Package: postfix
Version: 2.4.5-4~bpo40+1
Severity: normal
Tags: patch

Postfix smtp / smtpd daemons are launched in a chrooted environment. Therefore, 
when we use SSL/TLS and configure them properly to authenticate client / server 
certificates, we need to access /etc/ssl/certs/ to check CA Certificates
signatures. So, in case smtpd_use_tls or smtp_use_tls is YES in postconf, we
should copy /etc/ssl/certs/ca-certificates.crt in the chrooted environment.

The included patch changes /etc/init.d/postfix to copy this file when needed.



-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-vserver-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages postfix depends on:
ii  adduser                   3.102          Add and remove users and groups
ii  debconf [debconf-2.0]     1.5.11         Debian configuration management sy
ii  dpkg                      1.13.25        package maintenance system for Deb
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libdb4.3                  4.3.29-8       Berkeley v4.3 Database Libraries [
ii  libsasl2-2                2.1.22.dfsg1-8 Authentication abstraction library
ii  libssl0.9.8               0.9.8c-4       SSL shared libraries
ii  lsb-base                  3.1-23.1       Linux Standard Base 3.1 init scrip
ii  netbase                   4.29           Basic TCP/IP networking system
ii  ssl-cert                  1.0.14         Simple debconf wrapper for openssl

postfix recommends no packages.

-- debconf information excluded
--- /etc/init.d/postfix.orig    2007-10-02 09:16:25.000000000 +0200
+++ /etc/init.d/postfix 2007-10-02 09:18:33.000000000 +0200
@@ -47,6 +47,16 @@
                umask 022
                cd $(postconf -h queue_directory)
 
+               # if we're using tls, then we need to add 
etc/ssl/certs/ca-certificates.crt.
+               smtp_use_tls=$(postconf -h smtp_use_tls)
+               smtpd_use_tls=$(postconf -h smtpd_use_tls)
+               if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; 
then
+                   if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then 
+                       mkdir -p etc/ssl/certs
+                       cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
+                   fi
+               fi
+
                # if we're using unix:passwd.byname, then we need to add 
etc/passwd.
                local_maps=$(postconf -h local_recipient_maps)
                if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; 
then
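
Review bot: the added test `[ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]` matches only the exact string `yes` for these two parameters, while the report itself writes the value as YES, so TLS enabled with any other spelling or through any other setting never gets the bundle copied. The inner `[ -f "/etc/ssl/certs/ca-certificates.crt" ]` check also skips the copy silently and the result of `cp` is not checked, so a missing or uncopied bundle only shows up later as certificate verification failures inside the chroot. Suggest logging a warning in both cases, and taking the source path from the configured CA file (for example `postconf -h smtp_tls_CAfile`) rather than hard-coding it. The copy is refreshed only when this init script runs, so a bundle updated on the host stays stale in the chroot until the next start; a comment saying so would help whoever maintains the script.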
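
A check that follows from the report above, as an added example that is not part of the original report or of the Postfix package: it compares the host CA bundle with the copy inside the chroot and flags a missing, stale or group/world-writable copy. The function name `check_chroot_ca`, its status words and the `--check` argument are assumptions; the paths are the ones the patch uses.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the CA bundle copy that the
# patched init script places inside the Postfix chroot.

# check_chroot_ca HOST_BUNDLE JAIL_BUNDLE
# Prints one status word and returns 0 only when the jail copy is usable:
#   ok | missing-host | missing-chroot | writable | stale
check_chroot_ca() {
    cca_host=$1
    cca_jail=$2

    # No host bundle: the init script would have skipped the copy silently.
    if [ ! -f "$cca_host" ]; then echo missing-host; return 2; fi

    # TLS daemons in the chroot would have no trust anchors to verify against.
    if [ ! -f "$cca_jail" ]; then echo missing-chroot; return 1; fi

    # A trust store that group or others can modify can be tampered with.
    if [ -n "$(find -L "$cca_jail" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo writable; return 1
    fi

    # The copy is made at start time only, so it can lag behind the host file.
    if cmp -s "$cca_host" "$cca_jail"; then echo ok; return 0; fi
    echo stale; return 1
}

# Stand-alone use: sh this-script --check
if [ "${1:-}" = "--check" ]; then
    queue_dir=$(postconf -h queue_directory)
    check_chroot_ca /etc/ssl/certs/ca-certificates.crt \
        "$queue_dir/etc/ssl/certs/ca-certificates.crt"
fi
```

A `stale` result after a CA bundle update on the host means Postfix needs a restart through the init script before the chrooted daemons see the new certificates.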