From 668d198ff2da26953b3d6f9df3f8aea93375317d Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer
Date: Sat, 30 Nov 2019 23:42:42 +0100
Subject: mail-mta/netqmail: avoid ANY DNS queries

Closes: https://bugs.gentoo.org/701476
Signed-off-by: Rolf Eike Beer
Closes: https://github.com/gentoo/gentoo/pull/13816
Signed-off-by: Joonas Niilola
---
 .../files/netqmail-1.06-any-to-cname.patch | 74 ++++++++
 mail-mta/netqmail/netqmail-1.06-r12.ebuild | 199 +++++++++++++++++++++
 2 files changed, 273 insertions(+)
 create mode 100644 mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch
 create mode 100644 mail-mta/netqmail/netqmail-1.06-r12.ebuild

diff --git a/mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch b/mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch
new file mode 100644
index 000000000000..9c9d53963510
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-any-to-cname.patch
@@ -0,0 +1,74 @@
+From b05ec6cbdacdf40d6c75326394461e22b7f8ab20 Mon Sep 17 00:00:00 2001
+From: Jonathan de Boyne Pollard
+Date: Fri, 12 Jul 2019 23:34:52 -0600
+Subject: [PATCH] Apply Jonathan de Boyne Pollard's any-to-cname patch.
+
+modifies the behaviour of qmail-remote to remove the workaround
+that Dan Bernstein added on 1996-10-03 to work around a bug in
+BIND versions earlier than version 4.9.4.
+
+Applying this patch incurs a risk, but yields a benefit. It is
+published in order to allow others to experiment with removing
+the workaround.
+
+The risk is twofold:
+
+ * qmail-remote will not be able to relay any mail if one's own
+ proxy DNS server is such a version of BIND. This is trivially
+ overcome by replacing such an old version of BIND either with a
+ new version of BIND that doesn't have the problem or with some
+ other proxy DNS server software entirely (such as dnscache).
+
+ * qmail-remote will not be able to relay mail to domains whose
+ content DNS servers use such versions of BIND, because the
+ "CNAME" resource record lookup will fail. To gauge the level of
+ this risk, notice that Dan's own 2002-12-17 survey of content DNS
+ servers reports a mere 2% of the "*.com." content DNS servers as
+ employing BIND version 4 (but doesn't report how many of that 2%
+ employ BIND 4 versions earlier than 4.9.4).
+
+The benefit of this patch is that it reduces DNS query traffic
+and proxy DNS server cache load.
+
+ * Without it, qmail-remote issues "ANY" queries. Some proxy DNS
+ server softwares (albeit not dnscache) pass such queries through
+ directly to the back end, meaning that every query issued by
+ qmail-remote will result in a back-end query to a content DNS
+ server, no matter if the necessary information is already cached.
+ Moreover: The results of such a query, which are often a large
+ collection of resource record sets of various types, are cached
+ in the proxy DNS server's cache, even though almost none of them
+ will be used. A caching proxy DNS server dedicated to serving
+ qmail will end up with all sorts of cruft in its cache that isn't
+ actually relevant to mail transportation, taking up space that
+ could be better put to use caching those resource record sets
+ that are relevant.
+
+ * With it, qmail-remote issues "CNAME" queries. All of the mainstream
+ proxy DNS server softwares in popular use (apart from dnscache,
+ because it has problems in this regard) don't pass such queries
+ directly through, and will answer them from their caches without
+ issuing a back-end query at all if the data are already there and
+ still current. Moreover: A caching proxy DNS server dedicated to
+ serving qmail will not have its cache cluttered with irrelevant
+ data.
+---
+ dns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dns.c b/dns.c
+index 44db25b..77e4ff7 100644
+--- a/dns.c
++++ b/dns.c
+@@ -197,7 +197,7 @@ stralloc *sa;
+ if (!sa->len) return loop;
+ if (sa->s[sa->len - 1] == ']') return loop;
+ if (sa->s[sa->len - 1] == '.') { --sa->len; continue; }
+- switch(resolve(sa,T_ANY))
++ switch(resolve(sa,T_CNAME))
+ {
+ case DNS_MEM: return DNS_MEM;
+ case DNS_SOFT: return DNS_SOFT;
+-- 
+2.16.4
+
diff --git a/mail-mta/netqmail/netqmail-1.06-r12.ebuild b/mail-mta/netqmail/netqmail-1.06-r12.ebuild
new file mode 100644
index 000000000000..8044a26d5027
--- /dev/null
+++ b/mail-mta/netqmail/netqmail-1.06-r12.ebuild
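Review bot: The patch file's header names the original author and commit id (b05ec6cbdacdf40d6c75326394461e22b7f8ab20) but not the repository or URL it was taken from, and it does not reference the Gentoo bug this commit closes, so a later maintainer cannot easily re-check it against upstream or find a revised version. A line such as `Origin: [upstream repository URL, to be filled in]` followed by `Gentoo-Bug: https://bugs.gentoo.org/701476` directly below the Subject line would cover that. The nested dns.c hunk changes one line inside a function whose start and end lie outside the quoted context, so how the T_CNAME reply is consumed afterwards cannot be judged from this file alone.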
@@ -0,0 +1,199 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+GENQMAIL_PV=20191010
+QMAIL_SPP_PV=0.42
+
+QMAIL_TLS_PV=20190114
+QMAIL_TLS_F=${PN}-1.05-tls-smtpauth-${QMAIL_TLS_PV}.patch
+QMAIL_TLS_CVE=vu555316.patch
+
+QMAIL_BIGTODO_PV=103
+QMAIL_BIGTODO_F=big-todo.${QMAIL_BIGTODO_PV}.patch
+
+QMAIL_LARGE_DNS='qmail-103.patch'
+
+QMAIL_SMTPUTF8='qmail-smtputf8.patch'
+
+inherit qmail
+
+DESCRIPTION="qmail -- a secure, reliable, efficient, simple message transfer agent"
+HOMEPAGE="
+ http://netqmail.org
+ https://cr.yp.to/qmail.html
+ http://qmail.org
+"
+SRC_URI="mirror://qmail/${P}.tar.gz
+ https://github.com/DerDakon/genqmail/releases/download/genqmail-${GENQMAIL_PV}/${GENQMAIL_F}
+ https://www.ckdhr.com/ckd/${QMAIL_LARGE_DNS}
+ !vanilla? (
+ highvolume? ( mirror://qmail/${QMAIL_BIGTODO_F} )
+ qmail-spp? ( mirror://sourceforge/qmail-spp/${QMAIL_SPP_F} )
+ ssl? (
+ https://mirror.alexh.name/qmail/netqmail/${QMAIL_TLS_F}
+ http://inoa.net/qmail-tls/${QMAIL_TLS_CVE}
+ https://arnt.gulbrandsen.priv.no/qmail/qmail-smtputf8.patch
+ )
+ )
+"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~x86"
+IUSE="authcram gencertdaily highvolume libressl pop3 qmail-spp ssl vanilla"
+REQUIRED_USE="vanilla? ( !ssl !qmail-spp !highvolume )"
+RESTRICT="test"
+
+DEPEND="
+ acct-group/nofiles
+ acct-group/qmail
+ acct-user/alias
+ acct-user/qmaild
+ acct-user/qmaill
+ acct-user/qmailp
+ acct-user/qmailq
+ acct-user/qmailr
+ acct-user/qmails
+ net-dns/libidn2
+ net-mail/queue-repair
+ sys-apps/gentoo-functions
+ sys-apps/groff
+ ssl? (
+ !libressl? ( >=dev-libs/openssl-1.1:0= )
+ libressl? ( dev-libs/libressl:= )
+ )
+"
+RDEPEND="${DEPEND}
+ sys-apps/ucspi-tcp
+ virtual/checkpassword
+ virtual/daemontools
+ authcram? ( >=net-mail/cmd5checkpw-0.30 )
+ ssl? (
+ pop3? ( sys-apps/ucspi-ssl )
+ )
+ !mail-mta/courier
+ !mail-mta/esmtp
+ !mail-mta/exim
+ !mail-mta/mini-qmail
+ !mail-mta/msmtp[mta]
+ !mail-mta/nullmailer
+ !mail-mta/opensmtpd
+ !mail-mta/postfix
+ !mail-mta/qmail-ldap
+ !mail-mta/sendmail
+ !mail-mta/ssmtp[mta]
+"
+
+pkg_setup() {
+ if [[ -n "${QMAIL_PATCH_DIR}" ]]; then
+ eerror
+ eerror "The QMAIL_PATCH_DIR variable for custom patches"
+ eerror "has been removed from ${PN}. If you need custom patches"
+ eerror "see 'user patches' in the portage manual."
+ eerror
+ die "QMAIL_PATCH_DIR is not supported anymore"
+ fi
+}
+
+src_unpack() {
+ genqmail_src_unpack
+ use qmail-spp && qmail_spp_src_unpack
+
+ unpack ${P}.tar.gz
+}
+
+PATCHES=(
+ "${FILESDIR}/${PV}-exit.patch"
+ "${FILESDIR}/${PV}-readwrite.patch"
+ "${DISTDIR}/${QMAIL_LARGE_DNS}"
+ "${FILESDIR}/${PV}-fbsd-utmpx.patch"
+ "${FILESDIR}/${P}-ipme-multiple.patch"
+ "${FILESDIR}/${P}-any-to-cname.patch"
+)
+
+src_prepare() {
+ if ! use vanilla; then
+ if use ssl; then
+ # This patch contains relative paths and needs to be cleaned up.
+ sed 's~^--- \.\./\.\./~--- ~g' \
+ < "${DISTDIR}"/${QMAIL_TLS_F} \
+ > "${T}"/${QMAIL_TLS_F} || die
+ PATCHES+=( "${T}/${QMAIL_TLS_F}"
+ "${DISTDIR}/${QMAIL_TLS_CVE}"
+ "${FILESDIR}/qmail-smtputf8.patch"
+ "${FILESDIR}/qmail-smtputf8-crlf-fix.patch"
+ )
+ fi
+ if use highvolume; then
+ PATCHES+=( "${DISTDIR}/${QMAIL_BIGTODO_F}" )
+ fi
+
+ if use qmail-spp; then
+ if use ssl; then
+ SPP_PATCH="${QMAIL_SPP_S}/qmail-spp-smtpauth-tls-20060105.diff"
+ else
+ SPP_PATCH="${QMAIL_SPP_S}/netqmail-spp.diff"
+ fi
+ # make the patch work with "-p1"
+ sed -e 's#^--- \([Mq]\)#--- a/\1#' -e 's#^+++ \([Mq]\)#+++ b/\1#' -i ${SPP_PATCH} || die
+
+ PATCHES+=( "${SPP_PATCH}" )
+ fi
+ fi
+
+ default
+
+ qmail_src_postunpack
+
+ # Fix bug #33818 but for netqmail (Bug 137015)
+ if ! use authcram; then
+ einfo "Disabled CRAM_MD5 support"
+ sed -e 's,^#define CRAM_MD5$,/*&*/,' -i "${S}"/qmail-smtpd.c || die
+ else
+ einfo "Enabled CRAM_MD5 support"
+ fi
+
+ ht_fix_file Makefile*
+}
+
+src_compile() {
+ qmail_src_compile
+ use qmail-spp && qmail_spp_src_compile
+}
+
+src_install() {
+ qmail_src_install
+}
+
+pkg_postinst() {
+ qmail_queue_setup
+ qmail_rootmail_fixup
+ qmail_tcprules_build
+
+ qmail_config_notice
+ qmail_supervise_config_notice
+ elog
+ elog "If you are looking for documentation, check those links:"
+ elog "https://wiki.gentoo.org/wiki/Virtual_mail_hosting_with_qmail"
+ elog " -- qmail/vpopmail Virtual Mail Hosting System Guide"
+ elog "http://www.lifewithqmail.com/"
+ elog " -- Life with qmail"
+ elog
+}
+
+pkg_preinst() {
+ qmail_tcprules_fixup
+}
+
+pkg_config() {
+ # avoid some weird locale problems
+ export LC_ALL=C
+
+ qmail_config_fast
+ qmail_tcprules_config
+ qmail_tcprules_build
+
+ use ssl && qmail_ssl_generate
+}
-- 
cgit v1.2.3-65-gdbad
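Review bot: The `"${FILESDIR}/${P}-any-to-cname.patch"` entry added to PATCHES is applied unconditionally and without a comment, even though the patch's own header describes it as a behaviour change with a documented risk (qmail-remote can no longer relay to domains served by BIND older than 4.9.4) and the ebuild otherwise keeps optional behaviour changes behind USE flags inside `if ! use vanilla`. A comment above the entry, e.g. `# bug #701476: query CNAME instead of ANY; see the risk notes in the patch header`, would record why it is always applied, and it may be worth deciding explicitly whether USE=vanilla should skip it. Separately, in src_prepare `sed -e ... -i ${SPP_PATCH} || die` leaves `${SPP_PATCH}` unquoted, so a path containing whitespace would be word-split; `-i "${SPP_PATCH}"` is the safe form. `QMAIL_SMTPUTF8='qmail-smtputf8.patch'` is assigned but SRC_URI and PATCHES spell the file name out literally, so either use the variable in both places or drop it.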