** Description changed:

[Impact]

Users cannot send emails using dane-only policy in Focal.

In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.11 since the changes are minimal (and also seems there is an authorization from the Tech Board to do that). Here is the upstream changelog change between 3.4.10 and 3.4.11:

20200416

- Workaround for broken builds after an incompatible change
- in GCC 10. Files: makedefs, Makefile.in.
+ Workaround for broken builds after an incompatible change
+ in GCC 10. Files: makedefs, Makefile.in.

- Workaround for broken DANE support after an incompatible
- change in GLIBC 2.31. This avoids the need for new options
- in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+ Workaround for broken DANE support after an incompatible
+ change in GLIBC 2.31. This avoids the need for new options
+ in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.

This new microrelease fixes the dane issue and the build against GCC 10, which makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).

[Test Case]

Thanks to Jan (bug reporter) there is an easy way to test it (quoting
- here part of the original description):
+ here part of the original description with a small modification to make
+ it easier to understand):

- $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
+ $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE

- posttls-finger: initializing the client-side TLS engine
- posttls-finger: warning: connect to private/tlsmgr: No such file or directory
- posttls-finger: warning: connect to private/tlsmgr: No such file or directory
- posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
- posttls-finger: warning: no entropy for TLS key generation: disabling TLS support

- Sending email to these domains stopped working with the following
- (obviously wrong) error message in mail.log:
+ Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:

to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)

+ Output of the posttls-finger command with version 3.4.11 installed:
+
+ $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
+ posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
+
+ Some warning messages show up when the command above is executed (if you remove the grep) but they can be ignored for now. As you can see among the comments below, even with those warnings users are able to send emails using dane-only policy with version 3.4.11 installed.

[Regression Potential]

According to upstream there are just 2 changes in this new microrelease: fix build against GCC 10, and fix the dane support after upgrade to glibc 2.31.

The GCC 10 related changes could impact the build process, but it still builds fine; the -fcommon option was added, but it is the default for GCC in most targets according to the manpage, and this new option might penalize the speed and the code size. The dane related changes actually fix this bug, and since all the changes were made in the DNS components, any regression involving DNS might be associated with this update.

[Original Description]

My postfix configuration uses dane-only policies for some domains. After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working. Compare the following commands:

Ubuntu 18.04:

$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25

Ubuntu 20.04:

$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support

Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:

to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ResolvConf:
 # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
 # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
 nameserver 127.0.0.1
 nameserver 127.0.0.1
 search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago)
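As an added verification aid (not part of the bug report or of Postfix), the script below parses the two artifacts quoted above: the posttls-finger "using DANE RR" line, whose TLSA fields and digest length it checks, and the mail.log entry, whose dsn=4.7.5 "non DNSSEC destination" deferral it flags. The sample strings are constructed from the output quoted in the report so the script runs offline; the function names are the example's own.

```python
import re

# Constructed samples modelled on the posttls-finger output and mail.log line quoted in the report.
FINGER_GOOD = """posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25"""
FINGER_BAD = """posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support"""
MAILLOG = ("to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, "
           "dsn=4.7.5, status=deferred (non DNSSEC destination)")

TLSA_RE = re.compile(r"using DANE RR: (\S+) IN TLSA (\d) (\d) (\d) ([0-9A-Fa-f:]+)")
# TLSA matching type -> expected hex digest length (0 = full data, 1 = SHA-256, 2 = SHA-512)
DIGEST_LEN = {0: None, 1: 64, 2: 128}

def parse_tlsa(line):
    """Parse a posttls-finger 'using DANE RR' line into owner, usage, selector, matching type, digest."""
    m = TLSA_RE.search(line)
    if not m:
        return None
    owner, usage, selector, mtype, digest = m.groups()
    digest = digest.replace(":", "").lower()
    expected = DIGEST_LEN.get(int(mtype))  # unknown types are not length-checked
    return {"owner": owner, "usage": int(usage), "selector": int(selector),
            "mtype": int(mtype), "digest": digest,
            "digest_ok": expected is None or len(digest) == expected}

def dane_verdict(output):
    """'dane' if a well-formed TLSA RR was used, 'no-tls' if TLS was disabled, else 'unknown'."""
    rrs = [r for r in (parse_tlsa(ln) for ln in output.splitlines()) if r]
    if any(r["digest_ok"] for r in rrs):
        return "dane"
    if "disabling TLS support" in output:
        return "no-tls"
    return "unknown"

def parse_deferral(logline):
    """Split a postfix smtp log entry into key=value fields and flag the DNSSEC deferral."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(<[^>]*>|[^,]+)", logline):
        fields[key] = value.strip("<>")
    m = re.search(r"status=(\w+) \((.*)\)", logline)
    if m:
        fields["status"], fields["reason"] = m.group(1), m.group(2)
    fields["dnssec_deferral"] = (fields.get("dsn") == "4.7.5"
                                 and "DNSSEC" in fields.get("reason", ""))
    return fields

if __name__ == "__main__":
    print(dane_verdict(FINGER_GOOD), dane_verdict(FINGER_BAD), parse_deferral(MAILLOG))
```

Feed real posttls-finger output to dane_verdict and recent mail.log lines to parse_deferral to confirm the 3.4.11 update restored DANE for a domain.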
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868955

Title:
  [SRU] after upgrade to 20.04: dane support is not working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1868955/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs