Fixing this properly is not straightforward.

* I'm -1 for calling configure-instance.sh when ca-certificates is updated as that script is not meant to be run while postfix is running. We can't be sure that changing the postfix environment without restarting it won't have unexpected consequences. We could check the script now, but we can't be sure of what it will do in the future.

* Even if configure-instance.sh is run, I think that at least a postfix reload is needed to make it pick up the new certificates.

* Postfix only Recommends: ca-certificates, so when implementing the fix we should take into account the fact that ca-certificates may not be installed. This shouldn't really add complexity but it's something to keep in mind.

* While a postfix restart should update the certificates in the chroot, I agree that doing it automatically on ca-certificates update is too invasive. (Moreover, while me and Simon found out that a restart works, the linked debbug mentions it does not, so this should be double-checked.)

* A solution would be to fix this on the ca-certificates side, making ca-certificates detect running services possibly needing a restart and interactively asking to restart them. This is basically what e.g. glibc and pam do, and the debconf logic could be taken from there. This solution also has downsides: it's one more blocking debconf question, and added interaction logic between packages without a dpkg relation (at least not in the ca-certificates -> postfix direction). Ideally this change should land in Debian.

In the end I think this should be fixed on the Postfix side by adding a debconf question asking if postfix should be restarted on ca-certificates updates, and dropping a script in /etc/ca-certificates/update.d/ doing the restart if desired. This is also something I'd like to see land in Debian and not in an Ubuntu delta.

I'm sorry for the wall-of-text :-)

** Changed in: postfix (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: postfix (Ubuntu)
     Assignee: Paride Legovini (paride) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1915238

Title:
  warning: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-certificates.crt differ

Status in ca-certificates package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  Triaged
Status in postfix package in Debian:
  Unknown

Bug description:
  Postfix package doesn't utilize update-ca-certificates' hooks mechanism. By simply copying certs from /etc/ssl/certs/ca-certificates.crt to /var/spool/postfix/etc/ssl/certs/ca-certificates.crt, this warning and potential security issues could be avoided.

  Something like this would be a start:

  $ cat /etc/ca-certificates/update.d/postfix
  #!/bin/bash
  # Only act when the postfix chroot already carries a copy of the bundle.
  if [ -e /var/spool/postfix/etc/ssl/certs/ca-certificates.crt ]; then
      echo "Updating postfix chrooted certs"
      # Refresh the chroot copy from the freshly generated system bundle,
      # then reload postfix so it picks up the new file.
      cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
      systemctl reload postfix
  fi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1915238/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
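The security point behind the warning is that a chrooted postfix validates TLS peers against whatever bundle sits under /var/spool/postfix, so after an update-ca-certificates run it keeps trusting roots the system has dropped and lacks the ones it has added. The following is an added example of the update.d hook that the closing comment above proposes, written here for illustration; it is not the reporter's draft nor the Debian/Ubuntu postfix package's code. Compared with the draft in the bug description it copies only when the two bundles actually differ, replaces the chroot copy atomically, never creates the chroot file itself (that stays configure-instance.sh's job), and reloads postfix only when the unit is active. The install path /etc/ca-certificates/update.d/postfix comes from the bug; the CA_BUNDLE_SRC and CA_BUNDLE_DST override variables and the $0-based guard are assumptions of this example, and the debconf opt-in Paride asks for is not implemented here.

```shell
#!/bin/sh
# Added example hook for the bug 1915238 discussion; not the postfix
# package's own code. Assumed to be installed as
# /etc/ca-certificates/update.d/postfix and run by update-ca-certificates
# with no arguments after the system bundle has been regenerated.
set -eu

# Override variables are an assumption of this example (handy for testing).
SRC="${CA_BUNDLE_SRC:-/etc/ssl/certs/ca-certificates.crt}"
DST="${CA_BUNDLE_DST:-/var/spool/postfix/etc/ssl/certs/ca-certificates.crt}"

# sync_bundle SRC DST
# Prints "updated" when DST was replaced, "unchanged" when the files were
# already identical. Returns 1 (with a message on stderr) when there is
# nothing to do: SRC unreadable, or no chroot copy at DST to refresh.
sync_bundle() {
    src="$1"; dst="$2"
    if [ ! -r "$src" ]; then
        echo "sync_bundle: no readable bundle at $src" >&2
        return 1
    fi
    if [ ! -e "$dst" ]; then
        # The chroot copy is created by the package's own setup; a hook
        # must not start populating a chroot that was never set up.
        echo "sync_bundle: no chroot bundle at $dst, nothing to do" >&2
        return 1
    fi
    if cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi
    # Write a temp file next to DST and rename it into place so a running
    # postfix never opens a half-written bundle.
    tmp="$(mktemp "$dst.XXXXXX")"
    cp "$src" "$tmp"
    # mktemp creates 0600; the chrooted postfix processes need to read it.
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst"
    echo updated
    return 0
}

# Reload only when postfix is running; a stopped postfix reads the new
# bundle on its next start anyway.
reload_if_running() {
    if command -v systemctl >/dev/null 2>&1 \
        && systemctl is-active --quiet postfix; then
        systemctl reload postfix
    fi
}

main() {
    if result="$(sync_bundle "$SRC" "$DST")"; then
        echo "postfix chroot CA bundle: $result"
        if [ "$result" = updated ]; then
            reload_if_running
        fi
    fi
}

# Only run the hook body when executed from its install path, so the
# functions can be sourced elsewhere without side effects.
case "$0" in
    */update.d/postfix) main ;;
esac
```

The hook deliberately does nothing when the chroot copy is absent, which covers the case the comment raises of ca-certificates being only a Recommends: of postfix, or postfix not being chrooted at all.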