postfix: autopkgtest fails with saslauthd.service installed

Bug #2018238 reported by Scott Kitterman
Affects | Status | Importance | Assigned to | Milestone
postfix (Debian) | Fix Released | Unknown | |
postfix (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

As of 2.1.28+dfsg-11, sasl2-bin now contains a systemd service file. That makes postfix's chrooted autopkgtest fail if systemd is active in the test environment.

Presumably this will shortly land in Mantic and the Postfix test will start failing. Since the autopkgtest was originally developed by Ubuntu based on the Ubuntu Security Team QRT, I was hoping someone from the Server or Security Teams could see if they can figure out how to update it.

See the related Debian Bug for what I've been able to figure out so far.

Scott K


Changed in postfix (Debian):
status: Unknown → New
Scott Kitterman (kitterman) wrote :
Changed in postfix (Ubuntu):
status: New → Confirmed
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for filing this bug Scott.

I was able to reproduce the bug in Debian with sasl2-bin/2.1.28+dfsg-11. As you mentioned, it is not reproducible in Ubuntu Lunar (with sasl2-bin/2.1.28+dfsg-10), but it will be in Mantic when we sync the latest version of sasl2-bin.

I am subscribing ubuntu-server so we can take a look at it.

Error log:

autopkgtest [10:47:07]: test postfix: [-----------------------
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  ca-certificates cpio libicu72 openssl ssl-cert
Suggested packages:
  libarchive-dev postfix-mysql postfix-pgsql postfix-ldap postfix-pcre
  postfix-lmdb postfix-sqlite postfix-cdb mail-reader postfix-mta-sts-resolver
  ufw postfix-doc
The following NEW packages will be installed:
  ca-certificates cpio libicu72 openssl postfix ssl-cert
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.2 MB/12.7 MB of archives.
After this operation, 45.1 MB of additional disk space will be used.
Get:1 file:/tmp/autopkgtest.sWccF2/binaries postfix 3.7.5-1 [1499 kB]
Get:2 http://deb.debian.org/debian sid/main amd64 libicu72 amd64 72.1-3 [9376 kB]
Get:3 http://deb.debian.org/debian sid/main amd64 openssl amd64 3.0.8-1 [1407 kB]
Get:4 http://deb.debian.org/debian sid/main amd64 ssl-cert all 1.1.2 [21.1 kB]
Get:5 http://deb.debian.org/debian sid/main amd64 cpio amd64 2.13+dfsg-7.1 [245 kB]
Get:6 http://deb.debian.org/debian sid/main amd64 ca-certificates all 20230311 [153 kB]
Preconfiguring packages ...
Fetched 11.2 MB in 7s (1509 kB/s)
Selecting previously unselected package libicu72:amd64.
(Reading database ... 15779 files and directories currently installed.)
Preparing to unpack .../0-libicu72_72.1-3_amd64.deb ...
Unpacking libicu72:amd64 (72.1-3) ...
Selecting previously unselected package openssl.
Preparing to unpack .../1-openssl_3.0.8-1_amd64.deb ...
Unpacking openssl (3.0.8-1) ...
Selecting previously unselected package ssl-cert.
Preparing to unpack .../2-ssl-cert_1.1.2_all.deb ...
Unpacking ssl-cert (1.1.2) ...
Selecting previously unselected package cpio.
Preparing to unpack .../3-cpio_2.13+dfsg-7.1_amd64.deb ...
Unpacking cpio (2.13+dfsg-7.1) ...
Selecting previously unselected package postfix.
Preparing to unpack .../4-postfix.deb ...
Unpacking postfix (3.7.5-1) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../5-ca-certificates_20230311_all.deb ...
Unpacking ca-certificates (20230311) ...
Setting up cpio (2.13+dfsg-7.1) ...
update-alternatives: using /bin/mt-gnu to provide /bin/mt (mt) in auto mode
Setting up libicu72:amd64 (72.1-3) ...
Setting up openssl (3.0.8-1) ...
Setting up ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
140 added, 0 removed; done.
Setting up ssl-cert (1.1.2) ...
Setting up postfix (3.7.5-1) ...
Adding group `postfix' (GID 108) ...
Done.
Adding system user `postfix' (UID 101) ...
Adding new user `postfix' (UID 101) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 109) ...
Done.
setting myhostname: localhost.lxd
setting alias...

tags: added: server-todo
Sergio Durigan Junior (sergiodj) wrote :

I was able to investigate the failure a bit more.

The problem happens because saslauthd.service has the following directive:

RuntimeDirectory=saslauthd

This means that /run/saslauthd will be created when the service is running, and deleted when the service finishes. Remember that /var/run/ is a symlink to /run/.

As one can verify, the recommended way to set up a chrooted postfix with support for SASL is, according to /usr/share/doc/sasl2-bin/README.Debian.gz, to place the saslauthd socket inside the postfix chroot, which lives inside /var/spool/postfix/. The test script is doing things in a bit of a strange way: it's placing the actual socket inside the chroot, and then symlinking it in /var/run/saslauthd/. For systemd, RuntimeDirectory will only work if /run/saslauthd/ is a directory (i.e., not a symlink).

There's an easier way to fix this problem: we can keep the current behaviour of placing the socket inside /run/saslauthd/, and then symlink it into /var/spool/postfix/... instead. There are some small adjustments that need to be made in the script, but it seems to work fine.

I will post the fix to the Debian bug (along with a copy of this explanation), and also file an MP against our package.
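
Added example, not part of the original bug report or of the postfix test script: a shell check that reproduces the two layouts described in the comment above in a throwaway directory and classifies `run/saslauthd` the way `RuntimeDirectory=saslauthd` needs it (a real directory or absent, never a symlink). The function names and the chroot-side path `saslauthd-demo` are assumptions, since the comment elides the real path.

```shell
#!/bin/sh
# classify_runtime_dir ROOT
# Reports whether ROOT/run/saslauthd is usable with RuntimeDirectory=saslauthd.
classify_runtime_dir() {
    p="$1/run/saslauthd"
    if [ -L "$p" ]; then
        echo "symlink"          # old test layout: RuntimeDirectory will not work
    elif [ -d "$p" ]; then
        echo "directory"        # real directory: the layout systemd expects
    elif [ -e "$p" ]; then
        echo "not-a-directory"
    else
        echo "absent"           # systemd creates it when the service starts
    fi
}

# build_layout ROOT old|new
# Builds a constructed sample tree under ROOT. "saslauthd-demo" is a
# hypothetical stand-in for the chroot-side path the comment elides.
build_layout() {
    root="$1"
    chroot_dir="$root/var/spool/postfix/saslauthd-demo"
    mkdir -p "$root/run" "$root/var/spool/postfix"
    case "$2" in
        old)  # socket directory lives in the chroot, /run/saslauthd is a symlink
            mkdir -p "$chroot_dir"
            ln -s "$chroot_dir" "$root/run/saslauthd" ;;
        new)  # socket directory lives in /run, the chroot holds the symlink
            mkdir -p "$root/run/saslauthd"
            ln -s "$root/run/saslauthd" "$chroot_dir" ;;
    esac
}

# demo: classify both constructed layouts and clean up afterwards.
demo() {
    tmp=$(mktemp -d)
    build_layout "$tmp/old" old
    build_layout "$tmp/new" new
    echo "old=$(classify_runtime_dir "$tmp/old") new=$(classify_runtime_dir "$tmp/new")"
    rm -rf "$tmp"
}

demo
```

Calling `classify_runtime_dir ""` inspects `/run/saslauthd` on the running system instead of a sample tree.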

Scott Kitterman (kitterman) wrote : Re: [Bug 2018238] Re: postfix: autopkgtest fails with saslauthd.service installed

On Wednesday, May 3, 2023 9:27:04 AM EDT Sergio Durigan Junior wrote:
> I will post the fix to the Debian bug (along with a copy of this
> explanation), and also file an MP against our package.

I've uploaded postfix 3.7.5-2 to unstable. You should get it via autosync, so
I don't think you need to do an Ubuntu specific MP or upload.

Thanks for the quick response,

Scott K

Scott Kitterman (kitterman) wrote :

Fixed in unstable now.

Changed in postfix (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Fix Committed
Changed in postfix (Debian):
status: New → Fix Released
Sergio Durigan Junior (sergiodj) wrote :

The Debian patch has been accepted and uploaded. Because Debian is in hard freeze right now, we won't be able to sync the package from unstable. Either way, I will prepare an MP.

Scott Kitterman (kitterman) wrote :

On Thursday, May 4, 2023 3:24:45 AM EDT you wrote:
> The Debian patch has been accepted and uploaded. Because Debian is in
> hard freeze right now, we won't be able to sync the package from
> unstable. Either way, I will prepare an MP.

 postfix | 3.7.4-2build1 | mantic | source, amd64, arm64, armhf,
ppc64el, riscv64, s390x
 postfix | 3.7.5-2 | mantic-proposed | source, amd64, arm64, armhf,
ppc64el, riscv64, s390x

It's in mantic-proposed already.

Sergio Durigan Junior (sergiodj) wrote :

Ah, true, thank you for the heads up.

tags: removed: server-todo
Lena Voytek (lvoytek)
Changed in postfix (Ubuntu):
status: Fix Committed → Fix Released