Regarding issue 5: I forgot to handle directories in the previous patch. This is fixed in the attached patch.
Sorry for the mess!
--- postfix-2.5.5-orig/debian/init.d 2008-10-31 13:59:26.000000000 +0100
+++ postfix-2.5.5/debian/init.d 2008-10-31 14:47:54.000000000 +0100
@@ -25,6 +25,8 @@
 # Defaults - don't touch, edit /etc/default/postfix
 SYNC_CHROOT="y"
+CHROOT_FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+ etc/nsswitch.conf etc/nss_mdns.config"
 test -f /etc/default/postfix && . /etc/default/postfix
@@ -45,6 +47,55 @@
 fi
 }
+update_chroot() {
+ # see if anything is running chrooted.
+ NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+
+ if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+ # Make sure that the chroot environment is set up correctly.
+ oldumask=$(umask)
+ umask 027
+ cd $(postconf -h queue_directory)
+
+ # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
+ smtp_tls_security_level=$(postconf -h smtp_tls_security_level)
+ smtp_use_tls=$(postconf -h smtp_use_tls)
+ smtpd_tls_security_level=$(postconf -h smtpd_tls_security_level)
+ smtpd_use_tls=$(postconf -h smtpd_use_tls)
+ if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" \
+ -o "X$smtp_tls_security_level" != "X" -a "X$smtp_tls_security_level" != "Xnone" \
+ -o "X$smtpd_tls_security_level" != "X" -a "X$smtpd_tls_security_level" != "Xnone" ]; then
+ if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+ mkdir -p etc/ssl/certs
+ cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
+ chgrp -R postfix etc
+ fi
+ fi
+
+ # if we're using unix:passwd.byname, then we need to add etc/passwd.
+ local_maps=$(postconf -h local_recipient_maps)
+ if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+ if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+ sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+ chgrp postfix etc/passwd
+ fi
+ fi
+
+ for file in $CHROOT_FILES; do
+ if [ ! -d ${file%/*} ]; then mkdir -p ${file%/*} && chgrp -R postfix ${file%%/*}; fi
+ if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+ if [ -f ${file} ]; then chgrp postfix ${file}; fi
+ done
+ rm -f usr/lib/zoneinfo/localtime
+ mkdir -p usr/lib/zoneinfo
+ ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+ rm -f lib/libnss_*so*
+ tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+ umask $oldumask
+ fi
+}
+
+
 case "$1" in
 start)
 log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
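Review bot: `cd $(postconf -h queue_directory)` in update_chroot is unquoted and its status is never checked, yet every command after it — including the new `chgrp -R postfix etc`, `rm -f lib/libnss_*so*` and `tar xf -` — uses relative paths, so if the cd fails (postconf unavailable, queue_directory empty or misconfigured) they run in whatever the caller's working directory is, which for an init script is likely `/`; nothing in the hunk shows `set -e` guarding this. Make the cd fatal with `cd "$(postconf -h queue_directory)" || return 1` so a failure cannot rewrite the real /etc or /lib tree. The three-line TLS test mixes `-o` and `-a` in one `[ ]`; POSIX leaves `test` with more than four arguments unspecified, so splitting it into separate `[ ]` expressions joined by `||`/`&&` removes the ambiguity. Since update_chroot is now also reached from the new update-chroot action, consider running its body in a subshell so the cd and umask do not leak into the caller.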
@@ -65,48 +116,7 @@
 exit 1
 fi
- # see if anything is running chrooted.
- NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
-
- if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
- # Make sure that the chroot environment is set up correctly.
- oldumask=$(umask)
- umask 022
- cd $(postconf -h queue_directory)
-
- # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
- smtp_use_tls=$(postconf -h smtp_use_tls)
- smtpd_use_tls=$(postconf -h smtpd_use_tls)
- if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; then
- if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
- mkdir -p etc/ssl/certs
- cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
- fi
- fi
-
- # if we're using unix:passwd.byname, then we need to add etc/passwd.
- local_maps=$(postconf -h local_recipient_maps)
- if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
- if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
- sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
- chmod a+r etc/passwd
- fi
- fi
-
- FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
- etc/nsswitch.conf etc/nss_mdns.config"
- for file in $FILES; do
- [ -d ${file%/*} ] || mkdir -p ${file%/*}
- if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
- if [ -f ${file} ]; then chmod a+rX ${file}; fi
- done
- rm -f usr/lib/zoneinfo/localtime
- mkdir -p usr/lib/zoneinfo
- ln -sf /etc/localtime usr/lib/zoneinfo/localtime
- rm -f lib/libnss_*so*
- tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
- umask $oldumask
- fi
+ update_chroot
 if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
 log_end_msg 0
@@ -159,8 +169,14 @@
 ${DAEMON} $1
 ;;
+ update-chroot)
+ log_action_begin_msg "Updating the Postfix chroot"
+ update_chroot
+ log_action_end_msg 0
+ ;;
+
 *)
- log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+ log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload|update-chroot}"
 exit 1
 ;;
 esac
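Review bot: The new update-chroot action calls `log_action_end_msg 0` unconditionally, so update_chroot's exit status is discarded and the action reports success even when a copy or chgrp inside it failed, or when NEED_CHROOT/SYNC_CHROOT is empty and nothing was done. Report the real outcome with `if update_chroot; then log_action_end_msg 0; else log_action_end_msg 1; fi`; this is only meaningful once update_chroot itself returns non-zero on failure, which as written it does not appear to do (its status is that of its last `if`/`umask`), so the two changes belong together.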