Bug#1004537: exim4: Does not reload expiring TLS certificate; clients cannot connect

Harri Suutari

Jan 30, 2022, 4:00:04 AM
Package: exim4
Version: 4.92-8+deb10u6
Severity: normal

During long server uptime the TLS certificate can expire and clients cannot
connect anymore. For example, Let's Encrypt offers only three months of
validity for certificates.

Manual fix is to restart the server manually or by Cron, but maybe this
should be handled by default by the package configuration.

In Debian I have noticed this bug affecting Exim, Dovecot and Ejabberd so far.



-- Package-specific info:
Exim version 4.92 #3 built 01-May-2021 09:42:39
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable'), (100, 'buster-fasttrack')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.19.0-18-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.utf8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4 depends on:
ii debconf [debconf-2.0] 1.5.71+deb10u1
ii exim4-base 4.92-8+deb10u6
ii exim4-daemon-heavy 4.92-8+deb10u6

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information excluded

Marc Haber

Jan 30, 2022, 11:30:03 AM
severity #1004537 minor
thanks

On Sun, Jan 30, 2022 at 10:43:02AM +0200, Harri Suutari wrote:
> During long server uptime the TLS certificate can expire and clients cannot
> connect anymore. For example, Let's Encrypt offers only three months of
> validity for certificates.
>
> Manual fix is to restart the server manually or by Cron, but maybe this
> should be handled by default by the package configuration.

Not even Apache reloads automatically.

Restarting the mail server can trivially be accomplished by the process
that renews the certificate.

I don't see this as a bug or an item that is worth spending developer
time on.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
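
The reply above leaves the restart to the process that renews the certificate. The script below is an added example, not part of the thread or of the Debian package: it restarts the daemon only when the certificate presented over STARTTLS differs from the one on disk, so it is safe to run after every renewal attempt. The certificate path, unit name, host and port are assumptions.

```python
"""Post-renewal hook: restart the MTA only if it serves a stale certificate."""
import hashlib
import smtplib
import ssl
import subprocess
import sys

CERT_PATH = "/etc/exim4/exim.crt"  # assumption: where the renewed cert is installed
SERVICE = "exim4"                  # assumption: systemd unit of the daemon
HOST, PORT = "localhost", 25       # assumption: daemon offers STARTTLS here
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file or chain."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()


def served_fingerprint(host=HOST, port=PORT):
    """SHA-256 of the cert the running daemon presents, or None if the probe fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # verification is off on purpose: an expired
    ctx.verify_mode = ssl.CERT_NONE  # cert must still be fetched so it can be compared
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest()
    except (OSError, smtplib.SMTPException):
        return None


def restart_needed(disk_fp, live_fp):
    """True when the probe failed or the daemon presents a different certificate."""
    return live_fp is None or live_fp != disk_fp


def main():
    with open(CERT_PATH) as fh:
        disk_fp = leaf_fingerprint(fh.read())
    if restart_needed(disk_fp, served_fingerprint()):
        subprocess.run(["systemctl", "restart", SERVICE], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run periodically from cron as well, the same script doubles as a check that the running daemon has not been left with a certificate older than the one on disk.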