ca-certificates.crt is deleted on postfix restart #13

Open
Wasca opened this issue Dec 10, 2020 · 5 comments

@Wasca

Wasca commented Dec 10, 2020

I've found that Postfix is deleting /var/spool/postfix/etc/ssl/certs/ca-certificates.crt when you restart the Postfix service using the command...

service postfix restart

When the file is missing from that location, the token does not get refreshed and you can no longer send email; you get this error:

status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[108.177.97.108]: bad protocol / cancel)

It appears to be this script getting called (/usr/lib/postfix/configure-instance.sh) during the restart script that causes all the trouble.

Is this something that is meant to happen?

@Wasca
Author

Wasca commented Dec 10, 2020

I'm not sure if this is the correct way to fix this, but I just added this line before the closing fi in /usr/lib/postfix/configure-instance.sh

cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

Each time postfix is started or restarted the certificate is now copied into the correct location.

I need to find a way to execute this copy command in the postfix startup script. I tried, but it never worked when I entered it in there.

@dberlin

dberlin commented Apr 21, 2021

The more "correct" patch is that in configure-instance.sh, change where you see -name '*.pem' to -name '*.pem' -or -name '*.crt'

@rrthomas
Contributor

rrthomas commented Feb 5, 2022

FWIW, on my Ubuntu 20.04 machine, I have found that the certificates file is not deleted when I restart postfix. From some of the above comments, I infer that this only happens with postfix-multi installations; can anyone confirm or deny this?

In PR #25 I add support for automatically updating the certificates for the default single-instance case. A multi-instance user might be interested in extending this, taking into account the deletion of the certificates on restart, if that still occurs.

@daniel-fahey

I had the same issue with Postfix recreating the chroot and wiping ca-certificates.crt every time it (re)starts on Debian/Ubuntu. Found a workaround by tweaking the Postfix service to run update-ca-certificates before it (re)starts:

  1. Run sudo systemctl edit postfix.service
  2. Add these lines to the file:
     [Service]
     ExecStartPre=/usr/sbin/update-ca-certificates
  3. Save it, then run sudo systemctl daemon-reload and sudo systemctl restart postfix.

Of course you'd need the /etc/ca-certificates/update.d/postfix-sasl-xoauth2-update-ca-certs installed.

This fixed it for me, hope it helps! Anyone know how this might be included in the Debian/Ubuntu package?
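
Added example, not part of any comment in this thread and not code from the project or the Debian package: a POSIX shell check that reports whether the chroot copy of the CA bundle is missing or out of date and restores it atomically from the system bundle, using the two paths quoted above. The function names and the `sync` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify and restore the CA bundle inside the Postfix chroot.
# Default paths are the ones quoted in this thread; function names are hypothetical.
SYSTEM_BUNDLE=${SYSTEM_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}
CHROOT_BUNDLE=${CHROOT_BUNDLE:-/var/spool/postfix/etc/ssl/certs/ca-certificates.crt}

# Print one of: ok, missing, stale, no-source
chroot_ca_state() {
    src=$1; dst=$2
    if [ ! -s "$src" ]; then echo no-source; return 0; fi
    if [ ! -e "$dst" ]; then echo missing; return 0; fi
    if cmp -s "$src" "$dst"; then echo ok; else echo stale; fi
}

# Restore the chroot copy when it is missing or differs from the system bundle.
# An empty or absent source is refused, so a broken system bundle never
# replaces a working chroot copy. The copy goes to a temp file in the target
# directory and is renamed into place, so readers never see a partial bundle.
sync_chroot_ca() {
    src=$1; dst=$2
    state=$(chroot_ca_state "$src" "$dst")
    case $state in
        ok) return 0 ;;
        no-source) echo "refusing to sync: $src is missing or empty" >&2; return 1 ;;
    esac
    dir=$(dirname "$dst")
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/.ca-bundle.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dst"; then
        echo "restored $dst (was $state)" >&2
    else
        rm -f "$tmp"; return 1
    fi
}

# Only act when invoked as: script.sh sync
if [ "${1:-}" = "sync" ]; then
    sync_chroot_ca "$SYSTEM_BUNDLE" "$CHROOT_BUNDLE"
fi
```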

@rrthomas
Contributor

To get it into Debian/Ubuntu, file a Debian bug with as much help for the package maintainer to fix it as possible.
