SSL issue upgrading postfix
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Debian) | Fix Released | Unknown | |
postfix (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* On upgrade depending on config postfix might mess with said config as
it mis-detects being an upgrade from postfix-2.
* This was fixed in Debian later on, this cherry picks the fix
[Test Case]
* have a config with
submission inet n - - - - smtpd
And then upgrade (reinstall), example:
- apt install postfix
- change the line to the above in /etc/postfix/
(that was essentially removing a comment and y -> -)
- apt install --reinstall postfix
This will have changed the config:
- on upgrade you see
setting explicit chroot on /etc/postfix:
- the value now is
submission inet n - y - - smtpd
[Regression Potential]
* Upgrades behave slightly different, but in the way we want. We can
break down into two things:
1. only if coming from the right former versions (wanted)
2. if the upgrade is done it is done in a safer way (wanted)
[Other Info]
* In a perfect world the version compare would be against the first
ubuntu 3.x version, but taking the cherry pick as-is appears much
cleaner for review and also there was never anything released (nor
seems it remotely likely to be) that would fall in the gap between
the first Debian / Ubuntu postfix 3 version.
----
issue upgrading postfix on Ubuntu 16.04.3 LTS
in file master.cf, line submission=
the upgrade procedure has changed the field chroot to 'y', but it was '-'. 'y' is wrong
#pre upgrade it was
submission inet n - - - - smtpd
#then it became
submission inet n - y - - smtpd
the 'y' is wrong
http://
says "Chroot (default: Postfix >= 3.0: n, Postfix <3.0: y)"
with 'y' the server rejects all SSL smtp mails
Changed in postfix (Debian): status: Unknown → Fix Released
Hi Tom,
on the version originally released in Xenial I see:
3.1.0-3:
#submission inet n - y - - smtpd
3.1.0-3ubuntu0.1
#submission inet n - y - - smtpd
After the upgrade it still is the same, and it is a comment in both.
There is another similar line related, which is:
3.1.0-3:
smtp inet n - y - - smtpd
3.1.0-3ubuntu0.1
smtp inet n - y - - smtpd
The switch from "-" to "y" means a switch from the built-in default to an explicit yes; the column is for using a chroot. The doc you are referring to is exactly documenting that:
Chroot (default: Postfix >= 3.0: n, Postfix <3.0: y)
That does not mean "set y / n in that file" but instead it means if you have set "-" then depending on the version this is what you get.
Since on my upgrade I didn't see the change I checked for a potential Trusty->Xenial upgrade.
There I found the config change (as upstream changed defaults from 2->3).
On trusty it had:
2.11.0-1ubuntu1:
smtp inet n - - - - smtpd
[...]
#submission inet n - - - - smtpd
So on 2.x it had "-" which was implying the default (which was yes), but on 3.x it is "y" (as the default is no now) to have no change in behavior upon upgrade.
Since "submission" is a comment anyway I looked at what happens on upgrade.
Note: This is no normal conffile, it is handled by the *inst scripts.
So I took a trusty system, modified the conf to have the line uncommented.
Then I upgraded.
There the file is as it was before and the admin has to fix it up on upgrade.
But I think this was not forgotten, instead it is just too complex to convert the old config to a surely working new one.
So yes going from Trusty to Xenial if you had "-" set (which was default yes) it now changes its meaning to default "no". The defaults of a new install are good, and I found the following from the changelog:
postfix (3.1.0-1) unstable; urgency=medium
[LaMont Jones]
* Explicitly chroot services that we want chrooted in master.cf on fresh
installs.
* Convert defaults as needed for 3.0+ on upgrade to minimize compatibility
warnings.
Not sure if there is better handling that I overlook.
Subscribing LaMont for an opinion.
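
An added example, not part of the bug report or of the Postfix packaging: a Python check that compares the chroot column of two master.cf snapshots and resolves "-" to the version default quoted above (y before 3.0, n from 3.0 on), so it flags both a rewritten field and an unchanged "-" whose meaning shifted. The function names, the major-version arguments and the sample snapshots are assumptions constructed for illustration.

```python
# Added example: audit the chroot column of master.cf across an upgrade.
# Sample snapshots are constructed from the lines quoted in this report.
REINSTALL_BEFORE = "submission inet n - - - - smtpd\n"
REINSTALL_AFTER = "submission inet n - y - - smtpd\n"
TRUSTY = (
    "smtp inet n - - - - smtpd\n"
    "#pickup unix n - - 60 1 pickup\n"
    "submission inet n - - - - smtpd\n"
    "  -o syslog_name=postfix/submission\n"
)
XENIAL = (
    "smtp inet n - y - - smtpd\n"
    "submission inet n - - - - smtpd\n"
    "  -o syslog_name=postfix/submission\n"
)

def parse_master_cf(text):
    """Return {(service, type): chroot_field} for active service entries."""
    entries = {}
    for line in text.splitlines():
        # Skip blank lines, comments, and continuation lines (leading whitespace).
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        entries[(fields[0], fields[1])] = fields[4]
    return entries

def effective_chroot(field, major_version):
    """Resolve '-' to the built-in default: y before Postfix 3.0, n from 3.0 on."""
    if field == "-":
        return "n" if major_version >= 3 else "y"
    return field

def chroot_changes(before, before_major, after, after_major):
    """Return (service, old_field, new_field, old_effective, new_effective)
    for every service whose effective chroot behaviour differs."""
    old, new = parse_master_cf(before), parse_master_cf(after)
    changes = []
    for key in sorted(old.keys() & new.keys()):
        was = effective_chroot(old[key], before_major)
        now = effective_chroot(new[key], after_major)
        if was != now:
            changes.append((key[0], old[key], new[key], was, now))
    return changes

if __name__ == "__main__":
    print(chroot_changes(REINSTALL_BEFORE, 3, REINSTALL_AFTER, 3))
    print(chroot_changes(TRUSTY, 2, XENIAL, 3))
```
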