service(postfix): Better handling of the compatibility_level setting (#2597)

* chore: Fix typo

* chore: Apply explicit chroot default for `sender-cleanup`

The implicit default is set to `y` as a compatibility fallback, but otherwise it is [advised to set to `n` going forward](http://www.postfix.org/COMPATIBILITY_README.html#chroot).

Test was changed to catch any backwards-compatibility logs, not just those for `chroot=y`. `using` added as a prefix to avoid catching log message whenever a setting is changed that the default compatibility level is active.

* chore: Set `compatibility_level` in `main.cf`

We retain the level`2` value previously set via scripts. This avoids log noise that isn't helpful.

Applied review feedback to give maintainers some context with this setting and why we have it presently set to `2`.
This commit is contained in:
Brennan Kinney 2022-06-05 12:10:20 +12:00 committed by GitHub
parent 1bd8ef3976
commit 3d6e7a7bb8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 14 deletions

View file

@ -56,14 +56,14 @@ disable_vrfy_command = yes
# Postscreen settings to drop zombies/open relays/spam early
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
bl.mailspike.net
b.barracudacentral.org*2
bl.spameatingmonkey.net
dnsbl.sorbs.net
psbl.surriel.com
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
bl.mailspike.net
b.barracudacentral.org*2
bl.spameatingmonkey.net
dnsbl.sorbs.net
psbl.surriel.com
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
@ -101,5 +101,14 @@ policyd-spf_time_limit = 3600
# Header checks for content inspection on receiving
header_checks = pcre:/etc/postfix/maps/header_checks.pcre
# Remove unwanted headers that reveail our privacy
# Remove unwanted headers that reveal our privacy
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
# The default compatibility_level is 0 - which retains legacy settings defaults:
# http://www.postfix.org/COMPATIBILITY_README.html
# If backwards-compaitibilty log messages appear, fix them by explicitly adding
# the legacy or new default value (alternatively raise the compatibility_level)
#
# TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider
# bumping this value after taking the compaitibilty changes into account.
compatibility_level = 2

View file

@ -67,7 +67,7 @@ lmtp unix - - n - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
sender-cleanup unix n - - - 0 cleanup
sender-cleanup unix n - n - 0 cleanup
-o syslog_name=postfix/sender-cleanup
-o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre

View file

@ -762,9 +762,6 @@ function _setup_postfix_override_configuration
else
_log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-master.cf' was not provided"
fi
_log 'trace' "Set Postfix's compatibility level to 2"
postconf compatibility_level=2
}
function _setup_postfix_sasl_password

View file

@ -510,7 +510,7 @@ EOF
assert_failure
run docker exec mail grep -i '(!)connect' /var/log/mail/mail.log
assert_failure
run docker exec mail grep -i 'backwards-compatible default setting chroot=y' /var/log/mail/mail.log
run docker exec mail grep -i 'using backwards-compatible default setting' /var/log/mail/mail.log
assert_failure
run docker exec mail grep -i 'connect to 127.0.0.1:10023: Connection refused' /var/log/mail/mail.log
assert_failure