needing to set proxy_read_maps?


Matthew Selsky
Hi everyone,

We're running multi-instance postfix 3.1.15 and we want to rewrite message headers via LDAP tables using smtp generic (so that it happens after transport selection).

Our transport table has:
domain1.invalid                 affiliate:[external1.invalid]

And master.cf has:
affiliate unix  -       -       n       -       -       smtp
  -o smtp_generic_maps=${ldap}generic-ldap.cf

smtp_generic_maps is unset in main.cf:
$ postmulti -i postfix-mta-out -x postconf  smtp_generic_maps
smtp_generic_maps =

We get the following warning in our logs:
2021-02-16T20:41:17.544+00:00 server.invalid postfix-mta-out/proxymap[634976]: warning: to approve this table for read-only access, list proxy:ldap:/etc/postfix-mta-out/generic-ldap.cf in main.cf:proxy_read_maps

To get around this, in main.cf, we set:
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $virtual_gid_maps $virtual_uid_maps, proxy:ldap:/etc/postfix-mta-out/generic-ldap.cf

Is this only necessary because we're setting smtp_generic_maps in master.cf instead of main.cf?

Thanks,
-Matt
Re: needing to set proxy_read_maps?

Viktor Dukhovni
On Thu, Feb 18, 2021 at 09:02:26PM +0000, Matthew Selsky wrote:

> Our transport table has:
> domain1.invalid                 affiliate:[external1.invalid]
>
> And master.cf has:
> affiliate unix  -       -       n       -       -       smtp
>   -o smtp_generic_maps=${ldap}generic-ldap.cf
>
> smtp_generic_maps is unset in main.cf:
> $ postmulti -i postfix-mta-out -x postconf  smtp_generic_maps
> smtp_generic_maps =
>
> We get the following warning in our logs:
> 2021-02-16T20:41:17.544+00:00 server.invalid
>   postfix-mta-out/proxymap[634976]: warning: to approve this table for
>   read-only access, list proxy:ldap:/etc/postfix-mta-out/generic-ldap.cf
>   in main.cf:proxy_read_maps

Indeed, because your "$ldap" definition in main.cf starts with
"proxy:ldap:", each LDAP table needs to be configured in
proxy_read_maps.

Therefore, you might want to actually "name" this table:

    main.cf:
        affiliate_generic_maps = ${ldap}generic-ldap.cf
        proxy_read_maps = ... $affiliate_generic_maps

    master.cf:
        affiliate unix  -       -       n       -       -       smtp
          -o smtp_generic_maps=$affiliate_generic_maps

> Is this only necessary because we're setting smtp_generic_maps in
> master.cf instead of main.cf?

Yes, because proxy_read_maps already tries to automatically capture all
the standard parameters that specify (lists of) tables.  But master.cf
is not covered.

It would be nice to have a "+=" syntax for Postfix parameters some day,
so that one could specify "default + custom", rather than stutter the
built-in defaults.

--
    Viktor.
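
An added example, not part of either message and not Postfix code: a small lint that expands main.cf parameters and reports proxy: tables set through master.cf "-o" overrides that an explicit proxy_read_maps does not list, which is the condition behind the warning in this thread. Assumptions: only the simple $name, ${name} and $(name) forms are expanded, the built-in proxy_read_maps default is not modelled, and the sample configuration (including the value of "ldap" and the transport_maps path) is constructed.

```python
import re

PARAM = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")  # $name, ${name}, $(name)

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand parameter references recursively; unset names become empty."""
    if depth > 10:  # guard against self-referencing parameters
        return value
    return PARAM.sub(lambda m: expand(params.get(m.group(1) or m.group(2) or m.group(3), ""),
                                      params, depth + 1), value)

def unapproved_proxy_tables(main_cf, master_cf):
    """List (service, parameter, table) for proxy: tables set via -o but not approved."""
    params = parse_main_cf(main_cf)
    approved = set(re.split(r"[,\s]+", expand(params.get("proxy_read_maps", ""), params)))
    findings, service = [], None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            service = line.split()[0]  # first field of a service entry
        for name, raw in re.findall(r"-o\s+(\w+)=(\S+)", line):
            for table in re.split(r"[,\s]+", expand(raw, params)):
                if table.startswith("proxy:") and table not in approved:
                    findings.append((service, name, table))
    return findings

# Constructed sample input modelled on the thread (the transport_maps path is made up).
MASTER_BEFORE = "affiliate unix - - n - - smtp\n  -o smtp_generic_maps=${ldap}generic-ldap.cf\n"
MAIN_BEFORE = ("ldap = proxy:ldap:/etc/postfix-mta-out/\n"
               "transport_maps = hash:/etc/postfix-mta-out/transport\n"
               "proxy_read_maps = $transport_maps\n")
MASTER_AFTER = "affiliate unix - - n - - smtp\n  -o smtp_generic_maps=$affiliate_generic_maps\n"
MAIN_AFTER = MAIN_BEFORE.replace("proxy_read_maps = $transport_maps\n",
    "affiliate_generic_maps = ${ldap}generic-ldap.cf\n"
    "proxy_read_maps = $transport_maps $affiliate_generic_maps\n")

if __name__ == "__main__":
    print(unapproved_proxy_tables(MAIN_BEFORE, MASTER_BEFORE))
    print(unapproved_proxy_tables(MAIN_AFTER, MASTER_AFTER))
```
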