Comment 26 for bug 1868955

Lucas Kanashiro (lucaskanashiro) wrote : Re: after upgrade to 20.04: posttls cannot connect to private/tlsmgr

After Scott's comment about updating postfix to 3.4.11, I checked the changelog of this version and I noticed the only change from 3.4.10 is:

20200416

 Workaround for broken builds after an incompatible change
 in GCC 10. Files: makedefs, Makefile.in.

 Workaround for broken DANE support after an incompatible
 change in GLIBC 2.31. This avoids the need for new options
 in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.

I marked Groovy as Fix Released because version 3.5.2 also contains this commit. However, when I tried the mentioned commands in a Groovy container I faced the same issue:

$ lxc launch ubuntu-daily:groovy postfix-dane-issue
$ lxc shell postfix-dane-issue
# apt install postfix
# dpkg -l | grep postfix
ii postfix 3.5.2-1 amd64 High-performance mail transport agent
# posttls-finger -c gmail.com
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
^C
# posttls-finger -t30 -T180 -c -L verbose,summary -w smtp.sdeziel.info:465
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: warning: lost connection while sending QUIT command

As Paride mentioned, those commands work without any problem in Eoan, and also in Debian unstable, which has the same postfix version:

$ lxc launch images:debian/sid postfix-dane-issue-debian
$ lxc shell postfix-dane-issue-debian
# apt install postfix
# dpkg -l | grep postfix
ii postfix 3.5.2-1+b1 amd64 High-performance mail transport agent
# posttls-finger -c gmail.com
posttls-finger: Failed to establish session to gmail.com via gmail-smtp-in.l.google.com: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Connection timed out
^C
# posttls-finger -t30 -T180 -c -L verbose,summary -w smtp.sdeziel.info:465
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: depth=0 verify=1 subject=/CN=smtp.sdeziel.info
posttls-finger: certificate verification failed for smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: subject_CN=smtp.sdeziel.info, issuer_CN=Let's Encrypt Authority X3, fingerprint=C9:7A:27:B3:13:62:4C:ED:5C:C8:CE:6D:9D:E8:E7:3A:F2:73:AE:9D, pkey_fingerprint=59:B1:2C:D2:78:CD:55:A1:11:F5:D5:AA:DB:87:1E:16:00:EC:52:33
posttls-finger: Untrusted TLS connection established to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

In Debian there is a binary-only upload (I got it from the amd64 buildd log):

Format: 1.0
Source: postfix (3.5.2-1)
Binary: postfix postfix-ldap postfix-lmdb postfix-cdb postfix-pcre postfix-mysql postfix-pgsql postfix-sqlite postfix-doc
Architecture: amd64
Version: 3.5.2-1+b1
Binary-Only-Changes:
 postfix (3.5.2-1+b1) sid; urgency=low, binary-only=yes
 .
   * Binary-only non-maintainer upload for amd64; no source changes.
   * Rebuild against libicu67
 .
  -- all / amd64 / i386 Build Daemon (x86-conova-01) <email address hidden> Wed, 03 Jun 2020 20:54:57 +0000

Do we need this in Groovy?
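A detail worth noticing in the Groovy run above is that posttls-finger does not abort when it cannot reach tlsmgr: it logs "disabling TLS support" and carries on in plaintext, so a scripted check that only looks for "TLS connection established" (or only for a non-zero exit) would report the probe as fine. The parser below is an added example, not part of Postfix or of this bug report. It turns posttls-finger output into a verdict that treats the tlsmgr/entropy warning as a failure and separates trusted from untrusted sessions. The line patterns are modelled on the output quoted in this comment; the four trust labels (Verified/Trusted/Untrusted/Anonymous) are Postfix's standard wording for that message, the "Trusted" sample line is constructed, and the function and field names are my own.

```python
"""Classify posttls-finger output so a silently downgraded probe is not reported as a pass.

Example code added to this bug comment; it is not Postfix code.  Patterns are modelled
on the lines quoted in the comment (Postfix 3.5.x); field and function names are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# tlsmgr unreachable: posttls-finger retries, then gives up on TLS entirely.
TLSMGR_RE = re.compile(
    r"^posttls-finger: warning: (?:connect to|problem talking to server) private/tlsmgr: (?P<err>.+)$")
TLS_DISABLED_RE = re.compile(
    r"^posttls-finger: warning: no entropy for TLS key generation: disabling TLS support$")
SESSION_FAILED_RE = re.compile(
    r"^posttls-finger: Failed to establish session to (?P<host>\S+) via (?P<mx>\S+): (?P<reason>.+)$")
VERIFY_FAILED_RE = re.compile(
    r"^posttls-finger: certificate verification failed for (?P<peer>\S+): (?P<reason>.+)$")
# Verified/Trusted/Untrusted/Anonymous are Postfix's trust labels (assumed; only Untrusted appears above).
ESTABLISHED_RE = re.compile(
    r"^posttls-finger: (?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
# Certificate fingerprint; the lookbehind skips the "pkey_fingerprint=" field on the same line.
CERT_FP_RE = re.compile(r"(?<!_)fingerprint=(?P<fp>[0-9A-F]{2}(?::[0-9A-F]{2})+)")


@dataclass
class ProbeResult:
    verdict: str = "unknown"            # tls-disabled | tls-trusted | tls-untrusted | connect-failed | unknown
    peer: Optional[str] = None
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    trust: Optional[str] = None         # raw Postfix trust label, if a session was established
    verify_reason: Optional[str] = None
    cert_fingerprint: Optional[str] = None
    failure: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_posttls_finger(output: str) -> ProbeResult:
    """Walk the log lines once, collect facts, then decide the verdict from the most severe fact."""
    r = ProbeResult()
    tls_disabled = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TLSMGR_RE.match(line):
            r.warnings.append(line.split("warning: ", 1)[1])
            continue
        if TLS_DISABLED_RE.match(line):
            tls_disabled = True
            continue
        m = SESSION_FAILED_RE.match(line)
        if m:
            r.peer, r.failure = m["mx"], m["reason"]
            continue
        m = VERIFY_FAILED_RE.match(line)
        if m:
            r.verify_reason = m["reason"]
            continue
        m = ESTABLISHED_RE.match(line)
        if m:
            r.peer, r.protocol, r.cipher, r.trust = m["peer"], m["proto"], m["cipher"], m["trust"]
            continue
        m = CERT_FP_RE.search(line)
        if m:
            r.cert_fingerprint = m["fp"]
    # "disabling TLS support" wins over everything: whatever followed happened in plaintext.
    if tls_disabled:
        r.verdict = "tls-disabled"
    elif r.trust in ("Verified", "Trusted"):
        r.verdict = "tls-trusted"
    elif r.trust is not None:
        r.verdict = "tls-untrusted"
    elif r.failure is not None:
        r.verdict = "connect-failed"
    return r


def tls_probe_passed(r: ProbeResult, require_trusted: bool = True) -> bool:
    """A probe passes only if TLS was actually negotiated (and, by default, the chain verified)."""
    return r.verdict == "tls-trusted" or (not require_trusted and r.verdict == "tls-untrusted")


# Samples: the first three are copied (Debian one excerpted) from the comment above; the last is constructed.
GROOVY_TLSMGR_BROKEN = """\
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: warning: lost connection while sending QUIT command
"""
DEBIAN_SID_465 = """\
posttls-finger: setting up TLS connection to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465
posttls-finger: certificate verification failed for smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: subject_CN=smtp.sdeziel.info, issuer_CN=Let's Encrypt Authority X3, fingerprint=C9:7A:27:B3:13:62:4C:ED:5C:C8:CE:6D:9D:E8:E7:3A:F2:73:AE:9D, pkey_fingerprint=59:B1:2C:D2:78:CD:55:A1:11:F5:D5:AA:DB:87:1E:16:00:EC:52:33
posttls-finger: Untrusted TLS connection established to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
"""
GMAIL_TIMEOUT = "posttls-finger: Failed to establish session to gmail.com via gmail-smtp-in.l.google.com: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Connection timed out\n"
# Constructed line (hypothetical host/address) showing a verified chain.
TRUSTED_SAMPLE = "posttls-finger: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\n"

if __name__ == "__main__":
    for name, sample in [("groovy", GROOVY_TLSMGR_BROKEN), ("debian-465", DEBIAN_SID_465),
                         ("gmail", GMAIL_TIMEOUT), ("constructed", TRUSTED_SAMPLE)]:
        res = parse_posttls_finger(sample)
        print(f"{name:12} {res.verdict:15} passed={tls_probe_passed(res)} peer={res.peer}")
```

Run with the output of a real probe on stdin or a file (for example `posttls-finger ... 2>&1 | python3 probe.py` after swapping the `__main__` loop for `sys.stdin.read()`), and fail the check whenever `tls_probe_passed` is false. The Debian run in the comment is classified `tls-untrusted`, not a pass, because the chain did not verify against the default trust store even though TLS 1.3 was negotiated; the Groovy run is `tls-disabled` regardless of anything that follows the entropy warning.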