> On Nov 20, 2017, at 10:46 PM, AnotherGuyFromAlberta <crmckin...@shaw.ca> wrote:
>
> I recently upgraded a Mac server to 10.13 (High Sierra). This server
> has been running for about 5 years and hosts Postfix. After upgrading the
> OS I upgraded:
> 1. dovecot to 2.2.33.2
> 2. openssl to 1.1.0g
> 3. pcre to 8.41
> 4. postfix to 3.2.4
>
> Everything appears to compile and work except TLS on Postfix. It crashes
> with the same error every few minutes. Here's a snippet of the crash:
>
> Assertion failed: (ctx->pctx == NULL || ctx->pctx_ops != NULL), function
> EVP_MD_CTX_cleanup, file
> /BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.20.5/crypto/digest/digest.c,
> line 98.

The "BoringSSL" library is derived from and conflicts with OpenSSL.
With some care in the compiler options you may be able to build a
version of Postfix that is using OpenSSL and not Boring SSL. I have
(my own build of) OpenSSL 1.1.0 installed in /opt/openssl/1.1.0
and after configuration makedefs.out has:

    CCARGS=-I/opt/openssl/1.1.0/include -DUSE_TLS -DHAS_PCRE -DHAS_CDB -I/usr/local/include
    AUXLIBS=-L/opt/openssl/1.1.0/lib -lssl -lcrypto -L/usr/local/lib -ldb
    AUXLIBS_PCRE=-L/usr/local/lib -lpcre
    AUXLIBS_CDB=-L/usr/local/lib -lcdb
    shared=yes
    dynamicmaps=yes

This appears to produce a working Postfix with TLS.

    $ otool -L .../libexec/smtpd
    .../libexec/smtpd:
        @rpath/libpostfix-master.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-tls.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-dns.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-global.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-util.dylib (compatibility version 0.0.0, current version 0.0.0)
        /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /opt/openssl/1.1.0/lib/libcrypto-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /usr/local/opt/berkeley-db/lib/libdb-6.2.dylib (compatibility version 0.0.0, current version 0.0.0)
        /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/icu4c/lib/libicui18n.59.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/local/opt/icu4c/lib/libicuuc.59.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/local/opt/icu4c/lib/libicudata.59.1.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

The "posttls-finger" command works, and connecting to a loopback
server yields:

    $ posttls-finger -c -l may "[127.0.0.1]"
    posttls-finger: Anonymous TLS connection established to 127.0.0.1[127.0.0.1]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
    posttls-finger: Server is anonymous

That said, it has become increasingly difficult to support Postfix
on Apple's most recent operating systems. I think you should either
run the Postfix supplied by Apple, or choose a different O/S (a BSD
or Linux) for your mail server.

-- 
    Viktor.
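
Added example, not part of the message above or of Postfix: a shell check that reads `otool -L` output and confirms every libssl/libcrypto dependency resolves under the intended OpenSSL prefix, which is the property the listing above is used to verify. The helper names (check_tls_libs, sample_page, sample_mixed) are hypothetical, and the /usr/lib/libcrypto.EXAMPLE.dylib path is a constructed placeholder.

```shell
#!/bin/sh
# check_tls_libs PREFIX  (hypothetical helper, not a Postfix or Apple tool)
# Reads `otool -L` output on stdin, prints a verdict for every libssl/libcrypto
# dependency, and returns 0 only when both are present and all sit under PREFIX.
check_tls_libs() {
    awk -v prefix="$1" '
        {
            n = split($1, part, "/")      # $1 is the dependency path
            base = part[n]                # file name without directories
        }
        base ~ /^lib(ssl|crypto).*\.dylib$/ {
            kind = (base ~ /^libssl/) ? "ssl" : "crypto"
            seen[kind] = 1
            if (index($1, prefix "/") == 1) {
                print "ok       " $1
            } else {
                print "foreign  " $1      # not the intended OpenSSL build
                bad = 1
            }
        }
        END {
            if (!seen["ssl"])    { print "missing  libssl";    bad = 1 }
            if (!seen["crypto"]) { print "missing  libcrypto"; bad = 1 }
            exit bad + 0
        }
    '
}

# Dependency lines copied from the otool output in the message above.
sample_page() {
    cat <<'EOF'
.../libexec/smtpd:
    @rpath/libpostfix-tls.dylib (compatibility version 0.0.0, current version 0.0.0)
    /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /opt/openssl/1.1.0/lib/libcrypto-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
EOF
}

# Constructed failure case: libcrypto resolved outside the prefix (placeholder path).
sample_mixed() {
    cat <<'EOF'
.../libexec/smtpd:
    /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /usr/lib/libcrypto.EXAMPLE.dylib (compatibility version 1.0.0, current version 1.0.0)
EOF
}

sample_page | check_tls_libs /opt/openssl/1.1.0
```

On the build host the input would come from `otool -L` run against the installed binary instead of the embedded samples. With shared=yes the same check is worth running against libpostfix-tls.dylib as well, since that library is listed as a separate dependency.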