upgrade/compile options


upgrade/compile options

techlist06
I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to upgrade the postfix to 2.11.

I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the postfix docs and others' directions, I've tried to pick the correct compile options.  Unfortunately for me RedHat/Centos doesn't appear to include the .out file I need to see how they compiled theirs.

This is the script I'm using to create the makefile and compile.  The compile goes fine without any errors that I see:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-
L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath, /usr/lib
64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

But in the logs I have warnings about both TLS and SASL not being compiled in:
   warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
   warning: TLS has been selected, but TLS support is not compiled in

I did add this include:  -I/usr/include/dovecot
In lieu of a direction to use /usr/include/sasl which did not exist

Can someone help me with my compile options?  Do I have to keep the CYRUS parts in there, too?  Figure I'm missing an option or path.

Thanks



Re: upgrade/compile options

Wietse Venema
techlist06:

> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.
>
> I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options.  Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
>
> This is the script I'm using to create the makefile and compile.  The
> compile goes fine without any errors that I see:
>
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
>
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
>    warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
>    warning: TLS has been selected, but TLS support is not compiled in

Do "postfix reload" and see what Postfix version is being logged.

        Wietse

RE: upgrade/compile options

techlist06
>Do "postfix reload" and see what Postfix version is being logged.

Jul 11 15:58:29 tn2 postfix/postfix-script[17935]: refreshing the Postfix
mail system
Jul 11 15:58:29 tn2 postfix/master[17876]: reload -- version 2.11.10,
configuration /etc/postfix




Re: upgrade/compile options

Viktor Dukhovni
In reply to this post by techlist06
On Tue, Jul 11, 2017 at 01:21:44PM -0700, techlist06 wrote:

> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\\"/usr\\" -DHAS_PCRE
> -I/usr/include/openssl
> -I/usr/include/dovecot
> -I/usr/include'

Do NOT add "/usr/include/openssl" to the include path, the OpenSSL
headers are included as "#include <openssl/...>" and so the include
path is just "/usr/include", which should already be used by default,
but if your compiler is putting something else first, just
"/usr/include" will suffice.

The above is sufficient for "dovecot" SASL support in smtpd(8), but
not for Cyrus SASL support in smtp(8).  See SASL_README.

    http://www.postfix.org/SASL_README.html#sasl_support

> AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl
>          -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm
>   -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro'

Does the OpenSSL whose headers are in /usr/include really put
its libraries in a non-default location: /usr/lib64/openssl?

More importantly, /usr/lib64/sasl2 is surely Cyrus SASL, but you've
not enabled Cyrus support.

Compilation instructions are in:

        http://www.postfix.org/INSTALL.html

and in "README" files for various optional features:

        TLS_README
        SASL_README
        ...

--
        Viktor.

Re: upgrade/compile options

Wietse Venema
In reply to this post by techlist06
techlist06:

> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.
>
> I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options.  Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
>
> This is the script I'm using to create the makefile and compile.  The
> compile goes fine without any errors that I see:
>
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
>
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
>    warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
>    warning: TLS has been selected, but TLS support is not compiled in

If I correct your command for word-wrap breakage and spurious spaces,
but otherwise leave all the unnecessary stuff in place, it produces
a working build with Postfix 3.3 on Fedora Core 24.

$ env - PATH=/usr/bin make makefiles  CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
$ make -j8
$ su
Password:
# make upgrade
# echo test | mail -s test [hidden email]
# tail -f /var/log/maillog
...
Jul 11 19:16:23 wzv postfix/qmgr[8236]: 63882A0173: from=<[hidden email]>, size=258, nrcpt=1 (queue active)
Jul 11 19:16:29 wzv postfix/smtp[8246]: Anonymous TLS connection established to spike.porcupine.org[168.100.189.2]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jul 11 19:16:29 wzv postfix/smtp[8271]: 63882A0173: to=<[hidden email]>, relay=spike.porcupine.org[168.100.189.2]:25, ...

It should also work with Postfix 2.11.

        Wietse
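
The reply above corrects the pasted command for word-wrap breakage and spurious spaces. As an added example (not part of the thread or of Postfix), the hypothetical `lint_flags` helper below flags words in a CCARGS or AUXLIBS value that wrapping has split; it assumes every word should begin with `-`, which holds for the values used in this thread.

```shell
#!/bin/sh
# Added example; lint_flags is a hypothetical helper, not a Postfix tool.
# Heuristic: every word in CCARGS/AUXLIBS as used in this thread starts with
# '-', so a bare '-', a dash-less word, or an option ending in ',' indicates
# that a line wrap or stray space split an option in two.

lint_flags() (
    # Subshell body: 'set -f' and the variables stay local to this call.
    status=0
    set -f                          # word-split $1 without glob expansion
    for tok in $1; do
        case "$tok" in
            -)   echo "lone '-' (dash separated from its option)"; status=1 ;;
            -*,) echo "'$tok' ends in ',' (argument split off)";   status=1 ;;
            -*)  ;;                 # well-formed option
            *)   echo "'$tok' has no leading '-'";                 status=1 ;;
        esac
    done
    exit "$status"                  # 0 = clean, 1 = at least one problem
)

# AUXLIBS as wrapped in the first post, and as corrected later in the thread.
WRAPPED_AUXLIBS='-
L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath, /usr/lib
64/openssl -pie -Wl,-z,relro'
FIXED_AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro'

echo "wrapped:"; lint_flags "$WRAPPED_AUXLIBS" || true
echo "fixed:";   lint_flags "$FIXED_AUXLIBS" && echo "no problems found"
```

Run it on the exact string before passing it to `make makefiles`; a clean result only means no option was visibly split, not that the option set is the right one for the build.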

Re: upgrade/compile options

techlist06
Wietse:  

>If I correct your command for word-wrap breakage and spurious spaces,
>but otherwise leave all the unnecessary stuff in place, it produces
>a working build with Postfix 3.3 on Fedora Core 24.

The reference I started with was one by Steve Jenkins for a Centos 7 system (and others).  I'd be grateful to see the compile arguments without the "unnecessary stuff".  

make makefiles  CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Anyway after make upgrade and a restart I didn't get the warnings this time on test messages.  Apologies for the static.

I would be grateful for the "only necessary stuff" line

Thank you (Viktor too).




Re: upgrade/compile options

techlist06
I removed the one Cyrus SASL path Viktor pointed out.

For anyone else who may come on this searching... Google "Steve Jenkins Building Postfix on RHEL / CentOS from Source" for detailed steps.  Except for me I wanted TLS, Dovecot SASL (no Cyrus), the rest as normal for the distribution.

On a stock centos7 install with functioning postfix 2.10, SASL and TLS,  I did this to upgrade to 2.11:
- yum install gcc openssl-devel pcre pcre-devel dovecot-devel
- download source to /usr/local/src
- used this to build makefile on x64

make makefiles  CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Be sure to exclude postfix from yum updates so it doesn't get hosed if they ever get around to updating.


Re: upgrade/compile options

Peter Ajamian
In reply to this post by techlist06
On 12/07/17 08:21, techlist06 wrote:
> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.

Why are you trying to upgrade from old to slightly less old?  The
current stable of postfix is 3.2.2.

If you're afraid of 2.10 being EOL then don't worry, Red Hat, and by
extension CentOS will continue to support their build for some time to
come, including backporting of bug and security fixes.

If you have an actual reason to upgrade (need newer features) then
consider using Ghettoforge instead of trying to build it yourself.  See:

http://ghettoforge.org/index.php/Postfix3


Peter

Re: upgrade/compile options

techlist06
Hi Peter:

> Why are you trying to upgrade from old to slightly less old?  The
> current stable of postfix is 3.2.2.

Valid question.  It wasn't because of EOL concerns.  I was looking to add the feature available in 2.11+:
postscreen_dnsbl_whitelist_threshold

Beyond that, I was just chicken of biting off too much at a time without having a handle on it.  Baby steps.  v2.10 (and now 2.11) will be my first use of postscreen and will have enough new to it vs. the old version I'm upgrading from.  

Maybe an unfounded fear and I should go right to 3.2, but that's why I was just moving to 2.11.  Once I'm comfy, maybe move up another few rungs to 3.2.




Re: upgrade/compile options

Peter Ajamian
On 12/07/17 15:05, techlist06 wrote:

>> Why are you trying to upgrade from old to slightly less old?  The
>> current stable of postfix is 3.2.2.
>
> Valid question.  It wasn't because of EOL concerns.  I was looking to add
> the feature available in 2.11+:
> postscreen_dnsbl_whitelist_threshold
>
> Beyond that, I was just chicken of biting off too much at a time without
> having a handle on it.  Baby steps.  v2.10 (and now 2.11) will be my first
> use of postscreen and will have enough new to it vs. the old version I'm
> upgrading from.  
>
> Maybe an unfounded fear and I should go right to 3.2, but that's why I was
> just moving to 2.11.  Once I'm comfy, maybe move up another few rungs to
> 3.2.

I think you're looking at this the wrong way.  Going from pre-packaged
postfix to compile-your-own is much more likely to cause issues than
the step to 3.2.  Yes there are certainly a lot more features in 3.2
than there are in 2.11, but you don't have to enable those new features
and there are very few backwards compatibility issues which are well
documented and easy to overcome.

Have a look again at the link I mentioned before.  It lists all the
issues that you will have switching from the stock postfix 2.10 to the
Ghettoforge-provided 3.2 and exactly what to do to have a smooth
transition.  I think you'll find that it's much easier than trying to
compile your own and install from source and you will continue to get
updates from Ghettoforge without having to worry about rebuilding
yourself every time a new version comes out with bug or security fixes,
plus you won't have to worry about when 2.11 goes EOL sometime early
next year.

Here's the link again for you:
http://ghettoforge.org/index.php/Postfix3


Peter

Re: upgrade/compile options

techlist06
Thanks Peter, appreciate the nudge.  What the hell, I'm in <smile>.  I'll try it on my test server.  It would be nice for me to stay in the yum update world.