Let me suggest the attached patch instead, since it covers more use cases. The basics are simple:
- We no longer check for smtp_use_tls and friends, since they are deprecated.
- Instead, if smtp_tls_CApath is specified, it replaces its distant cousin in the queue directory.
- If smtp_tls_CAfile is specified, it is copied to the same location within the chroot. Otherwise, the /etc/ssl/certs/ca-certificates.crt bundle is installed.

Please apply this (or a previous) patch, Lamont.

-- 
 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
--- /tmp/postfix 2010-08-26 18:41:31.325351656 +0200 +++ /etc/init.d/postfix 2010-08-26 19:17:10.425343825 +0200 
@@ -72,21 +72,54 @@ # Make sure that the chroot environment is set up correctly. oldumask=$(umask) umask 022 - cd $(postconf -h queue_directory) - - # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt. - if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then - smtp_use_tls=$(postconf -h smtp_use_tls) - smtp_enforce_tls=$(postconf -h smtp_enforce_tls) - smtpd_use_tls=$(postconf -h smtpd_use_tls) - smtpd_enforce_tls=$(postconf -h smtpd_use_tls) - case :$smtp_use_tls:$smtp_enforce_tls:$smtpd_use_tls:$smtpd_enforce_tls: in - *:yes:*) - mkdir -p etc/ssl/certs - cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/ - esac - fi + queue_dir=$(postconf -h queue_directory) + cd "$queue_dir" + # copy the CA path if specified + ca_path=$(postconf -h smtp_tls_CApath) + case "$ca_path" in + '') :;; # no ca_path + $queue_dir/*) :;; # skip stuff already in chroot + *) + if test -d "$ca_path"; then + dest_dir="$queue_dir/${ca_path#/}" new=0 + if test -d "$dest_dir" + # write to a new directory ... + then dest_dir="$dest_dir.NEW" && new=1 + else mkdir --parent ${dest_dir%/*} + fi + # handle files in subdirectories + find "$ca_path" -print0 | cpio -0pdL "$dest_dir" + if [ "$new" = 1 ]; then + # and replace the old directory + rm -r "${dest_dir%.NEW}" + mv "$dest_dir" "${dest_dir%.NEW}" + fi + fi + ;; + esac + + # if there is a CA file, copy it + ca_file=$(postconf -h smtp_tls_CAfile) + case "$ca_file" in + $queue_dir/*) :;; # skip stuff already in chroot + '') # no ca_file + # or copy the bundle to preserve functionality + ca_bundle=/etc/ssl/certs/ca-certificates.crt + if [ -f $ca_bundle ]; then + mkdir --parent ${ca_bundle%/*} + cp -L "$ca_bundle" "$queue_dir/${ca_bundle%/*}" + fi + ;; + *) + if test -f "$ca_file"; then + dest_dir="$queue_dir/${ca_path#/}" + mkdir --parent "$dest_dir" + cp -L "$ca_file" "$dest_dir" + fi + ;; + esac + # if we're using unix:passwd.byname, then we need to add etc/passwd. 
local_maps=$(postconf -h local_recipient_maps) if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
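Review bot: the `*)` branch of the smtp_tls_CAfile case computes the destination from the wrong variable: `dest_dir="$queue_dir/${ca_path#/}"` uses $ca_path where the directory part of $ca_file is meant, so with no CApath configured the file is dropped at the top of the queue directory, and with one it is dropped into the CApath copy; `dest_dir="$queue_dir${ca_file%/*}"` puts it at the same path it has on the host, which is what the mail promises. Two more problems in the same hunk: in the `'')` branch, `mkdir --parent ${ca_bundle%/*}` expands to the absolute host path /etc/ssl/certs and never creates etc/ssl/certs inside the chroot (the removed code did `mkdir -p etc/ssl/certs` relative to the queue directory), so the following `cp -L "$ca_bundle" "$queue_dir/${ca_bundle%/*}"` fails on a fresh chroot; use `mkdir --parent "$queue_dir${ca_bundle%/*}"`. And `find "$ca_path" -print0 | cpio -0pdL "$dest_dir"` feeds cpio absolute names, which pass-through mode recreates under the destination, so the certificates land in "$dest_dir/etc/ssl/certs/..." rather than directly in "$dest_dir"; run `(cd "$ca_path" && find . -print0) | cpio -0pdL "$dest_dir"` instead. The removed code also looked at the smtpd side (smtpd_use_tls), whereas the new code reads only smtp_tls_CApath and smtp_tls_CAfile; if the server-side smtpd_tls_CAfile/smtpd_tls_CApath are meant to be covered as well they need the same treatment. Minor: `--parent` is an abbreviated GNU long option where `-p` is portable, and `${dest_dir%/*}` and `$ca_bundle` are unquoted while the other paths are quoted.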
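The copy logic the mail describes (mirror smtp_tls_CApath into the chroot, copy smtp_tls_CAfile or the distribution bundle to the same path), as an added stand-alone example; it is neither madduck's patch nor the Debian init script. It takes the queue directory and the CA settings as arguments instead of calling `postconf -h`, assumes a cp(1) that understands -r and -L (GNU or BSD) and mktemp(1), and the demo at the bottom builds constructed stand-in certificate files under a temporary directory.

```shell
#!/bin/sh
# Added example, not part of madduck's patch or the Debian init script:
# mirror a CA directory and/or CA file into a Postfix chroot at the same
# absolute path it has on the host.  Assumes cp(1) with -r/-L and mktemp(1).

# copy_ca_dir QUEUE_DIR CA_PATH
# Copies the tree at CA_PATH to QUEUE_DIR/CA_PATH, dereferencing symlinks
# (c_rehash directories are mostly hash-named links), and swaps the copy into
# place through a .NEW directory so a failed copy leaves the previous one intact.
copy_ca_dir() {
    queue_dir=$1 ca_path=$2
    [ -n "$ca_path" ] || return 0                          # nothing configured
    [ -d "$queue_dir" ] && [ -d "$ca_path" ] || return 1   # misconfiguration
    case $ca_path in "$queue_dir"/*) return 0;; esac       # already inside the chroot
    rel=${ca_path#/}
    [ -n "$rel" ] || return 1                              # refuse "/": dest would be the queue dir itself
    dest=$queue_dir/$rel
    mkdir -p "${dest%/*}" || return 1
    rm -rf "$dest.NEW"
    # -r copies the tree, -L turns symlinks into real files so the chroot is self-contained
    cp -rL "$ca_path" "$dest.NEW" || { rm -rf "$dest.NEW"; return 1; }
    rm -rf "$dest"
    mv "$dest.NEW" "$dest"
}

# copy_ca_file QUEUE_DIR CA_FILE [FALLBACK]
# Copies CA_FILE, or FALLBACK when CA_FILE is empty (e.g. the distribution's
# ca-certificates bundle), to the same path under QUEUE_DIR.
copy_ca_file() {
    queue_dir=$1 ca_file=$2
    if [ -z "$ca_file" ]; then
        ca_file=$3                                         # optional fallback bundle
        [ -f "$ca_file" ] || return 0                      # an absent fallback is not an error
    fi
    [ -d "$queue_dir" ] && [ -f "$ca_file" ] || return 1
    case $ca_file in "$queue_dir"/*) return 0;; esac
    dest=$queue_dir/${ca_file#/}
    mkdir -p "${dest%/*}" && cp -L "$ca_file" "$dest"
}

# demo: build a constructed host tree and queue directory under mktemp, run
# both helpers, list what landed in the "chroot" and clean up.  Returns 0 when
# the hash-named link came across as a regular file carrying the CA's content.
demo() {
    root=$(mktemp -d) || return 1
    host=$root/host queue=$root/queue
    mkdir -p "$host/etc/ssl/certs" "$host/usr/share/ca-certificates" "$queue"
    # constructed stand-ins for CA material; not real certificates
    printf 'FAKE ROOT CA\n' >"$host/usr/share/ca-certificates/root.pem"
    ln -s ../../../usr/share/ca-certificates/root.pem "$host/etc/ssl/certs/1a2b3c4d.0"
    printf 'FAKE BUNDLE\n' >"$host/etc/ssl/certs/ca-certificates.crt"
    copy_ca_dir "$queue" "$host/etc/ssl/certs" &&
    copy_ca_file "$queue" "" "$host/etc/ssl/certs/ca-certificates.crt" ||
        { rm -rf "$root"; return 1; }
    copied=$queue/${host#/}/etc/ssl/certs/1a2b3c4d.0
    find "$queue" -type f
    if [ -f "$copied" ] && [ ! -L "$copied" ] && [ "$(cat "$copied")" = "FAKE ROOT CA" ]; then
        status=0
    else
        status=1
    fi
    rm -rf "$root"
    return $status
}

demo
```

The helpers differ from the patch in three deliberate ways: the source tree is copied with `cp -rL` rather than `find | cpio -p`, so absolute source names are not recreated a second time under the destination; the destination of the CA file is derived from the CA file's own path; and a CApath of "/" or an empty queue directory is refused before anything is removed, since the replacement step deletes the previous copy with `rm -rf`.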