On 1/30/2017 10:27 AM, Wietse Venema wrote:
> Viktor Dukhovni:
>>> On Jan 30, 2017, at 8:57 AM, Jeremy T. Bouse <jeremy.bo...@undergrid.net>
>>> wrote:
>>>
>>> I also found when
>>> testing with 'postmap -q' I had to include the PGPASSFILE environment
>>> variable as it wasn't being read from main.cf apparently.
>> The "import_environment" setting is used to sanitize the environment
>> in master(8) and setgid programs by removing all variables not listed,
>> and overriding all variables with explicit assignments. This is not
>> appropriate for tools as postmap(1).
> There is no need to store the password in a separate file. Just
> set those restricted permissions on the postfix-mysql cf files,
> and postmap will pick up the password from there.

In this particular use case that I'm working to set up, having the password stored in a single file referenced by an environment variable is a major improvement and simplification. I'm attempting to containerize my entire incoming mail relay system and don't want to store the password within the image, and having to re-generate multiple files successfully upon start up is risking complications.

I've got a Postfix container to build which will reference an Amavis container via container link as well as a PostgreSQL container by container link also. With the container links the hostnames are known so they can be embedded in the necessary config files. I was intending to pass the password into the container via Docker secrets so it needs to be read via an in-memory only FD and I can actually pass that in PGPASS file format and then just reference the location of that in-memory FD as PGPASSFILE to Postfix at startup using postconf, which is a much simpler approach than having to re-generate all the .cf files.

> That said, postmap and other programs already depend on main.cf
> settings, so respecting import_environment might actually help to
> make program behavior more consistent. What do you think?
>
> Wietse

It would make a lot of sense if all the postfix utilities had access to the same. I had run postmap without passing the PGPASSFILE environment on my command call because I had assumed that was the case. Consistency would help with validation of the configuration.
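
A startup check for the setup discussed in this thread, as an added example that is not part of the original messages or of Postfix: libpq ignores a password file that is not a plain file or that group or others can access, so the script verifies the file before adding PGPASSFILE to import_environment without dropping the entries already there. The PGPASS_SECRET variable and both function names are hypothetical, and the merge assumes an import_environment value without "{ }" groups.

```shell
#!/bin/sh
# Added example: pre-flight checks before exporting PGPASSFILE to Postfix.

# Succeeds only if $1 is a password file that libpq will actually use.
pgpass_ok() {
    f=$1
    [ -f "$f" ] || { echo "pgpass: not a regular file: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "pgpass: group/other access on $f, libpq would ignore it" >&2
        return 1
    }
    # Each entry is hostname:port:database:username:password; "\" escapes
    # the next character, so drop escaped pairs before counting fields.
    awk '/^#/ || /^[ \t]*$/ { next }
         { s = $0; gsub(/\\./, "", s)
           if (split(s, a, ":") != 5) bad = 1 }
         END { exit bad + 0 }' "$f" || {
        echo "pgpass: malformed entry in $f" >&2
        return 1
    }
}

# Print import_environment value $1 with PGPASSFILE=$2 appended, replacing
# any earlier PGPASSFILE entry and keeping every other name intact.
merge_import_env() {
    out=
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            PGPASSFILE|PGPASSFILE=*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "${out:+$out }PGPASSFILE=$2"
}

# Runs only when PGPASS_SECRET (hypothetical variable) names the secret file.
if [ -n "${PGPASS_SECRET:-}" ]; then
    pgpass_ok "$PGPASS_SECRET" || exit 1
    current=$(postconf -h import_environment)
    postconf -e "import_environment = $(merge_import_env "$current" "$PGPASS_SECRET")"
fi
```

The file must also be readable by the account that performs the lookup, which the mode check alone does not establish.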