Package: postfix
Version: 2.11.3-1
Severity: normal
Tags: patch

Dear Maintainer,

I have been using the postfix package on mail servers since squeeze and upgraded through wheezy and jessie when they were released. Today I found a problem with /var/spool/postfix/etc/ssl/certs/ca-certificates.crt being severely out-of-date; in fact, the file has a timestamp of the last time postfix had been restarted when the servers were running wheezy, April 2013.

This bug does not seem severe since STARTTLS is opportunistic, unverified, and MitM-friendly, therefore it does not matter much that the copy of the Debian CA certificates bundle is three years old. However, in my case, I was enabling postfix LDAP TLS server certificate verification, and was struggling with obtuse error messages from postfix for hours until realizing the LDAP TLS server certificate is signed by a CA that is newer than what was in the wheezy-era ca-certificates bundle found in the postfix chroot.

Attached is a patch which fixes the init.d script to copy smtp_tls_CAfile to the correct destination.

It appears the bug exists in stretch/sid, however I have not tested the patch on any version other than 2.11.3-1.

Thanks.

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages postfix depends on:
ii  adduser                3.113+nmu3
ii  cpio                   2.11+dfsg-4.1+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.26
ii  libc6                  2.19-18+deb8u4
ii  libdb5.3               5.3.28-9
ii  libsasl2-2             2.1.26.dfsg1-13+deb8u1
ii  libsqlite3-0           3.8.7.1-1+deb8u1
ii  libssl1.0.0            1.0.1k-3+deb8u4
ii  lsb-base               4.1+Debian13+nmu1
ii  netbase                5.3
ii  ssl-cert               1.0.35

Versions of packages postfix recommends:
ii  python  2.7.9-1

Versions of packages postfix suggests:
pn  dovecot-common                <none>
ii  emacs24-nox [mail-reader]     24.5+1-6~bpo8+1
ii  heirloom-mailx [mail-reader]  12.5-4
ii  libsasl2-modules              2.1.26.dfsg1-13+deb8u1
pn  postfix-cdb                   <none>
pn  postfix-doc                   <none>
ii  postfix-ldap                  2.11.3-1
pn  postfix-mysql                 <none>
pn  postfix-pcre                  <none>
pn  postfix-pgsql                 <none>
pn  procmail                      <none>
pn  resolvconf                    <none>
pn  sasl2-bin                     <none>
pn  ufw                           <none>

-- debconf information excluded

-- 
Gerald Turner <gtur...@unzane.com>
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

commit b6dd96146c4e4ade7fdb841d887b67f3ed66b4e6 Author: Gerald Turner <gtur...@unzane.com> Date: Tue Apr 26 13:39:16 2016 -0700 Correct destination directory when copying smtp_tls_CAfile to chroot diff --git a/debian/init.d b/debian/init.d index b2114ce..63b6389 100644 --- a/debian/init.d +++ b/debian/init.d @@ -128,9 +128,8 @@ configure_instance() { ;; *) if test -f "$ca_file"; then - dest_dir="$queue_dir/${ca_path#/}" - mkdir --parent "$dest_dir" - cp -L "$ca_file" "$dest_dir" + mkdir --parent "$queue_dir/${ca_file%/*}" + cp -L "$ca_file" "$queue_dir/${ca_file%/*}" fi ;; esac
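
Review bot: the two added lines both expand `${ca_file%/*}`, which only yields a directory when ca_file contains a slash; for a value without one the expansion returns the name unchanged, so `mkdir --parent` would create a directory named after the file and `cp -L` would drop the bundle inside it. Consider guarding on an absolute path before copying, and keep the removed dest_dir variable with the new expansion (`dest_dir="$queue_dir/${ca_file%/*}"`) so the destination is computed once and mkdir and cp cannot drift apart. Because ca_file normally starts with a slash, the joined path also contains `//`; that is harmless, but stripping the leading slash as the old line did with `${ca_path#/}` would keep the path clean.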
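
Added example, not part of the original report or of the Debian package: a shell check for the failure mode described in the report, where the chroot copy of smtp_tls_CAfile no longer matches the host file. The function name `check_chroot_ca`, its status words and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether the CA bundle inside a Postfix chroot
# matches the host file it was copied from.
# check_chroot_ca is a hypothetical helper, not part of the postfix package.
#
# Typical arguments on a live system (assumption):
#   check_chroot_ca "$(postconf -h queue_directory)" \
#                   "$(postconf -h smtp_tls_CAfile)"
#
# Prints one status word and returns:
#   in-sync (0)  stale (1)  missing (2)  unset (3)  no-source (4)
check_chroot_ca() {
    queue_dir=$1
    ca_file=$2

    # Empty smtp_tls_CAfile: there is no bundle to copy into the chroot.
    if [ -z "$ca_file" ]; then
        echo unset; return 3
    fi

    # The host-side file must exist, otherwise there is nothing to compare.
    if [ ! -f "$ca_file" ]; then
        echo no-source; return 4
    fi

    # The chroot copy is expected at the same absolute path under queue_dir.
    chroot_copy="$queue_dir/${ca_file#/}"
    if [ ! -f "$chroot_copy" ]; then
        echo missing; return 2
    fi

    # Compare contents byte for byte; a timestamp alone proves nothing.
    if cmp -s "$ca_file" "$chroot_copy"; then
        echo in-sync; return 0
    fi
    echo stale; return 1
}
```

A non-zero return from a cron job or monitoring probe flags the condition before a certificate signed by a newer CA fails verification inside the chroot.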