[Postfix] TLS protocols for submission and smtps can be overriden using extra.cf (submission_smtpd_tls_mandatory_protocols and smtps_smtpd_tls_mandatory_protocols), thanks to @christianbur

[Postfix] Show overriding warnings when starting Postfix, but hide them in syslog output
2019-11-24 14:18:27 +01:00 · 2019-11-24 14:18:27 +01:00 · 4a36eb014c
parent dff81eda19
commit 4a36eb014c
4 changed files with 16 additions and 4 deletions
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@ -32,10 +32,16 @@ destination d_redis_f2b_channel {
  );
 };
 filter f_mail { facility(mail); };
+# start
+# overriding warnings are still displayed when the entrypoint runs its initial check
+# warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
+filter f_overrides { not match("overriding earlier entry" value("MESSAGE")); };
+# end
 filter f_skip_local { not facility (local0, local1, local2, local3, local4, local5, local6, local7); };
 log {
  source(s_src);
  filter(f_skip_local);
+  filter(f_overrides);
  destination(d_stdout);
  filter(f_mail);
  destination(d_redis_ui_log);
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@ -187,8 +187,12 @@ transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
 smtp_sasl_auth_soft_bounce = no
 postscreen_discard_ehlo_keywords = silent-discard, dsn
 compatibility_level = 2
-smtputf8_enable = no
+smtputf8_enable = yes
+# Define protocols for SMTPS and submission service
+submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #

+smtputf8_enable = no
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@ -6,18 +6,20 @@ smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain

 # smtpd tls-wrapped (smtps) on 465/tcp
+# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
 smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes

 # smtpd with starttls on 587/tcp
+# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
 submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
-  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes

 # used by SOGo
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -223,7 +223,7 @@ services:
            - dovecot

    postfix-mailcow:
-      image: mailcow/postfix:1.42
+      image: mailcow/postfix:1.43
      volumes:
        - ./data/conf/postfix:/opt/postfix/conf
        - ./data/assets/ssl:/etc/ssl/mail/:ro