I have a well-established Postfix 2.10 instance
(CentOS7) which is to be migrated to a new machine running
Postfix 3.3 (on RHEL8).
I've been reading
http://www.postfix.org/COMPATIBILITY_README.html, and from what
I can see the backward compatibility issues I may run into are
(with existing config from 2.10)
- append_dot_mydomain (not explicitly set on 2.10, i.e. implicitly "yes")
- chroot (explicitly set to n on 2.10 in master.cf)
- smtpd_relay_restrictions (explicitly set to empty on 2.10)
- mynetworks_style (not explicitly set on 2.10, i.e. implicitly "subnet")
- relay_domains (not explicitly set on 2.10, i.e. implicitly
"$mydestination")
To re-use the existing configuration I'm thinking I need to:
1. explicitly set append_dot_mydomain to yes
2. explicitly set mynetworks_style to subnet (2.10 config =
"mynetworks = 127.0.0.0/8, 192.168.1.0/24")
3. explicitly set relay_domains=$mydestination
If I do those should I explicitly set compatibility_level, or
would it not be needed because I have addressed the
compatibility issues?
And are there any other 'gotchas' to be aware of with this upgrade?
On 21.03.21 21:57, Simon Wilson wrote:
Ok, I migrated the config from the 2.10 server, and added new
specific configuration items for:
append_dot_mydomain = yes
On 22.03.21 10:17, Simon Wilson wrote:
localhost is in mydestination, so the first message noted at
http://www.postfix.org/COMPATIBILITY_README.html won't happen...
mydomain is not explicitly set, so postconf -d tells me it is
'simonandkate.lan', as expected. Local servers using this server as
SMTP do send using emails without FQDN - hence I set
append_dot_mydomain = yes. Is that incorrect? The test I suppose would
be to unset it, put compatibility_level to less than 1 and monitor?
you can set it as you want/need. If you set it to any value, you don't have to
take care of compatibility_level:
compatibility_level only affects default values, which is only problem if
you rely on defaults (and they change).
and using only relay_domains makes sense if you are a relay for anyone.
The server is set to reject_unauth_destination:
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policyd-spf
    permit
If relay_domains is empty, will it still accept to act as a local
network relay (with restricted access) to domains listed in
mydestination from mynetworks - I assume yes, from
'permit_mynetworks'? In which case, I can leave relay_domains blank?
relay_domains is the list of destination domains postfix accepts mail for, but
relays them to other servers (e.g. via transport_maps).
If you don't use this functionality, you can keep it empty.
setting relay_domains to mydestination (default for compatibility_level<2)
and parent_domain_matches_subdomains to include "relay_domains" means that
your mailserver accepts mail for all subdomains under domains in
"mydestination" and tries to pass it further.
I personally recommend to have parent_domain_matches_subdomains empty and
specify including subdomains as ".example.com"
With those set, all services in master.cf explicitly chroot=n, and
compatibility_level set to 99
don't do this. You never know what changes in the future and will require
your intervention.
I've removed mynetworks_style based on improved knowledge as noted
above; commented out append_dot_mydomain and relay_domains, have set
compatibility_level to 0, and will monitor for messages.
mynetworks_style is not used if you have configured mynetworks.
if you have configured all options needed, or you don't care about their
values, you can set compatibility_level=2
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".