Postfix fails to start, "failure to copy certificates"

Bug #1305232 reported by Matthias Andree on 2014-04-09
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
postfix (Ubuntu)
Medium
Unassigned
Trusty
Medium
Joshua Powers
Xenial
Medium
Joshua Powers

Bug Description

== Begin SRU Template ==
[Impact]

 * It is possible for the postfix to fail to start whenever there are broken symlinks in directories it scans, like certificates when the ca-certificates package is upgraded.

[Test Case]

 * lxc launch ubuntu-daily:xenial xenial
 * lxc exec xenial bash
 * sudo apt install postfix -y
 * Edit /etc/postfix/main.cf and add the following line
   smtp_tls_CApath=/usr/share/ca-certificates
 * ln -s fakefile /usr/share/ca-certificates/foobar.pem
 * /etc/init.d/postfix stop
 * /etc/init.d/postfix start
 * If broken, the failure message " * failure copying certificates" should print;

Postfix will fail to start as a result of the bad symlink.

[Regression Potential]

* Users currently experiencing this issue would be expecting an SRU fix to come from us as the application is broken.
* The only work around it would require editing the init script with the workaround as described in this bug or by removing the bad symlinks. In either case, these things should be fixed.

[Other Info]

Postfix frequently fails to start after security updates to the ca-certificates package because upgrading the latter sometimes leaves dangling symlinks behind. If that happens, the /etc/init.d/postfix script aborts.

                    # handle files in subdirectories
                    (cd "$ca_path" && find . -name '*.pem' -print0 | cpio -0pdL --quiet "$dest_dir") 2>/dev/null ||
                        (log_failure_msg failure copying certificates; exit 1)

The usual fix on a high level is "dpkg-reconfigure --priority=high ca-certificates"; however, I would propose to change the find command as follows:

                    # handle files in subdirectories
                    (cd "$ca_path" && find . -name '*.pem' -not -xtype l -print0 | cpio -0pdL --quiet "$dest_dir") 2>/dev/null ||
                        (log_failure_msg failure copying certificates; exit 1)

This would then skip printing broken symbolic links, and prevent cpio from choking on them.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: postfix 2.9.6-1~12.04.1
ProcVersionSignature: Ubuntu 3.11.0-19.33~precise1-generic 3.11.10.5
Uname: Linux 3.11.0-19-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: i386
Date: Wed Apr 9 20:20:17 2014
EcryptfsInUse: Yes
MarkForUpload: True
ProcEnviron:
 LANGUAGE=de_DE:de:en_GB:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: postfix
UpgradeStatus: Upgraded to precise on 2012-11-01 (523 days ago)

Related branches

Key is adding "-not -xtype l" which weeds out stuff that is a symbolic link when dereferenced. This is only true for broken (dangling) symbolic links.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in postfix (Ubuntu):
status: New → Confirmed
LaMont Jones (lamont) wrote :

I will get this added to the package.

Bug persists in 14.04 LTS.

Bug persists in 16.04 LTS

Scott Kitterman (kitterman) wrote :

I've pushed the fix to git for the Debian postfix package. This will be in the next Debian upload that will get sync'ed into the Ubuntu development release. Someone who is involved in Ubuntu will need to work on a stable update after that happens if you want the fix in an earlier release.

Changed in postfix (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Fix Committed
Robie Basak (racb) wrote :

Thanks Scott. Marking bitesize as this sounds like a straightforward cherry-pick for SRUs.

Changed in postfix (Ubuntu Trusty):
status: New → Triaged
Changed in postfix (Ubuntu Xenial):
status: New → Triaged
tags: added: bitesize
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 3.1.4-2

---------------
postfix (3.1.4-2) unstable; urgency=medium

  * Update postfix Suggestions.
  * Update postfix-sqlite postinst/prerm to reflect that addmap is idempotent.
  * Restore so.1.0.1 symlinks for map libraries and change how new entries are
    added. Closes: #850400
  * Be more aggressive in retiring usage of lmtp binary. Closes: #850430
    LP: #1654453
  * Check symlinks separately in postfix-script, to allow library symlinks.
    This will go away once the symlinks are dropped again.

 -- LaMont Jones <email address hidden> Fri, 06 Jan 2017 08:41:36 -0700

Changed in postfix (Ubuntu):
status: Fix Committed → Fix Released
Andrei Coada (raziel.kernel) wrote :

Still hasn't made it in Xenial after 4 months...

Robie Basak (racb) wrote :

Sorry, this issue having affected only four users in three years, we need to prioritise other bugs. If you'd like to drive the fix yourself, please see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Joshua Powers (powersj) on 2017-07-19
Changed in postfix (Ubuntu Xenial):
assignee: nobody → Joshua Powers (powersj)
Changed in postfix (Ubuntu Trusty):
assignee: nobody → Joshua Powers (powersj)
Joshua Powers (powersj) on 2017-07-19
description: updated
Joshua Powers (powersj) on 2017-07-19
description: updated
Brian Murray (brian-murray) wrote :

Although the xenial SRU isn't ready yet, I'll accept this into trusty but they should be release together to prevent regressions when updating from 14.04 to 16.04.

Changed in postfix (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-trusty

Hello Matthias, or anyone else affected,

Accepted postfix into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/postfix/2.11.0-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in postfix (Ubuntu Trusty):
importance: Undecided → Medium
Changed in postfix (Ubuntu Xenial):
importance: Undecided → Medium
ChristianEhrhardt (paelzer) wrote :

Multiple notes on this for the SRU Team:
1. the trusty fix was accepted by Brian about a month ago, but back then it failed to build.
   Reason: it had issues on the new kernel in the build env.
   Currently 2.11.0-1ubuntu1.2 [1] is in proposed for that which looks good.
   IMHO that could have needed a -v2.11.0-1ubuntu1 but it is too late for that.
   I expect some SRU tools miss this bug, for the -v being missing.

2. The Xenial SRU pipe is finally cleared of [2], so we now are able to correctly sponsor the Xenial fix for this.

Thereby ready for SRU review and acceptance on x-unapproved as well now.

@Josh it would be great if you could help to track migration of these - ok?

[1]: https://launchpad.net/ubuntu/+source/postfix/2.11.0-1ubuntu1.2
[2]: https://launchpad.net/ubuntu/+source/postfix/3.1.0-3ubuntu0.1

Chris J Arges (arges) wrote :

Hello Matthias, or anyone else affected,

Accepted postfix into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/postfix/3.1.0-3ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in postfix (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Joshua Powers (powersj) wrote :

Using Trusty I was able to install version 2.11.0-1ubuntu1.2 from proposed and complete the verification steps in the test case. I can confirm that postfix started as expected with the new version, but failed to start with the current version in the archive.

My log from Trusty attached

Joshua Powers (powersj) wrote :

Using Xenial I was able to install version 3.1.0-3ubuntu0.2 from proposed and complete the verification steps in the test case. I can confirm that postfix started as expected with the new version, but failed to start with the current version in the archive.

My log from Xenial is attached

tags: added: verification-done-trusty verification-done-xenial
removed: verification-needed verification-needed-trusty verification-needed-xenial
Joshua Powers (powersj) wrote :

Marking verification-done-trusty and verification-done-xenial

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 2.11.0-1ubuntu1.2

---------------
postfix (2.11.0-1ubuntu1.2) trusty; urgency=medium

  * makedefs, src/util/sys_defs.h: Fix FTBFS with prior upload.
    - Source assumes only Linux 3.x kernels exist, but HWE in trusty is
      at 4.4.

 -- Nishanth Aravamudan <email address hidden> Fri, 18 Aug 2017 18:13:13 -0700

Changed in postfix (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 3.1.0-3ubuntu0.2

---------------
postfix (3.1.0-3ubuntu0.2) xenial; urgency=medium

  * Ignore broken symbolic links during ca_cert check (Closes LP: #1305232)

 -- Joshua Powers <email address hidden> Thu, 17 Aug 2017 08:56:11 -0700

Changed in postfix (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for postfix has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers