Postfix error "unsupported dictionary type: ldap" - 4.3 upgrade pre-up removes




I’m using the update LDAP policy to deploy updates to my systems. On my mail server, the update from UCS 4.2 to 4.3 is correctly withheld because I need to migrate from Cyrus to Dovecot first.

But the pre-up script doing these checks somehow destroys my postfix configuration. Excerpt from /var/log/univention/updater.log:

Custom preupdate script /var/lib/ not found
dpkg: warning: ignoring request to remove univention-config-wrapper which isn't installed
Checking for space on /var/cache/apt/archives: OK
Checking for space on /boot: OK
Checking for space on /: OK
Checking for package status: OK
Checking LDAP schema: OK
Removing /etc/postfix/ Creating backup in /etc/postfix/
'/etc/postfix/' -> '/etc/postfix/'
Not updating ldap/overlay/memberof
ii  univention-mail-cyrus 9.0.0-12A~ all          UCS - imap configuration
ERROR: The Cyrus integration package was found. Cyrus is not
supported anymore by UCS 4.3. Aborting the upgrade. For instructions how to
proceed, please refer to
Error: Update aborted by pre-update script of release 4.3-0

The consequence is that incoming mails are spooled by postfix but not delivered to cyrus. Message in mail.err for each mail is:

Jun  2 11:04:44 mailserver postfix/smtpd[18370]: error: unsupported dictionary type: ldap

To get my postfix back working I follow the steps found in

root@mailserver:~# . /usr/share/postfix/postinst.functions
root@mailserver:~# delmap ldap
grep: /etc/postfix/ Datei oder Verzeichnis nicht gefunden
root@mailserver:~# addmap ldap
grep: /etc/postfix/ Datei oder Verzeichnis nicht gefunden
Adding ldap map entry to /etc/postfix/
root@mailserver:~# service postfix restart

I deactivated the update LDAP policy for this server to keep things working as long as I haven’t migrated to Dovecot. But I think the pre-up script should be checked / improved.
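The failure described above is silent from the sender's side: mail is accepted and spooled, and only the mail log shows the missing map type. The following check is an added example, not part of the original post or of UCS; the function names, the sample log lines other than the first, and the `--demo` switch are assumptions made for illustration. It counts "unsupported dictionary type" errors per map type so the breakage can be caught by monitoring right after an aborted update.

```shell
#!/bin/sh
# Added example (not from the thread): count Postfix
# "unsupported dictionary type" errors per map type in a mail log.

# Prints "<type> <count>" per missing map type, sorted by type.
# Returns 1 if any were found, 0 if none, 2 if the log is unreadable.
check_dict_errors() {
    logfile=$1
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
    awk '
        # Match any Postfix daemon (smtpd, cleanup, ...) at any severity.
        /postfix\/[a-z-]+\[[0-9]+\]: .*unsupported dictionary type: / {
            sub(/.*unsupported dictionary type: /, "")
            split($0, tok, /[^A-Za-z0-9_-]/)   # keep only the type name
            count[tok[1]]++
        }
        END {
            found = 0
            for (t in count) { print t, count[t] | "sort"; found = 1 }
            close("sort")
            exit found
        }
    ' "$logfile"
}

# Constructed sample log; only the first line has the shape quoted in the post.
sample_log() {
    cat <<'EOF'
Jun  2 11:04:44 mailserver postfix/smtpd[18370]: error: unsupported dictionary type: ldap
Jun  2 11:05:10 mailserver postfix/cleanup[18402]: error: unsupported dictionary type: ldap
Jun  2 11:05:11 mailserver postfix/trivial-rewrite[18410]: warning: unsupported dictionary type: pcre
Jun  2 11:05:12 mailserver postfix/qmgr[1201]: 4F2A1: from=<a@example.org>, size=512, nrcpt=1
EOF
}

# Run on the constructed sample when called with --demo.
case "${1:-}" in
    --demo)
        tmp=$(mktemp); sample_log > "$tmp"
        check_dict_errors "$tmp"; rc=$?
        rm -f "$tmp"; exit "$rc" ;;
esac
```

A non-zero return from `check_dict_errors` on the current mail error log is the signal to inspect the Postfix map configuration before the queue grows.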


Hello Tanatos,

you are right. The order in the preup script is bad. I have created a bug report, so this can be fixed:

Daniel Tröder



In addition to the bug Daniel already commented on: you don’t necessarily have to deactivate your policy for updates, you just have to prevent it from updating to 4.3-0 or later. I wrote an explanation of how to achieve this a couple of weeks ago. That way you’ll still receive security updates for 4.2-x, but the update to 4.3-0 isn’t attempted automatically.

Kind regards,