| Summary: | mail-mta/courier-0.76.4- breaks STARTTLS due to missing dhparams.pem | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Stefan Kiesler <heavymetal> |
| Component: | [OLD] Server | Assignee: | Hanno Böck <hanno> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | net-mail+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | patch for latest courier ebuild | ||
|
Description
Stefan Kiesler
2015-07-14 21:25:40 UTC
This happens with USE=gnutls (but probably works okay with openssl) due to a hard-coded path for certtool pointing to /usr/local/bin. This causes the mkcert scripts to fail silently thus no pem files get generated, either by the init script or by hand. To add even more fun, courier imad-ssl fails to log anything without the cert files (also hard-coded in the configs) so it's not very obvious what the problem is without a lot of poking and prodding. So, with the correct path, the scripts *do* work and create working cert files, but you *still* need to "force" ssl/tls on the server side, even after setting STARTBLAH=YES. After enabling the ssl version of the service (whether esmtpd, imapd, or pop3d) you should also set this: IMAP_TLS_REQUIRED=1 in spite of what the comments say about it. This appears to be required now (at least with the latest versions of courier) to make some mail clients actually do starttls/ssl. Lastly there's no dependency for the domainname command (and I don't even know which package provides it) so I switched it to the equivalent hostname command which should always be there. I'll attach my ebuild patch. Created attachment 507472 [details, diff]
patch for latest courier ebuild
Fixes missing command and bad certtool path.
2 more nuggets from a fresh arm64 install:
* USE=gnutls requires gnutls[tools] or the cert scripts will fail because of missing certtool
* the path to authdaemond changed but the /etc/init.d/courier script contains the old path (change ${libexecdir}/authlib/authdaemond to ${libexecdir}/courier-authlib/authdaemond)
diff of init script:
# diff -u /usr/portage/mail-mta/courier/files/courier-init-r4 /etc/init.d/courier
--- /usr/portage/mail-mta/courier/files/courier-init-r4 2017-02-28 15:43:13.000000000 -0500
+++ /etc/init.d/courier 2018-01-30 21:48:47.070280596 -0500
@@ -61,8 +61,8 @@
ebegin " Starting courierfilterd"
${sbindir}/courierfilter start
- [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \
- ${libexecdir}/authlib/authdaemond start && ebegin " Starting authdaemond"
+ [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \
+ ${libexecdir}/courier-authlib/authdaemond start && ebegin " Starting authdaemond"
[ -x ${sbindir}/webmaild ] && \
${sbindir}/webmaild start && ebegin " Starting webmaild"
@@ -179,8 +179,8 @@
[ -x ${sbindir}/webmaild ] && \
( ${sbindir}/webmaild stop ; ebegin " Stopping webmaild" )
- [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \
- ( ${libexecdir}/authlib/authdaemond stop ; ebegin " Stopping authdaemond" )
+ [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \
+ ( ${libexecdir}/courier-authlib/authdaemond stop ; ebegin " Stopping authdaemond" )
${sbindir}/courierfilter stop
ebegin " Stopping courierfilterd"
And one more stupid bug on arm64; the arm64 profile apparently has no /usr/lib symlink (instead it's a directory) so a few things get installed there instead of /usr/lib64, BUT the courier init scripts have /usr/lib and assume it *is* a symlink so courier-authlib fails silently when it can't find authdaemond. Changing the initscript to use /usr/lib64 for AUTHLIB makes it work as expected. |
