fix: Opt-out of implicit TLS for Amavis SMTP client transport#2607
Merged
polarathene merged 2 commits intodocker-mailserver:masterfrom Jun 5, 2022
Merged
Conversation
Presently relay-host support modifies `main.cf` settings directly. This adjusts the default transport (`smtp`) which other transports in `master.cf` inherit from. When configuring for implicit TLS to a `relay-host` this would set `main.cf:smtp_tls_wrappermode = yes` and affect the transport `master.cf:smtp-amavis` which does not set an override like it does for `smtp_tls_security_level`. This causes Amavis to fail working which the default transport relies on due to `main.cf:content_filter`. Easy fix, by explicitly adding the override `smtp_tls_wrappermode=no`.`no` is default in `main.cf` so inheriting this setting hasn't been a problem in the past for other relay-hosts using StartTLS.
casperklein
approved these changes
Jun 4, 2022
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Explicitly set
smtp_tls_wrappermode=noformaster.cf:smtp-amavisso that it does not inherit this setting frommain.cfwhen updated for relay-host support, which the configured Amavis transport does not support (at least withsmtp_tls_security_level=none).Additionally adds service names for better visibility of amavis specific
master.cfclient/server logs.This change enables supporting relay-host connections over implicit TLS (port 465).
Commit message (verbose description)
Presently relay-host support modifies
main.cfsettings directly. This adjusts the default transport (smtp) which other transports inmaster.cfinherit from.When configuring for implicit TLS to a
relay-hostthis would setmain.cf:smtp_tls_wrappermode = yesand affect the transportmaster.cf:smtp-amaviswhich does not set an override like it does forsmtp_tls_security_level. This causes Amavis to fail working which the default transport relies on due tomain.cf:content_filter.Easy fix, by explicitly adding the override
smtp_tls_wrappermode=no.nois default inmain.cfso inheriting this setting hasn't been a problem in the past for other relay-hosts using StartTLS.Fixes: #2601
This is a partial fix for supporting implicit TLS with relay-hosts. The user still needs to configure
main.cfto enablesmtp_tls_wrappermode = yeswithpostfix-main.cforuser-patches.sh. We do not document this, and future improvements to relay support are planned to simplify support.Type of change
Checklist: