From 0449962869a473d546da9aee34d0c10da34308fe Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Sun, 5 Apr 2015 19:26:13 +0200
Subject: [PATCH] postfix28 and postfix211: hardening with Canary, PIE, Full RELRO and FORTIFY_SOURCE
---
 pkgs/servers/mail/postfix/2.11.nix | 5 +++--
 pkgs/servers/mail/postfix/default.nix | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkgs/servers/mail/postfix/2.11.nix b/pkgs/servers/mail/postfix/2.11.nix
index 5cb22ff936e1..ee014012cf34 100644
--- a/pkgs/servers/mail/postfix/2.11.nix
+++ b/pkgs/servers/mail/postfix/2.11.nix
@@ -33,8 +33,9 @@ stdenv.mkDerivation rec {
 export sendmail_path=$out/bin/sendmail
 make makefiles \
- CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' \
- AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl'
+ CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl \
+ -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' \
+ AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl -pie -Wl,-z,relro,-z,now'
 '';
 installTargets = [ "non-interactive-package" ];
diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix
index 0bfc31580e14..fde49e6e4d45 100644
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 export sample_directory=$out/share/postfix/doc/samples
 export readme_directory=$out/share/postfix/doc
- make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl'
+ make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl -pie -Wl,-z,relro,-z,now'
 '';
 installPhase = ''
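Review bot: In 2.11.nix the new `CCARGS` value is broken with `\` inside a single-quoted shell string, where backslash-newline is not a line continuation, so a literal backslash and newline become part of the value passed to `make makefiles`. That may happen to work if the string lands in a generated Makefile as a continuation, but it depends on how the upstream makefile generation re-emits it; keeping the whole value on one line, as the default.nix hunk does, avoids relying on that. Separately, `--param ssp-buffer-size=4` only tunes plain `-fstack-protector`, so next to `-fstack-protector-all` it has no effect here or in default.nix and can be dropped. The enclosing build-phase string starts and ends outside the hunk.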
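Review bot: Nothing in default.nix (or 2.11.nix) verifies that the hardening flags actually reach the compiler and linker, and they travel through `CCARGS`/`AUXLIBS`, which are intended for defines and libraries, so a later change in upstream's makefile generation could drop them without any build failure. I would add a comment above the `make makefiles` line such as `# hardening: PIE, stack protector, FORTIFY_SOURCE via CCARGS; -pie and full RELRO (-z relro -z now) via AUXLIBS`, and consider a post-install check with `readelf -h` / `readelf -d` on one installed binary for `DYN` and `BIND_NOW`. The flag string is also duplicated verbatim across both files, so a shared `let` binding would keep the two expressions from drifting. The enclosing phase string starts outside the hunk.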