[Postfix] Merge syslog filters

[Postfix] Create sasl_access map; Use JSON_VALUE and remove unnecessary like command
2020-09-17 19:47:11 +02:00 · 2020-09-17 19:47:11 +02:00 · 85b027aa9d
parent 09ec4fcd81
commit 85b027aa9d
3 changed files with 29 additions and 15 deletions
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@ -97,7 +97,7 @@ query = SELECT IF(EXISTS(
          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
            WHERE alias_domain='%d'
        )
-      ) AND json_extract(attributes, '$.tls_enforce_in') LIKE '%%1%%' AND mailbox.active = '1'
+      ) AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_in')) = '1' AND mailbox.active = '1'
  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
 EOF

@ -117,7 +117,7 @@ query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
              WHERE alias_domain = '%d'
          )
        )
-        AND json_extract(attributes, '$.tls_enforce_out') LIKE '%%1%%'
+        AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_out')) = '1'
        AND mailbox.active = '1'
    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
    UNION ALL
@ -264,7 +264,7 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = unix:/var/run/mysqld/mysqld.sock
 dbname = ${DBNAME}
-query = SELECT CONCAT(JSON_UNQUOTE(JSON_EXTRACT(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
+query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
 EOF

 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
@ -318,6 +318,16 @@ query = SELECT goto FROM alias
      AND alias_domain.active='1'
 EOF

+# Reject sasl usernames with smtp disabled
+cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_access_maps.cf
+# Autogenerated by mailcow
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = unix:/var/run/mysqld/mysqld.sock
+dbname = ${DBNAME}
+query = SELECT 'REJECT' FROM mailbox WHERE username = '%u' AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.smtp_access')) = '0';
+EOF
+
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
 # Autogenerated by mailcow
 user = ${DBUSER}
--- a/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
@ -35,15 +35,17 @@ filter f_mail { facility(mail); };
 # start
 # overriding warnings are still displayed when the entrypoint runs its initial check
 # warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
-filter f_overrides { not match("overriding earlier entry" value("MESSAGE")); };
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
 # end
-filter f_skip_local { not facility (local0, local1, local2, local3, local4, local5, local6, local7); };
-filter f_checks { not match("TLS SNI from checks.mailcow.email" value("MESSAGE")); };
 log {
  source(s_src);
-  filter(f_skip_local);
-  filter(f_overrides);
-  filter(f_checks);
+  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
  destination(d_redis_ui_log);
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@ -35,15 +35,17 @@ filter f_mail { facility(mail); };
 # start
 # overriding warnings are still displayed when the entrypoint runs its initial check
 # warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
-filter f_overrides { not match("overriding earlier entry" value("MESSAGE")); };
+# Some other warnings are ignored
+filter f_ignore {
+  not match("overriding earlier entry" value("MESSAGE"));
+  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
+  not match("no SASL support" value("MESSAGE"));
+  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
+};
 # end
-filter f_skip_local { not facility (local0, local1, local2, local3, local4, local5, local6, local7); };
-filter f_checks { not match("TLS SNI from checks.mailcow.email" value("MESSAGE")); };
 log {
  source(s_src);
-  filter(f_skip_local);
-  filter(f_overrides);
-  filter(f_checks);
+  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
  destination(d_redis_ui_log);