Oefenweb / ansible-postfix

Ansible role to set up postfix in Debian-like systems
MIT License

postfix_sasl_password is readable by all users on the mail server #114

Closed sourcejedi closed 3 years ago

sourcejedi commented 3 years ago

Running role v3.5.0 on Debian 10.

$ cd /etc/postfix
$ ls -l
total 136
...
-rw------- 1 root root    98 Jun  4 15:44 sasl_passwd
-rw-r--r-- 1 root root 12288 Jun  4 15:44 sasl_passwd.db
$ strings sasl_passwd
strings: sasl_passwd: Permission denied
$ strings sasl_passwd.db
my-email@gmail.com:my-password
[smtp.gmail.com]:587

This seems to be because the postmap sasl_passwd handler is using postmap -p. This looks deliberate, since the other handlers don't. I think it's a mistake?

tersmitten commented 3 years ago

See #90

tersmitten commented 3 years ago

http://www.postfix.org/postmap.1.html

tersmitten commented 3 years ago

I'm not sure that it's an issue. What do you think?

sourcejedi commented 3 years ago

Thanks!

80: Run postmap -p on sasl_passwd which is mode 0600 to get sasl_passwd.db with mode 0644 as per official docs, otherwise the postfix service cannot see the db file and cannot get the auth info. The *.db file's contents are protected and do not need to be hidden.

I think there was some reason for writing the above, but that in general it's all wrong.

The howtos I saw don't recommend mode 0644 / postmap -p, rather the opposite. I Google searched for postmap -p, and this role was basically the only result...

Official docs: Important

Keep the SASL client password file in /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail.

Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.

The following patch worked fine on my system.

diff --git a/handlers/main.yml b/handlers/main.yml
index d4da700..b09c7ed 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -9,7 +9,7 @@
   when: postfix_default_database_type != 'regexp'

 - name: postmap sasl_passwd
-  command: postmap -p {{ postfix_default_database_type }}:{{ postfix_sasl_passwd_file }}
+  command: postmap {{ postfix_default_database_type }}:{{ postfix_sasl_passwd_file }}
   when: postfix_default_database_type != 'regexp'

 - name: postmap sender_canonical_maps
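Review bot: Dropping -p makes postmap inherit the 0600 mode of sasl_passwd, which matches the quoted official guidance, but the handler only fires on a change notification, so hosts that already have a 0644 sasl_passwd.db keep the readable copy until the handler runs again; the postmap(1) page describes the inherited permissions as applying when a new file is created, so it is worth confirming on an existing 0644 .db that a re-run actually tightens the mode (or removing the stale .db before postmap runs). The `when: postfix_default_database_type != 'regexp'` guard is unchanged and still correct, since regexp tables have no compiled .db file.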
tersmitten commented 3 years ago

Can you make a PR?
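An audit check for hosts that already ran the affected handler, added here as an example and not part of the issue or the ansible-postfix role. It flags any Postfix table whose source file is root-only while its compiled `.db` copy is readable by group or other, which is the state the issue reports; it assumes GNU `stat` and hash/btree tables stored as `<name>.db`.

```shell
#!/bin/sh
# Added example, not part of this issue or of the ansible-postfix role.
# A source table that is private (no group/other bits) must not have a
# compiled <name>.db copy that other local users can read, which is exactly
# what "postmap -p" produces from a 0600 sasl_passwd.
# Assumes GNU stat (-c '%a') and hash/btree tables written as "<name>.db".

# postfix_map_leaks SRC
#   0 = SRC is private but SRC.db is group/other accessible (leak)
#   1 = permissions are consistent
#   2 = SRC.db does not exist
postfix_map_leaks() {
    src=$1
    db="$src.db"
    [ -f "$db" ] || return 2
    # The leading 0 makes the shell parse stat's mode string as octal.
    src_mode=$(( 0$(stat -c '%a' "$src") ))
    db_mode=$(( 0$(stat -c '%a' "$db") ))
    if [ $(( src_mode & 0077 )) -eq 0 ] && [ $(( db_mode & 0077 )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# audit_postfix_maps [DIR]
#   Prints one LEAK line per offending .db file in DIR (default /etc/postfix)
#   and returns 1 if any were found, 0 otherwise.
audit_postfix_maps() {
    dir=${1:-/etc/postfix}
    found=0
    for db in "$dir"/*.db; do
        [ -e "$db" ] || continue      # unmatched glob
        src=${db%.db}
        [ -f "$src" ] || continue     # .db without a source table
        if postfix_map_leaks "$src"; then
            printf 'LEAK: %s is mode %s while %s is mode %s\n' \
                "$db" "$(stat -c '%a' "$db")" "$src" "$(stat -c '%a' "$src")"
            found=1
        fi
    done
    return $found
}
```

Run `audit_postfix_maps /etc/postfix` as root; a non-zero exit means at least one compiled table is exposed and should be rebuilt after the handler fix.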