5

If I run postfix check on my Debian squeeze server, I get this:

postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_nisplus-2.11.3.so and /lib/libnss_nisplus-2.11.3.so differ
postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_files-2.11.3.so and /lib/libnss_files-2.11.3.so differ
postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_compat-2.11.3.so and /lib/libnss_compat-2.11.3.so differ
postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_hesiod-2.11.3.so and /lib/libnss_hesiod-2.11.3.so differ
postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_nis-2.11.3.so and /lib/libnss_nis-2.11.3.so differ
postfix/postfix-script: warning: /var/spool/postfix/lib/libnss_dns-2.11.3.so and /lib/libnss_dns-2.11.3.so differ

Does somebody know a solution to fix this?

mivk
Nicolas BADIA

3 Answers

4

/var/spool/postfix is a chroot where postfix can optionally run. The idea is that if postfix is somehow compromised, the only thing the attacker would have access to is this small subset of your system instead of your whole system. The warning here is that the files in /var/spool/postfix no longer match the files in your regular system that they were copied from. You might verify that the files in /lib were expected to change (like, was libnss recently upgraded?), then consider copying these versions into the /var/spool/postfix/ chroot, so that the chroot also gets this upgrade.

stew
2

As per stew's answer, to kindly save people typing. As root:

cd /lib && cp libnss_files-2.11.3.so libnss_nis-2.11.3.so libnss_dns-2.11.3.so libnss_compat-2.11.3.so libnss_nisplus-2.11.3.so libnss_hesiod-2.11.3.so /var/spool/postfix/lib/

nosey
0

Nowadays (at least with Ubuntu server) you can fix this issue by restarting the Postfix service simply by running either

sudo systemctl restart postfix

or

sudo service postfix restart

This works because Postfix creates the chroot environment during the service start but doesn't follow modified files when you apply security updates. As a result, these files may differ when you have been running Postfix for long enough and installed security updates without rebooting the whole system (which is usually not required).

If you always restart the affected services after installing security updates you should hit this case very rarely.

Mikko Rantalainen
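The comparison behind the postfix check warnings and the copy suggested in the answers above, as an added example that is not part of any answer or of Postfix itself. The default paths /lib and /var/spool/postfix/lib come from the warnings in the question; the function names and the --check/--fix switches are made up for this example.

```shell
#!/bin/sh
# Added example: find and refresh stale NSS libraries in a Postfix chroot.
# Assumption: the chroot keeps plain copies named like the system files,
# as in the warnings quoted in the question.

# list_stale SYS_LIB CHROOT_LIB
# Prints the name of each libnss_* file in CHROOT_LIB whose content differs
# from the file of the same name in SYS_LIB. A chroot file with no system
# counterpart (for example a leftover from an older libc version) is only
# reported on stderr, because there is nothing to refresh it from.
list_stale() {
    sys_lib=$1
    chroot_lib=$2
    for copy in "$chroot_lib"/libnss_*.so*; do
        [ -f "$copy" ] || continue            # glob matched nothing
        name=${copy##*/}
        if [ ! -f "$sys_lib/$name" ]; then
            echo "warning: $name has no copy in $sys_lib" >&2
        elif ! cmp -s "$copy" "$sys_lib/$name"; then
            echo "$name"
        fi
    done
}

# sync_stale SYS_LIB CHROOT_LIB
# Copies only the files that list_stale reports, keeping mode and timestamps.
sync_stale() {
    list_stale "$1" "$2" | while IFS= read -r name; do
        cp -p "$1/$name" "$2/$name" && echo "updated $name"
    done
}

# Nothing happens without an explicit switch; --fix needs root.
case "${1:-}" in
    --check) list_stale "${2:-/lib}" "${3:-/var/spool/postfix/lib}" ;;
    --fix)   sync_stale "${2:-/lib}" "${3:-/var/spool/postfix/lib}" ;;
esac
```

Before running it with --fix, confirm that the system copies are the ones the package manager installed (on Debian, debsums checks installed files against package checksums), which is the verification the first answer recommends.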