On Wed, Mar 06, 2024 at 07:12:18PM -0500, Alex via Postfix-users wrote:

> I have a few postfix systems on fedora38 with nearly identical
> configurations. I'd like to be able to push changes to them from a third
> system without having to login to them directly to do so. What's the
> best/most secure way to do this?

Keep the configurations in a git repository and pull them as root, using
an SSH key in batch mode with a preseeded known-hosts file. Pull only
the source files for tables, and then run "make" to run "postmap", ...

You could use an 'https' git remote URL, but without additional
configuration that trusts too many CAs, so SSH is better.

> For example, I'd like to push the recipient access file to both systems
> since they both relay mail for the same domains. Currently I'm doing this
> with rsync/ssh as root but would like to use a regular user.

That'd be a mistake, Postfix configuration files should belong to root.

> Postfix complains when changing ownership of these files to a regular
> user, so I thought of using setfacl on the individual files I need. Will
> that cause a problem?
>
> # setfacl -m g:appuser:rwx /etc/postfix
> # setfacl -m g:appuser:wx /etc/postfix/client_checks.cidr
> # setfacl -m g:appuser:wx /etc/postfix/recipient_checks
>
> $ postmap recipient_checks
> $ ls -l recipient_checks*
> -rw-rwxr--+ 1 root root 1065 Nov 15 2020 recipient_checks
> -rw-r--r-- 1 appuser appuser 2305 Mar 6 18:37 recipient_checks.cdb

Avoid pushing computed binary artefacts, pull the source and run make.

--
    Viktor.
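
The pull-and-rebuild approach recommended in the reply above, as an added example that is not part of the original thread. The checkout directory, key path, known-hosts path and script name are assumed placeholders; the `cdb` map type is taken from the quoted `ls` output, and a plain shell loop stands in for the "make" step.

```shell
#!/bin/sh
# Added example, not from the thread. All paths below are assumed placeholders.
# Usage (from root's cron or by hand): sh pull-tables.sh run recipient_checks
REPO_DIR=${REPO_DIR:-/etc/postfix/tables}                   # root-owned git checkout
SSH_KEY=${SSH_KEY:-/root/.ssh/postfix_pull_key}             # read-only deploy key
KNOWN_HOSTS=${KNOWN_HOSTS:-/root/.ssh/postfix_known_hosts}  # preseeded git server host key

# ssh invocation for git: never prompt (batch mode), accept only host keys
# already in the preseeded file, and offer only the dedicated key.
git_ssh_command() {
    printf 'ssh -o BatchMode=yes -o StrictHostKeyChecking=yes'
    printf ' -o UserKnownHostsFile=%s -o IdentitiesOnly=yes -i %s' \
        "$KNOWN_HOSTS" "$SSH_KEY"
}

# Print each table source under $1 whose compiled map is missing or older
# than the source: the same decision a "%.cdb: %" make rule would take.
stale_tables() {
    dir=$1; shift
    for name in "$@"; do
        src=$dir/$name
        [ -f "$src" ] || continue
        if [ ! -e "$src.cdb" ] || [ "$src" -nt "$src.cdb" ]; then
            printf '%s\n' "$src"
        fi
    done
}

# Pull sources as root, then compile locally, so the maps stay root-owned
# and no computed binary artefact crosses the network.
pull_and_rebuild() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    GIT_SSH_COMMAND=$(git_ssh_command) git -C "$REPO_DIR" pull --ff-only || return 1
    stale_tables "$REPO_DIR" "$@" | while IFS= read -r src; do
        postmap "cdb:$src" || exit 1
    done
}

if [ "${1:-}" = "run" ]; then
    shift
    pull_and_rebuild "$@"
fi
```

Because the hosts only pull, the central machine needs no login on them, and the deploy key needs only read access to the repository.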