posttls-finger fails to connect to private/tlsmgr
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Ubuntu) | Fix Released | Low | Miriam España Acebal |
Focal | Fix Released | Low | Miriam España Acebal |
Groovy | Won't Fix | Undecided | Unassigned |
Hirsute | Fix Released | Low | Miriam España Acebal |
Impish | Fix Released | Low | Miriam España Acebal |
Bug Description
[SRU]
[Impact]
If posttls-finger is not used within /var/spool/postfix, the private/tlsmgr socket is not found and TLS is disabled.
[Test Plan]
This behaviour has been seen in Focal, Hirsute (also in Impish).
To test the bad response, run posttls-finger mx.dmz.tait.net.nz outside the /var/spool/postfix folder:
root@focal:
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: Connected to mx.dmz.
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO impish-
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTA
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
A good response has a STARTTLS section, and the warning messages don't appear.
[Where problems could occur]
It can affect other global variables/functions reallocated in the shared library, so unexpected behaviour can arise for other postfix tools using the shared libraries that the package provides (in the sense of not-discovered-yet bugs).
[Other Info]
Reported upstream at https:/
"Ubuntu should not use -Bsymbolic or -Bsymbolic-
Postfix shared libraries."
[Original Report]
---
When running posttls-finger on focal, it attempts to connect to private/tlsmgr, and unless the program is being run from /var/spool/postfix as root, this fails and posttls-finger disables TLS in the subsequent connection that it makes to the specified SMTP server.
If the user doesn't notice the "disabling TLS support" message in the output, they might infer that the test has successfully verified their TLS configuration, when in fact all it has verified is that it can connect to the SMTP server without TLS.
The following command shows the problem:
root@maimbo:/# posttls-finger mx.dmz.tait.net.nz
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: using DANE RR: _25._tcp.
posttls-finger: Connected to mx.dmz.
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTA
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
In contrast, if the same command is run from /var/spool/postfix as root, the output is as follows:
root@maimbo:
posttls-finger: using DANE RR: _25._tcp.
posttls-finger: Connected to mx.dmz.
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTA
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx.dmz.
posttls-finger: mx.dmz.
posttls-finger: mx.dmz.
posttls-finger: mx.dmz.
posttls-finger: Verified TLS connection established to mx.dmz.
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTA
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
Which of course now includes the "Verified TLS connection established..." line.
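An added example, not part of the original report: a shell filter that reads posttls-finger output and treats the run as a TLS check only when the "Verified TLS connection established" line is present, so the "disabling TLS support" fallback described above cannot go unnoticed. The function names, verdict words and the host mx.example.test are assumptions; it also covers the more general case where STARTTLS is offered but never sent.

```shell
# Added example (not from the bug report): classify posttls-finger output so a
# plaintext fallback is not mistaken for a TLS check. Names are assumptions.

classify_finger_output() {
    # Reads posttls-finger output on stdin and prints a single verdict word.
    awk '
        /disabling TLS support/               { disabled = 1 }
        /^posttls-finger: < 250[- ]STARTTLS/  { offered = 1 }
        /^posttls-finger: > STARTTLS/         { sent = 1 }
        /Verified TLS connection established/ { verified = 1 }
        END {
            if (disabled)              print "tls-disabled"
            else if (verified)         print "verified"
            else if (offered && !sent) print "starttls-not-attempted"
            else if (sent)             print "tls-unverified"
            else                       print "no-starttls-offered"
        }'
}

require_verified() {
    # Succeeds only when the session on stdin reached a verified TLS connection.
    verdict=$(classify_finger_output)
    echo "$verdict"
    [ "$verdict" = "verified" ]
}

# Constructed samples: message text copied from the report, host is a placeholder.
sample_disabled() {
    cat <<'EOF'
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: < 250-STARTTLS
posttls-finger: > QUIT
EOF
}

sample_verified() {
    cat <<'EOF'
posttls-finger: < 250-STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to mx.example.test
posttls-finger: > QUIT
EOF
}

for s in sample_disabled sample_verified; do
    printf '%s: ' "$s"; "$s" | require_verified || echo "  -> do not trust this run"
done
```

In practice the filter would be fed with `posttls-finger <host> 2>&1 | require_verified`, and a monitoring job would alert on any non-zero exit status.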
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
- Diff: 127 lines (+64/-2), 6 files modified
  - debian/changelog (+36/-0)
  - debian/control (+2/-1)
  - debian/patches/postfix-3.6.2-glibc-234-build-fix.patch (+23/-0)
  - debian/patches/series (+1/-0)
  - debian/postfix.postinst (+1/-1)
  - debian/rules (+1/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 25 lines (+7/-0), 2 files modified
  - debian/changelog (+6/-0)
  - debian/rules (+1/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Diff: 25 lines (+7/-0), 2 files modified
  - debian/changelog (+6/-0)
  - debian/rules (+1/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 67 lines (+35/-0), 4 files modified
  - debian/changelog (+8/-0)
  - debian/patches/postfix-3.6.2-glibc-234-build-fix.patch (+25/-0)
  - debian/patches/series (+1/-0)
  - debian/rules (+1/-0)
Changed in postfix (Ubuntu):
importance: Undecided → Low
tags: added: server-next
description: updated
description: updated
Changed in postfix (Ubuntu Hirsute):
assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Ubuntu Impish):
assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Ubuntu Groovy):
status: Confirmed → Won't Fix
Changed in postfix (Ubuntu Focal):
assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Ubuntu Impish):
status: Confirmed → In Progress
Changed in postfix (Ubuntu Focal):
importance: Undecided → Low
description: updated
description: updated
We (Debian and derivatives such as Ubuntu) have postfix in a chroot by default. This is a side effect of that configuration.