invalid ssl-certificates in /etc/postfix/main.cf after security upgrade

Thanks for reporting this.

This is caused by the mail-stack-delivery package's postinst script.

In theory, this should only happen when a main.cf backup file located at /var/backups/mail-stack-delivery/main.cf-backup could not be found, which would mean that i had not been installed before.

Unfortunately, this doesn't seem to be the case. This part of the postinst script is wrong:

 if [ -f "/etc/postfix/main.cf" ]; then
                if [ -e "$POSTFIX_BCKFILE" ]; then
                        mv $POSTFIX_BCKFILE ${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M)
                fi
         if [ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]; then

If the backup file exists, it renames it...but then checks to see if it exists again (which it doesn't, since it just got renamed)...

It also altered a number of other things in my config.

List of altered things:
smtpd_sasl_path
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_tls_key_file
smtpd_tls_cert_file
mailbox_command
smtpd_sasl_authenticated_header
smtpd_use_tls
smtp_use_tls
smtpd_tls_received_header
smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers
tls_random_source

... which rendered my server completely broken, luckily I do regular backups of entire /etc
Is there any chance that other files were also modified in a similar way?

The git diff I posted before is a complete diff from the /etc directory before the upgrade, and after the upgrade (using the package etckeeper).

Here is the patch that fixes this issue. Instead of moving backup file, it just copies it. Cause of that upgrades of the package won't override user's settings in postfix's main.cf.

Last night, the same issue happened again. The automatically installed security update misconfigured my postfix/main.cf file with exactly the same values as posted earlier.

Will Ante Karamatić patch be included in Lucid?

Thank you Tim for the warning. I was just about to update... luckily I read your post first.

Please elevate the importance of this bug if you can. A security update, which causes one of the main services to completely stop working and destroys server configuration without any warning is a *critical* problem.

@eiver: It looks like I can't change the Importance value of this bug. It's greyd-out and I see no edit options..

Packages are being worked on and will be released to -proposed as a SRU soon.

/!\ W A R N I N G /!\

The last version ("1:1.2.9-1ubuntu6.4") also affected us.
After upgrading today (2011-06-02), it overwrote "smtpd_recipient_restrictions" and "smtpd_sender_restrictions".

The "check_policy_service", "check_recipient_access", "reject_invalid_hostname" , "reject_non_fqdn_hostname" , "reject_non_fqdn_sender" and "reject_non_fqdn_recipient" settings were removed, among others. :-(

Accepted dovecot into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

This bug will need to be fixed in Oneiric before it can move to maverick-updates or lucid-updates.

Accepted dovecot into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

the new package installed nice, without changing my configuration so it looks like this patch fixes the bug.
Note: I get standard errors about an unconfigured nsd3 everytime I use apt which is related to another bug.
Anyway, the dovecot installation went fine, without any problems and did not change my mail configuration as can be seen by etckeeper/git.

root@lock:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@lock:/etc# sudo apt-get install dovecot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package dovecot is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  dovecot-common
E: Package dovecot has no installation candidate
root@lock:/etc# sudo apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
1 not fully installed or removed.
Need to get 7,805kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-pop3d 1:1.2.9-1ubuntu6.5 [1,093kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-imapd 1:1.2.9-1ubuntu6.5 [1,202kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-common 1:1.2.9-1ubuntu6.5 [5,510kB]
Fetched 7,805kB in 6s (1,234kB/s)
(Reading database ... 27371 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.9-1ubuntu6.4 (using .../dovecot-pop3d_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-pop3d ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-imapd 1:1.2.9-1ubuntu6.4 (using .../dovecot-imapd_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-imapd ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-common 1:1.2.9-1ubuntu6.4 (using .../dovecot-common_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-common ...
Processing triggers for ufw ...
Rules updated for profile 'Dovecot Secure IMAP'
Rules updated for profile 'OpenSSH'
Rules updated for profile 'Postfix'
Rules updated for profile 'Postfix Submission'
Skipped reloading firewall
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up nsd3 (3.2.4-1) ...
 * Starting nsd3...
invoke-rc.d: initscript nsd3, action "start" failed.
dpkg: error processing nsd3 (--configure):
 subprocess installed post-install...

lucid-proposed - Confirmed! Its working. Updated from 6.3 to 6.5 and everything looks ok. (Just one warning in the output below, but does not seem to have any impact).

Update output:

(Reading database ... 139385 files and directories currently installed.)
Preparing to replace dovecot-imapd 1:1.2.9-1ubuntu6.3 (using .../dovecot-imapd_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-imapd ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-pop3d 1:1.2.9-1ubuntu6.3 (using .../dovecot-pop3d_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-pop3d ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-common 1:1.2.9-1ubuntu6.3 (using .../dovecot-common_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-common ...
Preparing to replace dovecot-postfix 1:1.2.9-1ubuntu6.3 (using .../dovecot-postfix_1%3a1.2.9-1ubuntu6.5_all.deb) ...
Unpacking replacement dovecot-postfix ...
Processing triggers for ufw ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Setting up dovecot-common (1:1.2.9-1ubuntu6.5) ...
Not replacing deleted config file /etc/dovecot/dovecot-ldap.conf
Not replacing deleted config file /etc/dovecot/dovecot-sql.conf
You already have ssl certs for dovecot.
update-rc.d: warning: dovecot stop runlevel arguments (1) do not match LSB Default-Stop values (0 1 6)
 * Starting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-imapd (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-pop3d (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-postfix (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.
 * Stopping Postfix Mail Transport Agent postfix
   ...done.
 * Starting Postfix Mail Transport Agent postfix
   ...done.

Lucid-proposed works great. Thanks for the quick bugfix. How soon before we'll see it in Lucid-updates?

Thanks

Excerpts from Tim White's message of Fri Jun 10 22:48:53 UTC 2011:
> Lucid-proposed works great. Thanks for the quick bugfix. How soon before
> we'll see it in Lucid-updates?

Hi Tim, glad its working for you. The package needs to be in -proposed for
7 days to shake out any regressions, and we need it verified on both lucid
and maverick. Would be great to have an experienced user fire up a maverick
VM and try it out. :)

I happened to have a 10.10 server in my VirtualBox and can confirm this latest package does not change the postfix configuration.

root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@ubuntu:/etc# apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Need to get 7,866kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-pop3d amd64 1:1.2.12-1ubuntu8.3 [1,097kB]
Get:2 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-imapd amd64 1:1.2.12-1ubuntu8.3 [1,204kB]
Get:3 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-common amd64 1:1.2.12-1ubuntu8.3 [5,565kB]
Fetched 7,866kB in 8s (980kB/s)
(Reading database ... 42297 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.12-1ubuntu8.2 (using .../dovecot-pop3d_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-pop3d ...
Preparing to replace dovecot-imapd 1:1.2.12-1ubuntu8.2 (using .../dovecot-imapd_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-imapd ...
Preparing to replace dovecot-common 1:1.2.12-1ubuntu8.2 (using .../dovecot-common_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
dovecot stop/waiting
Unpacking replacement dovecot-common ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up dovecot-common (1:1.2.12-1ubuntu8.3) ...
You already have ssl certs for dovecot.
dovecot start/running, process 3434
Setting up dovecot-pop3d (1:1.2.12-1ubuntu8.3) ...
Setting up dovecot-imapd (1:1.2.12-1ubuntu8.3) ...
root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)

Thanks Tim!

This still needs to sit in -proposed for 7 days to avoid regressions. If none appear, it should be released to -updates on June 16.

Also I verified that this was actually fixed in Natty, so marking Fix Released.

This bug was fixed in the package dovecot - 1:1.2.12-1ubuntu8.3

---------------
dovecot (1:1.2.12-1ubuntu8.3) maverick-proposed; urgency=low

  * debian/mail-stack-delivery.postinst: don't override user's postfix
    settings on upgrade. Thanks to Ante Karamatic. (LP: #715056)
 -- Chuck Short <email address hidden> Thu, 02 Jun 2011 10:03:18 -0400

This bug was fixed in the package dovecot - 1:1.2.9-1ubuntu6.5

---------------
dovecot (1:1.2.9-1ubuntu6.5) lucid-proposed; urgency=low

  * debian/dovecot-postfix.postinst: don't override user's postfix settings
    on upgrade. (LP: #715056)
 -- Chuck Short <email address hidden> Thu, 02 Jun 2011 10:10:39 -0400

I waited till the patch was in for lucid till I used upgrade manager. By detault, it now found 1:1.2.9-1ubuntu6.5, and it worked like a charm. Thanks for the effort put into this.