[pfx] Re: server does not pick up new certificates

2023-07-25 Thread Olivier via Postfix-users
lejeczek via Postfix-users  writes:

> On 23/07/2023 22:44, Viktor Dukhovni via Postfix-users wrote:
>> On 23 Jul 2023, at 4:21 pm, Charles Sprickman via Postfix-users 
>>  wrote:
>>
>>> In the case of the dehydrated ACME client
>>> (https://github.com/dehydrated-io/dehydrated) there's an option to run
>>> a bunch of commands on successful update, including something like
>>> "postfix reload" - one could also insert an email or other command to
>>> note the update. I can't imagine other ACME clients don't offer a
>>> similar function...
>> The "certbot" ACME client offers post-hooks, but they're not "reliable".
>> If the hook fails or doesn't run, it won't be retried.  A robust
>> "post-hook" should have "at least once" semantics, its implementation
>> should be idempotent, and it should be retried until it succeeds.
>>
> I have had those hooks doing 'postmap' for the SNI map and then 
> I found myself in the situation originally described 
> here - thus asking the list, for I got quite confused, 
> thinking 'postfix' might be keeping those even closer to the 
> chest than what was obvious.
> But between the two - having more direct/dynamic pointers to 
> the certs/keys VS a more secure 'postfix' (as the guys explained) 
> as it is with lookup/cached tables - I'm thinking... that 
> certbot's hooks is what I'll keep using, only I need to invest 
> more there.

I have developed my own solution, with a database backend. One script
updates the certificates in the database (with certbot or acme.sh and DNS
authorization), other scripts upload the certificates to each server and
restart what needs to be restarted.

It works well for Postfix, but also for Apache, OpenLDAP, FreeRADIUS, VMware
ESXi, ...

Olivier
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
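Viktor's requirement above (at-least-once, idempotent, retried until it succeeds) in runnable form, as an added example that is neither certbot's nor Postfix's code and not the scripts Olivier describes. The deploy hook only stages the renewed files and drops a marker; a second job, run from cron, reconciles the staged files into the Postfix directory by hash, runs `postmap -F` for the SNI map and `postfix reload`, and clears the marker only after every command succeeded, so a failed or interrupted run is simply repeated. certbot's `RENEWED_LINEAGE` environment variable and `postmap -F` are real; the staging directory, marker file name, SNI map path, destination directory and the cron-driven second step are assumptions made for this example.

```python
"""Idempotent, retriable certificate deployment for Postfix (added example).

Assumes a certbot-style lineage directory holding fullchain.pem and
privkey.pem; certbot exports RENEWED_LINEAGE to --deploy-hook scripts.
Staging path, marker name and the SNI map path are assumed placeholders.
"""
import hashlib
import os
import shutil
import subprocess
from pathlib import Path

CERT_FILES = ("fullchain.pem", "privkey.pem")
MARKER = "PENDING"   # present => work was recorded but has not completed

# Post-install commands, run in order; each must exit 0 before the marker
# is cleared. "postmap -F" rebuilds a tls_server_sni_maps table whose values
# are file names, "postfix reload" makes smtpd pick up the new files.
DEFAULT_COMMANDS = (
    ("postmap", "-F", "hash:/etc/postfix/sni_map"),   # assumed map path
    ("postfix", "reload"),
)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stage_renewal(lineage: Path, staging: Path) -> Path:
    """Step 1, called from the ACME client's deploy hook.

    Only records that work is pending: copies the renewed files into the
    staging directory and touches a marker. Nothing here talks to Postfix,
    so a hook that dies half-way leaves at most a stale copy that the next
    reconciliation run will replace.
    """
    staging.mkdir(parents=True, exist_ok=True)
    for name in CERT_FILES:
        tmp = staging / (name + ".tmp")
        shutil.copyfile(lineage / name, tmp)
        os.replace(tmp, staging / name)          # atomic per file
    marker = staging / MARKER
    marker.touch()
    return marker


def deploy_pending(staging: Path, dest: Path,
                   commands=DEFAULT_COMMANDS, run=subprocess.run) -> str:
    """Step 2, run from cron every few minutes (this gives at-least-once).

    Idempotent: a file is rewritten only when its hash differs, the
    post-install commands run whenever the marker exists, and the marker is
    removed only after all commands succeeded. Any failure keeps the marker,
    so the next run repeats the whole step.
    """
    marker = staging / MARKER
    if not marker.exists():
        return "noop"
    dest.mkdir(parents=True, exist_ok=True)
    installed = False
    for name in CERT_FILES:
        src, dst = staging / name, dest / name
        if dst.exists() and sha256_of(src) == sha256_of(dst):
            continue
        tmp = dest / (name + ".tmp")
        shutil.copyfile(src, tmp)
        os.chmod(tmp, 0o600 if name == "privkey.pem" else 0o644)
        os.replace(tmp, dst)                     # readers never see a torn file
        installed = True
    for cmd in commands:
        if run(list(cmd), check=False).returncode != 0:
            return "retry"                       # marker kept; cron retries
    marker.unlink()
    return "installed" if installed else "reloaded"


if __name__ == "__main__":
    import sys
    staging_dir = Path("/var/lib/acme-deploy/staging")   # assumed
    if sys.argv[1:] == ["stage"]:
        # certbot ... --deploy-hook "/usr/local/sbin/deploy.py stage"
        stage_renewal(Path(os.environ["RENEWED_LINEAGE"]), staging_dir)
    else:
        # cron: */5 * * * * /usr/local/sbin/deploy.py
        print(deploy_pending(staging_dir, Path("/etc/postfix/tls")))
```

The split matters: the hook's only job is to make the pending work durable, and the cron job is the retry loop. Because `deploy_pending` reloads whenever the marker is present (not only when a file changed), a run that installed the files but failed on `postfix reload` is completed by the next run instead of being silently forgotten.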


[pfx] Re: sender_dependend_relay_host_maps and local recipients

2023-07-25 Thread Robert Senger via Postfix-users
Thanks Wietse, that works. Almost... I had to add
"receive_override_options = no_address_mappings,
no_unknown_recipient_checks" to make sure local recipients/aliases are
preserved, and moved that to a separate smtpd port that I use only
for sending through external ESP servers. Now it all works as desired.

Regards,

Robert


On Monday, 24.07.2023 at 14:18 -0400, Wietse Venema via
Postfix-users wrote:
> Robert Senger via Postfix-users:
> > Hi Viktor,
> > 
> > thank you. So, it's not possible to route email differently when sent
> > from an authenticated user through port 587 than incoming email
> > sent through port 25? This would avoid a loop, as far as I understand
> > things...
> 
> Postfix routing does not care if email was received via MUA service
> (submission), MTA service (port 25), command line, or otherwise.
> 
> You can override routing in the port 587 SMTP daemon with content
> filter actions, for example, a check_sender_access map with
> "u...@example.net FILTER smtp:isp-for-example-net" but configuration
> will be simpler without context-dependent routing.
> 
>     Wietse
> 
> > I think I'll set up a separate instance for the external accounts
> > in
> > the long run.
> > 
> > Regards, 
> > 
> > Robert
> > 
> > 
> > On Monday, 24.07.2023 at 10:00 -0400, Viktor Dukhovni
> > via Postfix-users wrote:
> > > On Mon, Jul 24, 2023 at 03:53:17PM +0200, Robert Senger via
> > > Postfix-users wrote:
> > > 
> > > > I have a few freemail accounts that I use mainly for testing and
> > > > special purposes. All those accounts are forwarding incoming mail to
> > > > a corresponding account at my own server, like
> > > > "r.senger_@example.com". For sending, I've defined
> > > > sender_dependent_relayhost_maps that relay all mail sent by any of
> > > > these accounts to the ESP's smtp server (credentials stored in
> > > > sasl_passwd).
> > > > 
> > > > That works fine as long as mail is sent to foreign domains. But if I
> > > > send mail from one of these local accounts to any recipient at the
> > > > local domain, e.g. robert.sen...@example.com, it gets delivered
> > > > locally rather than through the ISP's server, since
> > > > sender_dependent_relayhost_maps has low priority. This can for
> > > > example cause issues if the mail goes to a locally hosted mailing
> > > > list, since it misses the ESP's DKIM signature when sent out to the
> > > > subscribers.
> > > > 
> > > > Is there a possibility to get all mail sent from a certain local
> > > > authenticated user through an external relay, even if the recipient
> > > > is a local virtual user?
> > > > 
> > > > I know I could configure the MUA to use the ESP's smtp server, but
> > > > that's not desired. I think a multi instance setup could do that
> > > > job, but that requires a lot of reconfiguration of the system.
> > > 
> > > What you propose would loop, when the mail returns to your system for
> > > delivery.  The simplest approach is a separate Postfix instance for
> > > outbound mail that does not have any "local" domains; all mail is
> > > relayed somewhere else, possibly to the inbound instance for local
> > > delivery.
> > > 
> > >     https://www.postfix.org/MULTI_INSTANCE_README.html
> > > 
> > 
> > -- 
> > Robert Senger
> > 
> > 
> > 

-- 
Robert Senger



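Wietse's check_sender_access/FILTER suggestion combined with the receive_override_options Robert reports needing, as an added configuration example (not configuration posted in the thread): a dedicated listener used only by the identities that must leave through the ESP, where every message from a listed envelope sender is handed to the ESP transport whatever the recipient. The port number 10587, the map path /etc/postfix/esp_senders, the parameter name esp_out_sender_restrictions, the syslog_name and the ESP host smtp.esp.example are placeholders assumed for this example; check_sender_access, the FILTER action, receive_override_options and the master.cf -o syntax are standard Postfix.

```conf
# main.cf (fragment)
# The restriction list lives in main.cf so that the master.cf -o line below
# contains no spaces.
esp_out_sender_restrictions =
    check_sender_access hash:/etc/postfix/esp_senders

# master.cf (fragment): listener used only for mail that must go out via the ESP.
# no_address_mappings and no_unknown_recipient_checks are the two override
# options from Robert's working setup; they keep alias/virtual rewriting and
# local recipient validation off this path so the ESP receives the original
# recipient addresses.
10587     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/esp-out
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=$esp_out_sender_restrictions
  -o receive_override_options=no_address_mappings,no_unknown_recipient_checks

# /etc/postfix/esp_senders (rebuild with: postmap hash:/etc/postfix/esp_senders)
# FILTER overrides the transport:nexthop for the whole message, so a message
# whose recipient is in a local domain is still sent to the ESP instead of
# being delivered locally.
r.senger_@example.com   FILTER smtp:[smtp.esp.example]:587
```

The nexthop in the FILTER action must match the key used in the existing sasl_passwd table so the SASL credentials already configured for the ESP are found. Mail from these senders leaves through the ESP, is DKIM-signed there, and comes back to the ordinary port 25 listener, where no FILTER applies, for local delivery; that is why this per-port override does not produce the loop Viktor warned about for relaying everything. The access map is keyed on the envelope sender, so if more than one user authenticates on this port, pair it with smtpd_sender_login_maps and reject_sender_login_mismatch so one account cannot send as another.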