Let me suggest the attached patch instead, since it covers more use
cases. The basics are simple:

- We no longer check for smtp_use_tls and friends, since they are
  deprecated.

- Instead, if smtp_tls_CApath is specified, its directory tree is copied
  into the chroot, replacing the existing copy at the same path under
  the queue directory.

- If smtp_tls_CAfile is specified, it is copied to the same location
  within the chroot. Otherwise, the
  /etc/ssl/certs/ca-certificates.crt bundle is installed.

Please apply this (or a previous) patch, Lamont.

-- 
 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
--- /tmp/postfix	2010-08-26 18:41:31.325351656 +0200
+++ /etc/init.d/postfix	2010-08-26 19:17:10.425343825 +0200
@@ -72,21 +72,54 @@
 		# Make sure that the chroot environment is set up correctly.
 		oldumask=$(umask)
 		umask 022
-		cd $(postconf -h queue_directory)
-
-		# if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
-		if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then 
-		    smtp_use_tls=$(postconf -h smtp_use_tls)
-		    smtp_enforce_tls=$(postconf -h smtp_enforce_tls)
-		    smtpd_use_tls=$(postconf -h smtpd_use_tls)
-		    smtpd_enforce_tls=$(postconf -h smtpd_use_tls)
-		    case :$smtp_use_tls:$smtp_enforce_tls:$smtpd_use_tls:$smtpd_enforce_tls: in
-			*:yes:*)
-			    mkdir -p etc/ssl/certs
-			    cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
-		    esac
-		fi
+		queue_dir=$(postconf -h queue_directory)
+		cd "$queue_dir"
 
+		# copy the CA path if specified
+		ca_path=$(postconf -h smtp_tls_CApath)
+		case "$ca_path" in
+		    '') :;; # no ca_path
+		    $queue_dir/*) :;;  # skip stuff already in chroot
+		    *)
+			if test -d "$ca_path"; then
+			    dest_dir="$queue_dir/${ca_path#/}" new=0
+			    if test -d "$dest_dir"
+                                # write to a new directory ...
+				then dest_dir="$dest_dir.NEW" && new=1
+				else mkdir --parent ${dest_dir%/*}
+			    fi
+                            # handle files in subdirectories
+			    find "$ca_path" -print0 | cpio -0pdL "$dest_dir"
+			    if [ "$new" = 1 ]; then
+                                # and replace the old directory
+				rm -r "${dest_dir%.NEW}"
+				mv "$dest_dir" "${dest_dir%.NEW}"
+			    fi
+			fi
+			;;
+		esac
+				    
+		# if there is a CA file, copy it
+		ca_file=$(postconf -h smtp_tls_CAfile)
+		case "$ca_file" in
+		    $queue_dir/*) :;;  # skip stuff already in chroot
+		    '') # no ca_file
+                        # or copy the bundle to preserve functionality
+			ca_bundle=/etc/ssl/certs/ca-certificates.crt
+			if [ -f $ca_bundle ]; then
+			    mkdir --parent ${ca_bundle%/*}
+			    cp -L "$ca_bundle" "$queue_dir/${ca_bundle%/*}"
+			fi
+			;;
+		    *)
+			if test -f "$ca_file"; then
+			    dest_dir="$queue_dir/${ca_path#/}"
+			    mkdir --parent "$dest_dir"
+			    cp -L "$ca_file" "$dest_dir"
+			fi
+			;;
+		esac
+				
 		# if we're using unix:passwd.byname, then we need to add etc/passwd.
 		local_maps=$(postconf -h local_recipient_maps)
 		if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
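Review bot: The CAfile branch computes its destination from the wrong variable — `dest_dir="$queue_dir/${ca_path#/}"` uses `$ca_path`, which is empty whenever only smtp_tls_CAfile is set, so the file is copied into the queue root instead of to its configured path and the chrooted smtp client will not find it; it should be `dest_dir="$queue_dir${ca_file%/*}"`. The bundle fallback has the mirror-image problem: `mkdir --parent ${ca_bundle%/*}` creates `/etc/ssl/certs` on the host (an absolute path, despite the earlier `cd "$queue_dir"`) rather than under the queue directory, so the following `cp -L` fails when the chroot lacks that directory; use `mkdir --parent "$queue_dir${ca_bundle%/*}"`. In the CApath branch the status of the `find | cpio` pipeline is never checked before `rm -r "${dest_dir%.NEW}"`, so a partial or failed copy deletes the only CA directory the chrooted client has and leaves it without trust anchors; guarding the swap on the copy's success, e.g. `if find "$ca_path" -print0 | cpio -0pdL "$dest_dir" && [ "$new" = 1 ]; then`, keeps the old copy in place on failure. The enclosing function starts before and ends after this hunk.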

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
