Fix: Depricate RELAYHOST_TLS_LEVEL with Postfix equivivalent

thienohs · May 31, 2021 · a695d05 · a695d05
1 parent 552d73c
commit a695d05
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ Simple postfix relay host ("postfix null client") for your Docker containers. Ba
     * [Log format](#log-format)
   * [Postfix-specific options](#postfix-specific-options)
     * [RELAYHOST, RELAYHOST_USERNAME and RELAYHOST_PASSWORD](#relayhost-relayhost_username-and-relayhost_password)
-    * [RELAYHOST_TLS_LEVEL](#relayhost_tls_level)
+    * [POSTFIX_smtp_tls_security_level](#postfix_smtp_tls_security_level)
     * [XOAUTH2_CLIENT_ID, XOAUTH2_SECRET, XOAUTH2_INITIAL_ACCESS_TOKEN and XOAUTH2_INITIAL_REFRESH_TOKEN](#xoauth2_client_id-xoauth2_secret-xoauth2_initial_access_token-and-xoauth2_initial_refresh_token)
     * [MASQUERADED_DOMAINS](#masqueraded_domains)
     * [SMTP_HEADER_CHECKS](#smtp_header_checks)
@@ -162,7 +162,7 @@ To change the log format, set the (unsurprisingly named) variable `LOG_FORMAT=js
 * `RELAYHOST_USERNAME` = An (optional) username for the relay server
 * `RELAYHOST_PASSWORD` = An (optional) login password for the relay server
 * `RELAYHOST_PASSWORD_FILE` = An (optional) file containing the login password for the relay server. Mutually exclusive with the previous option.
-* `RELAYHOST_TLS_LEVEL` = Relay host TLS connection level
+* `POSTFIX_smtp_tls_security_level` = Relay host TLS connection level
 * `XOAUTH2_CLIENT_ID` = OAuth2 client id used when configured as a relayhost.
 * `XOAUTH2_SECRET` = OAuth2 secret used when configured as a relayhost.
 * `XOAUTH2_INITIAL_ACCESS_TOKEN` = Initial OAuth2 access token.
@@ -204,7 +204,7 @@ If your end server requires you to authenticate with username/password, add them
 docker run --rm --name postfix -e RELAYHOST=mail.google.com -e RELAYHOST_USERNAME=hello@gmail.com -e RELAYHOST_PASSWORD=world -p 1587:587 boky/postfix
 ```
 
-#### `RELAYHOST_TLS_LEVEL`
+#### `POSTFIX_smtp_tls_security_level`
 
 Define relay host TLS connection level. See [smtp_tls_security_level](http://www.postfix.org/postconf.5.html#smtp_tls_security_level) for details. By default, the permissive level ("may") is used, which basically means "use TLS if available" and should be a sane default in most cases.
 
@@ -226,7 +226,7 @@ Example:
 docker run --rm --name pruebas-postfix \
     -e RELAYHOST="[smtp.gmail.com]:587" \
     -e RELAYHOST_USERNAME="<put.your.account>@gmail.com" \
-    -e RELAYHOST_TLS_LEVEL="encrypt" \
+    -e POSTFIX_smtp_tls_security_level="encrypt" \
     -e XOAUTH2_CLIENT_ID="<put_your_oauth2_client_id>" \
     -e XOAUTH2_SECRET="<put_your_oauth2_secret>" \
     -e ALLOW_EMPTY_SENDER_DOMAINS="true" \
@@ -417,7 +417,7 @@ As an alternative to passing sensitive information via environment variables, `_
 docker run --rm --name pruebas-postfix \
     -e RELAYHOST="[smtp.gmail.com]:587" \
     -e RELAYHOST_USERNAME="<put.your.account>@gmail.com" \
-    -e RELAYHOST_TLS_LEVEL="encrypt" \
+    -e POSTFIX_smtp_tls_security_level="encrypt" \
     -e XOAUTH2_CLIENT_ID_FILE="/run/secrets/xoauth2-client-id" \
     -e XOAUTH2_SECRET_FILE="/run/secrets/xoauth2-secret" \
     -e ALLOW_EMPTY_SENDER_DOMAINS="true" \

diff --git a/helm/mail/values.yaml b/helm/mail/values.yaml
@@ -91,14 +91,14 @@ config:
     # RELAYHOST:
     # RELAYHOST_USERNAME:
     # RELAYHOST_PASSWORD:
-    # RELAYHOST_TLS_LEVEL:
     # MASQUERADED_DOMAINS:
     # SMTP_HEADER_CHECKS:
     # DKIM_SELECTOR:
     # DKIM_AUTOGENERATE:
   postfix: {}
     # e.g.
     # myhostname: "postfix"
+    # smtp_tls_security_level: "encrypt"
   opendkim: {}
     # e.g.
     # RequireSafeKeys: "yes"

diff --git a/integration-tests/xoauth2-error/docker-compose.yml b/integration-tests/xoauth2-error/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       ALLOW_EMPTY_SENDER_DOMAINS: "true"
       RELAYHOST: "[smtp.gmail.com]:587"
       RELAYHOST_USERNAME: "${RELAYHOST_USERNAME}"
-      RELAYHOST_TLS_LEVEL: "encrypt"
+      POSTFIX_smtp_tls_security_level: "encrypt"
       XOAUTH2_CLIENT_ID: "${XOAUTH2_CLIENT_ID}"
       XOAUTH2_SECRET: "${XOAUTH2_SECRET}"
       #XOAUTH2_INITIAL_ACCESS_TOKEN: "${XOAUTH2_INITIAL_ACCESS_TOKEN}"

diff --git a/integration-tests/xoauth2/docker-compose.yml b/integration-tests/xoauth2/docker-compose.yml
@@ -20,7 +20,7 @@ services:
       ALLOW_EMPTY_SENDER_DOMAINS: "true"
       RELAYHOST: "[smtp.gmail.com]:587"
       RELAYHOST_USERNAME: "${RELAYHOST_USERNAME}"
-      RELAYHOST_TLS_LEVEL: "encrypt"
+      POSTFIX_smtp_tls_security_level: "encrypt"
       XOAUTH2_CLIENT_ID: "${XOAUTH2_CLIENT_ID}"
       XOAUTH2_SECRET: "${XOAUTH2_SECRET}"
       #XOAUTH2_INITIAL_ACCESS_TOKEN: "${XOAUTH2_INITIAL_ACCESS_TOKEN}"

diff --git a/scripts/common-run.sh b/scripts/common-run.sh
@@ -147,12 +147,14 @@ postfix_set_hostname() {
 }
 
 postfix_set_relay_tls_level() {
-	if [ -z "$RELAYHOST_TLS_LEVEL" ]; then
+	if [ ! -z "$RELAYHOST_TLS_LEVEL" ]; then
+		deprecated "${emphasis}RELAYHOST_TLS_LEVEL${reset} variable is deprecated. Please use ${emphasis}POSTFIX_smtp_tls_security_level${reset} instead."
+		POSTFIX_smtp_tls_security_level="$RELAYHOST_TLS_LEVEL"
+	fi
+
+	if [ -z "$POSTFIX_smtp_tls_security_level" ]; then
 		info "Setting smtp_tls_security_level: ${emphasis}may${reset}"
-		do_postconf -e "smtp_tls_security_level=may"
-	else
-		notice "Setting smtp_tls_security_level: ${emphasis}$RELAYHOST_TLS_LEVEL${reset}"
-		do_postconf -e "smtp_tls_security_level=$RELAYHOST_TLS_LEVEL"
+		POSTFIX_smtp_tls_security_level="may"
 	fi
 }
 
@@ -177,6 +179,9 @@ postfix_setup_relayhost() {
 				echo "$RELAYHOST $RELAYHOST_USERNAME:$RELAYHOST_PASSWORD" >> /etc/postfix/sasl_passwd
 			fi
 			postmap lmdb:/etc/postfix/sasl_passwd
+			chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.lmdb
+			chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.lmdb
+
 			do_postconf -e "smtp_sasl_auth_enable=yes"
 			do_postconf -e "smtp_sasl_password_maps=lmdb:/etc/postfix/sasl_passwd"
 			do_postconf -e "smtp_sasl_security_options=noanonymous"