2020-03-25 10:30:48 |
Jan Büren |
bug |
|
|
added bug |
2020-03-26 13:36:59 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Server |
2020-03-26 13:37:08 |
Paride Legovini |
tags |
amd64 apport-bug focal |
amd64 apport-bug focal server-next |
|
2020-03-26 16:06:03 |
Launchpad Janitor |
postfix (Ubuntu): status |
New |
Confirmed |
|
2020-03-30 18:50:58 |
Bryce Harrington |
postfix (Ubuntu): importance |
Undecided |
Medium |
|
2020-03-30 18:51:00 |
Bryce Harrington |
postfix (Ubuntu): status |
Confirmed |
Triaged |
|
2020-06-06 03:37:04 |
Nick Tait |
attachment added |
|
C program to demonstrate AD flag issue https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1868955/+attachment/5380849/+files/dnsadtest.c |
|
2020-06-06 03:59:08 |
Scott Kitterman |
affects |
postfix (Ubuntu) |
glibc (Ubuntu) |
|
2020-06-06 08:44:15 |
Nick Tait |
affects |
glibc (Ubuntu) |
postfix (Ubuntu) |
|
2020-06-08 14:11:52 |
Paride Legovini |
bug |
|
|
added subscriber Paride Legovini |
2020-06-08 17:54:49 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Focal |
|
2020-06-08 17:54:49 |
Lucas Kanashiro |
bug task added |
|
postfix (Ubuntu Focal) |
|
2020-06-08 17:54:59 |
Lucas Kanashiro |
postfix (Ubuntu Focal): status |
New |
Triaged |
|
2020-06-08 17:55:02 |
Lucas Kanashiro |
postfix (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-06-08 17:55:07 |
Lucas Kanashiro |
postfix (Ubuntu): status |
Triaged |
Fix Released |
|
2020-06-09 14:51:30 |
Lucas Kanashiro |
postfix (Ubuntu): status |
Fix Released |
Triaged |
|
2020-06-10 12:53:28 |
Lucas Kanashiro |
postfix (Ubuntu): status |
Triaged |
Fix Released |
|
2020-06-10 13:43:01 |
Lucas Kanashiro |
description |
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.11 since the changes are minimal (and also seems there is an authorization from the Tech Board to do that). Here is the upstream changelog change between 3.4.10 and 3.4.11:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
This new microrelease fixes the dane issue and the build against GCC 10 which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
[Test Case]
Thanks to Jan (bug reporter) there is an easy way to test it (quoting here part of the original description):
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
[Regression Potential]
According to upstream there are just 2 changes in this new microrelease: fix build against GCC 10, and fix the dane support after upgrade to glibc 2.31. The GCC 10 related changes could impact the build process but it still builds fine, the -fcommon option was added but it is the default for GCC in most targets according to the manpage, this new option might penalize the speed and the code size. The dane related changes actually fix this bug, and since all the changes were made in the DNS components, any regression involving DNS might be associated to this update.
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
|
2020-06-10 13:43:53 |
Lucas Kanashiro |
summary |
after upgrade to 20.04: posttls cannot connect to private/tlsmgr |
[SRU] after upgrade to 20.04: posttls cannot connect to private/tlsmgr |
|
2020-06-10 13:55:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/postfix/+git/postfix/+merge/385501 |
|
2020-06-10 14:05:49 |
Lucas Kanashiro |
postfix (Ubuntu Focal): assignee |
|
Lucas Kanashiro (lucaskanashiro) |
|
2020-06-10 22:00:59 |
Lucas Kanashiro |
postfix (Ubuntu Focal): status |
Triaged |
In Progress |
|
2020-06-12 12:32:59 |
Lucas Kanashiro |
summary |
[SRU] after upgrade to 20.04: posttls cannot connect to private/tlsmgr |
[SRU] after upgrade to 20.04: dane support is not working |
|
2020-06-12 12:42:47 |
Lucas Kanashiro |
description |
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.11 since the changes are minimal (and also seems there is an authorization from the Tech Board to do that). Here is the upstream changelog change between 3.4.10 and 3.4.11:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
This new microrelease fixes the dane issue and the build against GCC 10 which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
[Test Case]
Thanks to Jan (bug reporter) there is an easy way to test it (quoting here part of the original description):
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
[Regression Potential]
According to upstream there are just 2 changes in this new microrelease: fix build against GCC 10, and fix the dane support after upgrade to glibc 2.31. The GCC 10 related changes could impact the build process but it still builds fine, the -fcommon option was added but it is the default for GCC in most targets according to the manpage, this new option might penalize the speed and the code size. The dane related changes actually fix this bug, and since all the changes were made in the DNS components, any regression involving DNS might be associated to this update.
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.11 since the changes are minimal (and also seems there is an authorization from the Tech Board to do that). Here is the upstream changelog change between 3.4.10 and 3.4.11:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
This new microrelease fixes the dane issue and the build against GCC 10 which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
[Test Case]
Thanks to Jan (bug reporter) there is an easy way to test it (quoting here part of the original description with a small modification to make it easier to understand):
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
Output of the posttls-finger command with version 3.4.11 installed:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
Some warning messages show up when the command above is executed (if you remove the grep) but they can be ignored for now. As you can see among the comments below, even with those warnings users are able to send emails using dane-only policy with version 3.4.11 installed.
[Regression Potential]
According to upstream there are just 2 changes in this new microrelease: fix build against GCC 10, and fix the dane support after upgrade to glibc 2.31. The GCC 10 related changes could impact the build process but it still builds fine, the -fcommon option was added but it is the default for GCC in most targets according to the manpage, this new option might penalize the speed and the code size. The dane related changes actually fix this bug, and since all the changes were made in the DNS components, any regression involving DNS might be associated to this update.
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
|
2020-06-12 12:43:27 |
Lucas Kanashiro |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-06-19 17:58:56 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/postfix/+git/postfix/+merge/386118 |
|
2020-06-22 12:43:49 |
Lucas Kanashiro |
description |
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.11 since the changes are minimal (and also seems there is an authorization from the Tech Board to do that). Here is the upstream changelog change between 3.4.10 and 3.4.11:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
This new microrelease fixes the dane issue and the build against GCC 10 which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
[Test Case]
Thanks to Jan (bug reporter) there is an easy way to test it (quoting here part of the original description with a small modification to make it easier to understand):
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
Output of the posttls-finger command with version 3.4.11 installed:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
Some warning messages show up when the command above is executed (if you remove the grep) but they can be ignored for now. As you can see among the comments below, even with those warnings users are able to send emails using dane-only policy with version 3.4.11 installed.
[Regression Potential]
According to upstream there are just 2 changes in this new microrelease: fix build against GCC 10, and fix the dane support after upgrade to glibc 2.31. The GCC 10 related changes could impact the build process but it still builds fine, the -fcommon option was added but it is the default for GCC in most targets according to the manpage, this new option might penalize the speed and the code size. The dane related changes actually fix this bug, and since all the changes were made in the DNS components, any regression involving DNS might be associated to this update.
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.13 since the changes are self contained. Moreover, there is a Postfix SRU exception which allows microreleases if the bug is fixed in the current development series:
https://wiki.ubuntu.com/StableReleaseUpdates#Postfix
And according to the described process there is no need to define Test Case and Regression Potential sections. Upstream has been doing good work regarding those stable version bug fixes.
Here is the upstream changelog change between 3.4.10 and 3.4.13:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
20200419
Bugfix: segfault in the tlsproxy client role when the server
role was disabled. This typically happens on systems that
do not receive mail, after configuring connection reuse for
outbound TLS. Found during program maintenance. File:
tlsproxy/tlsproxy.c.
20200420
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File milter/milter.c.
20200422
Security: disable DANE support on Alpine Linux because
libc-musl provides no indication whether DNS responses are
authentic. This broke DANE support without a clear explanation.
File: makedefs.
20200505
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
20200509
Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
default value used the minute instead of the month. Reported
by Larry Stone. Files: conf/postfix-tls-script,
proto/MAILLOG_README.html, proto/postconf.proto.
global/mail_params.h, postfix/postfix.c.
20200510
Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
initializing the ICU library before making the chroot()
call. Files: util/midna_domain.[hc], global/mail_params.c.
20200511
Noise suppression: avoid "SSL_Shutdown:shutdown while in
init" warnings. File: tls/tls_session.c.
20200515
Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
client caused a false 'lost connection' error for an SMTP
over TLS session in the same Postfix process. Reported by
Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
tls/tls_bio_ops.c.
Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
session may cause a false 'lost connection' error for a
concurrent TLS session in the same tlsproxy process. File:
tlsproxy/tlsproxy.c.
20200530
Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
did not handle a missing optional argument. File:
conf/postfix-tls-script.
20200610
Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
the SNI callback reported an error when it was called a
second time. This happened after the server-side TLS engine
sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
client. Reported by Ján Máté, fixed by Viktor Dukhovni.
File: tls/tls_misc.c.
This new microrelease fixes the dane issue and the build against GCC 10 which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago) |
|
2020-06-24 13:49:57 |
Robie Basak |
postfix (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2020-06-24 13:49:59 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2020-06-24 13:50:02 |
Robie Basak |
tags |
amd64 apport-bug focal server-next |
amd64 apport-bug focal server-next verification-needed verification-needed-focal |
|
2020-06-29 12:28:48 |
Lucas Kanashiro |
tags |
amd64 apport-bug focal server-next verification-needed verification-needed-focal |
amd64 apport-bug focal server-next verification-done verification-done-focal |
|
2020-07-07 21:07:56 |
Launchpad Janitor |
postfix (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-07-07 21:08:03 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-08-12 13:13:58 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paride/ubuntu/+source/postfix/+git/postfix/+merge/407020 |
|