Upgrading to Debian 13 Trixie

Published on: August 12, 2025

Ah, the trials and tribulations of upgrading Debian 12 Bookworm to Debian 13 Trixie! I learned a valuable lesson this weekend with the update - always read the apt listchanges email. Always.

The upgrade itself went smoothly with no errors during the packages upgrading/installing. I run three main services on my server - nginx, exim, and dovecot. On reboot, all three had issues with the upgraded packages.

nginx

I received the following error in my nginx error.log:

2025/08/09 17:56:31 [warn] 3003529#3003529: the "listen ... http2"  
  directive is deprecated, use the "http2" directive instead in   
  /etc/nginx/sites-enabled/gnupit.net:24

The way http2 is turned on has changed. In a site’s configuration file, http2 was turned on in the server block as follows:

server {
  listen 74.207.251.91:443 ssl http2; # IPv4

This has been deprecated and is now changed to:

server {
  listen 74.207.251.91:443 ssl; # IPv4
  http2 on;

One error down and nginx is running fine. On to the next one - I couldn’t connect to send or receive mail at all.

exim

I couldn’t send mail at all. I would receive a "Connection refused" error. I was confused. Exim started fine. There were no messages in the panic log or any of the other logs. I use a custom configuration file so nothing should have been overwritten accidentally. I checked the default startup settings in /etc/default/exim4 and nothing had changed there. Exim was set to listen on both ports 25 and 465.

SMTPLISTENEROPTIONS='-oX 25:465 -oP /var/run/exim4/exim.pid'

My first step was to check what ports exim was actually listening on in case there was some issue there.

 # lsof -i -P -n | grep LISTEN | grep exim

exim4     102551 Debian-exim  4u  IPv4 285281      0t0  TCP 127.0.0.1:25 (LISTEN)
exim4     102551 Debian-exim  5u  IPv4 285282      0t0  TCP 74.207.251.91:25 (LISTEN)

Uh oh. Where is port 465? The ports are set in /etc/default/exim4 Port 465 is specified there. Also, in Exim’s confiuration file, the following is set for tls connections.

# Note:  daemon_smtp_ports is set in /etc/default/exim4 as part of the
# startup script so it is commented out here.
#daemon_smtp_ports = 25, 465
tls_on_connect_ports    = 465

Why is it not working? It literally has worked for years with these settings. I uncommented the line for daemon_smtp_ports, saved the file and restarted.

exim4     102834 Debian-exim  4u  IPv4 287075      0t0  TCP 127.0.0.1:25 (LISTEN)
exim4     102834 Debian-exim  5u  IPv4 287076      0t0  TCP 127.0.0.1:465 (LISTEN)
exim4     102834 Debian-exim  6u  IPv4 287077      0t0  TCP 74.207.251.91:25 (LISTEN)
exim4     102834 Debian-exim  7u  IPv4 287078      0t0  TCP 74.207.251.91:465 (LISTEN)

Lo and behold, there is port 465. I was now able to connect. I couldn’t send mail because I couldn’t authenticate, but at least I could connect. I had no idea why the exim service seemed to be ignoring /etc/default/exim4. I tried turning debugging on by adding -d-all+auth to ‘SMTPLISTENEROPTIONS’ to debug the authentication issue. No go. I couldn’t turn debugging on. Turns out the use of /etc/default/exim4 is deprecated.

From apt-listchanges:

exim4 (4.96-20) experimental; urgency=low

Drop support for configuring daemon startup by setting QUEUERUNNER in /etc/default/exim4. Also replace QFLAGS, QUEUEINTERVAL, COMMONOPTIONS, QUEUERUNNEROPTIONS and SMTPLISTENEROPTIONS settings for init script/service file in etc/default/exim4 with a combined EXIMSERVICE (for systemd) or EXIMDAEMONOPTS (init script) directive.

Most of the previous functionality is available by different means:

Disable running an exim daemon this way (’nodaemon’): -> Use the native functionality of the init system you are using, e.g. for systemd mask the service.

Start two separate daemon processes, one for listening on port 25 and another for queue running (‘separate’) -> Not supported anymore.

Run a daemon that both listens on port 25 and runs the queue. -> default behavior (’-bdf -q30m’ / ‘-bd -q30m’)

Run a daemon that either listens on port 25 and runs the queue. -> set to -bdf/-bd without -q30m or vice versa.

Only run queue when a ppp connection is made (‘ppp’): -> Disable queuerunner like noted above and remove the ’exit 0’ from the start of /etc/ppp/ip-up.d/exim4

Now I just need to figure out how to set debugging options.

dovecot

Dovecot 2.4 introduced major changes and came with the warning that the configuration files for dovecot 2.3 would need to be changed. They weren’t kidding. Everything (almost) that you need to know about upgrading dovecot 2.3 to 2.4 is here.

The first thing I tackled was getting Exim to authenticate. I headed over to the exim recommendations, Using Exim with Dovecot, and discovered that I needed to set type = auth-legacy in the unix_listener block.

service auth {
  ...
  # SASL
  unix_listener auth-exim {
    # Exim requires legacy auth type until it gets updated
    type = auth-legacy
    mode = 0660
    user = Debian-exim
  }
  ...
}

I then proceeded to update my configuration file with the changes needed. Once that was done, I restarted dovecot and was able to send and receive mails.

That is the upgrade to Trixie done and dusted.