Merge pull request #7189 from arno01/hardenpostfix

postfix28 and postfix211: hardening with Canary, PIE, Full RELRO and FORTIFY_SOURCE

2 files changed, 4 insertions, 3 deletions

diff --git a/pkgs/servers/mail/postfix/2.11.nix b/pkgs/servers/mail/postfix/2.11.nix
index cb104eed980..817f559cbd5 100644
--- a/pkgs/servers/mail/postfix/2.11.nix
+++ b/pkgs/servers/mail/postfix/2.11.nix
@@ -33,8 +33,9 @@ stdenv.mkDerivation rec {
     export sendmail_path=$out/bin/sendmail
 
     make makefiles \
-      CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' \
-      AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl'
+      CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl \
+              -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' \
+      AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl -pie -Wl,-z,relro,-z,now'
   '';
 
   installTargets = [ "non-interactive-package" ];
diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix
index e12565238c9..7bd2d620910 100644
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     export sample_directory=$out/share/postfix/doc/samples
     export readme_directory=$out/share/postfix/doc
 
-    make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl'
+    make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl -pie -Wl,-z,relro,-z,now'
   '';
 
   installPhase = ''