Bug 50105 - Error in template leads to wrong config
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Erik Damrose
Reported: 2019-09-04 16:34 CEST by Nico Stöckigt
Modified: 2019-09-18 13:23 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019090421000536
Bug group (optional): Workaround is available
Max CVSS v3 score:


Description Nico Stöckigt univentionstaff 2019-09-04 16:34:25 CEST
In a customer environment with UCS 4.4-1e245 setting the CAcert results in

mail/dovecot/ssl/cafile = /etc/ssl/certs/intermediate-ca.crt

while the following was expected

mail/dovecot/ssl/cafile = < /etc/ssl/certs/intermediate-ca.crt

This leads to validation problems while from the outside everything seems to be fine. It is not clear why a variable called 'file' should contain such a symbol.

UCR clearly should handle this or at least give a clear hint to the Dovecot SSL config.
Comment 1 Erik Damrose univentionstaff 2019-09-04 16:57:09 CEST
The expected value in the UCR variable could be documented better. Or, if the '<' is always working, it could be included in the template.

Workaround for the time being is to simply include the < in the UCR value:
ucr set mail/dovecot/ssl/cafile="< /path/to/cert"
Comment 2 Ole Schwiegert univentionstaff 2019-09-13 10:27:59 CEST
Package: univention-mail-dovecot
Version: 5.0.1-9A~4.4.0.201909131023
Branch: ucs_4.4-0
Scope: errata4.4-1

The < is now prepended by default in the template.
If it is present in the UCRV it is stripped from it.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2019-09-13 16:31:48 CEST
If mail/dovecot/ssl/cafile is not set, there should be no "<" in the line.

ssl_ca =

vs.

ssl_ca = < /path/to/file.crt

If "ssl_ca = <" is set without trailing path, dovecot refuses to start.

→ REOPEN
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-09-13 16:54:19 CEST
If this is fixed, there might be problems with certificate-sending mail clients and the Let's Encrypt app. See Bug 50192.
Comment 5 Ole Schwiegert univentionstaff 2019-09-16 09:30:39 CEST
Package: univention-mail-dovecot
Version: 5.0.1-10A~4.4.0.201909160928
Branch: ucs_4.4-0
Scope: errata4.4-1

fixed that doozy
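
The behaviour asked for in comments 2 and 3, as an added example that is not the code from univention-mail-dovecot: `render_ssl_ca` builds the `ssl_ca` line from the UCR value, and `check_ssl_ca` flags the two broken forms described in this bug. Both function names and the sample config are constructed for illustration.

```python
import re

def render_ssl_ca(ucr_value):
    """Build the dovecot ssl_ca line from a mail/dovecot/ssl/cafile value."""
    # Accept "/path" as well as the old workaround "< /path": drop a leading "<".
    path = (ucr_value or "").strip().lstrip("<").strip()
    if not path:
        # Variable unset: emit no "<", since "ssl_ca = <" stops dovecot from starting.
        return "ssl_ca ="
    return "ssl_ca = < " + path

_SSL_CA = re.compile(r"^\s*ssl_ca\s*=\s*(.*?)\s*$")

def check_ssl_ca(config_text):
    """Return (line_number, problem) for every misconfigured ssl_ca line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = _SSL_CA.match(line)
        if not match or match.group(1) == "":
            continue  # not an ssl_ca line, or ssl_ca left empty (valid)
        value = match.group(1)
        if not value.startswith("<"):
            # Without "<" dovecot takes the string itself as the setting value.
            findings.append((number, "path without '<'"))
        elif not value[1:].strip():
            findings.append((number, "'<' without a path"))
    return findings

# Constructed sample config covering the cases from this bug report.
SAMPLE = """\
# constructed sample, not taken from a real system
ssl = yes
ssl_ca = /etc/ssl/certs/intermediate-ca.crt
ssl_ca = <
ssl_ca = < /etc/ssl/certs/intermediate-ca.crt
ssl_ca =
"""

if __name__ == "__main__":
    for value in ("/path/to/cert", "< /path/to/cert", None):
        print(repr(value), "->", render_ssl_ca(value))
    for number, problem in check_ssl_ca(SAMPLE):
        print("line %d: %s" % (number, problem))
```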
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2019-09-16 13:12:31 CEST
OK: functional change
OK: code change
OK: installation
OK: update
??: ucs-test
OK: changelog entry
OK: advisory
OK: package built and installable
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2019-09-17 14:10:05 CEST
(In reply to Sönke Schwardt-Krummrich from comment #6)
> ??: ucs-test

Of course they failed. But not triggered by Ole's changes. It looks like there has been a) a dependency change so that python-support is no longer automatically installed during package build and b) debian/control of univention-mail-dovecot does not contain "python-support" in the build dependency list.
Therefore the #DEBHELPER# part of the postinst script does not contain an update-python-modules call and the python files were no longer symlinked to python2.7.

[4.4-1] d3d0afc671 Bug #50105: add python-support to build dependencies
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2019-09-17 14:13:22 CEST
Package: univention-mail-dovecot
Version: 5.0.1-11A~4.4.0.201909171353
Branch: ucs_4.4-0
Scope: errata4.4-1
Comment 9 Erik Damrose univentionstaff 2019-09-18 11:30:01 CEST
OK: d3d0afc6 build dependencies
~OK: Yaml, I adjusted the version and wording, Sönke gave his okay.
OK: tests.
Verified
Comment 10 Erik Damrose univentionstaff 2019-09-18 13:23:26 CEST
<http://errata.software-univention.de/ucs/4.4/278.html>