Package: postfix
Version: 3.5.6-1+b1
Severity: normal
X-Debbugs-Cc: [email protected]

I was just debugging why Postfix (after finding first
smtpd_tls_received_header=yes then smtpd_tls_ask_ccert=yes)
does not properly verify the SSL certificates provided by
my sendmail servers.

Turns out that…

smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = $smtpd_tls_CApath

… does not work, obviously, if the thing is chrooted, which
it is in Debian (which is good) and the certificates are not
present in the chroot.

However, the start code only copies things over from the system
store that are both *.pem and not symlinks. It then proceeds to
run c_rehash manually.

This probably works for the default ca-certificates ones, but
not if people add custom root certificates there in already
c_rehash’d form or have a different root store setup which
also does the same. I have, for example…

lrwxrwxrwx 1 root root     37 14. Feb 2020  /etc/ssl/certs/00673b5b.0 -> 
/usr/share/ca-bundle/certs/00673b5b.0

This would require a copy of the entire /etc/ssl/certs/ directory
*following* symbolic links (and then, maybe jdupes to at least make
hardlinks out of duplicates).

I fully get why this would not be desirable for the stock Debian
ca-certificates setup. In fact, I’d prefer to control the files
placed into the chroot, copying just the /usr/share/ca-bundle/certs/
files and symlinks (which are already c_rehash’d) to get rid of
the ssl-cert-snakeoil.pem presence (which Debian seems to insist
on for some reason) from that directory as well.

However, /usr/lib/postfix/configure-instance.sh does not seem to
offer any kind of hook for setting up the SSL certificate root store
inside the chroot. It doesn’t even seem to be written to allow for
a customised setup of *any* kind; the code looks like it’d overwrite
everything if I were to manually copy the files there.

So please add a way to make the SSL root store setup customisable.


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages postfix depends on:
ii  adduser                3.118
ii  cpio                   2.13+dfsg-4
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.9
ii  e2fsprogs              1.46.2-2
ii  libc6                  2.31-13+deb11u3
ii  libdb5.3               5.3.28+dfsg1-0.8
ii  libicu67               67.1-7
ii  libnsl2                1.3.0-2
ii  libsasl2-2             2.1.27+dfsg-2.1+deb11u1
ii  libssl1.1              1.1.1n-0+deb11u1
ii  lsb-base               11.1.0
ii  netbase                6.3
ii  ssl-cert               1.1.0+nmu1

Versions of packages postfix recommends:
ii  ca-bundle [ca-certificates]  20190604
ii  python3                      3.9.2-3

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]  8.1.2-0.20180807cvs-2
ii  libsasl2-modules         2.1.27+dfsg-2.1+deb11u1
pn  postfix-cdb              <none>
pn  postfix-doc              <none>
pn  postfix-ldap             <none>
pn  postfix-lmdb             <none>
pn  postfix-mysql            <none>
pn  postfix-pcre             <none>
pn  postfix-pgsql            <none>
pn  postfix-sqlite           <none>
pn  procmail                 <none>
pn  resolvconf               <none>
pn  ufw                      <none>

-- debconf information excluded

Reply via email to