[opensuse-packaging] postfix.rpm does not install sysconfig files

After a fresh TW install I compared /etc/sysconfig/postfix with an old installation. Most of the settings are just missing, like POSTFIX_UPDATE_MAPS=

After poking around I found the value in /var/adm/fillup-templates/sysconfig.postfix, but not in /etc. And even after 'rpm -e postfix;rm /etc/sysconfig/postfix;zypper in postfix' the file is not installed.

I wonder if that part of postfix.spec:%post is really correct:

    ...
    %if 0%{?suse_version} > 1210
    %service_add_post %{name}.service
    %set_permissions %{_sbindir}/postqueue
    %set_permissions %{_sbindir}/postdrop
    %set_permissions %{_sysconfdir}/%{name}/sasl_passwd
    %set_permissions %{_sbindir}/sendmail
    %verifyscript
    %verify_permissions -e %{_sbindir}/postqueue
    %verify_permissions -e %{_sbindir}/postdrop
    %verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd
    %verify_permissions -e %{_sbindir}/sendmail
    %{fillup_only -y postfix}
    %else
    %{fillup_and_insserv -y postfix}
    %endif
    %{fillup_only -an mail}
    /sbin/ldconfig
    ...

It seems %verifyscript creates a new section named 'verify scriptlet (using /bin/sh)', which is not executed.

Olaf
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org

On Tue, Aug 04, Marcus Meissner wrote:
Not sure if it's related to this bug, tls does not seem to work.

    Aug 04 11:21:35 probook.fritz.box postfix/pickup[8561]: 102F1507F5: uid=1000 from=<olaf@aepfle.de>
    Aug 04 11:21:35 probook.fritz.box postfix/cleanup[8594]: 102F1507F5: message-id=<20150804092134.GA8585@aepfle.de>
    Aug 04 11:21:35 probook.fritz.box postfix/qmgr[8563]: 102F1507F5: from=<olaf@aepfle.de>, size=402, nrcpt=1 (queue active)
    Aug 04 11:21:35 probook.fritz.box postfix/smtp[8596]: warning: cannot get RSA certificate from file /etc/ssl/: disabling TLS support
    Aug 04 11:21:35 probook.fritz.box postfix/smtp[8596]: warning: TLS library problem: error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE:
    Aug 04 11:21:35 probook.fritz.box postfix/smtp[8596]: warning: TLS library problem: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:689:
    Aug 04 11:21:35 probook.fritz.box postfix/smtp[8596]: 102F1507F5: to=<olaf@aepfle.de>, relay=smtp.strato.de[2a01:238:20a:202:55f0::1133]:25, delay=0.58, delays=0.14/0.09/0.16/0.18, dsn=2.0.0, status=sent (250 2.0.0 queued as J057a6r749LZlhX)
    Aug 04 11:21:35 probook.fritz.box postfix/qmgr[8563]: 102F1507F5: removed

It used to look like this, in 11.4:

    Jul 30 07:57:42 probook postfix/pickup[31726]: 70E9A502E6: uid=1000 from=<olaf@aepfle.de>
    Jul 30 07:57:42 probook postfix/cleanup[2793]: 70E9A502E6: message-id=<20150730055742.GA1379@aepfle.de>
    Jul 30 07:57:42 probook postfix/qmgr[2743]: 70E9A502E6: from=<olaf@aepfle.de>, size=947, nrcpt=1 (queue active)
    Jul 30 07:57:42 probook postfix/smtp[2796]: certificate verification failed for smtp.strato.de[2a01:238:20a:202:55f0::1133]:25: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    Jul 30 07:57:43 probook postfix/smtp[2796]: 70E9A502E6: to=<coolo@suse.de>, relay=smtp.strato.de[2a01:238:20a:202:55f0::1133]:25, delay=1.2, delays=0.31/0.11/0.25/0.48, dsn=2.0.0, status=sent (250 2.0.0 queued as g03c76r6U5vgj8d)
    Jul 30 07:57:43 probook postfix/qmgr[2743]: 70E9A502E6: removed

Olaf
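
Added example (not part of the original thread): in the log above, the smtp process that warned "disabling TLS support" still reported status=sent for the message. This Python code classifies each delivery by the TLS state its smtp process logged; the sample lines are constructed, the function name is hypothetical, and it assumes the warning holds for every later delivery from the same process ID.

```python
import re

# Constructed sample lines in the format shown in the thread (hosts, IDs and addresses are made up).
SAMPLE_LOG = """\
Aug 04 11:21:35 mail.example.org postfix/smtp[8596]: warning: cannot get RSA certificate from file /etc/ssl/: disabling TLS support
Aug 04 11:21:35 mail.example.org postfix/smtp[8596]: AAAA000001: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.58, dsn=2.0.0, status=sent (250 2.0.0 queued as X1)
Aug 05 16:55:20 mail.example.org postfix/smtp[12522]: Verified TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 05 16:55:20 mail.example.org postfix/smtp[12522]: BBBB000002: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.59, dsn=2.0.0, status=sent (250 2.0.0 queued as X2)
Aug 05 17:10:02 mail.example.org postfix/smtp[2796]: CCCC000003: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 queued as X3)
"""

SMTP_LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
DISABLED = re.compile(r"warning: (.*): disabling TLS support")
ESTABLISHED = re.compile(r"TLS connection established to (\S+): ")
DELIVERY = re.compile(r"^([0-9A-Za-z]+): to=<([^>]*)>, relay=([^,]+),.*status=sent\b")

def classify_deliveries(log_text):
    """Return one dict per sent message with tls = 'disabled', 'established' or 'unknown'."""
    disabled = {}        # pid -> reason given in the warning
    established = set()  # (pid, relay) pairs for which a TLS session was logged
    results = []
    for line in log_text.splitlines():
        m = SMTP_LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (w := DISABLED.search(msg)):
            disabled[pid] = w.group(1)
        elif (e := ESTABLISHED.search(msg)):
            established.add((pid, e.group(1)))
        elif (d := DELIVERY.match(msg)):
            queue_id, rcpt, relay = d.groups()
            if pid in disabled:
                state, detail = "disabled", disabled[pid]
            elif (pid, relay) in established:
                state, detail = "established", ""
            else:  # nothing logged either way, e.g. smtp_tls_loglevel too low
                state, detail = "unknown", "no TLS line logged for this process and relay"
            results.append({"queue_id": queue_id, "rcpt": rcpt, "relay": relay,
                            "pid": pid, "tls": state, "detail": detail})
    return results

if __name__ == "__main__":
    for r in classify_deliveries(SAMPLE_LOG):
        print(r["queue_id"], r["relay"], r["tls"], r["detail"])
```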

On 04.08.2015 at 11:24, Olaf Hering wrote:
Also, though it is not related to the issue itself, there seem to be requests piling up for two months at https://build.opensuse.org/package/requests/server:mail/postfix

Martin

Olaf Hering [04.08.2015 11:24]:
    # grep tlsmgr /etc/postfix/master.cf
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Did you remove the # sign at the beginning of that line? tlsmgr is not enabled by default.

In the old times, when 11.4 was released, "Deutsche Telekom Root CA 2" was not known. That changed in the meantime. With the setting

    smtp_tls_CApath = /etc/ssl/certs

on a less ancient SUSE you should not get this verification error. Deutsche_Telekom_Root_CA_2.pem is delivered now :) On SLES 11, it is in package openssl-certs, in oS 13.2 in ca-certificates.

Regards,
Werner

On Tue, Aug 04, Werner Flamme wrote:
It is enabled. '/etc/ssl/' is not a file, so most likely some path expansion fails. What binary needs to be straced or otherwise inspected to see where the RSA certificate grabbing fails?

Olaf

Olaf Hering [05.08.2015 16:23]:
Hi Olaf,

maybe the result of

    postconf smtp_tls_cert_file

is

    smtp_tls_cert_file = /etc/ssl/

For me, this parameter is set to /etc/postfix/ssl/smtp.cert, an existing file containing my (self-signed) certificate.

If smtp_tls_cert_file does not point to an existing certificate file, edit /etc/postfix/main.cf so that it does. Maybe you can set smtpd_tls_cert_file to the same value, just to be sure. After the edit, run "rcpostfix reload" to notify postfix of the changes.

smtp_* parameters are for sending, smtpd_* parameters are for receiving mail.

HTH,
Werner

On Wed, Aug 05, Werner Flamme wrote:
I do not have a certificate, not sure if I need one. Now smtp_tls_cert_file is disabled, and smtp_enforce_tls changed from no to yes. With smtp_tls_loglevel=3 I see output like:

    Aug 05 16:55:20 probook.fritz.box postfix/smtp[12522]: Verified TLS connection established to smtp.strato.de[2a01:238:20a:202:55f0::1133]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Aug 05 16:55:20 probook.fritz.box postfix/smtp[12522]: 3E84B5085B: to=<olaf@aepfle.de>, relay=smtp.strato.de[2a01:238:20a:202:55f0::1133]:25, delay=0.59, delays=0.13/0.09/0.32/0.04, dsn=2.0.0, status=sent (250 2.0.0 queued as L0469dr75EtKBQL)

So it's apparently working.

Olaf

Olaf Hering [05.08.2015 17:02]:
Hi Olaf,

you don't need a certificate. I recommend reading the client section of <http://www.postfix.org/TLS_README.html#client_tls> though :) ("Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers."). As default, smtp_tls_cert_file is empty.

I never set smtp_enforce_tls to yes, since sometimes I have to communicate with servers that are not capable of TLS.

    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may

Regards,
Werner

Werner Flamme wrote:
AFAICS configuring a client cert does not do any harm. Especially client certs could be another component for better spam scoring. There's no reason why you can't simply use your TLS server cert for that. So this works for me for quite a while now:

    smtp_tls_cert_file = $smtpd_tls_cert_file
    smtp_tls_key_file = $smtpd_tls_key_file

Ciao, Michael.
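
Added example, not from the thread: a check for the misconfiguration discussed above, where smtp_tls_cert_file resolved to the directory /etc/ssl/ instead of a certificate file, which also follows the $smtpd_tls_cert_file reference form. The main.cf parser is a simplified stand-in (no continuation lines), and all function names are hypothetical.

```python
import os
import re

# PEM headers a certificate file is expected to contain (the second is the one named in the logged error).
PEM_MARKERS = ("-----BEGIN CERTIFICATE-----", "-----BEGIN TRUSTED CERTIFICATE-----")
CERT_PARAMS = ("smtp_tls_cert_file", "smtpd_tls_cert_file")

def parse_main_cf(text):
    """Simplified main.cf parser: 'name = value' lines and '#' comments only; last value wins."""
    params = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def expand(value, params, depth=0):
    """Resolve $name and ${name} references to other parameters."""
    if depth > 10:  # guard against reference loops
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)

def check_cert_params(text):
    """Return {parameter: verdict} for the client and server certificate parameters."""
    params = parse_main_cf(text)
    verdicts = {}
    for name in CERT_PARAMS:
        path = expand(params.get(name, ""), params)
        if not path:
            verdicts[name] = "unset"  # empty is the default for both parameters
        elif not os.path.isfile(path):
            verdicts[name] = "not a regular file: " + path
        else:
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            found = any(marker in body for marker in PEM_MARKERS)
            verdicts[name] = "ok" if found else "no PEM certificate in " + path
    return verdicts

if __name__ == "__main__":
    # Constructed configuration reproducing the value suspected in the thread.
    sample = "smtp_tls_cert_file = /etc/ssl/\n"
    for name, verdict in check_cert_params(sample).items():
        print(name, "->", verdict)
```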

Olaf Hering <olaf@aepfle.de> writes:
Probably /usr/lib/postfix/smtp.

Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

participants (7)
- Andreas Schwab
- Marcus Meissner
- Martin Pluskal
- Michael Ströder
- Olaf Hering
- Tomáš Chvátal
- Werner Flamme