SRU tracking bug for postfix 2.8.2 -> 2.8.5 for natty

Bug #869411 reported by Scott Kitterman
This bug affects 1 person
Affects            Status         Importance   Assigned to       Milestone
postfix (Ubuntu)   Invalid        Undecided    Unassigned
Natty              Fix Released   Wishlist     Scott Kitterman

Bug Description

Pilot SRU for postfix post-release updates per TB on 10/6/11.

TEST CASE: Run the QA regression test suite (done). Install postfix and verify it installs, starts, stops, sends mail.

Changed in postfix (Ubuntu):
status: New → Invalid
Changed in postfix (Ubuntu Natty):
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → Wishlist
status: New → In Progress
Scott Kitterman (kitterman) wrote :

Passed the QA regression test (with -1, -2 doesn't affect the binary packages).

root@utest-nns32:/tmp/qa-regression-testing/scripts# python ./test-postfix.py -v
Running test: './test-postfix.py' distro: 'Ubuntu 11.04' kernel: '2.6.38-11.50 (Ubuntu 2.6.38-11.50-generic-pae 2.6.38.8)' arch: 'i386' uid: 0/0 SUDO_USER: '')
test_00_listening (__main__.PostfixTest)
Postfix is listening ... ok
test_10_commands (__main__.PostfixTest)
Basic SMTP commands ... ok
test_10_sending_mail_direct (__main__.PostfixTest)
Mail delivered normally ... ok
test_10_sending_mail_direct_auth (__main__.PostfixTest)
Mail authentication ... ok
test_10_sending_mail_direct_auth_full (__main__.PostfixTest)
Mail delivered with authentication ... ok
test_10_sending_mail_direct_with_tls (__main__.PostfixTest)
Mail delivered normally with TLS ... ok
test_10_sending_mail_forward_normal (__main__.PostfixTest)
Mail delivered via .forward ... ok
test_10_sending_mail_forward_xternal (__main__.PostfixTest)
Mail processed by commands in .forward ... ok
test_11_security_CVE_2008_2936 (__main__.PostfixTest)
CVE-2008-2936 fixed ... ok
test_20_sasldb_cram_md5 (__main__.PostfixTest)
Test sasldb CRAM-MD5 ... ok
test_20_sasldb_digest_md5 (__main__.PostfixTest)
Test sasldb DIGEST-MD5 is supported ... ok
test_20_sasldb_login (__main__.PostfixTest)
Test sasldb LOGIN is supported ... ok
test_20_sasldb_plain (__main__.PostfixTest)
Test sasldb PLAIN ... ok
test_21_security_CVE_2011_1720 (__main__.PostfixTest)
CVE-2011-1720 fixed ... ok
test_99_restore (__main__.PostfixTest)
Restore configuration ... ok

----------------------------------------------------------------------
Ran 15 tests in 80.701s

OK
root@utest-nns32:/tmp/qa-regression-testing/scripts# apt-cache policy postfix
postfix:
  Installed: 2.8.5-1~build0.11.04
  Candidate: 2.8.5-1~build0.11.04
  Version table:
 *** 2.8.5-1~build0.11.04 0
        500 http://ppa.launchpad.net/postfix-support/sru/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
     2.8.2-1ubuntu2.1 0
        500 http://ro.archive.ubuntu.com/ubuntu/ natty-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu/ natty-security/main i386 Packages
     2.8.2-1ubuntu1 0
        500 http://ro.archive.ubuntu.com/ubuntu/ natty/main i386 Packages

description: updated
Martin Pitt (pitti) wrote :

I'm fine with updating to the new upstream version, but I don't like backporting the whole package. There's quite a lot of packaging changes there, including:

 * bumping the debhelper compat level to 7: This might expose bugs in earlier debhelper versions which we haven't encountered in oneiric

 * changing the init script quite radically: formally it breaks feature freeze; at the risk factor, the current postfix init script has never been in a stable release yet, so got comparatively little testing; IMHO it is too much risk to throw it at stable users as it changes expected behaviour and causes conffile prompts.

 * other changes like debian/copyright and the apport integration; these seem harmless, and I'd be willing to take them for an SRU.

FYI, I won't ever agree to a blanket MRE that includes packaging changes. All other MREs that we have, like postgresql or firefox only cover updating the upstream bits, but keeping the packaging structure, scripts, conffiles, etc. unchanged.

Scott Kitterman (kitterman) wrote : Re: [Bug 869411] Re: SRU tracking bug for postfix 2.8.2 -> 2.8.5 for natty

OK. It was a lot easier just to keep the packaging the same then, so that's
what I've done. The debian dir for the reuploaded SRU is the same as what's
in natty-updates/security now except for the changelog entry.

Martin Pitt (pitti) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted postfix into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in postfix (Ubuntu Natty):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Verification should include running the qa-regression-tests on the actual .debs from natty-proposed (not on a local build). Thanks!

Imre Gergely (cemc) wrote :

Re-ran qa-regression-tests (in a schroot) with the package from -proposed:

(natty32)gimre@voy:~/WORK$ sudo qa-regression-testing/scripts/test-postfix.py -v
Running test: 'qa-regression-testing/scripts/test-postfix.py' distro: 'Ubuntu 11.04' kernel: 'found' arch: 'i386' uid: 0/0 SUDO_USER: 'gimre')
test_00_listening (__main__.PostfixTest)
Postfix is listening ... ok
test_10_commands (__main__.PostfixTest)
Basic SMTP commands ... ok
test_10_sending_mail_direct (__main__.PostfixTest)
Mail delivered normally ... ok
test_10_sending_mail_direct_auth (__main__.PostfixTest)
Mail authentication ... ok
test_10_sending_mail_direct_auth_full (__main__.PostfixTest)
Mail delivered with authentication ... ok
test_10_sending_mail_direct_with_tls (__main__.PostfixTest)
Mail delivered normally with TLS ... ok
test_10_sending_mail_forward_normal (__main__.PostfixTest)
Mail delivered via .forward ... ok
test_10_sending_mail_forward_xternal (__main__.PostfixTest)
Mail processed by commands in .forward ... ok
test_11_security_CVE_2008_2936 (__main__.PostfixTest)
CVE-2008-2936 fixed ... ok
test_20_sasldb_cram_md5 (__main__.PostfixTest)
Test sasldb CRAM-MD5 ... ok
test_20_sasldb_digest_md5 (__main__.PostfixTest)
Test sasldb DIGEST-MD5 is supported ... ok
test_20_sasldb_login (__main__.PostfixTest)
Test sasldb LOGIN is supported ... ok
test_20_sasldb_plain (__main__.PostfixTest)
Test sasldb PLAIN ... ok
test_21_security_CVE_2011_1720 (__main__.PostfixTest)
CVE-2011-1720 fixed ... ok
test_99_restore (__main__.PostfixTest)
Restore configuration ... ok

----------------------------------------------------------------------
Ran 15 tests in 66.698s

OK

(natty32)gimre@voy:~/WORK$ apt-cache policy postfix
postfix:
  Installed: 2.8.5-2~build0.11.04
  Candidate: 2.8.5-2~build0.11.04
  Version table:
 *** 2.8.5-2~build0.11.04 0
        500 http://voy/ubuntu/ natty-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     2.8.2-1ubuntu1 0
        500 http://voy/ubuntu/ natty/main i386 Packages

Installed the package in a VM, with default 'Internet site' configuration, it installed without problems. Sent email through it, email got delivered to local mailbox (/var/spool/mail/<user>).

Removed package, installed the last one from updates/security (2.8.2-1ubuntu2.1), then did an update to 2.8.5-2~build0.11.04 from -proposed, seems to update OK. Not sure why it's stopping twice, but I guess that's normal.

Preparing to replace postfix 2.8.2-1ubuntu2.1 (using .../postfix_2.8.5-2~build0.11.04_i386.deb) ...
 * Stopping Postfix Mail Transport Agent postfix [ OK ]
 * Stopping Postfix Mail Transport Agent postfix [ OK ]
Unpacking replacement postfix ...
[...]
Setting up postfix (2.8.5-2~build0.11.04) ...

Postfix configuration was not cha...
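
The verification requirement stated earlier in this thread (test the actual .debs from natty-proposed, not a local build) can be checked mechanically from `apt-cache policy` output. The following is an added example, not part of the bug thread or of qa-regression-testing; the function names are hypothetical and the samples are trimmed from the two outputs quoted above.

```python
import re

# Constructed samples, trimmed from the two `apt-cache policy postfix` outputs in this thread.
PPA_RUN = """\
postfix:
  Installed: 2.8.5-1~build0.11.04
  Version table:
 *** 2.8.5-1~build0.11.04 0
        500 http://ppa.launchpad.net/postfix-support/sru/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
"""
PROPOSED_RUN = """\
postfix:
  Installed: 2.8.5-2~build0.11.04
  Version table:
 *** 2.8.5-2~build0.11.04 0
        500 http://voy/ubuntu/ natty-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     2.8.2-1ubuntu1 0
        500 http://voy/ubuntu/ natty/main i386 Packages
"""

VERSION_RE = re.compile(r"^\s+(?:\*\*\*\s+)?(\S+)\s+-?\d+$")  # " *** <version> <pin>"
SOURCE_RE = re.compile(r"^\s+-?\d+\s+(\S+)(?:\s+(\S+))?")      # "<prio> <url> <suite/component> ..."

def installed_origins(policy_text):
    """Return (installed_version, [(url, suite_or_None), ...]) for the installed version."""
    installed, current, in_table = None, None, False
    origins = {}
    for line in policy_text.splitlines():
        if m := re.match(r"\s+Installed:\s+(\S+)", line):
            installed = m.group(1)
        elif line.strip() == "Version table:":
            in_table = True
        elif in_table and (m := VERSION_RE.match(line)):
            current = origins.setdefault(m.group(1), [])
        elif in_table and current is not None and (m := SOURCE_RE.match(line)):
            current.append((m.group(1), m.group(2)))
    return installed, origins.get(installed, [])

def verified_from_pocket(policy_text, pocket="natty-proposed"):
    """True only if the installed version is offered by an archive suite named `pocket`."""
    # Assumption: the configured mirror (http://voy/ubuntu/ here) is a faithful archive copy.
    _, sources = installed_origins(policy_text)
    return any(suite and suite.split("/")[0] == pocket for _, suite in sources)

if __name__ == "__main__":
    for name, text in (("PPA run", PPA_RUN), ("-proposed run", PROPOSED_RUN)):
        print(name, installed_origins(text)[0], verified_from_pocket(text))
```

A package installed with `dpkg -i` from a local build lists only `/var/lib/dpkg/status` as its source, so it fails the check as well.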

Imre Gergely (cemc) wrote :

Also tested with mail-stack-delivery package, default config, auth + delivery through dovecot looks fine.

Martin Pitt (pitti) wrote :

Thanks for testing!

tags: added: verification-done
removed: verification-needed
Imre Gergely (cemc) wrote :

(Also tested content-filter with clamsmtp)

root@nns32-postfix:~# cat /etc/postfix/main.cf |grep content_filter
content_filter = scan:[127.0.0.1]:10026

Oct 7 22:44:03 nns32-postfix postfix/smtp[13012]: 12A253A7D: to=<email address hidden>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.07/0/0.05/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 2.8.5-2~build0.11.04

---------------
postfix (2.8.5-2~build0.11.04) natty-proposed; urgency=low

  [ LaMont Jones ]
  * Trial microversion update per TB 10/6/11 (LP: #869411)

  [Wietse Venema]

  * 2.8.5
    - Workaround: report a {client_connections} Milter macro value of zero
      instead of garbage, when the remote SMTP client is not subject to any
      smtpd_client_* limits. Problem reported by Christian Roessner.
    - Bugfix: allow for Milters that send an SMTP server reply without RFC 3463
      enhanced status code. Reported by Vladimir Vassiliev.
  * 2.8.4
    - Performance: a high load of DSN success notification requests
      could slow down the queue manager.
    - Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
      client reported some "file too large" errors as temporary
      errors.
    - Bugfix (introduced in Postfix 1.1, duplicated in Postfix
      2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
      agent ignored table lookup errors in mailbox_command_maps,
      mailbox_transport_maps, fallback_transport_maps and (while
      bouncing mail to alias) alias owner lookup.
    - Bugfix (introduced Postfix 2.6 with master_service_disable)
      loop control error when parsing a malformed master.cf file.
    - Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
      "protocol error" after queue file write error.
    - Linux kernel version 3 support.
    - Workaround: some Spamhaus RHSBL rejects lookups with "No
      IP queries" even if the name has an alphanumerical prefix.
      We play safe, and skip both RHSBL and RHSWL queries for
      names ending in a numerical suffix.
  * 2.8.3
    - Cleanup: postscreen(8) and verify(8) daemons now lock their respective
      cache file exclusively upon open, to avoid massive cache corruption
      by unsupported sharing.
    - Bugfix (introduced with Postfix SASL patch 20000314): don't reuse a
      server SASL handle after authentication failure. CVE-2011-1720
 -- Scott Kitterman <email address hidden> Fri, 07 Oct 2011 00:59:20 -0500

Changed in postfix (Ubuntu Natty):
status: Fix Committed → Fix Released