# postfix breaking with security/openssl



## karolyi (Feb 1, 2016)

Hey,

Just wanted to document here that:

Git package depends on security/openssl, and security/openssl breaks postfix/smtp. You'll get segfaults from 'postfix/smtp' when using it with security/openssl, and SOME emails won't get delivered, depending on the ssl implementation your server wants to connect to.

This happens with a fresh upgraded 10.2 and postfix & openssl from ports.

If anyone bumps into this problem, remove everything that depends on security/openssl, and recompile everything that used the ports version to use the base version supplied with the system.

You're welcome.


----------



## SirDice (Feb 1, 2016)

I might have misread things but mail/postfix _always_ builds against security/openssl and cannot be built to use the base OpenSSL.

So I'm guessing you installed devel/git which updated security/openssl. In turn you probably should have rebuilt mail/postfix due to the updated OpenSSL libraries.


----------



## karolyi (Feb 1, 2016)

SirDice said:


> I might have misread things but mail/postfix _always_ builds against security/openssl and cannot be built to use the base OpenSSL.
> 
> So I'm guessing you installed devel/git which updated security/openssl. In turn you probably should have rebuilt mail/postfix due to the updated OpenSSL libraries.



Postfix builds fine with the base provided openssl libraries, it only started to produce these mysterious segfaults when recompiling with security/openssl. Once I removed security/openssl and recompiled postfix, the segfaults disappeared.

Then I started investigating what needed security/openssl, turns out it was devel/git.

The interesting thing is, I have git installed via pkg in another jail and it does not depend on security/openssl. Looking at FreshPorts (https://www.freshports.org/devel/git/), it says that security/openssl is required for devel/git.

I might be missing something here but I use the latest packages and ports at both jails.


----------



## SirDice (Feb 1, 2016)

Ah, dug a little deeper. It's amazing what you can learn by reading files. I got thrown off because Freshports shows it depends on security/openssl. 

It actually depends on what's already installed. The script to read is /usr/ports/Mk/bsd.openssl.mk. 

```
#       If no preference was set, check for an installed base version
#       but give an installed port preference over it.
```

Reading a bit further it seems you can also force ports to use the base OpenSSL, regardless of the presence of security/openssl, by setting WITH_OPENSSL_BASE:

```
.if     !defined(WITH_OPENSSL_BASE) && \
        !defined(WITH_OPENSSL_PORT) && \
        !exists(${DESTDIR}/${LOCALBASE}/lib/libcrypto.so) && \
        exists(${DESTDIR}/usr/include/openssl/opensslv.h)
WITH_OPENSSL_BASE=yes
.endif

.if defined(WITH_OPENSSL_BASE)
OPENSSLBASE=            /usr
OPENSSLDIR?=            /etc/ssl
```

It has to be noted though, not all ports allow this, some insist on using the version from ports.


----------



## karolyi (Feb 1, 2016)

SirDice said:


> Ah, dug a little deeper. It's amazing what you can learn by reading files. I got thrown off because Freshports shows it depends on security/openssl.
> 
> It actually depends on what's already installed. The script to read is /usr/ports/Mk/bsd.openssl.mk.
> 
> ...



Thanks! 
You actually helped me out here. I was removing git for the sake of a working postfix, but as it seems I could install devel/git again, specifying WITH_OPENSSL_BASE=yes.

I would use the base postfix packages though, but I need mysql support (virtual mailboxes), so in that jail I need to compile everything for myself.

I did put this to /etc/make.conf for 'future compatibility':

```
.if ${.CURDIR:M*/devel/git*}
WITH_OPENSSL_BASE=yes
.endif
```

I wasn't expecting any help here, just wanted to open this topic to ease the struggle of people coming after me, having the same issues.


----------
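Added example (not from any poster in this thread, and not part of the ports framework): since `bsd.openssl.mk` picks base or port OpenSSL depending on what is installed at build time, this script reads `ldd` output and reports which copy a built binary actually resolves to. It assumes the default `LOCALBASE` of `/usr/local`; the sample `ldd` output and the library version numbers in it are constructed.

```shell
#!/bin/sh
# Classify which OpenSSL copy a binary resolves to, reading `ldd` output on stdin.
# Prints one of: base, port, mixed, none.
# Assumption: ports libraries live under ${LOCALBASE:-/usr/local}/lib,
# base libraries under /lib or /usr/lib.
openssl_origin() {
    awk -v localbase="${LOCALBASE:-/usr/local}" '
        # Only look at lines like: libssl.so.N => /path/libssl.so.N (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, localbase "/lib/") == 1) port = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)      base = 1
        }
        END {
            if (port && base) print "mixed"   # both copies end up in one process
            else if (port)    print "port"
            else if (base)    print "base"
            else              print "none"    # binary does not use OpenSSL
        }'
}

# Constructed sample: everything resolved to the ports copy.
sample_port() {
    cat <<'EOF'
/usr/local/libexec/postfix/smtp:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a4a000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# Constructed sample: a dependency still pulls in the base libcrypto.
sample_mixed() {
    cat <<'EOF'
/usr/local/libexec/postfix/smtp:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a4a000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# Real use: pass binaries as arguments, e.g. the postfix smtp binary and git.
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | openssl_origin)"
done
```

A `mixed` result means two different OpenSSL builds are loaded into the same process, which is worth ruling out first after changing `WITH_OPENSSL_BASE` or installing security/openssl.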

