Open Wasca opened 3 years ago
I'm not sure if this is the correct way to fix this, but I just added this line before the closing fi in /usr/lib/postfix/configure-instance.sh:
cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
Each time postfix is started or restarted the certificate is now copied into the correct location.
I need to find a way to execute this copy command in the postfix startup script; I tried, but it never worked when I entered it in there.
The more "correct" patch is that in configure-instance.sh, change where you see -name '*.pem' to -name '*.pem' -or -name '*.crt'
FWIW, on my Ubuntu 20.04 machine, I have found that the certificates file is not deleted when I restart postfix. From some of the above comments, I infer that this only happens with postfix-multi installations; can anyone confirm or deny this?
In PR #25 I add support for automatically updating the certificates for the default single-instance case. A multi-instance user might be interested in extending this, taking into account the deletion of the certificates on restart, if that still occurs.
I had the same issue with Postfix recreating the chroot and wiping ca-certificates.crt every time it (re)starts on Debian/Ubuntu. Found a workaround by tweaking the Postfix service to run update-ca-certificates before it (re)starts:
sudo systemctl edit postfix.service
[Service]
ExecStartPre=/usr/sbin/update-ca-certificates
sudo systemctl daemon-reload
and sudo systemctl restart postfix.
Of course you'd need the /etc/ca-certificates/update.d/postfix-sasl-xoauth2-update-ca-certs installed.
This fixed it for me, hope it helps! Anyone know how this might be included in the Debian/Ubuntu package?
To get it into Debian/Ubuntu, file a Debian bug with as much help for the package maintainer to fix it as possible.
I've found that Postfix is deleting /var/spool/postfix/etc/ssl/certs/ca-certificates.crt when you restart the Postfix service using the command...
service postfix restart
When the file is missing from that location, the token does not get refreshed and you can no longer send email; you get this error:
status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[108.177.97.108]: bad protocol / cancel)
It appears to be this script getting called (/usr/lib/postfix/configure-instance.sh) during the restart script that causes all the trouble.
Is this something that is meant to happen?
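The failure discussed in this thread (the chroot copy of ca-certificates.crt disappearing on restart) can be checked and repaired idempotently before Postfix starts. The script below is an added example, not code from this thread or from the sasl-xoauth2 project; the function name `sync_chroot_ca`, its return codes and the `--run` switch are assumptions made for the example, while the two default paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: keep the CA bundle inside the Postfix chroot in sync with
# the system bundle. Default paths are the ones quoted in this thread.
SYSTEM_BUNDLE=/etc/ssl/certs/ca-certificates.crt
CHROOT_BUNDLE=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt

# sync_chroot_ca SRC DEST  (hypothetical helper)
# Returns 0 if DEST was already current, 10 if DEST was (re)installed,
# 1 if SRC is unusable, 2 if the copy failed.
sync_chroot_ca() {
    src=$1 dest=$2
    # Refuse to propagate an empty or non-PEM file into the chroot.
    if [ ! -s "$src" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "sync_chroot_ca: $src is missing or has no PEM certificates" >&2
        return 1
    fi
    # Nothing to do when the chroot copy is byte-identical.
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 0
    fi
    destdir=$(dirname "$dest")
    mkdir -p "$destdir" || return 2
    # Write to a temp file in the same directory, then rename, so a reader
    # never sees a half-written bundle.
    tmp=$(mktemp "$destdir/.ca-bundle.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 10
    fi
    rm -f "$tmp"
    return 2
}

# Run only when called with --run, for example from an ExecStartPre= line.
if [ "${1:-}" = "--run" ]; then
    sync_chroot_ca "$SYSTEM_BUNDLE" "$CHROOT_BUNDLE"; rc=$?
    case $rc in
        0)  exit 0 ;;
        10) echo "chroot CA bundle was missing or stale; reinstalled" >&2
            exit 0 ;;
        *)  exit "$rc" ;;
    esac
fi
```

Return code 10 is logged to stderr, so the journal shows each restart on which the chroot bundle had been wiped or had drifted from the system bundle.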