1

Topic: postfix 3.6 on freebsd requires OpenSSL

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: FreeBSD 12
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

According to the maintainers of the ports for postfix, the port will not build because of a requirement for OpenSSL's API that is not supported in LibreSSL, which is what iRedMail is using.

They say that all versions after 3.6 will also require OpenSSL.

Is there a plan to migrate from LibreSSL to OpenSSL? Or is there another workaround to get postfix to build?

See the port info here:  https://www.freshports.org/mail/postfix/

----

2021-05-06
Affects: users of mail/postfix
Author: ohauer@FreeBSD.org
Reason:
  Postfix 3.6 and higher requires minimum OpenSSL 1.1.1
  FreeBSD 11 users using base OpenSSL can switch to
  mail/postfix35

----


2

Re: postfix 3.6 on freebsd requires OpenSSL

iRedMail-1.4.0 switched to OpenSSL.

3

Re: postfix 3.6 on freebsd requires OpenSSL

ZhangHuangbin wrote:

iRedMail-1.4.0 switched to OpenSSL.

That's great news.  My install was originally done on iRedMail-1.0, where LibreSSL was the default.  What's the best way to migrate/upgrade my instance to OpenSSL now?

I guess this will involve rebuilding ports that use SSL, but I'm not sure how to proceed.  Any advice appreciated.

4

Re: postfix 3.6 on freebsd requires OpenSSL

blacksteel1288 wrote:

What's the best way to migrate/upgrade my instance to OpenSSL now?

In /etc/make.conf, find the line "DEFAULT_VERSIONS =" and replace "ssl=libressl" with "ssl=openssl". Next time you upgrade packages via the ports tree, it will switch to openssl.

5

Re: postfix 3.6 on freebsd requires OpenSSL

Got it.  But, will that cause any problems with existing ports that are currently using LibreSSL? 

My understanding is that both LibreSSL and OpenSSL cannot be installed at the same time because they have files in common that conflict.

So, when the first port compiles using OpenSSL it will force LibreSSL to uninstall, and it will then break all of the other ports that depend on LibreSSL, if I understand correctly.

6

Re: postfix 3.6 on freebsd requires OpenSSL

UPDATE: I was able to migrate from LibreSSL to OpenSSL, but not without a few gotchas. Here are the steps I followed:

(As always before starting make sure the ports are up-to-date with a "portsnap auto")

1.  Update make.conf and change ssl=libressl to ssl=openssl in the following section:

# iRedMail-DEFAULT_VERSIONS
DEFAULT_VERSIONS=ssl=openssl python=3.8 python2=2.7 python3=3.8 pgsql=12 php=7.4

2.  Replace the LibreSSL port with the OpenSSL port using portmaster

# portmaster -o security/openssl security/libressl

This was a critical step to "replace" the port instead of just installing OpenSSL. In my original attempt, I didn't do this and just installed OpenSSL, which created too many problems, and I had to roll back my server from a snapshot and start over. So, my advice is do not install OpenSSL first. Just do this.

3.  Update all dependencies

# portmaster -R -r openssl-1.1.1k_1,1

This process failed several times due to missing libraries.  In my case, the failures and missing libraries were related to these ports:
- archivers/libarchive
- ftp/curl
- databases/mariadb104-client

4.  Fix broken dependencies using this process in each port's directory: (for example)

# cd /usr/ports/archivers/libarchive
# make
# make deinstall install clean

And, generally follow this same process for the other broken dependencies from step 3.

5.  For ftp/curl, I had to do this:

# cd /usr/ports/ftp/curl
# make all-depends-list

Then, for each port from that list, I re-installed it with portmaster.  For example:

# portmaster devel/kyua

There were 14 ports in total I needed to do this for, so I did this for each.

6.  Then, the original process from step 3, I was able to re-run until it finished without error*

*in my case, there was one small problem with a vulnerability with sogo that prevented it from building without adding this line to make.conf

DISABLE_VULNERABILITIES=yes

7.  Then, I checked for any other missing libraries using:

# pkg_libchk -qo

Which resulted in a few ports that I re-installed using portmaster.

8.  Finally, I ran portmaster to install any other ports that had not been updated:

# portmaster -a

9.  ..and restarted the server.  Verified everything was working correctly.

At this point, I also went back and removed the DISABLE_VULNERABILITIES flag from /etc/make.conf

Done!

For reference, I loosely followed some related approaches I found in this post and this post.

7

Re: postfix 3.6 on freebsd requires OpenSSL

The LibreSSL -> OpenSSL switch happens when packages are compiled, for example when installing new software from the ports tree or upgrading an existing package; the newly installed or upgraded packages then use openssl instead of libressl. If you need to switch to openssl for all software, you need to either re-install it or upgrade it with a ports tree tool like "portmaster".
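
A post-migration check for the steps in post 6 and the point made in post 7, as an added example that is not part of the thread: it confirms that make.conf selects OpenSSL, that the temporary DISABLE_VULNERABILITIES override was removed again, and lists libraries that saved ldd output reports as unresolved. The function names, the sample inputs and the assumed ldd output layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): post-migration audit helpers.
# Print the ssl= flavor from DEFAULT_VERSIONS; the last token seen wins (simplification).
ssl_flavor() {
    awk '
        /^[ \t]*DEFAULT_VERSIONS[ \t]*[+]?=/ {
            sub(/^[^=]*=/, "")
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ssl=/) flavor = substr($i, 5)
        }
        END { print flavor }
    ' "$1"
}

# Succeed if an uncommented DISABLE_VULNERABILITIES assignment is still present.
vuln_override_set() {
    grep -Eq '^[[:space:]]*DISABLE_VULNERABILITIES[[:space:]]*[+?:]?=' "$1"
}

# List "binary library" pairs from saved ldd output. Assumed layout: a
# "binary:" header line, then "lib => path" lines, unresolved as "=> not found".
unresolved_libs() {
    awk '
        /^[^ \t].*:$/  { bin = $0; sub(/:$/, "", bin); next }
        /=> not found/ { print bin, $1 }
    ' "$1"
}

# audit <make.conf> <ldd-output>: print findings, return non-zero if any.
audit() {
    rc=0
    flavor=$(ssl_flavor "$1")
    [ "$flavor" = "openssl" ] || { echo "FAIL: ssl flavor is '${flavor:-unset}'"; rc=1; }
    if vuln_override_set "$1"; then
        echo "FAIL: DISABLE_VULNERABILITIES is still set"; rc=1
    fi
    missing=$(unresolved_libs "$2")
    [ -z "$missing" ] || { echo "FAIL: unresolved libraries:"; echo "$missing"; rc=1; }
    return "$rc"
}

# Constructed sample inputs (not taken from a real server).
demo=$(mktemp -d "${TMPDIR:-/tmp}/sslaudit.XXXXXX")
printf '%s\n' 'DEFAULT_VERSIONS=ssl=openssl python=3.8 php=7.4' \
    'DISABLE_VULNERABILITIES=yes' > "$demo/make.conf"
printf '%s\n' '/usr/local/bin/curl:' \
    '    libssl.so.99 => not found (0)' > "$demo/ldd.txt"
audit "$demo/make.conf" "$demo/ldd.txt" || echo "audit failed, as expected for this sample"
```

On the server, pass /etc/make.conf and a file of saved ldd output for the binaries of interest; pkg_libchk from step 7 remains the broader check for missing libraries.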