refactor: Revised relay.sh helper#2604
Merged
polarathene merged 10 commits intodocker-mailserver:masterfrom Jun 4, 2022
Merged
refactor: Revised relay.sh helper#2604polarathene merged 10 commits intodocker-mailserver:masterfrom
relay.sh helper#2604polarathene merged 10 commits intodocker-mailserver:masterfrom
Conversation
Changes to `sed` handling that made it quicker to grok, and thus easier for maintainers like myself: - Switched regex to [extended regex](https://www.gnu.org/software/sed/manual/html_node/Extended-regexps.html). - Extracted `sed` patterns to be self-descriptive local vars. - Used a function to reduce noise from intent of loop input (each line as `DOMAIN_PART`). Input for the loop is filtered through `sort -u` to drop duplicates, reducing iterations. `DOMAIN` loop var renamed to less vague `DOMAIN_PART`. Additional comment in the containing method clarifies what the domain part refers to. --- `|` regexp syntax needed to be escaped due to switch. Not documented in the earlier link. `-r`/`-E` (ERE) aka extended regexp syntax is [detailed here](https://learnbyexample.github.io/learn_gnused/breere-regular-expressions.html#cheatsheet-and-summary).
`smtp_tls_note_starttls_offer = yes` - Only adds a log entry to let you know when an unencrypted connection was made, but STARTTLS was offered: https://www.postfix.org/postconf.5.html#smtp_tls_note_starttls_offer `smtp_tls_CAfile` is unnecessary. This was added before `smtp_tls_CApath = /etc/ssl/certs` was several months later via a separate PR.
These have been shifted to relevant logic for now. --- NOTE: `SASL_PASSWD` previously needed to define `RELAY_HOST` to set `smtp_sasl_password_maps` to enable the `/etc/postfix/sasl_passwd` table. This change now additionally blocks early on in `_relayhost_sasl`. Not likely important due to `RELAY_HOST` logic, user should be using the `RELAY_USER` + `RELAY_PASSWORD` ENV or `postfix-sasl-password.cf` instead. Especially the sender dependent parameters which are only relevant with user provided configs really. `SASL_PASSWD` is the oldest ENV for relay support before any other relay feature arrived. It is poorly documented and should not be used. Potential breakage risk considered acceptable.
Further clarifying current processing logic and adding some additional notes for future work.
The mapping should be in sync between the two configs. I also wanted to raise awareness of current state of support, which will likely need some refactoring. This also removes the need for the `RELAY_PORT` fallback method. The log message was adjusted as configuration is potentially for more than one relay host beyond the currently required ENV config to enable support. --- NOTE: The ENV `DEFAULT_RELAY_HOST` skips modifying the default transport for an authenticated relay (locked behind `RELAY_HOST` to activate). It presently will only relay mail through a relay host on port 25 instead of delivering directly to the destination. A separate use-case.
More verbose example configs with expanded documentation. Additional doc references for SASL support and cautioning maintainers that may reference popular relay service providers docs. May later be migrated to a "maintainers" section in official docs and link to that. Brief overview description of what `_populate_relayhost_map` is doing.
`_populate_relayhost_map` will get some refactoring in future and likely introduce some breaking changes for a future major release.
This helper now includes a description of it's purpose, links to relevant user docs and supported `setup.sh` commands. Intent is to keep a maintainer of the feature aware of anything relevant to this feature.
polarathene
added
priority/high
service/postfix
area/scripts
area/features
kind/improvement
6 tasks
georglauterbach
previously approved these changes
May 29, 2022
Member
georglauterbach
left a comment
georglauterbach
left a comment
There was a problem hiding this comment.
LGTM 👍🏼
Very nice with the comments you added to the code :D
Co-authored-by: Georg Lauterbach <[email protected]>
georglauterbach
approved these changes
May 30, 2022
casperklein
approved these changes
Jun 4, 2022
Member
casperklein
left a comment
casperklein
left a comment
There was a problem hiding this comment.
👍 for the extended comments.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This is a refactor of the current relay support offered via
docker-mailserver. For the most part, this is preparation for a future PR that will make some breaking changes to revise the relay support offered. I want to simplify review for that by covering the changes here.Reviewers that are not familiar with present relay support should have no trouble getting up to speed. Supporting comments can be dropped before merge or via follow-up commit if necessary. Changes have been staged out into separate commits (with their own commit messages for context) should that assist with review.
I also have a related change with
SASL_PASSWDsupport that would have added noise to the review here. I've opted to cherry-pick it out of this PR and into it's own PR that will follow upon merging of this PR. (EDIT: PR opened, will be rebased after merging this one)Overview of changes (ordered by appearance in
relay.sh)helpers/relay.shmanages._relayhost_default_port_fallback()has been dropped. It no longer serves a purpose._env_relay_host()has been added. It provides the default port fallback and ensures the configured relay-host is in sync between both/etc/postfix/sasl_passwdand/etc/postfix/relayhost_map, which is required for successful lookup.main.cfsettings configured viapostconfhave been relocated from_relayhost_configure_postfix()to their relevant sections of code. There may be potential risk of breakage in a deployment that relied on those being set regardless whenRELAY_HOSTENV was set, but did not leverage our feature support that specifically requires them (and for which they were originally added for). It is intended in future to manage separate transports beyond the present defaultmaster.cf:smtpone._populate_relayhost_mapshould function the same. The changes are mostly to make it's purpose and concerns for changes in future clear (normally I keep notes locally instead of inlining, but have chosen to make sure others can understand the feature quickly and what changes need to be done should future work lag behind on my part, someone else could pick it up). Plan is to better implement the features intent without the excessive approach with accounts currently used._relayhost_configure_postfix()is simplified. Some settings configured there were unnecessary, see associated commit for details. In future a separate SMTP client transport will be configured, which will better support the use-cases from past relay-host contributions and more easily allow for supporting multiple relay-hosts with different requirements (no auth, explicit TLS, implicit TLS, varying ports).Relay-host feature history:
I went through the history of the feature to understand why decisions for current support exist, use-cases and if any breakage may be an issue (especially around
SASL_PASSWDand why that path looked borked).Documenting that history here for others, which may be helpful to maintainers in future rather than trawling
git blame😅#83):main.cfcustomization via user config file (postfix-main.cf).SASL_PASSWDENV to automate creating a hash table (the generated.dbfile receivedchown/chmodadjustments, then temporary input file removed) as opposed to using plaintext with thestatictable type in themain.cfsetting.smtp_tls_security_level=noneto amavis transports.smtp_tls_wrappermode=nowas probably not set as port 465 was not as relevant in 2016.#194):main.cfdefault settings for configuring an authenticated relay-host, instead of expecting the user to know what to add with apostfix-main.cfthemselves. It was initially hard-coded to port 25, but future PRs resolved that.smtp_sasl_password_mapswas only enabled as part of this automated config. The priorSASL_PASSWDENV support was very basic and did not include even that.smtp_tls_CAfilewas also introduced for relay configs via this PR. A July 2016 PR introducedsmtp_tls_CApathas a default (#243), making the relay specific one redundant.hashtotexthash(#382).#926):#922).check-for-changes.sh.RELAY_HOSTand related ENV were added, replacing earlier ENV for AWS SES (despite the ENV name, was supporting other relays).setup.shrelay commands.postfix-relayhost.cfandpostfix-sasl-password.cffiles to support multiple per sender relay-hosts and/or credentials.main.cf:relayhostin favor of adopting sender dependent mappings. This seemed unnecessary, as it would append all domains frompostfix-accounts.cfby default, effectively mimickingmain.cf:relayhostanyway.. Presumably this was to provide support to opt-out a domain viapostix-relayhost.cf, but what they'd actually want really would be to opt-in such a domain to a separate outbound transport (a future PR will introduce this and bring backmain.cf:relayhost).DEFAULT_RELAY_HOSTto support default relay without authentication (#1104):RELAY_HOST. This would also be addressed with the future relay-host refactor.RELAY_HOSTper sender mapping support (#1596):_populate_relayhost_mapfunction to try sync some of the duplicated code that wasn't complete in the earlier copy added to the change detector script.relay.shhelper (#2260):Type of change
postconfsettings relocation)Checklist: