tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

ca-certificates.crt is deleted on postfix restart #13

Open Wasca opened 3 years ago

Wasca commented 3 years ago

I've found that Postfix is deleting /var/spool/postfix/etc/ssl/certs/ca-certificates.crt when you restart the Postfix service using the command...

service postfix restart

When the file is missing from that location, the token does not get refreshed and you can no longer send email; you get this error:

status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[108.177.97.108]: bad protocol / cancel)

It appears to be this script getting called (/usr/lib/postfix/configure-instance.sh) during the restart script that causes all the trouble.

Is this something that is meant to happen?

Wasca commented 3 years ago

I'm not sure if this is the correct way to fix this, but I just added this line before the closing fi in /usr/lib/postfix/configure-instance.sh

cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

Each time postfix is started or restarted the certificate is now copied into the correct location.

I need to find a way to execute this copy command in the postfix startup script; I tried, but it never worked when I entered it in there.

dberlin commented 3 years ago

The more "correct" patch is that in configure-instance.sh, change where you see -name '*.pem' to -name '*.pem' -or -name '*.crt'

rrthomas commented 2 years ago

FWIW, on my Ubuntu 20.04 machine, I have found that the certificates file is not deleted when I restart postfix. From some of the above comments, I infer that this only happens with postfix-multi installations; can anyone confirm or deny this?

In PR #25 I add support for automatically updating the certificates for the default single-instance case. A multi-instance user might be interested in extending this, taking into account the deletion of the certificates on restart, if that still occurs.

daniel-fahey commented 7 months ago

I had the same issue with Postfix recreating the chroot and wiping ca-certificates.crt every time it (re)starts on Debian/Ubuntu. Found a workaround by tweaking the Postfix service to run update-ca-certificates before it (re)starts:

  1. Run sudo systemctl edit postfix.service
  2. Add these lines to the file:
    [Service]
    ExecStartPre=/usr/sbin/update-ca-certificates
  3. Save it, then run sudo systemctl daemon-reload and sudo systemctl restart postfix.

Of course you'd need the /etc/ca-certificates/update.d/postfix-sasl-xoauth2-update-ca-certs installed.

This fixed it for me, hope it helps! Anyone know how this might be included in the Debian/Ubuntu package?
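A check for the failure described in this thread, as an added example that is not part of any comment above or of sasl-xoauth2: it reports whether the CA bundle inside the Postfix chroot is present and identical to the system bundle, so a wiped copy is caught before mail starts being deferred. The function names and the script name check-chroot-ca.sh are hypothetical; the default paths are the two quoted in this thread.

```shell
#!/bin/sh
# Added example: check the CA bundle inside the Postfix chroot.
# Default paths are the two quoted in this thread.
SYSTEM_BUNDLE=/etc/ssl/certs/ca-certificates.crt
CHROOT_BUNDLE=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt

# chroot_ca_status [SYSTEM_BUNDLE] [CHROOT_BUNDLE]
# Prints exactly one word:
#   ok                 chroot copy is byte-identical to the system bundle
#   missing            chroot copy does not exist (the state reported here)
#   symlink            chroot copy is a symlink; an absolute target resolves
#                      against the chroot root, so it may dangle for Postfix
#   empty              chroot copy exists but has no content
#   stale              chroot copy differs from the system bundle
#   no-system-bundle   nothing to compare against
chroot_ca_status() {
    ca_sys=${1:-$SYSTEM_BUNDLE}
    ca_jail=${2:-$CHROOT_BUNDLE}
    # -L is tested before -e because -e is false for a dangling symlink.
    if [ ! -s "$ca_sys" ]; then echo no-system-bundle
    elif [ -L "$ca_jail" ]; then echo symlink
    elif [ ! -e "$ca_jail" ]; then echo missing
    elif [ ! -s "$ca_jail" ]; then echo empty
    elif cmp -s "$ca_sys" "$ca_jail"; then echo ok
    else echo stale
    fi
}

# check_chroot_ca [SYSTEM_BUNDLE] [CHROOT_BUNDLE]
# Returns 0 only for "ok"; otherwise writes the reason to stderr and returns 1,
# so it can gate a monitoring probe or a post-restart check.
check_chroot_ca() {
    ca_status=$(chroot_ca_status "$@")
    if [ "$ca_status" = ok ]; then
        return 0
    fi
    echo "postfix chroot CA bundle: $ca_status" >&2
    return 1
}

# Check the real paths only when asked to: sh check-chroot-ca.sh --check
if [ "${1:-}" = "--check" ]; then
    check_chroot_ca
    exit $?
fi
```

Running it after each Postfix restart shows whether a workaround from this thread actually left a usable bundle in the chroot.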

rrthomas commented 7 months ago

To get it into Debian/Ubuntu, file a Debian bug with as much help for the package maintainer to fix it as possible.