Forwarded to devs Postfix master.cf: submission not changed to use chroot during migration

mow

TITLE

Postfix master.cf: submission not changed to use chroot during migration

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Onyx to Obsidian 18.0.35 on Debian 9.13

PROBLEM DESCRIPTION

master.cf before migration:
Code:
smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

master.cf after migration:
Code:
smtps      inet  n       -       y       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

-> smtps is changed to use chroot during the migration, submission is not.

/usr/local/psa/admin/sbin/mchk --with-spam did not change anything in that line either. (Only change I noticed, it removed the VERP workaround ({recipient}->{user}@{nexthop}) from master.cf. But since Obsidian's plesk_virtual is able to handle VERP when enabled, that is okay.)

STEPS TO REPRODUCE

have submission enabled in postfix

migrate from onyx to obsidian

try to send mail using SASL DIGEST-MD5 or CRAM-MD5

ACTUAL RESULT

migration sets compatibility_level to 2 in main.cf, so the default for chroot changes from yes to no
migration changes line smtps to use chroot in master.cf, but not line submission, so submission doesn't use chroot anymore

mail submission using SASL DIGEST-MD5 fails with "warning: SASL authentication failure: no secret in database" & "SASL DIGEST-MD5 authentication failed: authentication failure". SASL PLAIN still works, btw.

EXPECTED RESULT

migration also changes line submission to use chroot in master.cf

mail submission works

ANY ADDITIONAL INFORMATION

Manually changed the start of that submission line to submission inet n - y - - smtpd, postfix reload, mail came in again.

Apparently the similar problem with line smtps was fixed in 18.0.35, but it needs to be applied to submission too.
This needs to be addressed in migration and in mchk.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Thank you. Plesk Migrator does not touch the master.cf file. Keep in mind that it is a limitation of the migrator, see "What are the known limitations of Plesk Migrator Extension?":
Custom configuration (e.g. permissions set not via Plesk, web server configuration changes done not via Plesk) are not transferred.

The bug about submissions was already reported here: "Unable to send or receive emails in Postfix after updating to Plesk Obsidian 18.0.34 in Debian 9 OS: SASL authentication failure: no secret in database"
 
Thank you. Plesk Migrator does not touch the master.cf file.
Then what did? Something must have changed the smtps line in master.cf during migration.
And it was not mchk, because that would have changed the VERP workaround.
That doesn't come up in a forum search though ... always fun to have multiple places to search
And it was partially fixed in 18.0.35 obviously, just not the submission part.
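
A way to audit for the mismatch discussed in this thread, as an added example that is not part of the original posts and is not Plesk's own code: it parses master.cf (including continuation lines), resolves each smtpd listener's effective chroot setting for a given compatibility_level, and lists listeners left unchrooted while another one is chrooted. The function names are hypothetical and the sample text is constructed from the post-migration lines quoted in the report, with the submission options shortened.

```python
# Constructed sample: post-migration master.cf entries from the report
# (submission options shortened), plus a header comment line.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtps      inet  n       -       y       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Yield (service, type, chroot_field, command) for each logical entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # blank line or comment
        if line[0].isspace() and logical:     # continuation of previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        fields = entry.split()
        if len(fields) >= 8:
            yield fields[0], fields[1], fields[4], fields[7]

def effective_chroot(field, compatibility_level):
    """Resolve '-' to the default: chroot=y below level 1, chroot=n otherwise."""
    if field == "-":
        return compatibility_level < 1
    return field == "y"

def chroot_report(text, compatibility_level):
    """Map each smtpd listener to its effective chroot setting (True/False)."""
    return {svc: effective_chroot(ch, compatibility_level)
            for svc, _type, ch, cmd in parse_master_cf(text) if cmd == "smtpd"}

def mismatched(text, compatibility_level):
    """Return smtpd listeners that run unchrooted while another is chrooted."""
    report = chroot_report(text, compatibility_level)
    if any(report.values()):
        return sorted(svc for svc, chrooted in report.items() if not chrooted)
    return []

if __name__ == "__main__":
    for level in (0, 2):
        print(level, chroot_report(SAMPLE_MASTER_CF, level),
              mismatched(SAMPLE_MASTER_CF, level))
```

On a live server, pass the contents of the real master.cf and the compatibility_level value from main.cf instead of the constructed sample.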
 