diff options
Diffstat (limited to 'mail-filter/spamassassin')
-rw-r--r-- | mail-filter/spamassassin/files/3.4.1-spamd.conf | 25 | ||||
-rw-r--r-- | mail-filter/spamassassin/files/3.4.1-spamd.init | 56 | ||||
-rw-r--r-- | mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch | 280 | ||||
-rw-r--r-- | mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild | 196 |
4 files changed, 557 insertions, 0 deletions
diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.conf b/mail-filter/spamassassin/files/3.4.1-spamd.conf new file mode 100644 index 000000000000..0cb7cbbfc471 --- /dev/null +++ b/mail-filter/spamassassin/files/3.4.1-spamd.conf @@ -0,0 +1,25 @@ +# Config file for /etc/init.d/spamd +# +# ***WARNING*** +# +# spamd was not designed to listed to an untrusted network. spamd +# is vulnerable to DoS attacks (and eternal doom) if used to listen +# to an untrusted network. +# +# ***WARNING*** +# + +# Additional options to pass to the spamd daemon. The spamd(1) man +# page explains the available options. If you choose to listen on a +# non-default interface, you will need to use OpenRC's "rc_need" +# mechanism to ensure that your interface comes up before spamd +# starts. The openrc-run(8) man page describes rc_need. +SPAMD_OPTS="--max-children=5 --create-prefs --helper-home-dir" + +# Sets the 'nice' level of the spamd process. +SPAMD_NICELEVEL=0 + +# How long (in seconds) should we wait for spamd to stop after we've +# asked it to? After this amount of time, if spamd is still running, +# we will assume that it has failed to stop. +SPAMD_TIMEOUT=15 diff --git a/mail-filter/spamassassin/files/3.4.1-spamd.init b/mail-filter/spamassassin/files/3.4.1-spamd.init new file mode 100644 index 000000000000..7d2af814a03b --- /dev/null +++ b/mail-filter/spamassassin/files/3.4.1-spamd.init @@ -0,0 +1,56 @@ +#!/sbin/openrc-run +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +PIDDIR=/run/spamd +PIDFILE=${PIDDIR}/spamd.pid + +extra_started_commands="reload" + +depend() { + before mta + use logger +@USEPOSTGRES@ use postgresql +@USEMYSQL@ use mysql +} + +start() { + ebegin "Starting spamd" + + # Ensure that the PID file's directory exists. + checkpath --directory "${PIDDIR}" + + # Reloading spamd causes its PID to change, so we track it by + # name instead. + start-stop-daemon --start --quiet \ + --name spamd \ + --nicelevel ${SPAMD_NICELEVEL} \ + --pidfile ${PIDFILE} \ + --exec /usr/sbin/spamd -- \ + --daemonize \ + --pidfile=${PIDFILE} \ + ${SPAMD_OPTS} + + retval=$? + + eend ${retval} "Failed to start spamd" +} + +stop() { + ebegin "Stopping spamd" + # Retry after SPAMD_TIMEOUT seconds because spamd can take a + # while to kill off all of its children. This was bug 322025. + start-stop-daemon --stop \ + --quiet \ + --retry ${SPAMD_TIMEOUT} \ + --pidfile ${PIDFILE} + eend $? "Failed to stop spamd" +} + +reload() { + ebegin "Reloading configuration" + # Warning: causes the PID of the spamd process to change. + start-stop-daemon --signal HUP --quiet --pidfile ${PIDFILE} + eend $? +} diff --git a/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch b/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch new file mode 100644 index 000000000000..323740cbb048 --- /dev/null +++ b/mail-filter/spamassassin/files/spamassassin-3.4.1-bug_7199.patch @@ -0,0 +1,280 @@ +The "sslv3" option doesn't do what it says (upstream bug 7093) and +only makes things worse. The SSLv3 support also prevents SpamAssassin +from working with LibreSSL, which no longer does SSLv3. + +Index: trunk/spamc/libspamc.c +=================================================================== +--- trunk.orig/spamc/libspamc.c ++++ trunk/spamc/libspamc.c +@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp, + unsigned int throwaway; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; +- SSL_METHOD *meth; ++ const SSL_METHOD *meth; + char zlib_on = 0; + unsigned char *zlib_buf = NULL; + int zlib_bufsiz = 0; +@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp, + if (flags & SPAMC_USE_SSL) { + #ifdef SPAMC_SSL + SSLeay_add_ssl_algorithms(); +- if (flags & SPAMC_TLSV1) { +- meth = TLSv1_client_method(); +- } else { +- meth = SSLv3_client_method(); /* default */ +- } ++ meth = SSLv23_client_method(); + SSL_load_error_strings(); + ctx = SSL_CTX_new(meth); + #else +@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c + int failureval; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; +- SSL_METHOD *meth; ++ const SSL_METHOD *meth; + + assert(tp != NULL); + assert(m != NULL); +@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c + if (flags & SPAMC_USE_SSL) { + #ifdef SPAMC_SSL + SSLeay_add_ssl_algorithms(); +- meth = SSLv3_client_method(); ++ meth = SSLv23_client_method(); + SSL_load_error_strings(); + ctx = SSL_CTX_new(meth); + #else +Index: trunk/spamc/spamc.c +=================================================================== +--- trunk.orig/spamc/spamc.c ++++ trunk/spamc/spamc.c +@@ -368,16 +368,11 @@ read_args(int argc, char **argv, + case 'S': + { + flags |= SPAMC_USE_SSL; +- if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) { +- flags |= SPAMC_SSLV3; +- } +- else if (strcmp(spamc_optarg,"tlsv1") == 0) { +- flags |= SPAMC_TLSV1; +- } +- else { +- libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg); +- ret = EX_USAGE; +- } ++ if(spamc_optarg) { ++ libspamc_log(flags, LOG_ERR, ++ "Explicit specification of an SSL/TLS version no longer supported."); ++ ret = EX_USAGE; ++ } + break; + } + #endif +Index: trunk/spamd/spamd.raw +=================================================================== +--- trunk.orig/spamd/spamd.raw ++++ trunk/spamd/spamd.raw +@@ -409,7 +409,6 @@ GetOptions( + 'sql-config!' => \$opt{'sql-config'}, + 'ssl' => \$opt{'ssl'}, + 'ssl-port=s' => \$opt{'ssl-port'}, +- 'ssl-version=s' => \$opt{'ssl-version'}, + 'syslog-socket=s' => \$opt{'syslog-socket'}, + 'syslog|s=s' => \$opt{'syslog'}, + 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'}, +@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) { + + # Do whitelist later in tmp dir. Side effect: this will be done as -u user. + +-my $sslversion = $opt{'ssl-version'} || 'sslv3'; +-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) { +- die "spamd: invalid ssl-version: $opt{'ssl-version'}\n"; +-} +- + $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem"; + $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem"; + +@@ -899,9 +893,8 @@ sub compose_listen_info_string { + $socket_info->{ip_addr}, $socket_info->{port})); + + } elsif ($socket->isa('IO::Socket::SSL')) { +- push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s", +- $socket_info->{ip_addr}, $socket_info->{port}, +- $opt{'ssl-version'}||'sslv3')); ++ push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr}, ++ $socket_info->{port})); + } + } + +@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet { + $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' + && IO::Socket::IP->VERSION >= 0.09; + %sockopt = (%sockopt, ( +- SSL_version => $sslversion, + SSL_verify_mode => 0x00, + SSL_key_file => $opt{'server-key'}, + SSL_cert_file => $opt{'server-cert'}, +@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet { + if (!$server_inet) { + $diag = sprintf("could not create %s socket on [%s]:%s: %s", + $ssl ? 'IO::Socket::SSL' : $io_socket_module_name, +- $adr, $port, $!); ++ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? ++ "$!,$IO::Socket::SSL::SSL_ERROR" : $!); + push(@diag_fail, $diag); + } else { + $diag = sprintf("created %s socket on [%s]:%s", +@@ -3238,7 +3231,6 @@ Options: + -H [dir], --helper-home-dir[=dir] Specify a different HOME directory + --ssl Enable SSL on TCP connections + --ssl-port port Override --port setting for SSL connections +- --ssl-version sslversion Specify SSL protocol version to use + --server-key keyfile Specify an SSL keyfile + --server-cert certfile Specify an SSL certificate + --socketpath=path Listen on a given UNIX domain socket +@@ -3727,14 +3719,6 @@ Optionally specifies the port number for + SSL connections (default: whatever --port uses). See B<--ssl> for + more details. + +-=item B<--ssl-version>=I<sslversion> +- +-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>. +-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or +-higher hello handshake, then negotiating use of SSLv3 or TLSv1 +-protocol if the client can accept it. Specifying B<--ssl-version> +-implies B<--ssl>. +- + =item B<--server-key> I<keyfile> + + Specify the SSL key file to use for SSL connections. +Index: trunk/spamc/spamc.pod +=================================================================== +--- trunk.orig/spamc/spamc.pod ++++ trunk/spamc/spamc.pod +@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a + Sleep for I<sleep> seconds between failed spamd filtering attempts. + The default is 1 second. + +-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion> ++=item B<-S>, B<--ssl>, B<--ssl> + + If spamc was built with support for SSL, encrypt data to and from the + spamd process with SSL; spamd must support SSL as well. +-I<sslversion> specifies the SSL protocol version to use, either +-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>. + + =item B<-t> I<timeout>, B<--timeout>=I<timeout> + +Index: trunk/t/spamd_ssl_tls.t +=================================================================== +--- trunk.orig/t/spamd_ssl_tls.t ++++ /dev/null +@@ -1,28 +0,0 @@ +-#!/usr/bin/perl +- +-use lib '.'; use lib 't'; +-use SATest; sa_t_init("spamd_ssl_tls"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); +- +-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); +- +-# --------------------------------------------------------------------------- +- +-%patterns = ( +- +-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', +-q{ Subject: There yours for FREE!}, 'subj', +-q{ X-Spam-Status: Yes, score=}, 'status', +-q{ X-Spam-Flag: YES}, 'flag', +-q{ X-Spam-Level: **********}, 'stars', +-q{ TEST_ENDSNUMS}, 'endsinnums', +-q{ TEST_NOREALNAME}, 'noreal', +-q{ This must be the very last line}, 'lastline', +- +- +-); +- +-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", +- "--ssl=tlsv1 < data/spam/001", +- \&patterns_run_cb)); +-ok_all_patterns(); +Index: trunk/t/spamd_ssl_v3.t +=================================================================== +--- trunk.orig/t/spamd_ssl_v3.t ++++ /dev/null +@@ -1,28 +0,0 @@ +-#!/usr/bin/perl +- +-use lib '.'; use lib 't'; +-use SATest; sa_t_init("spamd_sslv3"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); +- +-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); +- +-# --------------------------------------------------------------------------- +- +-%patterns = ( +- +-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', +-q{ Subject: There yours for FREE!}, 'subj', +-q{ X-Spam-Status: Yes, score=}, 'status', +-q{ X-Spam-Flag: YES}, 'flag', +-q{ X-Spam-Level: **********}, 'stars', +-q{ TEST_ENDSNUMS}, 'endsinnums', +-q{ TEST_NOREALNAME}, 'noreal', +-q{ This must be the very last line}, 'lastline', +- +- +-); +- +-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", +- "--ssl=sslv3 < data/spam/001", +- \&patterns_run_cb)); +-ok_all_patterns(); +Index: trunk/t/spamd_ssl_accept_fail.t +=================================================================== +--- trunk.orig/t/spamd_ssl_accept_fail.t ++++ trunk/t/spamd_ssl_accept_fail.t +@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la + + ); + +-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); ++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); + ok (spamcrun ("< data/spam/001", \&patterns_run_cb)); +-ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb)); ++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb)); + ok (stop_spamd ()); + + ok_all_patterns(); +Index: trunk/t/spamd_ssl.t +=================================================================== +--- trunk.orig/t/spamd_ssl.t ++++ trunk/t/spamd_ssl.t +@@ -2,10 +2,7 @@ + + use lib '.'; use lib 't'; + use SATest; sa_t_init("spamd_ssl"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9), +- onfail => sub { +- warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" . +- "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" }; ++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); + + exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); + +Index: trunk/MANIFEST +=================================================================== +--- trunk.orig/MANIFEST ++++ trunk/MANIFEST +@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t + t/spamd_sql_prefs.t + t/spamd_ssl.t + t/spamd_ssl_accept_fail.t +-t/spamd_ssl_tls.t +-t/spamd_ssl_v3.t + t/spamd_stop.t + t/spamd_symbols.t + t/spamd_syslog.t diff --git a/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild b/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild new file mode 100644 index 000000000000..f127be2f5601 --- /dev/null +++ b/mail-filter/spamassassin/spamassassin-3.4.1-r5.ebuild @@ -0,0 +1,196 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +inherit toolchain-funcs systemd + +MY_P=Mail-SpamAssassin-${PV//_/-} +S=${WORKDIR}/${MY_P} +DESCRIPTION="An extensible mail filter which can identify and tag spam" +HOMEPAGE="http://spamassassin.apache.org/" +SRC_URI="mirror://apache/spamassassin/source/${MY_P}.tar.bz2" + +LICENSE="Apache-2.0 GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" +IUSE="+bayes berkdb ipv6 ldap libressl mysql postgres qmail sqlite ssl test" + +# You can do without a database unless you need the Bayes features. +REQUIRED_USE="bayes? ( || ( berkdb mysql postgres sqlite ) )" + +DEPEND=">=dev-lang/perl-5.8.8-r8 + virtual/perl-MIME-Base64 + >=virtual/perl-Pod-Parser-1.510.0-r2 + virtual/perl-Storable + virtual/perl-Time-HiRes + >=dev-perl/HTML-Parser-3.43 + >=dev-perl/Mail-DKIM-0.37 + >=dev-perl/Net-DNS-0.53 + dev-perl/Digest-SHA1 + dev-perl/libwww-perl + >=virtual/perl-Archive-Tar-1.23 + app-crypt/gnupg + >=virtual/perl-IO-Zlib-1.04 + >=dev-util/re2c-0.12.0 + dev-perl/Mail-SPF + >=dev-perl/NetAddr-IP-4.0.1 + dev-perl/Geo-IP + dev-perl/Encode-Detect + dev-perl/Net-Patricia + ssl? ( + dev-perl/IO-Socket-SSL + !libressl? ( dev-libs/openssl:0 ) + libressl? ( dev-libs/libressl ) + ) + berkdb? ( + virtual/perl-DB_File + ) + ldap? ( dev-perl/perl-ldap ) + mysql? ( + dev-perl/DBI + dev-perl/DBD-mysql + ) + postgres? ( + dev-perl/DBI + dev-perl/DBD-Pg + ) + sqlite? ( + dev-perl/DBI + dev-perl/DBD-SQLite + ) + ipv6? ( + || ( dev-perl/IO-Socket-INET6 + virtual/perl-IO-Socket-IP ) + )" +RDEPEND="${DEPEND}" + +# Some spamd tests fail, and it looks like the whole suite eventually +# hangs. +RESTRICT=test + +PATCHES=( + "${FILESDIR}/spamassassin-3.4.1-bug_7199.patch" + "${FILESDIR}/spamassassin-3.4.1-bug_7223.patch" + "${FILESDIR}/spamassassin-3.4.1-bug_7231.patch" + "${FILESDIR}/spamassassin-3.4.1-bug_7265.patch" +) + +src_configure() { + # spamc can be built with ssl support. + local use_ssl="no" + if use ssl; then + use_ssl="yes" + fi + + # Set SYSCONFDIR explicitly so we can't get bitten by bug 48205 again + # (just to be sure, nobody knows how it could happen in the first place). + # + # We also set the path to the perl executable explictly. This will be + # used to create the initial shebang line in the scripts (bug 62276). + perl Makefile.PL \ + PREFIX="${EPREFIX}/usr" \ + INSTALLDIRS=vendor \ + SYSCONFDIR="${EPREFIX}/etc" \ + DATADIR="${EPREFIX}/usr/share/spamassassin" \ + PERL_BIN="${EPREFIX}/usr/bin/perl" \ + ENABLE_SSL="${use_ssl}" \ + DESTDIR="${D}" \ + || die "Unable to build!" + + # Now configure spamc. + emake CC="$(tc-getCC)" LDFLAGS="${LDFLAGS}" spamc/Makefile +} + +src_compile() { + PERL_MM_USE_DEFAULT=1 emake + + if use qmail; then + emake spamc/qmail-spamc + fi +} + +src_install () { + emake install + einstalldocs + + # Create the stub dir used by sa-update and friends + keepdir /var/lib/spamassassin + + # Move spamd to sbin where it belongs. + dodir /usr/sbin + mv "${ED}"/usr/bin/spamd "${ED}"/usr/sbin/spamd || die "move spamd failed" + + if use qmail; then + dobin spamc/qmail-spamc + fi + + ln -s mail/spamassassin "${ED}"/etc/spamassassin || die + + # Disable plugin by default + sed -i -e 's/^loadplugin/\#loadplugin/g' \ + "${ED}"/etc/mail/spamassassin/init.pre \ + || die "failed to disable plugins by default" + + # Add the init and config scripts. + newinitd "${FILESDIR}"/3.4.1-spamd.init spamd + newconfd "${FILESDIR}"/3.4.1-spamd.conf spamd + + systemd_newunit "${FILESDIR}"/${PN}.service-r1 ${PN}.service + systemd_install_serviced "${FILESDIR}"/${PN}.service.conf + + if use postgres; then + sed -i -e 's:@USEPOSTGRES@::' "${ED}/etc/init.d/spamd" || die + + dodoc sql/*_pg.sql + else + sed -i -e '/@USEPOSTGRES@/d' "${ED}/etc/init.d/spamd" || die + fi + + if use mysql; then + sed -i -e 's:@USEMYSQL@::' "${ED}/etc/init.d/spamd" || die + + dodoc sql/*_mysql.sql + else + sed -i -e '/@USEMYSQL@/d' "${ED}/etc/init.d/spamd" || die + fi + + dodoc NOTICE TRADEMARK CREDITS UPGRADE USAGE sql/README.bayes \ + sql/README.awl procmailrc.example sample-nonspam.txt \ + sample-spam.txt spamd/PROTOCOL spamd/README.vpopmail \ + spamd-apache2/README.apache + + # Rename some docu files so they don't clash with others + newdoc spamd/README README.spamd + newdoc sql/README README.sql + newdoc ldap/README README.ldap + + if use qmail; then + dodoc spamc/README.qmail + fi + + insinto /etc/mail/spamassassin/ + insopts -m0400 + newins "${FILESDIR}"/secrets.cf secrets.cf.example + + # Create the directory where sa-update stores its GPG key (if you + # choose to import one). If this directory does not exist, the + # import will fail. This is bug 396307. We expect that the import + # will be performed as root, and making the directory accessible + # only to root prevents a warning on the command-line. + diropts -m0700 + dodir /etc/mail/spamassassin/sa-update-keys +} + +pkg_postinst() { + elog + elog "No rules are install by default. You will need to run sa-update" + elog "at least once, and most likely configure SpamAssassin before it" + elog "will work. You should also consider a cron job for sa-update." + elog + elog "Configuration and update help can be found on the wiki:" + elog + elog " https://wiki.gentoo.org/wiki/SpamAssassin" + elog +} |