Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 554916 - mail-mta/courier-0.76.4- breaks STARTTLS due to missing dhparams.pem
Summary: mail-mta/courier-0.76.4- breaks STARTTLS due to missing dhparams.pem
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Hanno Böck
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-14 21:25 UTC by Stefan Kiesler
Modified: 2018-01-31 21:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for latest courier ebuild (0001-mail-mta-courier-packge-config-and-gnutls-path-fixes.patch,1.38 KB, patch)
2017-11-30 22:34 UTC, Steve Arnold
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Kiesler 2015-07-14 21:25:40 UTC
The latest courier update breaks existing installations configured to use STARTTLS.
As the new parameter TLS_DHPARAMS is set by default in the new configuration files, pointing to /usr/share/courier/dhparams.pem, this file should get automatically created somehow.
This could be done in the courier init script (as it's already done with the server certificates) or - as suggested by the mkdhparams manpage - in a monthly cron job, or maybe in the ebuild's postinstall step.

As a side note, the file locations used by courier (on Gentoo only?) seem to be suboptimal. The autogenerated certificates and the dhparams should be located in /etc/courier, /usr/share/courier just feels wrong for dynamically created configuration data.
Comment 1 Steve Arnold gentoo-dev 2017-11-30 22:33:22 UTC
This happens with USE=gnutls (but probably works okay with openssl) due to a hard-coded path for certtool pointing to /usr/local/bin.  This causes the mkcert scripts to fail silently thus no pem files get generated, either by the init script or by hand.

To add even more fun, courier imad-ssl fails to log anything without the cert files (also hard-coded in the configs) so it's not very obvious what the problem is without a lot of poking and prodding.

So, with the correct path, the scripts *do* work and create working cert files, but you *still* need to "force" ssl/tls on the server side, even after setting STARTBLAH=YES.  After enabling the ssl version of the service (whether esmtpd, imapd, or pop3d) you should also set this:

IMAP_TLS_REQUIRED=1

in spite of what the comments say about it.  This appears to be required now (at least with the latest versions of courier) to make some mail clients actually do starttls/ssl.

Lastly there's no dependency for the domainname command (and I don't even know which package provides it) so I switched it to the equivalent hostname command which should always be there.

I'll attach my ebuild patch.
Comment 2 Steve Arnold gentoo-dev 2017-11-30 22:34:48 UTC
Created attachment 507472 [details, diff]
patch for latest courier ebuild

Fixes missing command and bad certtool path.
Comment 3 Steve Arnold gentoo-dev 2018-01-31 03:22:02 UTC
2 more nuggets from a fresh arm64 install:

* USE=gnutls requires gnutls[tools] or the cert scripts will fail because of missing certtool

* the path to authdaemond changed but the /etc/init.d/courier script contains the old path (change ${libexecdir}/authlib/authdaemond to ${libexecdir}/courier-authlib/authdaemond)
Comment 4 Steve Arnold gentoo-dev 2018-01-31 03:22:57 UTC
diff of init script:

# diff -u /usr/portage/mail-mta/courier/files/courier-init-r4 /etc/init.d/courier
--- /usr/portage/mail-mta/courier/files/courier-init-r4 2017-02-28 15:43:13.000000000 -0500
+++ /etc/init.d/courier 2018-01-30 21:48:47.070280596 -0500
@@ -61,8 +61,8 @@
        ebegin " Starting courierfilterd"
        ${sbindir}/courierfilter start

-       [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \
-       ${libexecdir}/authlib/authdaemond start && ebegin " Starting authdaemond"
+       [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \
+       ${libexecdir}/courier-authlib/authdaemond start && ebegin " Starting authdaemond"

        [ -x ${sbindir}/webmaild ] && \
          ${sbindir}/webmaild start && ebegin " Starting webmaild"
@@ -179,8 +179,8 @@
        [ -x ${sbindir}/webmaild ] && \
          ( ${sbindir}/webmaild stop ; ebegin " Stopping webmaild" )

-       [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/authlib/authdaemond ] && \
-       ( ${libexecdir}/authlib/authdaemond stop ; ebegin " Stopping authdaemond" )
+       [ ! -d /etc/courier/authlib ] && [ -x ${libexecdir}/courier-authlib/authdaemond ] && \
+       ( ${libexecdir}/courier-authlib/authdaemond stop ; ebegin " Stopping authdaemond" )

        ${sbindir}/courierfilter stop
        ebegin " Stopping courierfilterd"
Comment 5 Steve Arnold gentoo-dev 2018-01-31 21:54:26 UTC
And one more stupid bug on arm64; the arm64 profile apparently has no /usr/lib symlink (instead it's a directory) so a few things get installed there instead of /usr/lib64, BUT the courier init scripts have /usr/lib and assume it *is* a symlink so courier-authlib fails silently when it can't find authdaemond.  Changing the initscript to use /usr/lib64 for AUTHLIB makes it work as expected.