:=roehling/}

@ -10,6 +10,17 @@ HOMEPAGE=	https://github.com/roehling/postsrsd
 COMMENT=	Postfix Sender Rewriting Scheme daemon
 LICENSE=	gnu-gpl-v2

+RCD_SCRIPTS=	postsrsd
+
+POSTSRSD_USER?=		postsrsd
+POSTSRSD_GROUP?=	postsrsd
+PKG_USERS=		${POSTSRSD_USER}:${POSTSRSD_GROUP}
+PKG_GROUPS=		${POSTSRSD_GROUP}
+USER_GROUP=		${POSTSRSD_USER} ${POSTSRSD_GROUP}
+
+PKG_GECOS.${POSTSRSD_USER}?=	postSRSd
+
+
 USE_CMAKE=	yes
 BUILD_DEPENDS+=	help2man-[0-9]*:../../converters/help2man

--- a/mail/postsrsd/PLIST
+++ b/mail/postsrsd/PLIST
@ -1,6 +1,7 @@
-@comment $NetBSD: PLIST,v 1.2 2017/12/31 13:22:46 wiz Exp $
+@comment $NetBSD: PLIST,v 1.3 2021/07/10 08:41:56 spz Exp $
 man/man8/postsrsd.8
 sbin/postsrsd
 share/doc/postsrsd/README.md
 share/doc/postsrsd/README_UPGRADE.md
 share/doc/postsrsd/main.cf.ex
+share/postsrsd/postsrsd-systemd-launcher
--- a/mail/postsrsd/distinfo
+++ b/mail/postsrsd/distinfo
@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.1 2016/02/25 15:29:15 wiz Exp $
+$NetBSD: distinfo,v 1.2 2021/07/10 08:41:56 spz Exp $

-SHA1 (postsrsd-1.4.tar.gz) = 9b71bc8bbd40dab7d545cd2ec98cf69e4ff50450
-RMD160 (postsrsd-1.4.tar.gz) = 9402c4b9ab9f4bb356a07c67a74fd270c9c56655
-SHA512 (postsrsd-1.4.tar.gz) = e5b9d2091d562030dd8d35117a3c5fb7d99c0613120fc90f74be57af5e88a3fe0ce73a5ce702708047ae37f70c6aedb4a0df018dccbe480048ccb6ed4debbcef
-Size (postsrsd-1.4.tar.gz) = 26555 bytes
+SHA1 (postsrsd-1.11.tar.gz) = 664478941995a05166dc2bc73d744de48ecd8827
+RMD160 (postsrsd-1.11.tar.gz) = 8c94d4fdd5bc47566bcda83e968892204962e6a6
+SHA512 (postsrsd-1.11.tar.gz) = cc041bbbd0277dd416a19e427d63eace3489dc518ebe3a61a022b3e2e159bcb09731a0eb5547eb85bd55887821726b66e828326c109c2ebe26b27dbd062a8d89
+Size (postsrsd-1.11.tar.gz) = 36309 bytes
+SHA1 (patch-postsrsd.c) = 06a9e294279e6ec17491d2b612473948bb92ef4c
--- a/mail/postsrsd/files/postsrsd.sh
+++ b/mail/postsrsd/files/postsrsd.sh
@ -0,0 +1,44 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# PostSRSd provides the Sender Rewriting Scheme (SRS) for Postfix
+#
+
+# PROVIDE: postsrsd
+# BEFORE: mail
+# REQUIRE: DAEMON LOGIN
+
+. /etc/rc.subr
+
+name="postsrsd"
+
+# user-settable rc.conf variables
+: ${postsrsd_secret:="@PKG_SYSCONFDIR@/${name}.secret"}
+: ${postsrsd_chrootdir:="@VARBASE@/chroot/postsrsd"}
+
+rcvar=${name}
+required_files="${postsrsd_secret}"
+pidfile="@VARBASE@/run/${name}.pid"
+command="@PREFIX@/sbin/${name}"
+start_precmd="postsrsd_precmd"
+
+postsrsd_precmd()
+{
+	rc_flags="-p${pidfile} -s${postsrsd_secret} -D $rc_flags"
+	if [ -z "$postsrsd_chrootdir" ]; then
+		return 0;
+	fi
+
+	# If running in a chroot cage, ensure that the appropriate files
+	# exist inside the cage, as well as helper symlinks into the cage 
+	# from outside.
+	if [ ! -d "${postsrsd_chrootdir}" ]; then
+		mkdir -p "${postsrsd_chrootdir}"
+	fi
+
+	#	Change run_rc_commands()'s internal copy of $ntpd_flags
+	#
+	rc_flags="-upostsrsd -c${postsrsd_chrootdir} $rc_flags"
+}
+
+load_rc_config $name
+run_rc_command "$1"
--- a/mail/postsrsd/patches/patch-postsrsd.c
+++ b/mail/postsrsd/patches/patch-postsrsd.c
@ -0,0 +1,33 @@
+$NetBSD: patch-postsrsd.c,v 1.1 2021/07/10 08:41:56 spz Exp $
+
+make sure we can use a connection more than once
+it'll work without the patch but with many error messages in the log
+
+--- postsrsd.c.orig	2021-03-21 19:23:39.000000000 +0000
+++ postsrsd.c	2021-07-09 10:29:40.996255562 +0000
+@@ -644,7 +644,7 @@
+     }
+     while (TRUE)
+     {
+-        int conn;
+        int conn, flags;
+         FILE *fp_read, *fp_write;
+         char linebuf[1024], *line;
+         char keybuf[1024], *key;
+@@ -667,6 +667,16 @@
+                 conn = accept(fds[sc].fd, NULL, NULL);
+                 if (conn < 0)
+                     continue;
+                /* remove the nonblocking for !Linux */
+                flags = fcntl(conn, F_GETFL, 0);
+                if (flags < 0) {
+                    close(conn);
+                    continue;
+                }
+                if (fcntl(conn, F_SETFL, flags & ~O_NONBLOCK) < 0) {
+                    close(conn);
+                    continue;
+                }
+                 if (fork() == 0)
+                 {
+                     int i;