----- Message from Matus UHLAR - fantomas <uh...@fantomas.sk> ---------
Date: Sun, 21 Mar 2021 15:26:12 +0100
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject: Re: upgrade 2.10 - 3.3 config compatibility
To: postfix-users@postfix.org
I have a well established 2.10 Postfix instance on 2.10 (CentOS7)
which is to be migrated to a new machine running Postfix 3.3 (on
RHEL8).
I've been reading
http://www.postfix.org/COMPATIBILITY_README.html, and from what I
can see the backward compatibility issues I may run into are (with
existing config from 2.10)
- append_dot_mydomain (not explicitly set on 2.10, i.e. implicitly "yes")
- chroot (explicitly set to n on 2.10 in master.cf)
- smtpd_relay_restrictions (explicitly set to empty on 2.10)
- mynetworks_style (not explicitly set on 2.10, i.e. implicitly "subnet")
- relay_domains (not explicitly set on 2.10, i.e. implicitly
"$mydestination")
To re-use the existing configuration I'm thinking I need to:
1. explicitly set append_dot_mydomain to yes
2. explicitly set mynetworks_style to subnet (2.10 config =
"mynetworks = 127.0.0.0/8, 192.168.1.0/24")
3. explicitly set relay_domains=$mydestination
If I do those should I explicitly set compatibility_level, or
would it not be needed because I have addressed the compatibility
issues?
And are there any other 'gotchas' to be aware of with this upgrade?
On 21.03.21 21:57, Simon Wilson wrote:
Ok, I migrated the config from the 2.10 server, and added new
specific configuration items for:
append_dot_mydomain = yes
localhost is in mydestination, so the first message noted at
http://www.postfix.org/COMPATIBILITY_README.html won't happen...
mydomain is not explicitly set, so postconf -d tells me it is
'simonandkate.lan', as expected. Local servers using this server as
SMTP do send using emails without FQDN - hence I set
append_dot_mydomain = yes. Is that incorrect? The test I suppose would
be to unset it, put compatibility_level to less than 1 and monitor?
mynetworks_style = subnet
relay_domains = $mydestination
I recommend avoiding setting any, unless you really need them.
it's better to explicitly configure "mynetworks" to your local subnets.
mynetworks is explicitly set already:
[root@emp87 ~]# postconf -n | grep "mynetworks ="
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 103.16.129.171
...re-reading the doco
http://www.postfix.org/postconf.5.html#mynetworks, I do *not* need to
set mynetworks_style... thank you, corrected.
and using only relay_domains makes sense if you are relay for anyone.
The server is set to reject_unauth_destination:
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/client_checks, permit_mynetworks,
check_recipient_access hash:/etc/postfix/recipient_access,
reject_unauth_destination, check_sender_access
hash:/etc/postfix/sender_access, reject_unauth_pipelining,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender, reject_unknown_sender_domain,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org, check_policy_service
unix:private/policyd-spf permit
If relay_domains is empty, will it still accept to act as a local
network relay (with restricted access) to domains listed in
mydestination from mynetworks - I assume yes, from
'permit_mynetworks'? In which case, I can leave relay_domains blank?
With those set, all services in master.cf explicitly chroot=n, and
compatibility_level set to 99
don't do this. You never know what changes in the future and will require
your intervention.
I've removed mynetworks_style based on improved knowledge as noted
above; commented out append_dot_mydomain and relay_domains, have set
compatibility_level to 0, and will monitor for messages.
Thanks
Simon
--
Simon Wilson
M: 0400 12 11 16
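
An added example, not part of the original message or of Postfix itself: a small audit of `postconf -n` (or `postconf -nf`) output that reports which of the main.cf parameters named in this thread are set explicitly and which still rely on the implicit 2.10 values the thread lists. The sample input is constructed, the function names are hypothetical, and the chroot setting is not covered because it lives in master.cf.

```python
# Implicit 2.10 values exactly as stated in the thread above.
LEGACY_DEFAULTS = {
    "append_dot_mydomain": "yes",
    "mynetworks_style": "subnet",
    "relay_domains": "$mydestination",
}

# Constructed sample modelled on the settings quoted in the thread.
SAMPLE = """\
compatibility_level = 0
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last:
            # Folded continuation line, as produced by `postconf -f`.
            params[last] = (params[last] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(text):
    """Return {parameter: status} for the parameters in LEGACY_DEFAULTS."""
    params = parse_postconf(text)
    report = {}
    for name, legacy in LEGACY_DEFAULTS.items():
        if name in params:
            report[name] = "explicit: " + repr(params[name])
        elif name == "mynetworks_style" and "mynetworks" in params:
            # Point made in the thread: an explicit mynetworks makes the style moot.
            report[name] = "ignored: mynetworks is set explicitly"
        else:
            report[name] = "implicit: was " + repr(legacy) + " on 2.10"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Parameters reported as "implicit" are the ones to watch for backwards-compatibility warnings in the mail log after the move.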