This thread got me intrigued as I have my system (OS X “Client” doing lots of server stuff) almost entirely independent of Apple provided stuff in favor of building from source. OpenSSL is one I have not done. So I decided to try it on my test system (which is really my laptop booted from an alternate disk).

On May 9, 2014, at 10:18 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Fri, May 09, 2014 at 10:58:30AM -0400, Wietse Venema wrote:
>
>>> Any hints to build postfix + openssl-1.x on a system based on
>>> openssl-0.9.x ??? I also avoided building openssl from source for
>>> good reasons over the last years.
>
> It is rather easy to build on Unix-like systems.
>
> Unpack the tarball, cd to the top-level source directory and run
> './config -h'. This will suggest default build options.
>
> For example, on a Macbook Pro:
>
>     $ ./config -h
>     Operating system: i686-apple-darwinDarwin Kernel Version 13.1.0: Wed Apr 2
>     23:52:02 PDT 2014; root:xnu-2422.92.1~2/RELEASE_X86_64
>     WARNING! If you wish to build 64-bit library, then you have to
>              invoke './Configure darwin64-x86_64-cc' *manually*.
>     Configuring for darwin-i386-cc
>     /opt/local/bin/perl5 ./Configure darwin-i386-cc
>
>> I have some success with installing OpenSSL in a different location
>> (/opt/openssl-1.x.y) and pointing the Postfix CCARGS/AUXLIBS there.
>
> Then I just run:
>
>     $ ./Configure --prefix=/opt/openssl-1.x.y darwin64-x86_64-cc
>

I went with './Configure darwin64-x86_64-cc -shared' which puts everything in /usr/local/ssl (the -shared adds the .dylib - maybe I shouldn’t go that route).

>> However, this may cause conflicts if you link Postfix with any
>> libraries that were compiled against a different OpenSSL version
>> (in my case, libldap).
>
> Indeed DLL-hell is a potential problem. You may also need to build
> LDAP, MySQL, PgSQL, ... all linked with the custom version of
> OpenSSL.

As far as I can tell, the only things I have dependent on OpenSSL are Postfix, Dovecot, and Apache. Apache built fine and mod_info reports OpenSSL 1.0.1g. Dovecot appears to be fine but I haven’t figured out how to tell.

But Postfix…

First off, I’m a neophyte at make and building C programs. So I don’t fully understand all the options but think I am getting the hang of it.

I’ve been building Postfix, adapted from instructions at diymacserver.com, with:

    make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
    -DUSE_CYRUS_SASL -I/usr/include/sasl \
    -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
    -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
    -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
    -DHAS_PCRE -I/usr/local/include \
    -DHAS_SSL -I/usr/include/openssl' \
    AUXLIBS='-L/usr/local/lib -lpcre -lssl -L/usr/lib -llber -lresolv -lsasl2'

Today, after learning a few things and realizing I need neither the LDAP nor Cyrus SASL stuff, I reduced that to:

    make -f Makefile.init makefiles CCARGS='-DUSE_TLS -I/usr/include/openssl \
    -DUSE_SASL_AUTH \
    -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
    -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
    -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
    -DHAS_PCRE -I/usr/local/include' \
    AUXLIBS='-L/usr/local/lib -lpcre -lssl -L/usr/lib -lresolv'

which as of earlier today was used to rebuild my production build of 2.11.1.

On the test system, trying to force the new version of OpenSSL (1.0.1g), I used:

    make -f Makefile.init makefiles \
    CCARGS='-DUSE_TLS /usr/local/ssl/include/openssl \
    -DUSE_SASL_AUTH \
    -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
    -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
    -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
    -DHAS_PCRE -I/usr/local/include' \
    AUXLIBS='L/usr/local/ssl/lib –lssl –lcrypto \
    -L/usr/local/lib -lpcre -L/usr/lib -lresolv'

It builds fine but when I run it, I get OpenSSL mismatch warnings from both smtp and smtpd:

    May 11 17:38:14 mbpls.stonejongleux.com postfix/p10028/smtpd[10806]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 1.0.1 may not be compatible with OpenSSL 0.9.8

and

    May 11 17:38:14 mbpls.stonejongleux.com postfix/smtp[10807]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 1.0.1 may not be compatible with OpenSSL 0.9.8

It all seems to work but obviously pieces of both are getting into the build and as I said, understanding all the nuances of makefiles is beyond me. Also, this is just for curiosity for now so more interested in learning at this point than actually getting it running. But pointing me in the right direction will be appreciated.

>
> It may be simpler to upgrade your system.

AFAIK, Apple does not have a later version of OpenSSL available.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
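The warning in the log lines above comes from comparing the OpenSSL version the program was compiled against with the version of the library loaded at run time. The C sketch below is an added example, not code from the original message or from Postfix: it decodes the pre-3.0 OpenSSL version-number layout (0xMNNFFPPS) and reproduces the comparison, assuming only the three components printed in the warning are compared. The function names are hypothetical, and the 0.9.8 header value is constructed because the message does not give the patch letter.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL packs its version as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (1 = a), S = status. */
struct ossl_version { int major, minor, fix, patch, status; };

static struct ossl_version split_version(unsigned long v)
{
    struct ossl_version out;
    out.status = (int)(v & 0xfUL);
    out.patch  = (int)((v >> 4) & 0xffUL);
    out.fix    = (int)((v >> 12) & 0xffUL);
    out.minor  = (int)((v >> 20) & 0xffUL);
    out.major  = (int)((v >> 28) & 0xfUL);
    return out;
}

/* Returns 1 when header and library differ in major, minor or fix level.
 * Assumption: the patch letter is ignored, matching the three-part
 * versions shown in the logged warning. */
static int versions_mismatch(unsigned long hdr, unsigned long lib)
{
    struct ossl_version h = split_version(hdr);
    struct ossl_version l = split_version(lib);
    return h.major != l.major || h.minor != l.minor || h.fix != l.fix;
}

int main(void)
{
    /* In a real program hdr would be the OPENSSL_VERSION_NUMBER macro from
     * the headers found at compile time, and lib the value returned by
     * SSLeay() from whichever libssl/libcrypto is loaded at run time. */
    unsigned long hdr = 0x0090800fUL;  /* constructed sample: 0.9.8 release */
    unsigned long lib = 0x1000107fUL;  /* 1.0.1g */
    struct ossl_version h = split_version(hdr);
    struct ossl_version l = split_version(lib);

    if (versions_mismatch(hdr, lib))
        printf("warning: run-time library vs. compile-time header version "
               "mismatch: OpenSSL %d.%d.%d may not be compatible with "
               "OpenSSL %d.%d.%d\n",
               l.major, l.minor, l.fix, h.major, h.minor, h.fix);
    return 0;
}
```

The first version in the message is the library loaded at run time and the second is the header set seen by the compiler, so the warning identifies which half of the build came from which OpenSSL installation.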