Postfix smtp stopped after errata 49

Hi
After applying erratum 49 my smtp stopped working.
The error stopped and it returned to work after changing the following registry setting: ucr set mail/postfix/tls/client/level=none
Although it is working, it now keeps logging this other error:
postfix/smtp[6156]: warning: hash:/etc/postfix/tls_policy is not available. Open database /etc/postfix/tls_policy.db: No such file or directory
In fact, this file is not present in the path indicated.
What should I do to correct this error?
Thanks for helping

Michael Voigt

Hi,

the file /etc/postfix/tls_policy.db should exist, if the update succeeded. Please check if there were errors in /var/log/univention/updater.log
To continue an interrupted installation/update run apt-get install -f

If there is a file /etc/postfix/tls_policy but not /etc/postfix/tls_policy.db, then you can run
postmap /etc/postfix/tls_policy
to create it.

When the situation with the tls_policy(.db) file has been resolved, please return the UCRV mail/postfix/tls/client/level to its default:
ucr unset mail/postfix/tls/client/level

Greetings
Daniel Tröder

Hi
I followed his guidance, and applied an apt-get -install -f but there was nothing left behind.
Looking at the updater log, see below what happened:

Create mail/postfix/tls/client/policy/amavis
postmap: fatal: open /etc/postfix/tls_policy: No such file or directory
The user 'postfix' is already a member of 'sasl'.
Warning: Unit file of postfix.service changed on disk, ‘systemctl daemon-reload’ recommended.

That is all I have so far on this issue.
Also not appearing for me the need to install this file tls_policy

Do you think I need to insert this file anyway?

Grateful!

Michael Voigt

Erratum 49 has introduced some changes regarding client TLS. The map file is referenced in the main.cf. Postfix will not start until the map exists.

Please check if the template file /etc/univention/templates/files/etc/postfix/tls_policy exists. If yes, run

ucr commit /etc/postfix/tls_policy

If it doesn't exist it is worth a try to reinstall the package “univention-mail-postfix”.

Best Regards,
Dirk Ahrnke

Hi
The file does not even exist.
I tried to reinstall, the result is the same … see log below:

root@server:~# apt-get --reinstall install univention-mail-postfix
Reading package lists … Done
Building dependency tree
Reading state information … Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 34.2 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://updates.software-univention.de/4.2/maintained/ 4.2-1/all/univention-mail-postfix 11.0.1-14A~4.2.0.201706191335 [34.2 kB]
Fetched 34.2 kB in 1s (18.3 kB/s)
(Reading database … 173950 files and directories currently installed.)
Preparing to unpack …/univention-mail-postfix_11.0.1-14A~4.2.0.201706191335_all.deb …
Unpacking univention-mail-postfix (11.0.1-14A~4.2.0.201706191335) over (11.0.1-14A~4.2.0.201706191335) …
Processing triggers for univention-config (12.0.1-5A~4.2.0.201703151910) …
dpkg-query: no packages found matching ldapacl_66univention-appcenter_app.acl
Setting up univention-mail-postfix (11.0.1-14A~4.2.0.201706191335) …
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/init.d/postfix
Multifile: /etc/postfix/ldap.virtual
File: /etc/postfix/sasl/smtpd.conf
Multifile: /etc/postfix/transport
File: /etc/cron.d/univention-mail-postfix
File: /etc/aliases
Multifile: /etc/postfix/main.cf
Multifile: /etc/postfix/ldap.canonicalsender
File: /etc/pam.d/smtp
Module: create-archivefolder
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
File: /etc/listfilter.secret
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/mailname
Multifile: /etc/postfix/master.cf
Multifile: /etc/postfix/ldap.sharedfolderremote
Not updating postfix/autostart
Not updating mail/postfix/virtual/enabled
Not updating mail/postfix/transport/ldap/enabled
Not updating mail/postfix/inet/interfaces
Not updating mail/postfix/ldap/timeout
Not updating mail/postfix/policy/listfilter
Not updating mail/postfix/policy/listfilter/use_sasl_username
Not updating mail/postfix/masquerade/domains
Not updating mail/postfix/masquerade/exceptions
Not updating mail/alias/root
Not updating mail/alias/postmaster
Not updating mail/messagesizelimit
Not updating mail/postfix/tls/client/exclude_ciphers
Not updating mail/postfix/ldaptable/starttls
Not updating mail/postfix/ldaptable/tlsrequirecert
Not updating mail/postfix/ldaptable/tlscacertfile
Not updating mail/postfix/ldaptable/debuglevel
Not updating mail/postfix/smtpd/tls/dh1024/param/file
Not updating mail/postfix/smtpd/tls/dh512/param/file
Not updating mail/postfix/smtpd/tls/eecdh/grid
Not updating mail/postfix/smtpd/tls/exclude_ciphers
Not updating mail/postfix/tls/preempt/cipherlist
Not updating mail/postfix/smtpd/tls/loglevel
Not updating mail/postfix/smtp/tls/loglevel
Not updating mail/postfix/mastercf/options/smtps/smtpd_tls_wrappermode
Not updating mail/postfix/mastercf/options/smtps/smtpd_sasl_auth_enable
Not updating mail/postfix/mastercf/options/submission/smtpd_sasl_auth_enable
Not updating mail/postfix/mastercf/options/submission/smtpd_enforce_tls
Not updating mail/postfix/tls/client/policy/amavis
postmap: fatal: open /etc/postfix/tls_policy: No such file or directory
The user 'postfix' is already a member of 'sasl'.
File: /etc/mailname
File: /etc/listfilter.secret
Warning: Unit file of postfix.service changed on disk, ‘systemctl daemon-reload’ recommended.
[Ok] Reloading configuration files for periodic command scheduler: cron.
Reading package lists … Done
Building dependency tree
Reading state information … Done

What do you think?

Best Regards,
Michael Voigt

Hi
After reinstalling the “univention-mail-postfix” package the tls_policy file now exists, but it is not copied to /etc/postfix. When I run the command ucr commit /etc/postfix/tls_policy the file is also not copied to /etc/postfix.

What is your opinion?

Regards,
Michael Voigt

Please run

ucr update
ucr commit /etc/postfix/tls_policy
postmap /etc/postfix/tls_policy
ls -l /etc/postfix/tls_policy* /etc/univention/templates/files/etc/postfix/tls_policy

Best regards
Daniel Tröder

Hi,
The first two commands work fine. When it arrives at the postmap, this error occurs:
postmap: fatal: open /etc/postfix/tls_policy: No such file or directory
It does not copy the tls_policy file into /etc/postfix

What do you think?

Best regards,
Michael Voigt

Could you upload or PM the /v/l/u/updater.log?

updater.log (869.4 KB)

Hi
Daniel, follow the updater.log attached.
Appreciate your help.

Great Regards,

Michael Voigt

You modified the UCR template, so the update didn’t overwrite it:

Configuration file '/etc/univention/registry.info/variables/univention-mail-postfix.cfg'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
 ==> Using current old file as you requested.
Installing new version of config file /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls ...

Configuration file '/etc/univention/templates/info/univention-mail-postfix.info'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
 ==> Using current old file as you requested.

This is why we need Bug #44473

I don’t know how to fix this - I’ll ask around. My guess is, that you’ll have to look for something like /etc/univention/registry.info/variables/univention-mail-postfix.cfg.*dpkg* and /etc/univention/templates/info/univention-mail-postfix.info.*dpkg* and you’ll have to merge your changes and ours manually.
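
As an added example (not part of the thread and not Univention tooling), the two checks discussed above can be scripted: which hash: maps referenced in main.cf lack a source or compiled .db file, and which conffile versions dpkg left aside. The function names and the two command-line arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Univention tooling.

# List every hash: table referenced in a main.cf whose source file or
# compiled .db is missing, or whose .db is older than its source.
check_hash_maps() {
    grep -v '^[[:space:]]*#' "$1" | grep -o 'hash:[^[:space:],]*' |
    sort -u | while IFS= read -r ref; do
        src=${ref#hash:}
        case $src in *\$*) continue ;; esac   # skip $parameter references
        if [ ! -f "$src" ]; then
            echo "MISSING_SOURCE $src"        # template was never committed
        elif [ ! -f "$src.db" ]; then
            echo "MISSING_DB $src"            # postmap has not been run
        elif [ "$src" -nt "$src.db" ]; then
            echo "STALE_DB $src"              # source edited after postmap
        fi
    done
}

# List conffile versions that dpkg kept aside (dpkg-dist, dpkg-new) or
# replaced (dpkg-old) below a directory, so they can be reviewed and merged.
pending_conffiles() {
    find "$1" -type f \( -name '*.dpkg-dist' -o -name '*.dpkg-new' \
        -o -name '*.dpkg-old' \) | sort
}

# Assumed usage: sh check.sh /etc/postfix/main.cf /etc/univention/templates
if [ "$#" -eq 2 ]; then
    check_hash_maps "$1"
    pending_conffiles "$2"
fi
```

An empty result from both functions means every referenced map is compiled and no conffile merge is outstanding, which is the point at which mail/postfix/tls/client/level can be unset again.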

Hi!

It is curious that the update mechanism thinks that /etc/univention/templates/info/univention-mail-postfix.info has been modified. Just to be sure: have you altered this file intentionally? If not, we have to dig deeper. I have a workaround for you but it would be great if you give us some information first to understand the problem.

So here is my question catalog: :wink:

  1. Please also attach the /etc/univention/templates/info/univention-mail-postfix.info to this thread.
  2. Please run the following command and send me the results:
    md5sum /etc/univention/templates/info/univention-mail-postfix.info
  3. Please run the following command and send me the results:
    find /etc/univention/templates/info/univention-mail-postfix* -ls
  4. Did you remove and reinstall the Univention Mail Server App in the past?
  5. Do you have any mail related apps installed? Kopano? OX? maildisclaimer? …
  6. What was the initial UCS version the system has been installed with?

The commands above have to be executed before the following workaround can be applied.

cd /etc/univention/templates/info/
mv univention-mail-postfix.info univention-mail-postfix.info.modified
mv univention-mail-postfix.info.dpkg-dist univention-mail-postfix.info
ucr update
ucr commit /etc/postfix/*
postmap /etc/postfix/tls_policy
invoke-rc.d postfix restart

Thanks in advance,

Sönke Schwardt-Krummrich

univention-mail-postfix.info.txt (10.8 KB)

Hi,
md5…
ef8b68ba52a1836113f6a5d14af960e5 univention-mail-postfix.info

In fact, now I begin to understand why it did not update. Important to know that the postfix is working ok. The update did not happen completely.
This server was installed with UCS 4.2
At first I got to install the univention-mail-canonical-maps package but it was later removed.
And a change was made through the Univention Configuration Registry. I inserted a new UCR Variable mail/postfix/smtp/headerchecks >>> value >>> regexp: /etc/postfix/header_check
This should be the cause of the problem in completing the modifications.

Do you think I should still apply the suggestion you gave?

Best Regards,

Michael Voigt

Hi Michael,

yes, first you should perform the steps mentioned above to get back a working system.

If I’m right, you only added Variables: mail/postfix/smtp/headerchecks to univention-mail-postfix.info. This entry is only required to make sure that upon a change of the UCR variable mail/postfix/smtp/headerchecks the file /etc/postfix/main.cf is automatically recreated from the UCR templates.
If the entry is missing, you have to perform an additional step for changing the value:

ucr set mail/postfix/smtp/headerchecks="foo bar baz"
ucr commit /etc/postfix/main.cf
invoke-rc.d postfix restart

Regarding changes for main.cf:
it is possible to add your own custom subtemplate for main.cf. This is described in the following thread. Please note that postfix is always using the last definition of an option within the main.cf. So if you redefine an option in your own subtemplate at the end of main.cf, postfix is using your value. There’s one drawback: postfix issues a warning when defining options a second/third/… time.

Hi,
I ran as suggested, the problem is that it is not copying the tls_policy file into /etc/postfix
So I cannot run postmap /etc/postfix/tls_policy, because it does not find this file.
The previous commands will work … it just can not copy tls_policy.
Should I copy this file in hand?
What do you think?

Best Regards,

Michael

Hi!

So you copied the univention-mail-postfix.info.dpkg-dist back to univention-mail-postfix.info and executed ucr update?
Does the file /etc/univention/templates/files/etc/postfix/tls_policy exist?
What happens if you call ucr commit /etc/postfix/tls_policy again? Does the file exist now?
If not, please send the md5sum of the new univention-mail-postfix.info file.

Best regards,

Sönke

Hi!

Running ucr commit /etc/postfix/tls_policy again fixed the problem.
Now the file has been copied, and the errors are gone.
Thank you very much, that helped a lot.

Best Regards,

Michael Voigt
