Re: postfix error shown in mail.log

2021-07-28 Thread Scott Kitterman 



On July 28, 2021 2:58:21 PM UTC, Viktor Dukhovni  
wrote:
>If the postfix-files file does not reflect the content delivered by
>the package, you would typically see errors running "postfix check".
>Either the package should deliver all the files expected upstream,
>or the "postfix-files" file should be updated to match the package
>content.
>

I think it matches.  Last year I went through and checked.  I'll check it again.

Scott K

Re: postfix error shown in mail.log

2021-07-28 Thread Viktor Dukhovni 
If the postfix-files file does not reflect the content delivered by
the package, you would typically see errors running "postfix check".
Either the package should deliver all the files expected upstream,
or the "postfix-files" file should be updated to match the package
content.

-- 
Viktor.

Re: postfix error shown in mail.log

2021-07-28 Thread Vincent Lefevre 
On 2021-07-26 12:11:16 -0400, Viktor Dukhovni wrote:
[...]
> At which point the only files in /etc/postfix that are updated with
> each package release are:
> 
> $config_directory/LICENSE:f:root:-:644:1
> $config_directory/TLS_LICENSE:f:root:-:644:1
> $config_directory/bounce.cf.default:f:root:-:644:1
> $config_directory/main.cf.default:f:root:-:644:1
> 
> What do you do about these?

I can see on my Debian/unstable machine that LICENSE and TLS_LICENSE
are not installed anywhere, as per policy, AFAIK. So LICENSE is
included in /usr/share/doc/postfix/copyright, but TLS_LICENSE isn't.
I've just reported a serious bug about the missing TLS_LICENSE info.

bounce.cf.default and main.cf.default are both installed in
/usr/share/doc/postfix/examples by debian/rules:

dh_installexamples -p ${docpkg} examples/{qmail-local,smtpd-policy}
dh_installexamples -p ${docpkg} -Xmain.cf -Xmaster.cf -Xfiles 
conf/[a-z]*
dh_installexamples -p ${docpkg} conf/main.cf.default debian/mailqfmt.pl

BTW, conf/main.cf.default seems redundant with conf/[a-z]*.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: postfix error shown in mail.log

2021-07-26 Thread Viktor Dukhovni 
On Mon, Jul 26, 2021 at 12:18:01PM +, Scott Kitterman wrote:

> >(it is listed in the postfix 3.6.1 tarball in conf/postfix-files:
> >"$meta_directory/makedefs.out:f:root:-:644"
> 
> The Debian package management system tracks system induced changes in
> /etc and notifies users about them during package upgrade.  Before I
> moved the file to /usr/share/postfix, there were alerts during package
> upgrade every time if makedefs.out changed (i.e. every time).

Note that the file is installed into "$meta_directory" along with a
small number of other files that apply to all Postfix instances:

$meta_directory/dynamicmaps.cf.d:d:root:-:755
$meta_directory/dynamicmaps.cf:f:root:-:644
$meta_directory/main.cf.proto:f:root:-:644
$meta_directory/makedefs.out:f:root:-:644
$meta_directory/master.cf.proto:f:root:-:644
$meta_directory/postfix-files.d:d:root:-:755
$meta_directory/postfix-files:f:root:-:644

The simplest solution would be to make $meta_directory be something like
/usr/share/postfix or the same as $daemon_directory.  At which point the
only files in /etc/postfix that are updated with each package release
are:

$config_directory/LICENSE:f:root:-:644:1
$config_directory/TLS_LICENSE:f:root:-:644:1
$config_directory/bounce.cf.default:f:root:-:644:1
$config_directory/main.cf.default:f:root:-:644:1

What do you do about these?

> 3.  Put it elsewhere and provide a symlink, which means the warning.

You should customise postfix-files to exactly match what the package
delivers.  Replacing files with symlinks without changing the metadata
is not a good idea.

-- 
Viktor.

Re: postfix error shown in mail.log

2021-07-26 Thread Vincent Lefevre 
On 2021-07-26 12:18:01 +, Scott Kitterman wrote:
[makedefs.out location]
> The Debian package management system tracks system induced changes in /etc 
> and notifies users about them during package upgrade.  Before I moved the 
> file to /usr/share/postfix, there were alerts during package upgrade every 
> time if makedefs.out changed (i.e. every time).
> 
> I agree with the warning since permissions in the target directory might be 
> inappropriate.  In this case I've checked it before I put the symlink in 
> place and it's fine.
> 
> There are a limited number of options:
> 
> 1. Don't install makedefs.out, which means the standard postfix installation 
> is incomplete (this is what Debian used to do).
> 
> 2.  Put it in /etc, which means the admin gets notified about changes in the 
> file on package upgrade (which made no one happy).
> 
> 3.  Put it elsewhere and provide a symlink, which means the warning.
> 
> 4.  Put it elsewhere and patch away the warning.
> 
> None of those are ideal.

But perhaps this should be changed in postfix itself (upstream),
or at least made configurable.

The FHS says that /etc is for host-specific system configuration,
and makedefs.out is not a configuration file. So I would say that
/etc/postfix is not the right place for this file, which starts
with:

# Do not edit -- this file documents how Postfix was built for your machine.
   ^

Thus, IMHO, this file should be with the other documentation files.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: postfix error shown in mail.log

2021-07-26 Thread Scott Kitterman 



On July 26, 2021 8:59:00 AM UTC, Vincent Lefevre  wrote:
>On 2021-07-24 09:29:04 +1000, raf wrote:
>> On Fri, Jul 23, 2021 at 04:13:00PM +0200, Jean-François Bachelet 
>>  wrote:
>> 
>> > Hello ^^)
>> > 
>> > I found that error in mail.log, at each start postfix issue that error :
>> > 
>> > 'Jul 23 15:36:57 discovery postfix/postfix-script[1170]: warning: symlink
>> > leaves directory: /etc/postfix/./makedefs.out'
>> > 
>> > is that warning harmless or not ?
>> > 
>> > Jeff
>> 
>> I'm pretty sure that that file is put there as part of
>> the debian package (even though it doesn't show up in
>> dpkg-query -L postfix). I had it too.
>
>It is not part of the Debian package, but installed by the
>postfix.postinst script:
>
># we want it out of /etc to not be a conffile, but users might expect it there
># so leave a symlink at the expected place in /etc
>if [ -f "/usr/share/postfix/makedefs.out" ]; then
>if [ ! -e "/etc/postfix/makedefs.out" ]; then
>ln -s /usr/share/postfix/makedefs.out /etc/postfix/makedefs.out
>fi
>fi
>
>If I understand correctly, it is a normal file in postfix
>(it is listed in the postfix 3.6.1 tarball in conf/postfix-files:
>"$meta_directory/makedefs.out:f:root:-:644"), but Debian chose
>to move it into /usr/share/postfix and added a symlink to this
>file. The probable reason is that this file is not a configuration
>file and should not be modified.
>

Close.  

The Debian package management system tracks system induced changes in /etc and 
notifies users about them during package upgrade.  Before I moved the file to 
/usr/share/postfix, there were alerts during package upgrade every time if 
makedefs.out changed (i.e. every time).

I agree with the warning since permissions in the target directory might be 
inappropriate.  In this case I've checked it before I put the symlink in place 
and it's fine.

There are a limited number of options:

1. Don't install makedefs.out, which means the standard postfix installation is 
incomplete (this is what Debian used to do).

2.  Put it in /etc, which means the admin gets notified about changes in the 
file on package upgrade (which made no one happy).

3.  Put it elsewhere and provide a symlink, which means the warning.

4.  Put it elsewhere and patch away the warning.

None of those are ideal.

Scott K

Re: postfix error shown in mail.log

2021-07-26 Thread Vincent Lefevre 
On 2021-07-24 09:29:04 +1000, raf wrote:
> On Fri, Jul 23, 2021 at 04:13:00PM +0200, Jean-François Bachelet 
>  wrote:
> 
> > Hello ^^)
> > 
> > I found that error in mail.log, at each start postfix issue that error :
> > 
> > 'Jul 23 15:36:57 discovery postfix/postfix-script[1170]: warning: symlink
> > leaves directory: /etc/postfix/./makedefs.out'
> > 
> > is that warning harmless or not ?
> > 
> > Jeff
> 
> I'm pretty sure that that file is put there as part of
> the debian package (even though it doesn't show up in
> dpkg-query -L postfix). I had it too.

It is not part of the Debian package, but installed by the
postfix.postinst script:

# we want it out of /etc to not be a conffile, but users might expect it there
# so leave a symlink at the expected place in /etc
if [ -f "/usr/share/postfix/makedefs.out" ]; then
if [ ! -e "/etc/postfix/makedefs.out" ]; then
ln -s /usr/share/postfix/makedefs.out /etc/postfix/makedefs.out
fi
fi

If I understand correctly, it is a normal file in postfix
(it is listed in the postfix 3.6.1 tarball in conf/postfix-files:
"$meta_directory/makedefs.out:f:root:-:644"), but Debian chose
to move it into /usr/share/postfix and added a symlink to this
file. The probable reason is that this file is not a configuration
file and should not be modified.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: postfix error shown in mail.log

2021-07-23 Thread raf 
On Fri, Jul 23, 2021 at 04:13:00PM +0200, Jean-François Bachelet 
 wrote:

> Hello ^^)
> 
> I found that error in mail.log, at each start postfix issue that error :
> 
> 'Jul 23 15:36:57 discovery postfix/postfix-script[1170]: warning: symlink
> leaves directory: /etc/postfix/./makedefs.out'
> 
> is that warning harmless or not ?
> 
> Jeff

I'm pretty sure that that file is put there as part of
the debian package (even though it doesn't show up in
dpkg-query -L postfix). I had it too.

It's just a link to /usr/share/postfix/makedefs.out
which shows how postfix was compiled. It isn't needed.
I deleted mine without consequence.

cheers,
raf

Re: postfix error shown in mail.log

2021-07-23 Thread Wietse Venema 
Jean-Fran?ois Bachelet:
> Hello ^^)
> 
> 
> I found that error in mail.log, at each start postfix issue that error :
> 
> 
> 'Jul 23 15:36:57 discovery postfix/postfix-script[1170]: warning: 
> symlink leaves directory: /etc/postfix/./makedefs.out'
> 
> 
> is that warning harmless or not ?

As a matter of principle, it is a bad idea to have symlinks under
/etc/postfix that go elsewhere. Such symlinks are a security hole
if they involve a directory or file that is owned or writable by a
non-root user.

This particular file is not sensitive, but most files under
/etc/postfix are definitely sensitive because they may be opened
while a Postfix process runs as root.

Wietse

postfix error shown in mail.log

2021-07-23 Thread Jean-François Bachelet 

Hello ^^)


I found that error in mail.log, at each start postfix issue that error :


'Jul 23 15:36:57 discovery postfix/postfix-script[1170]: warning: 
symlink leaves directory: /etc/postfix/./makedefs.out'



is that warning harmless or not ?


Jeff