Control: tag -1 + moreinfo unreproducible
Control: severity -1 normal
On 03.03.2026 17:51, Pirate Praveen wrote:
After upgrading from bookworm to trixie postfix authentication started failing.
Upgrade postfix from bookworm to trixie
sasl authentication with ldap backend was broken.
Then I compared postconf output from a freshly installed postfix on another
system and found
It had cyrus_sasl_config_path = /etc/postfix/sasl
Adding this to main.cf fixed the issue. Since this breaks upgrades, this should
be documented in the NEWS file (until bookworm this was not required).
When upgrading from bookworm version to trixie version, the package
checks if cyrus_sasl_config_path is specified in the old config,
and if not, sets it to /etc/postfix/sasl. This is the fragment from
the postinst script which does this:
if dpkg --compare-versions "$OLDVERSION" lt-nl 3.9.0-3~
then
# cyrus_sasl_config used to be hard-coded in debian to
/etc/postfix/sasl.
# Since 3.9.0-3 we switched to upstream default which is empty,
# which means to use built-in Cyrus SASL library defaults.
# Debian policy says it should be /etc/postfix/sasl
if [ ! "$(postconf -hx cyrus_sasl_config_path)" ]; then
postconf -e cyrus_sasl_config_path=/etc/postfix/sasl
fi
fi
I verified upgrades from various different versions of postfix package,
and the upgrade definitely adds this configuration item. A lot of users
with cyrus sasl upgraded their systems flawlessly. Just yesterday I
upgraded another bookworm system to trixie, including postfix, and the
procedure added
cyrus_sasl_config_path = /etc/postfix/sasl
to main.cf, even if I don't use cyrus or sasl in general.
So this should be something on your system which breaks this workaround.
Please find out what's different on your system.
Which was the version of postfix you're upgrading from?
There's definitely no reason to add news entries saying upgrade will
break your system if it doesn't happen for everyone else.
Also, it's a bad habit to hijack an old bug report which talks about
a version which were many debian releases ago - it's unlikely to be
the same issue.
Thanks,
/mjt
