** Description changed:

  [Impact]
  
  Users cannot send emails using dane-only policy in Focal.
  
  In this SRU we are proposing a microrelease update from version 3.4.10
- to 3.4.11 since the changes are minimal (and also seems there is an
- authorization from the Tech Board to do that). Here is the upstream
- changelog change between 3.4.10 and 3.4.11:
+ to 3.4.13 since the changes are self contained. Moreover, there is a
+ Postfix SRU exception which allows microreleases if the bug is fixed in
+ the current development series:
+ 
+ https://wiki.ubuntu.com/StableReleaseUpdates#Postfix
+ 
+ And according to the described process there is no need to define a Test
+ Case and a Regression Potential sections. Upstream has been doing a good
+ work regarding those stable version bug fixes.
+ 
+ Here is the upstream changelog change between 3.4.10 and 3.4.13:
  
  20200416
  
-  Workaround for broken builds after an incompatible change
-  in GCC 10. Files: makedefs, Makefile.in.
+       Workaround for broken builds after an incompatible change
+       in GCC 10. Files: makedefs, Makefile.in.
  
-  Workaround for broken DANE support after an incompatible
-  change in GLIBC 2.31. This avoids the need for new options
-  in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+       Workaround for broken DANE support after an incompatible
+       change in GLIBC 2.31. This avoids the need for new options
+       in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
  
- This new microrelease fixes the dane issue and the build against GCC 10
- which makes us drop a patch applied in version 3.4.7-1
- (80_glibc2.30-ftbfs.diff).
+ 20200419
  
- [Test Case]
+       Bugfix: segfault in the tlsproxy client role when the server
+       role was disabled. This typically happens on systems that
+       do not receive mail, after configuring connection reuse for
+       outbound TLS. Found during program maintenance. File:
+       tlsproxy/tlsproxy.c.
  
- Thanks to Jan (bug reporter) there is an easy way to test it (quoting
- here part of the original description with a small modification to make
- it easier to undestand):
+ 20200420
  
- $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep
- DANE
+       Noise suppression: shut up a compiler that special-cases
+       string literals. Viktor Dukhovni. File milter/milter.c.
+ 
+ 20200422
+ 
+       Security: disable DANE support on Alpine Linux because
+       libc-musl provides no indication whether DNS responses are
+       authentic. This broke DANE support without a clear explanation.
+       File: makedefs.
+ 
+ 20200505
+ 
+       Noise suppression: shut up a compiler that special-cases
+       string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
+ 
+ 20200509
+ 
+       Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
+       default value used the minute instead of the month. Reported
+       by Larry Stone. Files: conf/postfix-tls-script,
+       proto/MAILLOG_README.html, proto/postconf.proto.
+       global/mail_params.h, postfix/postfix.c.
+ 
+ 20200510
+ 
+       Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
+       initializing the ICU library before making the chroot()
+       call. Files: util/midna_domain.[hc], global/mail_params.c.
+ 
+ 20200511
+ 
+       Noise suppression: avoid "SSL_Shutdown:shutdown while in
+       init" warnings. File: tls/tls_session.c.
+ 
+ 20200515
+ 
+       Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
+       client caused a false 'lost connection' error for an SMTP
+       over TLS session in the same Postfix process. Reported by
+       Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
+       tls/tls_bio_ops.c.
+ 
+       Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
+       session may cause a false 'lost connection' error for a
+       concurrent TLS session in the same tlsproxy process. File:
+       tlsproxy/tlsproxy.c.
+ 
+ 20200530
+ 
+       Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+       did not handle a missing optional argument. File:
+       conf/postfix-tls-script.
+ 
+ 20200610
+ 
+       Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+       the SNI callback reported an error when it was called a
+       second time. This happened after the server-side TLS engine
+       sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+       client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+       File: tls/tls_misc.c.
  
  
- Sending email to this domains stopped working with the following (obviously 
wrong) error message in mail.log:
+ This new microrelease fixes the dane issue and the build against GCC 10 which 
makes us drop a patch applied in version 3.4.7-1 (80_glibc2.30-ftbfs.diff).
  
- to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0,
- dsn=4.7.5, status=deferred (non DNSSEC destination)
- 
- Output of the posttls-finger command with version 3.4.11 installed:
- 
- $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space | grep DANE
- posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 
D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
- 
- 
- Some warning messages show up when the command above is executed (if you 
remove the grep) but they can be ignored for now. As you can see among the 
comments below, even with those warnings users are able to send emails using 
dane-only policy with version 3.4.11 installed.
- 
- [Regression Potential]
- 
- According to upstream there are just 2 changes in this new microrelease:
- fix build against GCC 10, and fix the dane support after upgrade to
- glibc 2.31. The GCC 10 related changes could impact the build process
- but it still build fine, the -fcommon option was added but it is the
- default for GCC in most targets according to the manpage, this new
- option might penalize the speed and the code size. The dane related
- changes actually fix this bug, and since all the changes were made in
- the DNS components, any regression involving DNS might be associated to
- this update.
  
  [Original Description]
  
  My postfix configuration uses dane-only policies for some domains.
  After upgrading from LTS 18.04 to the current developing LTS 20.04 this 
stopped working.
  
  Compare the following commands:
  
  Ubuntu 18.04:
  
  $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
  
  posttls-finger: initializing the client-side TLS engine
  posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 
D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
  posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25
  
  Ubuntu 20.04:
  
  $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
  
  posttls-finger: initializing the client-side TLS engine
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: problem talking to server private/tlsmgr: No such 
file or directory
  posttls-finger: warning: no entropy for TLS key generation: disabling TLS 
support
  
  Sending email to this domains stopped working with the following
  (obviously wrong) error message in mail.log:
  
  to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0,
  dsn=4.7.5, status=deferred (non DNSSEC destination)
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: postfix 3.4.10-1
  ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
  Uname: Linux 5.4.0-18-generic x86_64
  ApportVersion: 2.20.11-0ubuntu21
  Architecture: amd64
  Date: Wed Mar 25 11:22:11 2020
  EtcMailname: mail.kivitendo.de
  Hostname: www.kivitendo.de
  InstallationDate: Installed on 2016-12-14 (1196 days ago)
  InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.3)
  PostconfMydomain: kivitendo-erp.de
  PostconfMyhostname: www.kivitendo-erp.de
  PostconfMyorigin: /etc/mailname
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  ResolvConf:
   # Dynamic resolv.conf(5) file for glibc resolver(3) generated by 
resolvconf(8)
   #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
   nameserver 127.0.0.1
   nameserver 127.0.0.1
   search kivitendo-erp.de
  SourcePackage: postfix
  UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago)
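
The posttls-finger runs and the mail.log line quoted in the description are the evidence the report relies on: on 18.04 the client logs "using DANE RR: ..." and on 20.04 it does not, while deliveries to the dane-only domain are deferred as "non DNSSEC destination" (glibc 2.31 stopped passing the AD bit through to applications unless `options trust-ad` is set, which is the resolv.conf option the 20200416 changelog entry refers to). The following POSIX shell snippet is an added example, not part of the bug report or of Postfix: it scans mail.log text for that deferral status and counts it per recipient domain, and checks posttls-finger output for the DANE line, so an operator can confirm the symptom before and after the update. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from Postfix).
# Sample mail.log lines, constructed for this example; the first and
# third mimic the deferral quoted in the report.
SAMPLE_LOG='Mar 25 11:20:01 www postfix/smtp[1234]: ABC123: to=<xxx@bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
Mar 25 11:20:02 www postfix/smtp[1235]: DEF456: to=<user@example.test>, relay=mx.example.test[192.0.2.10]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar 25 11:20:03 www postfix/smtp[1236]: GHI789: to=<ops@bueren.space>, relay=none, delay=300, delays=300/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)'

# Read mail.log text on stdin and print "count domain" lines, most
# frequent first, for deliveries deferred as "non DNSSEC destination".
# A sudden appearance of this status for domains with a dane-only
# policy is the symptom described in the bug.
count_non_dnssec_deferrals() {
    grep -F 'status=deferred (non DNSSEC destination)' |
    sed -n 's/.*to=<[^@>]*@\([^>]*\)>.*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Read posttls-finger output on stdin; succeed (exit 0) only if the
# client reported that it used a DANE TLSA record, as in the working
# 18.04 output from the report. The broken 20.04 output lacks the line.
dane_rr_used() {
    grep -q 'using DANE RR:'
}

# Usage: pipe the real log through the function, e.g.
#   grep 'postfix/smtp' /var/log/mail.log | count_non_dnssec_deferrals
#   posttls-finger -t30 -T180 -c -L verbose,summary example.test | dane_rr_used
printf '%s\n' "$SAMPLE_LOG" | count_non_dnssec_deferrals
```

On the constructed input the audit prints `2 bueren.space`; the sent delivery to the other domain is ignored. Running the first pipeline against the real mail.log before and after installing the microrelease gives a quick before/after comparison, and the second check turns the posttls-finger test from the report into a pass/fail exit status usable from a monitoring script.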

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868955

Title:
  [SRU] after upgrade to 20.04: dane support is not working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1868955/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
