Date: Thu, 18 Oct 2001 05:17:58 -0400 From: Yarema <yds@dppl.com> To: ports@FreeBSD.org, courier-users@lists.sourceforge.net Cc: Edwin Culp <eculp@EnContacto.Net>, Tom Hukins <tom@FreeBSD.ORG>, petef@FreeBSD.ORG, Neil Blakey-Milner <nbm@mithrandr.moria.org>, Sam Varshavchik <mrsam@courier-mta.com> Subject: Re: Courier-MTA on FreeBSD Message-ID: <782730000.1003396678@volyn.dppl.net>
next in thread | raw e-mail | index | archive | help
--==========2464432778========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline --On Wednesday, October 17, 2001 09:25:27 +0200 Neil Blakey-Milner <nbm@mithrandr.moria.org> wrote: > On Tue 2001-10-16 (16:38), Edwin Culp wrote: >> Quoting Tom Hukins <tom@FreeBSD.ORG>: >> >> | On Tue, Oct 16, 2001 at 03:56:26PM -0400, Yarema wrote: >> | > Greetings, >> | > >> | > Has anyone started any work porting Courier-MTA to FreeBSD? >> | >> | See ports/24987 <http://www.FreeBSD.org/cgi/query-pr.cgi?pr=24987>. >> | >> | Tom >> | >> | To Unsubscribe: send mail to majordomo@FreeBSD.org >> | with "unsubscribe freebsd-ports" in the body of the message >> | >> >> >> That was submitted Feb. 10. WOW. This is version .31 and the latest >> release is .35.1 or something. Eight months - interesting. > > I'd welcome anyone to port the whole courier MTA to FreeBSD - > unfortunately it has foiled any of my attempts to properly live in > hier(7) without severe work. And the work I did on my first port when > it finally behaved was useless with the next version. > > I'm also very happy to commit a working port, but all the efforts > thusfar don't obey the more important port rules. > > Of course, I'm also willing to just shut up and hand over the courier > MTA stuff to someone else. (: > > Neil > -- > Neil Blakey-Milner > nbm@mithrandr.moria.org OK, what I've got so far is a completed port of sysconftool which probably belongs in the devel section of FreeBSD ports. Recent Courier-MTA builds depend on it even though the INSTALL docs say that tarballs shouldn't have that dependency -- only CVS versions should. No matter, having sysconftool as a separate port that the courier port depends on seems like the Right Thing anyway. Some gotchas that I can hack around but probably shouldn't have to are: courier/rootcerts dependency on the OpenSSL tools/c_rehash. On FreeBSD it does exist in /usr/src/crypto/openssl/tools/c_rehash source tree but is not installed as part of the base system. I've got a workaround for this but a better alternative would be for courier to include the Makefile which comes with Apache+mod_ssl to do the same thing that OpenSSL's c_rehash does. I'm attaching the Makefile I'm talking about. Perhaps Mr. Sam (or someone better with autoconf than me) can incorporate it into the courier/rootcerts configure and eliminate the dependency on OpenSSL's c_rehash thus making courier easier to port to *BSD systems and probably others. courier/webmail dependency on mime.types -- I can add a dependancy on the www/apache port and specify --enable-mimetypes=${LOCALBASE}/etc/apache/mime.types or not add any dependancy and assume that people are most likely to use apache if they wanna serve webmail. Now that the configure finished with --enable-mimetypes without puking I'll chose the latter option and not add any explicit dependancy on the apache port. Thoughts? Final gotcha is that after all the configure and build steps complete install fails because in a bunch of the subdirectories the Makefile INSTALL macro is definded as '../' instead of something reasonabele like '/usr/bin/install -c' or something. For now I fix the Makefiles with something like: pre-install: @${PERL} -pi -e 's:^INSTALL = \.\./ :INSTALL = install -c :g;' \ `${GREP} -Erl '^INSTALL = \.\./ ' ${WRKSRC}/*` @${PERL} -pi -e 's:^INSTALL = \.\./:INSTALL = install -c -o root -g wheel:g;' \ `${GREP} -Erl '^INSTALL = \.\./' ${WRKSRC}/*` That shouldn't be happening but it is and I can't yet figure out why. Not all the Makefiles have the bogus INSTALL macro. Possibly related to the INSTALL macro bug all the binaries in libexec/courier/modules/ and below were not stripped even though the install-strip target was used. Unless there's a reason that I don't know yet I believe it's a mistake to install binaries owned by user or group courier or daemon or bin unless the corresponding suid or sgid bit are also set for that binary. I believe all binarries should be owned by root:wheel except the ones that need a suid or sgid bit set to a different user. This provides an extra layer of protection to the binaries since most of the system runs as an unprivileged user which cannot modify files owned by root. As it is now if most of the courier processes run as uid courier and most of the binaries are owned by user courier what's to stop a compromised process from installing a back door to the system by modifying a binary owned by the same unprivileged user courier? Postfix goes out of it's way to ensure that only one binary is sgid maildrop and all other binaries are owned by root:wheel while most of the processes run as user postfix. I believe qmail is installed in a similar manner it just uses more usernames for its different processes. It would make me feel a lot better if courier did the same. I'm very tempted to simply write my own do-install target similar to the one I wrote for the postfix-current port to eliminate the weaknesses I describe above. On the plus side is that I'm already cleanly installing and deinstalling the package. I have a dialog configuration script like the one I addapted for postfix-current to select dependencies and options. And the package seems to conform to hier(7) at least as much as postfix does. Oh yeah.. just to be clear I'm working on FreeBSD 4.4-STABLE porting Courier -0.35.1. I started with courier-0.35.1.20011014 but ran into some libtool problems. I'll return to courier-0.35.1.20011014 or whatever once I got 0.35.1 ported. -- Yarema --==========2464432778========== Content-Type: text/plain; charset=us-ascii; name=Makefile Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=Makefile; size=1522 ## ## Makefile to keep the hash symlinks in SSLCACertificatePath up to date ## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved. ## SSL_PROGRAM= update: clean -@ssl_program="$(SSL_PROGRAM)"; \ if [ ".$$ssl_program" = . ]; then \ for dir in . `echo $$PATH | sed -e 's/:/ /g'`; do \ for program in openssl ssleay; do \ if [ -f "$$dir/$$program" ]; then \ if [ -x "$$dir/$$program" ]; then \ ssl_program="$$dir/$$program"; \ break; \ fi; \ fi; \ done; \ if [ ".$$ssl_program" != . ]; then \ break; \ fi; \ done; \ fi; \ if [ ".$$ssl_program" = . ]; then \ echo "Error: neither 'openssl' nor 'ssleay' program found" 1>&2; \ exit 1; \ fi; \ for file in *.crt; do \ if [ ".`grep SKIPME $$file`" != . ]; then \ echo dummy |\ awk '{ printf("%-15s ... Skipped\n", file); }' \ "file=$$file"; \ else \ n=0; \ while [ 1 ]; do \ hash="`$$ssl_program x509 -noout -hash <$$file`"; \ if [ -r "$$hash.$$n" ]; then \ n=`expr $$n + 1`; \ else \ echo dummy |\ awk '{ printf("%-15s ... %s\n", file, hash); }' \ "file=$$file" "hash=$$hash.$$n"; \ ln -s $$file $$hash.$$n; \ break; \ fi; \ done; \ fi; \ done clean: -@rm -f [0-9a-fA-F]*.[0-9]* --==========2464432778==========-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?782730000.1003396678>