Problem with mailsystem after Update to 4.3 (SSL issue?)

Hi,
very strange problem here.
UCS / OX System (single node, just a master, no slaves)

  • completely working 4.2-5 UCS shows following problems via “System diagnostic”:
Critical: Check validity of SSL certificates:
Found invalid certificate '/etc/univention/ssl/foo.bar.de/foo-bar.de.crt': /etc/univention/ssl/foo-bar.de/foo-bar.de.crt: OU = Domain Control Validated, CN = *.foo-bar.de error 20 at 0 depth lookup:unable to get local issuer certificate

I had not seen this issue before updating to 4.3 (but do see now after rolling back to this earlier snapshot), therefore triggered the update without worrying.
Update to 4.3-2 went incredibly smooth, no problems at all.
Univention / OX reachable afterwards, but mailsystem completely down.

Being a bit dumb this morning unfortunately i just rolled back the system to 4.2-5 without backing up the logfiles :)
but here’s what i still had in some terminal session, maybe it helps:

Sep 22 09:22:37 ucs slapd[1887]: <= mdb_equality_candidates: (userOptionsPreset) not indexed
Sep 22 09:22:37 ucs slapd[1887]: <= mdb_equality_candidates: (userOptionsPreset) not indexed
Sep 22 09:22:37 ucs slapd[1887]: <= mdb_equality_candidates: (userOptionsPreset) not indexed
Sep 22 09:22:38 ucs slapd[1887]: <= mdb_equality_candidates: (SAMLServiceProviderIdentifier) not indexed
Sep 22 09:23:02 ucs check_nrpe: Remote 45.5.123.123 accepted a Version 3 Packet
Sep 22 09:23:05 ucs dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=karencorbett@foo-bar.de, method=PLAIN, rip=197.51.174.45, lip=45.5.123.123, TLS: Disconnected, session=
Sep 22 09:24:09 ucs dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=roneggron@foo-bar.de, method=PLAIN, rip=61.153.54.38, lip=45.5.123.123, TLS, session=<30r1o3B2FL49mTYm>
Sep 22 09:24:23 ucs nagios: SERVICE ALERT: ucs.foo-bar.de;UNIVENTION_NTP;CRITICAL;SOFT;1;NTP CRITICAL: Offset unknown
Sep 22 09:24:38 ucs dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=mirianaltamiranocalle@foo-bar.de, method=PLAIN, rip=222.76.48.121, lip=45.5.123.123, TLS: Disconnected, session=
Sep 22 09:24:43 ucs check_nrpe: Remote 45.5.123.123 accepted a Version 3 Packet
Sep 22 09:25:01 ucs CRON[3761]: (root) CMD ([ -x /usr/share/univention-ox/process-listener ] && /usr/share/univention-ox/process-listener)
Sep 22 09:25:01 ucs CRON[3763]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]][^#][[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)
Sep 22 09:25:02 ucs check_nrpe: Remote 45.5.123.123 accepted a Version 3 Packet
Sep 22 09:25:11 ucs dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=info@foo-bar.de, method=PLAIN, rip=123.12.123.12, lip=45.5.123.123, TLS, session=<Dwa8p3B2/O3aFrSS>

Maybe someone can tell me what went wrong here and how i would be able to solve this?
have yourself a great weekend and thanks a ton
Sascha

Fixed it.
after reupdating i found this in the logs:

Sep 22 21:02:29 ucs postmulti[25319]: fatal: instance /etc/postfix, shlib_directory=/usr/lib/postfix conflicts with instance /etc/postfix, daemon_directory=/usr/lib/postfix

So all i had to do was:

postconf -e daemon_directory='/usr/lib/postfix/sbin'
postconf -e shlib_directory='/usr/lib/postfix'
postconf -e compatibility_level=2
for i in $(postconf -Mf | grep '^[0-9a-zA-Z]' | awk '{print $1"/"$2"/chroot=n"}'); do postconf -F "$i"; done

solution found here:
https://docs.iredmail.org/upgrade.debian.8-9.html

are these changes now updatesafe, or would i better change something in some templates again?
And how the hell was this possible to be happening in the first place?
Shouldn’t univention-upgrade take care of these changes?

thanks
Sascha

nope…not updatesafe…
After Update to 4.3-2 same thing. Same remedy…
Ok…got a working system for now. how to fix the issue permanently?
thanks and good night
Sascha

You must have modified the templates, because in 4.3 the shlib_directory default is /usr/lib/postfix (no need to set it) and daemon_directory is set explicitly in templates for both /etc/init.d/postfix and /etc/postfix/main.cf.

Greetings
Daniel

Hi Daniel,
yes, you’re right…

univention-check-templates
WARNING: The following UCR files are modified locally.
Updated versions will be named FILENAME.dpkg-*.
The files should be checked for differences.

/etc/univention/templates/files/etc/postfix/main.cf.d/10_general

I think we touched that file long ago to handle DKIM.

so all i would have to do would be to restore the appropriate .dpkg-dist to 10_general?

ls -lah  /etc/univention/templates/files/etc/postfix/main.cf.d/10_general*
-rw-r--r-- 1 root root 3,5K Apr  4 11:03 /etc/univention/templates/files/etc/postfix/main.cf.d/10_general
-rw-r--r-- 1 root root 3,8K Mär  1  2018 /etc/univention/templates/files/etc/postfix/main.cf.d/10_general.dpkg-dist

and then set the wanted changes back?
Basically what we need to add is:

#DKIM Additions, 4.4.2018
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

How would i best do this?

thanks
Sascha

Hey,

Yes, just rename the .dpkg-dist to the original file name and call ucr commit /etc/postfix/main.cf afterwards.

For a while now there’s a mechanism for adding arbitrary configuration options to Postfix by placing them in /etc/postfix/main.cf.local and calling ucr commit /etc/postfix/main.cf.

Don’t forget to postfix reload after all your changes, of course.

m.
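
The steps from this reply, collected into one script as an added example (not part of the original thread and not Univention's own tooling): restore the packaged template, move the DKIM milter settings from the thread into /etc/postfix/main.cf.local, then regenerate and reload. The function names, the `.local-backup` suffix and the `--apply` switch are assumptions made for this example; the paths, settings and the `ucr commit` / `postfix reload` calls are the ones named in the thread.

```shell
#!/bin/sh
# Added example: keep local Postfix settings out of the UCR template so that
# package updates can replace the template without losing them.
TEMPLATE=${TEMPLATE:-/etc/univention/templates/files/etc/postfix/main.cf.d/10_general}
LOCAL_CF=${LOCAL_CF:-/etc/postfix/main.cf.local}

# Put the packaged .dpkg-dist version in place of the locally modified template.
# The modified copy is kept (hypothetical suffix) so it can be diffed later.
# Returns 1 when there is no .dpkg-dist file, i.e. nothing to restore.
restore_template() {
    tmpl=$1
    [ -f "$tmpl.dpkg-dist" ] || return 1
    cp -p "$tmpl" "$tmpl.local-backup" || return 2
    mv "$tmpl.dpkg-dist" "$tmpl"
}

# Append "key = value" to the override file unless that key is already set
# there, so running the script twice never duplicates a setting.
add_local_setting() {
    file=$1 key=$2 value=$3
    touch "$file"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        return 0
    fi
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# The four DKIM milter settings quoted in the thread.
apply_dkim_settings() {
    file=$1
    add_local_setting "$file" milter_default_action accept
    add_local_setting "$file" milter_protocol 6
    add_local_setting "$file" smtpd_milters inet:localhost:12345
    add_local_setting "$file" non_smtpd_milters inet:localhost:12345
}

apply_all() {
    restore_template "$TEMPLATE" || echo "no .dpkg-dist found, template left as is" >&2
    apply_dkim_settings "$LOCAL_CF"
    ucr commit /etc/postfix/main.cf   # regenerate main.cf from the templates
    postfix check && postfix reload   # reload only a configuration that parses
}

# Change the live system only when asked to; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

Afterwards univention-check-templates should no longer list 10_general as locally modified.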

Hey, that seemed to have worked!
perfect, thank you very much!
Best
Sascha
