Fixing this properly is not straightforward.

* I'm -1 for calling configure-instance.sh when ca-certificates is
updated as that script is not meant to be run while postfix is running.
We can't be sure that changing the postfix environment without
restarting it won't have unexpected consequences. We could check the
script now, but we can't be sure of what it will do in the future.

* Even if configure-instance.sh is run, I think that at least a postfix
reload is needed to make it pick up the new certificates.

* Postfix only Recommends: ca-certificates, so when implementing the fix
we should take into account the fact that ca-certificates may not be
installed. This shouldn't really add complexity but it's something to
keep in mind.

* While a postfix restart should update the certificates in the chroot,
I agree that doing it automatically on ca-certificates update is too
invasive. (Moreover, while Simon and I found out that a restart works,
the linked debbug mentions it does not, so this should be double-
checked.)

* A solution would be to fix this on the ca-certificates side, making
ca-certificates detect running services possibly needing a restart and
interactively asking to restart them. This is basically what e.g. glibc
and pam do, and the debconf logic could be taken from there. This
solution also has downsides: it's one more blocking debconf question,
and added interaction logic between packages without a dpkg relation (at
least not in the ca-certificates -> postfix direction). Ideally this
change should land in Debian.

In the end I think this should be fixed on the Postfix side by adding a
debconf question asking if postfix should be restarted on
ca-certificates updates, and dropping a script in
/etc/ca-certificates/update.d/ doing the restart if desired. This is also
something I'd like to see land in Debian and not in an Ubuntu delta.

I'm sorry for the wall-of-text :-)

** Changed in: postfix (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: postfix (Ubuntu)
     Assignee: Paride Legovini (paride) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1915238

Title:
  warning: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt and
  /etc/ssl/certs/ca-certificates.crt differ

Status in ca-certificates package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  Triaged
Status in postfix package in Debian:
  Unknown

Bug description:
  Postfix package doesn't utilize update-ca-certificates' hooks
  mechanism. By simply copying certs from
  /etc/ssl/certs/ca-certificates.crt to
  /var/spool/postfix/etc/ssl/certs/ca-certificates.crt, this warning and
  potential security issues could be avoided.

  Something like this would be a start:

  $ cat /etc/ca-certificates/update.d/postfix 
  #!/bin/bash

  if [ -e /var/spool/postfix/etc/ssl/certs/ca-certificates.crt ]; then
          echo "Updating postfix chrooted certs"
          cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
          systemctl reload postfix
  fi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1915238/+subscriptions
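
A more defensive variant of the hook sketched in the bug description, added here as an example (not code from the bug report or from the Postfix or ca-certificates packaging): it tolerates a missing ca-certificates bundle, replaces the chroot copy atomically, and reloads postfix only on opt-in. POSTFIX_CA_RELOAD and RELOAD_CMD are hypothetical names; the first stands in for the debconf answer proposed in the comment.

```shell
#!/bin/sh
# Added example, not the packaged hook. Intended location (from the bug
# report): /etc/ca-certificates/update.d/postfix
# POSTFIX_CA_RELOAD and RELOAD_CMD are hypothetical knobs (assumptions).
SRC_BUNDLE="${SRC_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
DST_BUNDLE="${DST_BUNDLE:-/var/spool/postfix/etc/ssl/certs/ca-certificates.crt}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload postfix}"

# sync_chroot_bundle SRC DST
# Returns 0 if DST was replaced, 1 if there was nothing to do, 2 on error.
sync_chroot_bundle() {
    src=$1
    dst=$2
    # ca-certificates is only a Recommends: the bundle may be missing or empty.
    [ -s "$src" ] || return 1
    # Only refresh a chroot copy that already exists, as in the report.
    [ -e "$dst" ] || return 1
    # Identical files: no copy, and no reason to disturb postfix.
    cmp -s "$src" "$dst" && return 1
    # Write a temp file in the same directory, then rename it into place,
    # so a reader never sees a half-written bundle.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

run_hook() {
    rc=0
    sync_chroot_bundle "$SRC_BUNDLE" "$DST_BUNDLE" || rc=$?
    case $rc in
        0) ;;            # bundle changed: continue to the reload step
        1) return 0 ;;   # nothing to do is not a failure
        *) echo "postfix hook: could not update $DST_BUNDLE" >&2; return 1 ;;
    esac
    echo "Updated postfix chroot CA bundle"
    # Reload only when the administrator opted in.
    if [ "${POSTFIX_CA_RELOAD:-no}" = yes ]; then
        $RELOAD_CMD
    fi
}

# Run only when installed under the hook name, so sourcing has no side effects.
case "${0##*/}" in
    postfix) run_hook ;;
esac
```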

