postfix chroot environment doesn't have ca-certificates

Bug #118963 reported by PatRiehecky on 2007-06-06
Affects Status Importance Assigned to Milestone
postfix (Debian)
Fix Released
ubuntu-docs (Ubuntu)
Ubuntu Server

Bug Description

Binary package hint: postfix

In my mail.log I noticed

Jun 6 06:25:09 smtp2 postfix/smtp[6020]: certificate verification failed for mailfilter.mysite.tld: num=20:unable to get local issuer certificate
Jun 6 06:25:09 smtp2 postfix/smtp[6020]: certificate verification failed for mailfilter.mysite.tld: num=27:certificate not trusted
Jun 6 06:25:09 smtp2 postfix/smtp[6020]: certificate verification failed for mailfilter.mysite.tld: num=21:unable to verify the first certificate
Jun 6 06:25:10 smtp2 postfix/smtp[6020]: Unverified: subject_CN=mailfilter.mysite.tld, issuer=Thawte Premium Server CA

which I found a bit odd considering ca-certificates was installed.

After poking around a bit I discovered that the ca-certificates were not installed in a place that the postfix chroot could get to them.

Steps for resolution by hand:

mkdir -p /var/spool/postfix/certs /var/spool/postfix/usr/share/ca-certificates
(cd /etc/ssl/certs ; tar cvf - * ) | (cd /var/spool/postfix/certs ; tar xvf -)
(cd /usr/share/ca-certificates ; tar cvf - * ) | (cd /var/spool/postfix/usr/share/ca-certificates ; tar xvf - )
postconf -e 'smtp_tls_CApath = /certs'
/etc/init.d/postfix reload

Any chance on getting this a bit more automated?

dpkg -l |grep postfix
ii postfix 2.3.3-1 A high-performance mail transport agent
ii postfix-ldap 2.3.3-1 LDAP map support for Postfix
ii postfix-pcre 2.3.3-1 PCRE map support for Postfix

dpkg -l |grep ca-certificates
ii ca-certificates 20050804 Common CA Certificates PEM files

Changed in postfix:
status: Unknown → New

I think this bug can be raised to Wishlist in Ubuntu, as it currently gets no attention in Debian and could be solved by the proposal here or by the one in the Debian Bug Tracker. Doing so will improve the postfix administrator experience.

Probably it's even better to put the certificates inside the chroot and only symlink outside the chroot, as this will save some effort and does not break the chroot.

Changed in postfix:
assignee: nobody → ubuntu-server
status: New → Confirmed
Scott Kitterman (kitterman) wrote :

I'd suggest that this should probably be addressed in Ubuntu documentation. Checking the validity of certificates for TLS is not a standard practice, and so in the corner case of someone wanting to do that, addressing it in documentation would be largely sufficient, I would think. Postfix is always going to take a certain amount of manual configuration for special cases.

Changed in ubuntu-docs:
status: Confirmed → Triaged
importance: Undecided → Low
Changed in postfix:
status: New → Fix Released
Adam Sommer (asommer) wrote :

The new Server Guide recommends using Dovecot SASL, and the issue with ca-certificates doesn't apply.

Changed in ubuntu-docs:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 8.03.2

ubuntu-docs (8.03.2) hardy; urgency=low

  * New bzr checkout (LP: #176678, LP: #118963, LP: #108083, LP: #202312)
  * Replacing "server" document with "serverguide"
  * Refresh pot files
  * Fixing debian/rules to filter translations less than 40%

 -- Matthew East <email address hidden> Sun, 16 Mar 2008 22:16:42 +0000

Changed in ubuntu-docs:
status: Fix Committed → Fix Released