postfix init script copies smtp_tls_CApath /etc/ssl/certs to /var/spool/postfix/etc/ssl/certs/etc/ssl/certs

Bug #828047 reported by William Shallum on 2011-08-17
This bug affects 3 people
Affects: postfix (Debian), Status: Fix Released
Affects: postfix (Ubuntu), Assigned to: LaMont Jones

Bug Description

The postfix init script copies the files in smtp_tls_CApath to a location within the chroot using this line of code:

find "$ca_path" -print0 | cpio -0pdL "$dest_dir"

where ca_path=$(postconf -h smtp_tls_CApath) and dest_dir="$queue_dir/${ca_path#/}"

When smtp_tls_CApath=/etc/ssl/certs this copies the certificates into /var/spool/postfix/etc/ssl/certs/etc/ssl/certs instead of /var/spool/postfix/etc/ssl/certs, causing certificate verification to fail. I suggest using some other method of copying the certificates.

PS: the part that copies the smtp_tls_CAfile below also seems a bit odd; why is it using ca_path when calculating dest_dir? I have not checked whether this is really a bug, as I don't use the smtp_tls_CAfile setting.

    if test -f "$ca_file"; then
      mkdir --parent "$dest_dir"
      cp -L "$ca_file" "$dest_dir"
    fi

ProblemType: Bug
Architecture: i386
Date: Wed Aug 17 09:59:32 2011
DistroRelease: Ubuntu 10.04
Package: postfix 2.8.1-1~lucid1
PackageArchitecture: i386
ProcEnviron: SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-33.70-generic-pae
SourcePackage: postfix
Tags: lucid
Uname: Linux 2.6.32-33-generic-pae i686

William Shallum (william) wrote:

Changing the line to

(cd "$ca_path" && find . -print0 | cpio -0pdL "$dest_dir")

seems to do the trick.
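The path doubling from the description and the one-line fix from this comment, as an added example that is not part of the original report or of the postfix init script. It emulates the naming rule of cpio -pd with plain mkdir/cp so it runs without cpio, and adds a check that tells whether the copy under the queue directory actually mirrors smtp_tls_CApath; all paths are constructed under a temporary root.

```shell
#!/bin/sh
# Added example, not the Debian/Ubuntu postfix init script. cpio_like_copy
# emulates the one rule that matters here: 'cpio -pd DEST' creates each name
# read from stdin as DEST/<name>. Absolute names from 'find "$ca_path"' thus
# land in DEST/etc/ssl/certs/..., while names from 'cd "$ca_path" && find .'
# land directly in DEST. (Newline-separated names; the real script uses -print0.)
set -u

cpio_like_copy() {              # $1 = dest_dir; file names on stdin
  while IFS= read -r name; do
    target="$1/${name#/}"
    if [ -d "$name" ] && [ ! -L "$name" ]; then
      mkdir -p "$target"
    else
      mkdir -p "$(dirname "$target")" && cp -L "$name" "$target"
    fi
  done
}
copy_ca_path_buggy() {          # $1 = ca_path, $2 = dest_dir (original line)
  find "$1" | cpio_like_copy "$2"
}
copy_ca_path_fixed() {          # $1 = ca_path, $2 = dest_dir (fixed line)
  (cd "$1" && find . | cpio_like_copy "$2")
}

# Does $queue_dir/$ca_path mirror $ca_path? 0 = yes; 2 = the doubled
# directory from this bug exists; 1 = a file is missing or differs.
check_chroot_ca_path() {        # $1 = queue_dir, $2 = ca_path
  dest_dir="$1/${2#/}"
  [ -d "$dest_dir/${2#/}" ] && return 2
  (cd "$2" && find . -type f) | while IFS= read -r f; do
    cmp -s "$2/$f" "$dest_dir/$f" || exit 1
  done
}

# Constructed stand-ins for /etc/ssl/certs (one cert plus a hash symlink)
# and /var/spool/postfix, all under one temp root that is printed.
make_fixture() {
  root=$(mktemp -d) && mkdir -p "$root/etc/ssl/certs" &&
  printf 'cert-a\n' >"$root/etc/ssl/certs/a.pem" &&
  ln -s a.pem "$root/etc/ssl/certs/1234abcd.0" && echo "$root"
}
demo() {                        # 0 = bug reproduced and fix verified
  root=$(make_fixture) || return 1
  ca="$root/etc/ssl/certs"; queue="$root/var/spool/postfix"
  copy_ca_path_buggy "$ca" "$queue/${ca#/}"
  rc=0; check_chroot_ca_path "$queue" "$ca" || rc=$?
  [ "$rc" -eq 2 ] || return 1             # certs ended up one level too deep
  rm -rf "$queue" && copy_ca_path_fixed "$ca" "$queue/${ca#/}"
  check_chroot_ca_path "$queue" "$ca"
}
```

On a real host, `check_chroot_ca_path "$(postconf -h queue_directory)" "$(postconf -h smtp_tls_CApath)"` returning 2 is the signature of this bug.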

Changed in postfix (Ubuntu):
status: New → Confirmed
Changed in postfix (Debian):
status: Unknown → New
LaMont Jones (lamont) on 2011-08-20
Changed in postfix (Ubuntu):
assignee: nobody → LaMont Jones (lamont)
status: Confirmed → Fix Committed
Scott Kitterman (kitterman) wrote:

postfix (2.8.4-1ubuntu1) oneiric; urgency=low

  * Add back in apport. Debian lacks it, so the package is now
    forked. :(

 -- LaMont Jones <email address hidden> Sat, 20 Aug 2011 14:39:33 -0600

postfix (2.8.4-1) unstable; urgency=low

  [Scott Kitterman]

  * Switch to debhelper 7, use dh_prep instead of dh_clean -k

  [Friedemann Stoyan]

  * create chroots with the right ca_path. Closes: #627266

  [Wietse Venema]

  * Upstream fix release
    - Performance: a high load of DSN success notification requests
      could slow down the queue manager.
    - Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
      client reported some "file too large" errors as temporary
    - Bugfix (introduced in Postfix 1.1, duplicated in Postfix
      2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
      agent ignored table lookup errors in mailbox_command_maps,
      mailbox_transport_maps, fallback_transport_maps and (while
      bouncing mail to alias) alias owner lookup.
    - Bugfix (introduced Postfix 2.6 with master_service_disable)
      loop control error when parsing a malformed file.
    - Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
      "protocol error" after queue file write error.
    - Linux kernel version 3 support.
    - Workaround: some Spamhaus RHSBL rejects lookups with "No
      IP queries" even if the name has an alphanumerical prefix.
      We play safe, and skip both RHSBL and RHSWL queries for
      names ending in a numerical suffix.

  [LaMont Jones]

  * apport, fix FTBFS on linux 3.0 - From ubuntu.
  * SASL vs multiarch. Closes: #638443, #638045
  * Update init.d script to handle multi_instance setups. Closes: #560682
  * Do not try to update resolv.conf when it does not exist. LP: #530323
  * Better handle bad map names in postmap -u. LP: #647647
  * Drop apport usage, since debian lacks it and failing to build is bad.

 -- LaMont Jones <email address hidden> Sat, 20 Aug 2011 13:48:59 -0600

Changed in postfix (Ubuntu):
status: Fix Committed → Fix Released
Changed in postfix (Debian):
status: New → Fix Released