Package: dovecot-core
Version: 1:2.2.31-1
Severity: important

Dear Maintainer,

==================================================================================================

   * What led up to the situation?

During the upgrade from 1:2.2.27-3 to 1:2.2.31-1, the post-install script
produced the message below and dovecot was not functional anymore:

    Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/dovecot/private/dovecot.key: No such file or directory
     failed!

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

To fix this, I changed /etc/dovecot/conf.d/10-ssl.conf with the lines:

    # create symlinks in /etc/dovecot/private to default certificates:
    ## ssl-cert-snakeoil.key -> /etc/ssl/private/ssl-cert-snakeoil.key
    ## ssl-cert-snakeoil.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
    ssl_cert = </etc/dovecot/private/ssl-cert-snakeoil.pem
    ssl_key = </etc/dovecot/private/ssl-cert-snakeoil.key

I think it is a serious packaging problem when an upgrade to a working
dovecot version fails because now TLS is enabled by default but default
certs are not installed.

dovecot-core should check if there are valid certificates in
/etc/dovecot/private matching 10-ssl.conf and, failing that, create
symlinks similar to the above, so that a plain upgrade from a working
dovecot version results in a working dovecot again.

==================================================================================================

-- Package-specific info:

dovecot configuration
---------------------
# 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.7.0-1-686-pae i686 Debian 9.0
default_vsz_limit = 2560 M
mail_location = mbox:~/mail:INBOX=/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3"
ssl_cert = </etc/dovecot/private/ssl-cert-snakeoil.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.7.0-1-686-pae (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dovecot-core depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libbz2-1.0           1.0.6-8.1
ii  libc6                2.24-5
ii  libexttextcat-2.0-0  3.4.4-2+b1
ii  liblz4-1             0.0~r131-2+b1
ii  liblzma5             5.2.2-1.2+b1
ii  libpam-runtime       1.1.8-3.5
ii  libpam0g             1.1.8-3.5
ii  libssl1.1            1.1.0f-3
ii  libstemmer0d         0+svn585-1+b2
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20161125
ii  openssl              1.1.0f-3
ii  ssl-cert             1.0.39
ii  ucf                  3.0036
ii  zlib1g               1:1.2.8.dfsg-5

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
ii  dovecot-gssapi        1:2.2.31-1
ii  dovecot-imapd         1:2.2.31-1
ii  dovecot-ldap          1:2.2.31-1
ii  dovecot-lmtpd         1:2.2.31-1
pn  dovecot-lucene        <none>
ii  dovecot-managesieved  1:2.2.31-1
ii  dovecot-mysql         1:2.2.31-1
ii  dovecot-pgsql         1:2.2.31-1
ii  dovecot-pop3d         1:2.2.31-1
ii  dovecot-sieve         1:2.2.31-1
ii  dovecot-solr          1:2.2.31-1
ii  dovecot-sqlite        1:2.2.31-1
pn  ntp                   <none>

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.2.31-1
pn  dovecot-dbg                    <none>
ii  dovecot-dev                    1:2.2.31-1
ii  dovecot-gssapi                 1:2.2.31-1
ii  dovecot-imapd                  1:2.2.31-1
ii  dovecot-ldap                   1:2.2.31-1
ii  dovecot-lmtpd                  1:2.2.31-1
ii  dovecot-managesieved           1:2.2.31-1
ii  dovecot-mysql                  1:2.2.31-1
ii  dovecot-pgsql                  1:2.2.31-1
ii  dovecot-pop3d                  1:2.2.31-1
ii  dovecot-sieve                  1:2.2.31-1
ii  dovecot-sqlite                 1:2.2.31-1

-- Configuration Files:
/etc/init.d/dovecot changed:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="IMAP/POP3 mail server"
NAME=dovecot
DAEMON=/usr/sbin/dovecot
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/$NAME
CONF=/etc/dovecot/${NAME}.conf
NICE="-N 8"
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
[ -x "$DAEMON" ] || exit 0
[ -f "$CONF" ] || exit 0
[ "$ENABLED" != "0" ] || exit 0
[ "$ALLOW_COREDUMPS" != "1" ] || ulimit -c unlimited
. /lib/lsb/init-functions
if [ ! -r ${CONF} ]; then
  log_daemon_msg "${CONF}: not readable" "$NAME" && log_end_msg 1;
  exit 1;
fi
if [ -f /etc/inetd.conf ]; then
  # The init script should do nothing if dovecot or another imap/pop3 server
  # is being run from inetd, and dovecot is configured to run as an imap or
  # pop3 service
  for p in `sed -r "s/^ *(([^:]+|\[[^]]+]|\*):)?(pop3s?|imaps?)[ \t].*/\3/;t;d" \
    /etc/inetd.conf`
  do
    for q in `doveconf -n -h protocols`
    do
      if [ $p = $q ]; then
        log_daemon_msg "protocol ${p} configured both in inetd and in dovecot" "$NAME" && log_end_msg 1
        exit 0
      fi
    done
  done
fi
PIDBASE=${PIDBASE:-`doveconf -n -c ${CONF} -h base_dir`}
PIDFILE=${PIDBASE:-/var/run/dovecot}/master.pid
do_start() {
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON $NICE --test -- -c ${CONF} > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON $NICE -- -c ${CONF} \
        $DAEMON_ARGS \
        || return 2
}
do_stop() {
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/}
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --pidfile $PIDFILE --name ${DAEMON##*/}
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE $NICE --name $NAME
    return 0
}
case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  reload|force-reload)
    log_daemon_msg "Reloading $DESC" "$NAME"
    do_reload
    log_end_msg $?
    ;;
  restart)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  status)
    status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
    exit 3
    ;;
esac

-- debconf information:
  dovecot-core/create-ssl-cert: false
  dovecot-core/ssl-cert-name: localhost
  dovecot-core/ssl-cert-exists:
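
The check this report asks the package to make before restarting, sketched as an added example; it is not part of the original report or of the Debian packaging. The function names ssl_setting_path and check_ssl_files are hypothetical, and the script only reads the `ssl_cert = <file` / `ssl_key = <file` form shown above.

```shell
#!/bin/sh
# Added example, not the Debian maintainer script; function names are hypothetical.

# Print the file path from a 'name = </path' setting in a dovecot config
# fragment. Commented-out lines are ignored; the last occurrence wins.
ssl_setting_path() {
    # $1 = config file, $2 = setting name (ssl_cert or ssl_key)
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]]*\).*|\1|p" \
        "$1" 2>/dev/null | tail -n 1
}

# Return 0 only if ssl_cert and ssl_key both name readable regular files.
# Every problem is reported on stderr, so one run shows all of them.
check_ssl_files() {
    conf=$1
    rc=0
    for name in ssl_cert ssl_key; do
        path=$(ssl_setting_path "$conf" "$name")
        if [ -z "$path" ]; then
            echo "$conf: $name is not set to a file" >&2
            rc=1
        elif [ -L "$path" ] && [ ! -e "$path" ]; then
            # A symlink workaround breaks silently once its target is removed.
            echo "$conf: $name: dangling symlink $path" >&2
            rc=1
        elif [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "$conf: $name: can't read $path" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical use before a restart (config path taken from the error message above):
#   check_ssl_files /etc/dovecot/conf.d/10-ssl.conf || echo "not restarting dovecot" >&2
```

A non-zero return lets an upgrade script leave the running service alone and report the missing file, rather than restart into the fatal doveconf error quoted in the report.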