invalid ssl-certificates in /etc/postfix/main.cf after security upgrade

Bug #715056 reported by Tim Kuijsten on 2011-02-08
This bug affects 13 people

Affects                    Importance  Assigned to
dovecot (Ubuntu)           High        Chuck Short
dovecot (Ubuntu Lucid)     High        Chuck Short
dovecot (Ubuntu Maverick)  High        Chuck Short

Bug Description

Binary package hint: dovecot-postfix

After dovecot-postfix was automatically upgraded this morning (http://www.ubuntu.com/usn/usn-1059-1) the config in /etc/postfix/main.cf was changed, replacing my certificates with invalid ones. Discovered it by Thunderbird complaining about an invalid certificate when trying to send mail via the smtp-server.

Changes made by automatic upgrade:
diff --git a/postfix/main.cf b/postfix/main.cf
index ee075a3..b6c0119 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -57,10 +57,15 @@ smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
-smtpd_tls_cert_file = /etc/ssl/certs/xxxxx.crt
-smtpd_tls_key_file = /etc/ssl/private/xxxxx.key
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_security_level = may
 smtp_tls_CAfile = /etc/ssl/certs/netsend_nl_chain.crt
 smtp_tls_note_starttls_offer = yes
+home_mailbox = Maildir/
+smtpd_sasl_authenticated_header = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_use_tls = yes
+smtp_use_tls = yes
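Review bot: the two removed lines (`smtpd_tls_cert_file = /etc/ssl/certs/xxxxx.crt`, `smtpd_tls_key_file = /etc/ssl/private/xxxxx.key`) are the administrator's own certificate and key, and replacing them with the package's generated `ssl-mail.pem` / `ssl-mail.key` is what makes clients reject the server with the `tlsv1 alert unknown ca` seen in mail.log; an upgrade postinst must leave values the administrator has set untouched. The added `smtpd_use_tls = yes` / `smtp_use_tls = yes` are the legacy TLS switches and are redundant here, since `smtpd_tls_security_level = may` (in the hunk header) and `smtp_tls_security_level = may` already govern this; `home_mailbox = Maildir/` also silently changes where local mail is delivered on a server that never set it.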

Errors in /var/log/mail.log:
Feb 8 09:25:27 lock postfix/smtpd[10607]: connect from xxxxx.versatel.nl[xx.xx.xx.xx]
Feb 8 09:25:27 lock postfix/smtpd[10607]: setting up TLS connection from xxxxx.versatel.nl[xx.xx.xx.xx]
Feb 8 09:25:27 lock postfix/smtpd[10607]: SSL_accept error from xxxxx.versatel.nl[xx.xx.xx.xx]: 0
Feb 8 09:25:27 lock postfix/smtpd[10607]: warning: TLS library problem: 10607:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1093:SSL alert number 48:
Feb 8 09:25:27 lock postfix/smtpd[10607]: lost connection after CONNECT from xxxxx.versatel.nl[xx.xx.xx.xx]
Feb 8 09:25:27 lock postfix/smtpd[10607]: disconnect from xxxxx.versatel.nl[xx.xx.xx.xx]

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this.

This is caused by the mail-stack-delivery package's postinst script.

In theory, this should only happen when a main.cf backup file located at /var/backups/mail-stack-delivery/main.cf-backup could not be found, which would mean that it had not been installed before.

Unfortunately, this doesn't seem to be the case. This part of the postinst script is wrong:

 if [ -f "/etc/postfix/main.cf" ]; then
         if [ -e "$POSTFIX_BCKFILE" ]; then
                 # renames the backup away...
                 mv $POSTFIX_BCKFILE ${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M)
         fi
         # ...so this test never finds it and main.cf gets regenerated
         # ($2 is the previously configured version; empty on a fresh install)
         if [ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]; then

If the backup file exists, it renames it...but then checks to see if it exists again (which it doesn't, since it just got renamed)...

Changed in dovecot (Ubuntu):
status: New → Confirmed
assignee: nobody → Chuck Short (zulcss)
eiver (eiver) wrote :

It also altered a number of other things in my config.

List of altered things:
smtpd_sasl_path
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_tls_key_file
smtpd_tls_cert_file
mailbox_command
smtpd_sasl_authenticated_header
smtpd_use_tls
smtp_use_tls
smtpd_tls_received_header
smtpd_tls_mandatory_protocols
smtpd_tls_mandatory_ciphers
tls_random_source

... which rendered my server completely broken; luckily I do regular backups of the entire /etc.
Is there any chance that other files were also modified in a similar way?

Tim Kuijsten (kuijsten) wrote :

The git diff I posted before is a complete diff from the /etc directory before the upgrade, and after the upgrade (using the package etckeeper).

Ante Karamatić (ivoks) wrote :

Here is the patch that fixes this issue. Instead of moving the backup file, it just copies it. Because of that, upgrades of the package won't override the user's settings in postfix's main.cf.

tags: added: patch
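To show why the mv-then-test sequence in Marc's excerpt clobbers main.cf and why Ante's copy-based patch does not, here is an added simulation (not the package's postinst) that replays the check in a temporary directory; the postinst branch that regenerates main.cf is represented by an "overwritten" result, and the backup path, file contents and version string are constructed.

```shell
#!/bin/sh
# Added example, not the mail-stack-delivery postinst: replay its backup
# check with either the original "mv" or the patched "cp" strategy.
set -eu

# simulate_upgrade STRATEGY PREV_VERSION
#   STRATEGY     "mv" = original postinst, "cp" = Ante Karamatic's patch
#   PREV_VERSION the postinst's $2: previously configured version,
#                empty on a fresh install
# Prints "overwritten" if main.cf would be regenerated, else "kept".
simulate_upgrade() {
    strategy=$1
    prev_version=$2
    tmp=$(mktemp -d)
    POSTFIX_BCKFILE="$tmp/main.cf-backup"
    main_cf="$tmp/main.cf"
    # constructed admin config plus the backup left by the earlier install
    printf 'smtpd_tls_cert_file = /etc/ssl/certs/user.crt\n' > "$main_cf"
    cp "$main_cf" "$POSTFIX_BCKFILE"
    result=kept
    if [ -f "$main_cf" ]; then
        if [ -e "$POSTFIX_BCKFILE" ]; then
            if [ "$strategy" = mv ]; then
                # original: the backup is renamed away...
                mv "$POSTFIX_BCKFILE" "${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M)"
            else
                # patched: the dated copy is made but the backup stays
                cp "$POSTFIX_BCKFILE" "${POSTFIX_BCKFILE}-$(date +%Y%m%d%H%M)"
            fi
        fi
        # same test as the postinst's "[ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]"
        if [ -z "$prev_version" ] || [ ! -e "$POSTFIX_BCKFILE" ]; then
            result=overwritten   # ...so the original always lands here
        fi
    fi
    rm -rf "$tmp"
    echo "$result"
}

simulate_upgrade mv 1:1.2.9-1ubuntu6.3   # overwritten (the bug)
simulate_upgrade cp 1:1.2.9-1ubuntu6.3   # kept (patched behaviour)
simulate_upgrade cp ""                   # overwritten (fresh install, intended)
```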
Tim Kuijsten (kuijsten) wrote :

Last night, the same issue happened again. The automatically installed security update misconfigured my postfix/main.cf file with exactly the same values as posted earlier.

Will Ante Karamatić's patch be included in Lucid?

eiver (eiver) wrote :

Thank you Tim for the warning. I was just about to update... luckily I read your post first.

Please elevate the importance of this bug if you can. A security update, which causes one of the main services to completely stop working and destroys server configuration without any warning is a *critical* problem.

Tim Kuijsten (kuijsten) wrote :

@eiver: It looks like I can't change the Importance value of this bug. It's greyed out and I see no edit options.

Changed in dovecot (Ubuntu Lucid):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Packages are being worked on and will be released to -proposed as an SRU soon.

Changed in dovecot (Ubuntu):
importance: Undecided → High
Changed in dovecot (Ubuntu Lucid):
importance: Undecided → High
Changed in dovecot (Ubuntu Maverick):
importance: Undecided → High
status: New → Confirmed
Changed in dovecot (Ubuntu Lucid):
assignee: nobody → Chuck Short (zulcss)
Changed in dovecot (Ubuntu Maverick):
assignee: nobody → Chuck Short (zulcss)
Fernando (fernando-018) wrote :

/!\ W A R N I N G /!\

The last version ("1:1.2.9-1ubuntu6.4") also affected us.
After upgrading today (2011-06-02), it overwrote "smtpd_recipient_restrictions" and "smtpd_sender_restrictions".

The "check_policy_service", "check_recipient_access", "reject_invalid_hostname" , "reject_non_fqdn_hostname" , "reject_non_fqdn_sender" and "reject_non_fqdn_recipient" settings were removed, among others. :-(

Accepted dovecot into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in dovecot (Ubuntu Maverick):
status: Confirmed → Fix Committed
tags: added: verification-needed
Clint Byrum (clint-fewbar) wrote :

This bug will need to be fixed in Oneiric before it can move to maverick-updates or lucid-updates.

Clint Byrum (clint-fewbar) wrote :

Accepted dovecot into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in dovecot (Ubuntu Lucid):
status: Confirmed → Fix Committed
Tim Kuijsten (kuijsten) wrote :

The new package installed nicely, without changing my configuration, so it looks like this patch fixes the bug.
Note: I get standard errors about an unconfigured nsd3 every time I use apt, which is related to another bug.
Anyway, the dovecot installation went fine, without any problems, and did not change my mail configuration, as can be seen by etckeeper/git.

root@lock:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@lock:/etc# sudo apt-get install dovecot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package dovecot is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  dovecot-common
E: Package dovecot has no installation candidate
root@lock:/etc# sudo apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
1 not fully installed or removed.
Need to get 7,805kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-pop3d 1:1.2.9-1ubuntu6.5 [1,093kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-imapd 1:1.2.9-1ubuntu6.5 [1,202kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-proposed/main dovecot-common 1:1.2.9-1ubuntu6.5 [5,510kB]
Fetched 7,805kB in 6s (1,234kB/s)
(Reading database ... 27371 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.9-1ubuntu6.4 (using .../dovecot-pop3d_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-pop3d ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-imapd 1:1.2.9-1ubuntu6.4 (using .../dovecot-imapd_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-imapd ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-common 1:1.2.9-1ubuntu6.4 (using .../dovecot-common_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-common ...
Processing triggers for ufw ...
Rules updated for profile 'Dovecot Secure IMAP'
Rules updated for profile 'OpenSSH'
Rules updated for profile 'Postfix'
Rules updated for profile 'Postfix Submission'
Skipped reloading firewall
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up nsd3 (3.2.4-1) ...
 * Starting nsd3...
invoke-rc.d: initscript nsd3, action "start" failed.
dpkg: error processing nsd3 (--configure):
 subprocess installed post-install...


tags: added: verification-done-lucid
eiver (eiver) wrote :

lucid-proposed - Confirmed! It's working. Updated from 6.3 to 6.5 and everything looks ok. (Just one warning in the output below, but it does not seem to have any impact.)

Update output:

(Reading database ... 139385 files and directories currently installed.)
Preparing to replace dovecot-imapd 1:1.2.9-1ubuntu6.3 (using .../dovecot-imapd_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-imapd ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-pop3d 1:1.2.9-1ubuntu6.3 (using .../dovecot-pop3d_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-pop3d ...
 * Starting IMAP/POP3 mail server dovecot
   ...done.
Preparing to replace dovecot-common 1:1.2.9-1ubuntu6.3 (using .../dovecot-common_1%3a1.2.9-1ubuntu6.5_amd64.deb) ...
 * Stopping IMAP/POP3 mail server dovecot
   ...done.
Unpacking replacement dovecot-common ...
Preparing to replace dovecot-postfix 1:1.2.9-1ubuntu6.3 (using .../dovecot-postfix_1%3a1.2.9-1ubuntu6.5_all.deb) ...
Unpacking replacement dovecot-postfix ...
Processing triggers for ufw ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Setting up dovecot-common (1:1.2.9-1ubuntu6.5) ...
Not replacing deleted config file /etc/dovecot/dovecot-ldap.conf
Not replacing deleted config file /etc/dovecot/dovecot-sql.conf
You already have ssl certs for dovecot.
update-rc.d: warning: dovecot stop runlevel arguments (1) do not match LSB Default-Stop values (0 1 6)
 * Starting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-imapd (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-pop3d (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.

Setting up dovecot-postfix (1:1.2.9-1ubuntu6.5) ...
 * Restarting IMAP/POP3 mail server dovecot
   ...done.
 * Stopping Postfix Mail Transport Agent postfix
   ...done.
 * Starting Postfix Mail Transport Agent postfix
   ...done.

Tim White (timwhite88) wrote :

Lucid-proposed works great. Thanks for the quick bugfix. How soon before we'll see it in Lucid-updates?

Thanks

Excerpts from Tim White's message of Fri Jun 10 22:48:53 UTC 2011:
> Lucid-proposed works great. Thanks for the quick bugfix. How soon before
> we'll see it in Lucid-updates?

Hi Tim, glad it's working for you. The package needs to be in -proposed for
7 days to shake out any regressions, and we need it verified on both lucid
and maverick. Would be great to have an experienced user fire up a maverick
VM and try it out. :)

Tim Kuijsten (kuijsten) wrote :

I happened to have a 10.10 server in my VirtualBox and can confirm this latest package does not change the postfix configuration.

root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)
root@ubuntu:/etc# apt-get install dovecot-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dovecot-imapd dovecot-pop3d
Suggested packages:
  ntp
The following packages will be upgraded:
  dovecot-common dovecot-imapd dovecot-pop3d
3 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Need to get 7,866kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-pop3d amd64 1:1.2.12-1ubuntu8.3 [1,097kB]
Get:2 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-imapd amd64 1:1.2.12-1ubuntu8.3 [1,204kB]
Get:3 http://archive.ubuntu.com/ubuntu/ maverick-proposed/main dovecot-common amd64 1:1.2.12-1ubuntu8.3 [5,565kB]
Fetched 7,866kB in 8s (980kB/s)
(Reading database ... 42297 files and directories currently installed.)
Preparing to replace dovecot-pop3d 1:1.2.12-1ubuntu8.2 (using .../dovecot-pop3d_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-pop3d ...
Preparing to replace dovecot-imapd 1:1.2.12-1ubuntu8.2 (using .../dovecot-imapd_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
Unpacking replacement dovecot-imapd ...
Preparing to replace dovecot-common 1:1.2.12-1ubuntu8.2 (using .../dovecot-common_1%3a1.2.12-1ubuntu8.3_amd64.deb) ...
dovecot stop/waiting
Unpacking replacement dovecot-common ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up dovecot-common (1:1.2.12-1ubuntu8.3) ...
You already have ssl certs for dovecot.
dovecot start/running, process 3434
Setting up dovecot-pop3d (1:1.2.12-1ubuntu8.3) ...
Setting up dovecot-imapd (1:1.2.12-1ubuntu8.3) ...
root@ubuntu:/etc# git status
# On branch master
nothing to commit (working directory clean)

tags: added: verification-done
removed: verification-done-lucid verification-needed
Clint Byrum (clint-fewbar) wrote :

Thanks Tim!

This still needs to sit in -proposed for 7 days to avoid regressions. If none appear, it should be released to -updates on June 16.

Also I verified that this was actually fixed in Natty, so marking Fix Released.

Changed in dovecot (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.2.12-1ubuntu8.3

---------------
dovecot (1:1.2.12-1ubuntu8.3) maverick-proposed; urgency=low

  * debian/mail-stack-delivery.postinst: don't override user's postfix
    settings on upgrade. Thanks to Ante Karamatic. (LP: #715056)
 -- Chuck Short <email address hidden> Thu, 02 Jun 2011 10:03:18 -0400

Changed in dovecot (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.2.9-1ubuntu6.5

---------------
dovecot (1:1.2.9-1ubuntu6.5) lucid-proposed; urgency=low

  * debian/dovecot-postfix.postinst: don't override user's postfix settings
    on upgrade. (LP: #715056)
 -- Chuck Short <email address hidden> Thu, 02 Jun 2011 10:10:39 -0400

Changed in dovecot (Ubuntu Lucid):
status: Fix Committed → Fix Released
jan (jan-ubuntu-h-i-s) wrote :

I waited till the patch was in for lucid till I used upgrade manager. By default, it now found 1:1.2.9-1ubuntu6.5, and it worked like a charm. Thanks for the effort put into this.
