Control: tag -1 + patch

Attached is a possible fix for this bug. I would like to get
maintainer's feedback before uploading it because it is quite intrusive
for an NMU.

The patch changes upstream's mkesmtpdcert, which is used by the
currently failing maintainer script, to allow specification of the
filename for the certificate.

The maintainer script is changed to create the certificate in a
temporary directory, to avoid idempotency problems (for example, an
interruption while mkesmtpdcert is running).

WM
diff --git a/courier/module.esmtp/mkesmtpdcert.in b/courier/module.esmtp/mkesmtpdcert.in
index 03b055e..f61d8cf 100644
--- a/courier/module.esmtp/mkesmtpdcert.in
+++ b/courier/module.esmtp/mkesmtpdcert.in
@@ -8,6 +8,12 @@
 # ESMTP STARTTLS.  Normally this script would get called by an automatic
 # package installation routine.
 
+PEMFILE="$1"
+
+if [ -z "$PEMFILE" ]; then
+	PEMFILE=@mydatadir@/esmtpd.pem
+fi
+
 if test "@ssllib@" = "openssl"
 then
 	test -x @OPENSSL@ || exit 0
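Review bot: The new optional first argument is not mentioned in the script's header comment, which ends just above the added lines. A line such as `# Usage: mkesmtpdcert [pemfile]   (default: @mydatadir@/esmtpd.pem)` would tell callers it exists. The default could also be folded into one line, `PEMFILE="${1:-@mydatadir@/esmtpd.pem}"`, which behaves the same for an unset or empty `$1`. The header comment starts outside this hunk.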
@@ -15,17 +21,17 @@ else
 	test -x @CERTTOOL@ || exit 0
 fi
 
-if test -f @mydatadir@/esmtpd.pem
+if test -f "$PEMFILE"
 then
-	echo "@mydatadir@/esmtpd.pem already exists."
+	echo "$PEMFILE already exists."
 	exit 1
 fi
 
 cleanup() {
-	rm -f @mydatadir@/esmtpd.rand
-	rm -f @mydatadir@/esmtpd.pem
-	rm -f @mydatadir@/esmtpd.key
-	rm -f @mydatadir@/esmtpd.cert
+	rm -f "$PEMFILE".rand
+	rm -f "$PEMFILE"
+	rm -f "$PEMFILE".key
+	rm -f "$PEMFILE".cert
 	exit 1
 }
 
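Review bot: With the path now supplied by the caller, `test -f "$PEMFILE"` is too narrow an existence check, because it is false for a dangling symlink or any other non-regular file. The later `cp /dev/null`, `chown` and `-keyout` writes would then follow such a link, so the key could land somewhere other than the named path. A stricter guard would be `if test -e "$PEMFILE" || test -L "$PEMFILE"`. If the default invocation still has to write through the packaged symlink (not visible here), apply the stricter test only when `$1` was given. The script should also document that the target directory must be writable only by the caller.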
@@ -36,16 +42,19 @@ set -e
 
 if test "@ssllib@" = "openssl"
 then
-	cp /dev/null @mydatadir@/esmtpd.pem
-	chmod 600 @mydatadir@/esmtpd.pem
-	chown @mailuser@ @mydatadir@/esmtpd.pem
-	dd if=@RANDOMV@ of=@mydatadir@/esmtpd.rand count=1 2>/dev/null
+	cp /dev/null "$PEMFILE"
+	chmod 600 "$PEMFILE"
+	chown @mailuser@ "$PEMFILE"
+	dd if=@RANDOMV@ of="$PEMFILE".rand count=1 2>/dev/null
 	@OPENSSL@ req -new -x509 -days 365 -nodes \
-		  -config @sysconfdir@/esmtpd.cnf -out @mydatadir@/esmtpd.pem -keyout @mydatadir@/esmtpd.pem || cleanup
-	@OPENSSL@ gendh -rand @mydatadir@/esmtpd.rand 512 >>@mydatadir@/esmtpd.pem || cleanup
-	@OPENSSL@ x509 -subject -dates -fingerprint -noout -in @mydatadir@/esmtpd.pem || cleanup
-	rm -f @mydatadir@/esmtpd.rand
+		  -config @sysconfdir@/esmtpd.cnf -out "$PEMFILE" -keyout "$PEMFILE" || cleanup
+	@OPENSSL@ gendh -rand "$PEMFILE".rand 512 >>"$PEMFILE" || cleanup
+	@OPENSSL@ x509 -subject -dates -fingerprint -noout -in "$PEMFILE" || cleanup
+	rm -f "$PEMFILE".rand
 else
+	echo "@CERTTOOL@ is not supported in debian"
+	exit 1
+
 	if test "$BITS" = ""
 	then
 		BITS="high"
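Review bot: The rewritten `gendh` line still generates 512-bit DH parameters, far below any current minimum for finite-field DH. Since the line is being touched anyway, a larger size is worth proposing, e.g. `@OPENSSL@ gendh -rand "$PEMFILE".rand 2048 >>"$PEMFILE" || cleanup`. Separately, the `echo`/`exit 1` added at the top of the `else` branch makes the certtool code after it unreachable and prints the error to stdout; `>&2` on the echo would be the usual form. The `test -x @CERTTOOL@ || exit 0` shown as context in the previous hunk also still exits 0 first when certtool is absent, so the caller sees success with no file created. The else branch continues past the end of this hunk.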
diff --git a/debian/changelog b/debian/changelog
index 25d4cce..b78158e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+courier (0.73.1-1.2) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Change mkesmptdcert to make cert-filename controllable by parameter.
+  * Create esmptd.pem in temporary path and then move it to /etc/courier.
+    This way, mkesmptdcert no longer has to work on an dangling symlink as
+    destination. (closes: #749129)
+
+ -- Willi Mann <wi...@debian.org>  Mon, 26 May 2014 18:23:21 +0200
+
 courier (0.73.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload in coordination with maintainer.
diff --git a/debian/correctpermissions.pl b/debian/correctpermissions.pl
old mode 100644
new mode 100755
diff --git a/debian/courier-mta-ssl.postinst b/debian/courier-mta-ssl.postinst
index 89c967e..ae3cce9 100644
--- a/debian/courier-mta-ssl.postinst
+++ b/debian/courier-mta-ssl.postinst
@@ -27,8 +27,19 @@ if [ "$1" = "configure" ]; then
 		ln -s /etc/courier/emtspd.pem /usr/lib/courier/emtspd.pem
 	fi
 	if [ ! -f /etc/courier/esmtpd.pem ]; then
-		mkesmtpdcert
-		chown daemon /etc/courier/esmtpd.pem
+
+		# create pem file in temporary directory, for full idempotency
+		TMPDIR=$(mktemp -d)
+		ESMTPDPEM="$TMPDIR/esmtpd.pem"
+
+		# call patched mkesmtpdcert which allows to specify the filename as first paramter
+		mkesmtpdcert "$ESMTPDPEM"
+
+		chown daemon "$ESMTPDPEM"
+		mv "$ESMTPDPEM" /etc/courier/esmtpd.pem
+
+		# clean up
+		rm -fr "$TMPDIR"
 	fi
 fi
 
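Review bot: If `mkesmtpdcert` or a later step fails after `mktemp -d`, the temporary directory is never removed, because `rm -fr "$TMPDIR"` is only reached on the success path, and by then it may hold the new private key. A trap on EXIT set right after the directory is created would cover that. Two smaller points on the same lines: assigning to `TMPDIR` overwrites the variable that mktemp and other tools consult, and a directory under /tmp may be on a different filesystem from /etc/courier, making `mv` a copy rather than an atomic rename. Whether the postinst runs under `set -e` is not visible in this hunk, so the sketch below checks the mktemp result explicitly.

```shell
	if [ ! -f /etc/courier/esmtpd.pem ]; then
		# private scratch directory on the same filesystem as the target,
		# so the final mv is a rename rather than a copy
		certdir=$(mktemp -d /etc/courier/.esmtpd.XXXXXX) || exit 1
		trap 'rm -rf -- "$certdir"' EXIT
		ESMTPDPEM="$certdir/esmtpd.pem"

		# … unchanged: mkesmtpdcert call, chown, mv to /etc/courier/esmtpd.pem …

		rm -rf -- "$certdir"
		trap - EXIT
```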
diff --git a/debian/courier_perms b/debian/courier_perms
old mode 100644
new mode 100755
diff --git a/debian/fixlinks b/debian/fixlinks
old mode 100644
new mode 100755
