Hi,

Thanks for the guidance Viktor.  I wanted to share what worked for me.  I was 
able to get Postfix compiling and working on High Sierra with the following 
command:

make -f Makefile.init makefiles \
CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DUSE_TLS -DHAS_PCRE -I/usr/local/include -DHAS_SSL -I/usr/local/include/openssl -DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -lssl -lcrypto -L/usr/local/mysql/lib -lmysqlclient -lz -lm' \
AUXLIBS_PCRE='-L/usr/local/lib -lpcre'

This configuration includes PCRE, MySQL, and OpenSSL for SASL and TLS.  I found 
that I had to be very careful with the line continuations.  Either bash on High 
Sierra is very picky or my formatting was poor but I had to play with running 
the command until I was sure all of my options were being read correctly.

Hopefully this helps someone else.  I’d love to hear if someone figured out how 
to get logging on MacOS back to normal.  It’s something I might investigate 
further.


On Nov 20, 2017, at 9:28 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:



> On Nov 20, 2017, at 10:46 PM, AnotherGuyFromAlberta <crmckin...@shaw.ca> wrote:
> 
> I recently upgraded a Mac server to 10.13 (High Sierra).  This server
> has been running for about 5 years and hosts Postfix.  After upgrading the
> OS I upgraded:
> 1.  dovecot to 2.2.33.2
> 2.  openssl to 1.1.0g
> 3.  pcre to 8.41
> 4.  postfix to 3.2.4
> 
> Everything appears to compile and work except TLS on Postfix.  It crashes
> with the same error every few minutes.  Here's a snippet of the crash:
> 
> Assertion failed: (ctx->pctx == NULL || ctx->pctx_ops != NULL), function
> EVP_MD_CTX_cleanup, file
> /BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.20.5/crypto/digest/digest.c,
> line 98.

The "BoringSSL" library is derived from and conflicts with OpenSSL.
With some care in the compiler options you may be able to build
a version of Postfix that is using OpenSSL and not BoringSSL.

I have (my own build of) OpenSSL 1.1.0 installed in /opt/openssl/1.1.0
and after configuration makedefs.out has:

 CCARGS=-I/opt/openssl/1.1.0/include -DUSE_TLS -DHAS_PCRE -DHAS_CDB -I/usr/local/include
 AUXLIBS=-L/opt/openssl/1.1.0/lib -lssl -lcrypto -L/usr/local/lib -ldb
 AUXLIBS_PCRE=-L/usr/local/lib -lpcre
 AUXLIBS_CDB=-L/usr/local/lib -lcdb
 shared=yes
 dynamicmaps=yes

This appears to produce a working Postfix with TLS.

 $ otool -L .../libexec/smtpd
 .../libexec/smtpd:
       @rpath/libpostfix-master.dylib (compatibility version 0.0.0, current version 0.0.0)
       @rpath/libpostfix-tls.dylib (compatibility version 0.0.0, current version 0.0.0)
       @rpath/libpostfix-dns.dylib (compatibility version 0.0.0, current version 0.0.0)
       @rpath/libpostfix-global.dylib (compatibility version 0.0.0, current version 0.0.0)
       @rpath/libpostfix-util.dylib (compatibility version 0.0.0, current version 0.0.0)
       /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
       /opt/openssl/1.1.0/lib/libcrypto-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
       /usr/local/opt/berkeley-db/lib/libdb-6.2.dylib (compatibility version 0.0.0, current version 0.0.0)
       /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
       /usr/local/opt/icu4c/lib/libicui18n.59.dylib (compatibility version 59.0.0, current version 59.1.0)
       /usr/local/opt/icu4c/lib/libicuuc.59.dylib (compatibility version 59.0.0, current version 59.1.0)
       /usr/local/opt/icu4c/lib/libicudata.59.1.dylib (compatibility version 59.0.0, current version 59.1.0)
       /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

The "posttls-finger" command works, and connecting to a loopback server yields:

 $ posttls-finger -c -l may "[127.0.0.1]"
 posttls-finger: Anonymous TLS connection established to 127.0.0.1[127.0.0.1]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
 posttls-finger: Server is anonymous

That said, it has become increasingly difficult to support Postfix
on Apple's most recent operating systems.  I think you should either
run the Postfix supplied by Apple, or choose a different O/S (a BSD
or Linux) for your mail server.

-- 
        Viktor.
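
The otool check in the message above can be scripted so a rebuild is verified the same way every time. This is an added example, not part of either message: the function name `check_ssl_libs` is hypothetical, the prefix /opt/openssl/1.1.0 is the one from the quoted build, and the /usr/lib/libcrypto.dylib line in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `otool -L` output on stdin and
# checks that libssl and libcrypto load from the expected OpenSSL prefix.
# Exit status: 0 both under PREFIX, 1 at least one elsewhere, 2 one missing.
check_ssl_libs() {
    awk -v prefix="$1" '
        /^[ \t]/ {                        # dependency lines are indented
            n = split($1, parts, "/")
            base = parts[n]
            if (base ~ /^libssl.*\.dylib$/) { kind = "ssl" }
            else if (base ~ /^libcrypto.*\.dylib$/) { kind = "crypto" }
            else { next }
            seen[kind] = 1
            if (index($1, prefix "/") == 1) { print "ok       " $1 }
            else { print "MISMATCH " $1; bad = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen["ssl"] || !seen["crypto"]) exit 2
        }'
}

# Constructed sample: libssl from the intended prefix, libcrypto from a
# system path (the /usr/lib path is illustrative, not taken from the thread).
sample_mixed() {
    cat <<'EOF'
libexec/smtpd:
        @rpath/libpostfix-tls.dylib (compatibility version 0.0.0, current version 0.0.0)
        /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /usr/lib/libcrypto.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
EOF
}

# Demo: prints one "ok" line, one "MISMATCH" line, then the exit status.
sample_mixed | check_ssl_libs /opt/openssl/1.1.0 || echo "exit status: $?"
```

otool -L lists only the direct dependencies of the file it is given, so run the check on libpostfix-tls.dylib as well as on smtpd.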

