1 Topic by Radapompa

  • Radapompa
  • Member
  • Offline
  • Registered: 2016-05-18
  • Posts: 20

Topic: Some issues when upgrading from Debian 8 to 9

Hi all,
This is just to give some input on what you need to think of when upgrading from Debian 8 to Debian 9.

In another post, I mentioned that you need to remove !SSLv2 from ignored protocols in dovecot.conf. Go to http://www.iredmail.org/docs/upgrade.debian.8-9.html to read on how to fix this (hopefully these parts will be added there aswell smile ).

Now I've encountered an issue where postfix won't start. For starters I've removed all settings that excluded SSLv2 in main.cf (since that broke dovecot). But it still won't start. Syslog dosen't say much more than there is an issue.

Aug  4 10:03:05 testmail systemd[1]: Starting Postfix Mail Transport Agent (instance -)...
Aug  4 10:03:06 testmail systemd[1]: postfix@-.service: Control process exited, code=exited status=1
Aug  4 10:03:06 testmail systemd[1]: Failed to start Postfix Mail Transport Agent (instance -).
Aug  4 10:03:06 testmail systemd[1]: postfix@-.service: Unit entered failed state.
Aug  4 10:03:06 testmail systemd[1]: postfix@-.service: Failed with result 'exit-code'.
Aug  4 10:03:06 testmail systemd[1]: Starting Postfix Mail Transport Agent...
Aug  4 10:03:06 testmail systemd[1]: Started Postfix Mail Transport Agent.

This part in mail.log points at something that seems to be the issue:
Aug  4 10:03:05 testmail postmulti[8176]: fatal: instance /etc/postfix, shlib_directory=/usr/lib/postfix conflicts with instance /etc/postfix, daemon_directory=/usr/lib/postfix

So after some digging I finally found the answer to what to do. I first found an suggestion to move shlib_directory to /usr/lib/postfix/lib. The folder didn't exist, but I created it and tried. Then I got a new error saying that it couldn't find /usr/lib/postfix/postfix-script. Looking into the folder, I could see that it didn't exist.

After looking through some more I finally found this page: https://bbs.archlinux.org/viewtopic.php?id=195294, where they state that postfix-script has been moved to /usr/lib/postfix/bin (for arch-linux). And that you needed to point daemon_directory there.

In Debian though the folder is called /usr/lib/postfix/sbin. So after removing the shlib_directory from main.cf and added daemon_directory = /usr/lib/postfix/sbin. I finally got postfix started.

Next issue was with fail2ban. It didn't start and didn't get much from systemd and logs. So after trying to start it manually, I got that port was defined twice in pam-generic.

So what you need to do then is to open /etc/fail2ban/jail.conf and look for the section [pam-generic]. It will look like something like this:
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

What i did was to simply comment out port = anyport and restart fail2ban, and it started. Though I haven't found which of the ports are the valid one. So if you'll find which of the ports should be used, let me know smile.

I'll do some more testing and looking through my test system. If I find something else, I'll post it here.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Radapompa

  • Radapompa
  • Member
  • Offline
  • Registered: 2016-05-18
  • Posts: 20

Re: Some issues when upgrading from Debian 8 to 9

Here's another finding. In Debian 8, you have postfix 2.11.3. In Debian 9, you have postfix 3.1.4. The good thing though is that postfix is now by standard running in compatibility mode. Which means that it will use old default settings if none are set (which you can read more about here: http://www.postfix.org/COMPATIBILITY_README.html).
But you will have warnings in your mail.log file if it find something that is using a default setting which has changed. For me, I got these warnings:

Aug  4 11:58:20 testmail postfix/master[13581]: /etc/postfix/master.cf: line 13: using backwards-compatible default setting chroot=y

What you need to do then is to go to master.cf, and change all - to y. Since that was the old default. The new default is n. You can also change the description at the top that chroot is default no instead of yes.

When you're done with fixing all compatibility issues that you've found in the logs, you can turn off the compatibility mode. You do that by looking in the log file, it will say which number you need to set to turn it off. For me it said:

To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"

So just ran these two commands and the message disappeared. Just remember to never set it higher than what the logs are saying. Since this is a safety for whenever they release a new version of postfix. So if there are major changes which may disrupt your postfix installation, they will add a higher compatibility number. So you can fix the configuration before you start to use the newer version.

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Some issues when upgrading from Debian 8 to 9

Updated: http://www.iredmail.org/docs/upgrade.debian.8-9.html

4 Reply by Radapompa (edited by Radapompa 2017-08-15 17:59:16)

  • Radapompa
  • Member
  • Offline
  • Registered: 2016-05-18
  • Posts: 20

Re: Some issues when upgrading from Debian 8 to 9

Thanks Zhang for adding these to the help page. Next issue now, PHP.

In Debian 9, php5 is no longer available. Which has been installed if you used Debian 8. So you need to migrate to PHP7.

First of all, you need to remove php5. It's not supported and won't get any security updates in Debian 9. So remove it so there won't be any issues in the future.

apt-get remove php5-cli php5-fpm php5-json php5-gd php5-mcrypt php5-curl

Next install all the php7 packages

apt-get install php-cli php-fpm php-json php-gd php-mcrypt php-curl php-intl php-xml php-mbstring

Now you need to simply configure php again. I've taken out the parts that are needed for the PHP on Debian 9 from the original iRedMail scripts. Save this script as php-mig.sh on the server.

#!/usr/bin/env bash

# path to php program
export PHP_BIN='/usr/bin/php'

# Path used to store php sessions (session.save_path)
export PHP_SESSION_SAVE_PATH='/var/lib/php/sessions'

# php-fpm
export PHP_FPM_RC_SCRIPT_NAME='php-fpm'
export PHP_FPM_SOCKET='/var/run/php-fpm.socket'
export PHP_FPM_POOL_WWW_CONF='/etc/php-fpm.d/www.conf'

# Disabled PHP functions.
#   - Roundcube plugin `enigma` requires: proc_open, proc_close, escapeshellarg.
export PHP_DISABLE_FUNCTIONS='posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,php_uname,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,system,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,proc_get_status,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid'

export PHP_INI='/etc/php/7.0/fpm/php.ini'

export PHP_FPM_POOL_WWW_CONF='/etc/php/7.0/fpm/pool.d/www.conf'
export PHP_FPM_RC_SCRIPT_NAME="php7.0-fpm"
export PHPENMOD_BIN='phpenmod'

perl -pi -e 's#^(expose_php.*=).*#${1} Off;#' ${PHP_INI}

perl -pi -e 's#^(memory_limit.*=).*#${1} 256M;#' ${PHP_INI}
perl -pi -e 's/^(upload_max_filesize.*=).*/${1} 10M;/' ${PHP_INI}
perl -pi -e 's/^(post_max_size.*=).*/${1} 12M;/' ${PHP_INI}
perl -pi -e 's/^(suhosin.session.encrypt.*=).*/${1} Off;/' ${PHP_INI}
perl -pi -e 's/^;(suhosin.session.encrypt.*=).*/${1} Off;/' ${PHP_INI}

# Add setting `disable_functions`
perl -pi -e 's#^;(disable_functions.*)#${1}#g' ${PHP_INI}
perl -pi -e 's#^(disable_functions).*#${1} = $ENV{PHP_DISABLE_FUNCTIONS}#g' ${PHP_INI}

# Create directory used to store session (session.save_path)
perl -pi -e 's#^;(session.save_path).*#${1}#g' ${PHP_INI}
perl -pi -e 's#^(session.save_path).*#session.save_path = "$ENV{PHP_SESSION_SAVE_PATH}"#g' ${PHP_INI}
# Set correct owner and permission
[ -d ${PHP_SESSION_SAVE_PATH} ] || mkdir -p ${PHP_SESSION_SAVE_PATH}
chown root:www-data ${PHP_SESSION_SAVE_PATH}
chmod 0770 ${PHP_SESSION_SAVE_PATH}

# Set date.timezone. Required by PHP-5.3.
grep '^date.timezone' ${PHP_INI} >/dev/null
if [ X"$?" == X"0" ]; then
       perl -pi -e 's#^(date.timezone).*#${1} = GMT#' ${PHP_INI}
   else
       perl -pi -e 's#^;(date.timezone).*#${1} = GMT#' ${PHP_INI}
fi

# Enable mcrypt
${PHPENMOD_BIN} mcrypt

# `intl` is required by Roundcube.
${PHPENMOD_BIN} intl

Next, you simply run it with bash.

bash php-mig.sh

And now you are on an php version that will be updated.

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Some issues when upgrading from Debian 8 to 9

Did you try steps below? it should be easier:

- Install php7 (any conflict?)
- copy php5 php.ini to php7
- copy php5 config files (pool config file 'www.conf') to php7 directory
- remove php5

6 Reply by Radapompa

  • Radapompa
  • Member
  • Offline
  • Registered: 2016-05-18
  • Posts: 20

Re: Some issues when upgrading from Debian 8 to 9

ZhangHuangbin wrote:

Did you try steps below? it should be easier:

- Install php7 (any conflict?)
- copy php5 php.ini to php7
- copy php5 config files (pool config file 'www.conf') to php7 directory
- remove php5

Haven't tried this. But thought it would be better to edit a new php7 config. In case there are some changes made in the new configs that isn't in the old ones.

7 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Some issues when upgrading from Debian 8 to 9

Also all references of imap3 in jail.conf needs to be replaced with imap if imap is missing otherwise simply remove it.

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: Some issues when upgrading from Debian 8 to 9

mir wrote:

Also all references of imap3 in jail.conf needs to be replaced with imap if imap is missing otherwise simply remove it.

Not clear to me. Do you have any sample code to share? it will help others understand this better.

9 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Some issues when upgrading from Debian 8 to 9

ZhangHuangbin wrote:
mir wrote:

Also all references of imap3 in jail.conf needs to be replaced with imap if imap is missing otherwise simply remove it.

Not clear to me. Do you have any sample code to share? it will help others understand this better.

See: https://bugs.debian.org/cgi-bin/bugrepo … bug=858587