postfix breaking with security/openssl

karolyi

Hey,

Just wanted to document here that:

Git package depends on security/openssl, and security/openssl breaks postfix/smtp. You'll get segfaults from 'postfix/smtp' when using it with security/openssl, and SOME emails won't get delivered, depending on the SSL implementation your server wants to connect to.

This happens with a freshly upgraded 10.2 and postfix & openssl from ports.

If anyone bumps into this problem, remove everything that depends on security/openssl, and recompile everything that used the ports version to use the base version supplied with the system.

You're welcome.
 
karolyi

I might have misread things but mail/postfix always builds against security/openssl and cannot be built to use the base OpenSSL.

So I'm guessing you installed devel/git which updated security/openssl. In turn you probably should have rebuilt mail/postfix due to the updated OpenSSL libraries.

Postfix builds fine with the base provided openssl libraries, it only started to produce these mysterious segfaults when recompiling with security/openssl. Once I removed security/openssl and recompiled postfix, the segfaults disappeared.

Then I started investigating what needed security/openssl, turns out it was devel/git.

The interesting thing is, I have git installed via pkg in another jail and it does not depend on security/openssl. Looking at FreshPorts (https://www.freshports.org/devel/git/), it says that security/openssl is required for devel/git.

I might be missing something here but I use the latest packages and ports at both jails.
 
SirDice

Ah, dug a little deeper. It's amazing what you can learn by reading files. I got thrown off because Freshports shows it depends on security/openssl. ;)

It actually depends on what's already installed. The script to read is /usr/ports/Mk/bsd.openssl.mk.
Code:
#       If no preference was set, check for an installed base version
#       but give an installed port preference over it.

Reading a bit further it seems you can also force ports to use the base OpenSSL, regardless of the presence of security/openssl, by setting WITH_OPENSSL_BASE:

Code:
.if     !defined(WITH_OPENSSL_BASE) && \
        !defined(WITH_OPENSSL_PORT) && \
        !exists(${DESTDIR}/${LOCALBASE}/lib/libcrypto.so) && \
        exists(${DESTDIR}/usr/include/openssl/opensslv.h)
WITH_OPENSSL_BASE=yes
.endif

.if defined(WITH_OPENSSL_BASE)
OPENSSLBASE=            /usr
OPENSSLDIR?=            /etc/ssl

It has to be noted though, not all ports allow this, some insist on using the version from ports.
 
karolyi

Thanks! :)
You actually helped me out here. I was removing git for the sake of a working postfix, but as it seems I could install devel/git again, specifying WITH_OPENSSL_BASE=yes.

I would use the base postfix packages though, but I need mysql support (virtual mailboxes), so in that jail I need to compile everything for myself.

I did put this to /etc/make.conf for 'future compatibility':
Code:
.if ${.CURDIR:M*/devel/git*}
WITH_OPENSSL_BASE=yes
.endif

I wasn't expecting any help here, just wanted to open this topic to ease the struggle of people coming after me, having the same issues. :)
 
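To confirm which OpenSSL a rebuilt binary actually picked up (base under /usr, or the port under ${LOCALBASE}), the following is an added example, not code from the thread or from the ports tree. It classifies `ldd` output; it assumes LOCALBASE is /usr/local and that base libraries live in /lib or /usr/lib, and the function names and sample library versions are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a binary links base OpenSSL, ports OpenSSL, or both.
# Assumption: LOCALBASE defaults to /usr/local; base libs are under /lib or /usr/lib.
LOCALBASE="${LOCALBASE:-/usr/local}"

# Reads `ldd` output on stdin and prints one of: base, ports, mixed, none.
classify_openssl_linkage() {
    awk -v lb="$LOCALBASE" '
        # ldd lines look like: libssl.so.N => /path/libssl.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, lb "/lib/") == 1) ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Convenience wrapper: check_binary /path/to/binary
check_binary() {
    ldd "$1" | classify_openssl_linkage
}

# Constructed sample of ldd output where both OpenSSL copies are loaded.
sample_mixed() {
    cat <<'EOF'
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)
EOF
}
```

Run `check_binary` against the postfix smtp binary and against the shared libraries it loads (for example the MySQL client library) after each rebuild; a result of `mixed` means both the base and the ports OpenSSL end up in the same process.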