Control: affects 1003982 + sasl-xoauth2 Control: affects 1006888 + src:sasl-xoauth2
Over in https://bugs.debian.org/1003982, Thomas Fargeix wrote: > On 2022-01-18 23:19, Scott Kitterman wrote: >> According to postconf(5) it's not needed. It says, "These are loaded >> into memory before the smtp(8) client enters the chroot jail". Why >> do you need it in the chroot? > > Then there is a different behavior between smtp(d)_tls_CAfile and > tls_ca_cert_file from the postfix-ldap module (and maybe other TLS > options from other modules? I have not see other errors in my setup > but LDAP is my only non-default one). I use LDAP map for aliases, > with tls_ca_cert_file to verify the certificate of the LDAP server, > and the CA file was not loaded in memory before entering the chroot: Aside from postfix-ldap as a lookup module, SASL modules might also need the files to be in the chroot. For example, I'm preparing the sasl-xoauth2 module for debian (see https://bugs.debian.org/1006888) and the upstream developer for that package (Tarick Bedeir, in Cc here) has some hooks in his upstream .deb packaging (that targets ubuntu), which trying to copy /etc/ssl/certs/ca-certificates.crt into the chroot whenever ca-certificates is updated: https://github.com/tarickb/sasl-xoauth2/blob/master/scripts/update-ca-certificates.sh https://github.com/tarickb/sasl-xoauth2/blob/master/debian/install https://github.com/tarickb/sasl-xoauth2/blob/master/debian/sasl-xoauth2.postinst This seems to be a not-particularly-robust approach, including at least: https://github.com/tarickb/sasl-xoauth2/issues/13 https://github.com/tarickb/sasl-xoauth2/issues/14 I don't plan to adopt this particular approach for the debian package, for (at least) a few reasons: - the sasl-xoauth2 package isn't even explicitly related to postfix -- that's the main upstream test case, but that doesn't mean that the sasl-xoauth2 package should fiddle with the default postfix installation. - This approach won't work for a multi-tenant postfix installation; it doesn't transfer the CA directory, etc. - /usr/share/doc/postfix/README.Debian.gz section 2A suggests that /etc/default/postfix is supposed be the right way to ensure that these files are updated on postfix restart. My current plan is to drop a short note in /usr/share/doc/sasl-xoauth2/README.Debian that encourages use of /etc/default/postfix for postfix admins who install this module. But it would be pretty cool if postfix could automagically figure out that it needs the ca-certificates file if this sasl module is configured. Scott, if you have any suggestions for how to approach this going forward, i'd be happy to try to adopt those suggestions in the sasl-xoauth2 packaging. Or, if you can see that i'm making some kind of mistake here, i'd appreciate hearing about it too. Please let me know what you think! --dkg PS i recognize that some packaging/system-integration decisions might be different were i to try to backport sasl-xoauth2 for the existing debian stable; but i'd prefer to sort out the cleanest and most easily-maintainable packaging for debian unstable first, which is why i'm raising this here. Whoever wants to do fiddly stuff for backports can do so as necessary, but i don't want to have to maintain that fiddliness in the packaging going forward if i can avoid it.
signature.asc
Description: PGP signature
