Postfix fails to start, "failure to copy certificates"

Bug #1305232 reported by Matthias Andree on 2014-04-09
This bug affects 4 people
Affects            Importance   Assigned to
postfix (Ubuntu)   Medium       Unassigned
Trusty             Medium       Joshua Powers
Xenial             Medium       Joshua Powers

Bug Description

== Begin SRU Template ==
[Impact]

 * It is possible for postfix to fail to start whenever there are broken symlinks in directories it scans, like certificates when the ca-certificates package is upgraded.

[Test Case]

 * lxc launch ubuntu-daily:xenial xenial
 * lxc exec xenial bash
 * sudo apt install postfix -y
 * Edit /etc/postfix/main.cf and add the following line
   smtp_tls_CApath=/usr/share/ca-certificates
 * ln -s fakefile /usr/share/ca-certificates/foobar.pem
 * /etc/init.d/postfix stop
 * /etc/init.d/postfix start
 * If broken, the failure message " * failure copying certificates" should print.

Postfix will fail to start as a result of the bad symlink.

[Regression Potential]

 * Users currently experiencing this issue would be expecting an SRU fix to come from us as the application is broken.
 * The only workaround would require editing the init script with the workaround as described in this bug or removing the bad symlinks. In either case, these things should be fixed.

[Other Info]

Postfix frequently fails to start after security updates to the ca-certificates package because upgrading the latter sometimes leaves dangling symlinks behind. If that happens, the /etc/init.d/postfix script aborts.

                    # handle files in subdirectories
                    (cd "$ca_path" && find . -name '*.pem' -print0 | cpio -0pdL --quiet "$dest_dir") 2>/dev/null ||
                        (log_failure_msg failure copying certificates; exit 1)

The usual fix on a high level is "dpkg-reconfigure --priority=high ca-certificates"; however, I would propose to change the find command as follows:

                    # handle files in subdirectories
                    (cd "$ca_path" && find . -name '*.pem' -not -xtype l -print0 | cpio -0pdL --quiet "$dest_dir") 2>/dev/null ||
                        (log_failure_msg failure copying certificates; exit 1)

This would then skip printing broken symbolic links, and prevent cpio from choking on them.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: postfix 2.9.6-1~12.04.1
ProcVersionSignature: Ubuntu 3.11.0-19.33~precise1-generic 3.11.10.5
Uname: Linux 3.11.0-19-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: i386
Date: Wed Apr 9 20:20:17 2014
EcryptfsInUse: Yes
MarkForUpload: True
ProcEnviron:
 LANGUAGE=de_DE:de:en_GB:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: postfix
UpgradeStatus: Upgraded to precise on 2012-11-01 (523 days ago)

Key is adding "-not -xtype l" which weeds out stuff that is a symbolic link when dereferenced. This is only true for broken (dangling) symbolic links.
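
The effect of the `-not -xtype l` filter, as an added example that is not part of the original report or the postfix package: it runs both `find` selections from the init script over a constructed directory containing the dangling `foobar.pem` link from the test case. The function names and directory layout are assumptions, and `-xtype` requires GNU find.

```shell
#!/bin/sh
# Added example: constructed directory, not the real /usr/share/ca-certificates.
# Function names are hypothetical. Requires GNU find (-xtype is a GNU extension).

# Build a sample CA path: a regular file, a valid symlink, a dangling symlink.
make_sample_capath() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/sub"
    echo "constructed placeholder, not a real certificate" > "$dir/real.pem"
    ln -s ../real.pem "$dir/sub/valid-link.pem"   # resolves to a regular file
    ln -s fakefile "$dir/foobar.pem"              # dangling, as in the test case
    printf '%s\n' "$dir"
}

# Selection used by the unpatched init script: every *.pem name,
# including links whose target no longer exists.
list_pem_unfiltered() {
    (cd "$1" && find . -name '*.pem' | LC_ALL=C sort)
}

# Proposed selection: -xtype l is true only when the link cannot be
# resolved, so -not -xtype l drops dangling links and keeps valid ones.
list_pem_filtered() {
    (cd "$1" && find . -name '*.pem' -not -xtype l | LC_ALL=C sort)
}

# The filter skips dangling links silently; this lists them so the
# operator can repair or remove them.
list_dangling_pem() {
    (cd "$1" && find . -name '*.pem' -xtype l | LC_ALL=C sort)
}

d=$(make_sample_capath)
echo "unfiltered:"; list_pem_unfiltered "$d"
echo "filtered:";   list_pem_filtered "$d"
echo "dangling:";   list_dangling_pem "$d"
rm -rf "$d"
```

Pointing `list_dangling_pem` at the directory named by `smtp_tls_CApath` shows which links the patched script would skip.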

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in postfix (Ubuntu):
status: New → Confirmed
LaMont Jones (lamont) wrote :

I will get this added to the package.

Bug persists in 14.04 LTS.

Bug persists in 16.04 LTS

Scott Kitterman (kitterman) wrote :

I've pushed the fix to git for the Debian postfix package. This will be in the next Debian upload that will get sync'ed into the Ubuntu development release. Someone who is involved in Ubuntu will need to work on a stable update after that happens if you want the fix in an earlier release.

Changed in postfix (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Fix Committed
Robie Basak (racb) wrote :

Thanks Scott. Marking bitesize as this sounds like a straightforward cherry-pick for SRUs.

Changed in postfix (Ubuntu Trusty):
status: New → Triaged
Changed in postfix (Ubuntu Xenial):
status: New → Triaged
tags: added: bitesize
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postfix - 3.1.4-2

---------------
postfix (3.1.4-2) unstable; urgency=medium

  * Update postfix Suggestions.
  * Update postfix-sqlite postinst/prerm to reflect that addmap is idempotent.
  * Restore so.1.0.1 symlinks for map libraries and change how new entries are
    added. Closes: #850400
  * Be more aggressive in retiring usage of lmtp binary. Closes: #850430
    LP: #1654453
  * Check symlinks separately in postfix-script, to allow library symlinks.
    This will go away once the symlinks are dropped again.

 -- LaMont Jones <email address hidden> Fri, 06 Jan 2017 08:41:36 -0700

Changed in postfix (Ubuntu):
status: Fix Committed → Fix Released
Andrei Coada (raziel.kernel) wrote :

Still hasn't made it in Xenial after 4 months...

Robie Basak (racb) wrote :

Sorry, this issue having affected only four users in three years, we need to prioritise other bugs. If you'd like to drive the fix yourself, please see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Joshua Powers (powersj) on 2017-07-19
Changed in postfix (Ubuntu Xenial):
assignee: nobody → Joshua Powers (powersj)
Changed in postfix (Ubuntu Trusty):
assignee: nobody → Joshua Powers (powersj)
Joshua Powers (powersj) on 2017-07-19
description: updated
Joshua Powers (powersj) on 2017-07-19
description: updated
Brian Murray (brian-murray) wrote :

Although the xenial SRU isn't ready yet, I'll accept this into trusty but they should be released together to prevent regressions when updating from 14.04 to 16.04.

Changed in postfix (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-trusty

Hello Matthias, or anyone else affected,

Accepted postfix into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/postfix/2.11.0-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in postfix (Ubuntu Trusty):
importance: Undecided → Medium
Changed in postfix (Ubuntu Xenial):
importance: Undecided → Medium