On 1/27/2017 7:03 AM, Wietse Venema wrote:
> Jeremy T. Bouse:
>>> https://www.postgresql.org/docs/current/static/libpq-pgservice.html
>>> https://www.postgresql.org/docs/current/static/libpq-connect.html
>>> https://www.postgresql.org/docs/current/static/libpq-pgpass.html
>>>
>>> I need to test that.
>>>
>>> Regards,
>>> Christoph
>> This would seem like a much cleaner and secure means by which to do
>> it and provide additional configuration options in the process but I'd
>> be curious how it might be affected when using proxy:pgsql:* as well as
>> simply pgsql:* mappings.
> You could set PGPASSFILE via main.cf:export_environment, and set
> permissions (group read for 'postfix').
>
> But, there is no need for passwords in main.cf; If you configure
> the table as pgsql:/path/to/file, you can reduce access permission
> for that file.
>
> Wietse

I downloaded the source code and poked around a little and doing a little testing on my current system... I tried to set up a PGPASSFILE that I 'chmod 0600' and 'chown postfix' then added the export_environment setting to my main.cf pointing to it. When I commented out the 'user' and 'password' sections in my pgsql .cf files and attempted to test using 'postmap -q' I was getting the error:

postmap: warning: connect to pgsql server psqldb.undergrid.net: fe_sendauth: no password supplied?
postmap: fatal: table pgsql:/etc/postfix/pgsql/virtual_domains.cf: query error: Success

When I poked around the /proc filesystem I noticed that only the spawn'd policyd-spf process had the PGPASSFILE value set in the environ file under /proc/<pid> and looking through the source code that seems to be confirmed as I could only find the VAR_EXPORT_ENVIRON being used in global/mail_stream.c, local/command.c, pipe/pipe.c and spawn/spawn.c which doesn't seem to include the processes that would actually be doing the lookups for the virtual_* config settings.
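The /proc check described in the message above can be scripted, shown here as an added example that is not part of the original post or of Postfix. The function name `procs_with_env` and its optional proc-root argument are hypothetical; it lists every process whose environment contains a given variable, without printing the variable's value.

```shell
#!/bin/sh
# Added example: find out which running processes actually inherited a
# variable such as PGPASSFILE.
#
# procs_with_env VAR [PROC_ROOT]
#   Prints "pid<TAB>command" for each process that has VAR set.
#   PROC_ROOT defaults to /proc; the override (an assumption of this
#   example) lets the function run against a constructed directory tree.
procs_with_env() {
    var=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        # Processes may exit mid-scan, and other users' environ files are
        # unreadable without root privileges: skip those entries.
        [ -r "$dir/environ" ] || continue
        # environ is NUL-separated; convert to one entry per line and
        # anchor the match so FOO_PGPASSFILE= does not count.
        # (A value containing a newline could cause a false match.)
        if tr '\0' '\n' 2>/dev/null < "$dir/environ" | grep -q "^${var}="; then
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\n' "${dir##*/}" "$comm"
        fi
    done
}

# Typical use, as root on the mail host:
#   procs_with_env PGPASSFILE
```

A Postfix daemon that performs pgsql lookups but is missing from the output did not receive the variable.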