Skip to content

Add SQL backend files #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add SQL backend files #5

wants to merge 1 commit into from

Conversation

PhrozenByte
Copy link

@PhrozenByte PhrozenByte commented Sep 11, 2016
edited
Loading

If you don't want to use a plain file Postfix lookup table to manage TLS policy maps, but a SQL backend, you'll very likely find the files in this directory helpful. You can use them as follows:

  1. Create a tls_policy table in the SQL database you want to use with Postfix. You can use the provided scheme.sql if you want to.

  2. Create a proxy configuration file (e.g. /etc/postfix/tls_policy.cf) to tell Postfix the SQL query to use. You can again use the provided postfix_proxy.cf as a blueprint, but don't forget to change username and password.

  3. Configure Postfix to actually use the proxy configuration file by setting the smtp_tls_policy_maps parameter in Postfix's main.cf accordingly. Don't forget to reload/restart Postfix afterwards.

    smtp_tls_policy_maps = mysql:/etc/postfix/tls_policy.cf

  4. Use the provided update_database.sh to convert the plain file Postfix lookup table to SQL queries and execute them. You can e.g. simply pipe stdout of the script to the mysql command.

    $ ./update_database.sh ../tls_policy | mysql --user=db_user --password "db_name"

    You can change the built-in SQL query template by setting the environment variable TEMPLATE. You can use the placeholders {domain}, {policy} and {params} in the template. As a reference, this is the script's default template:

    DELETE FROM tls_policy WHERE domain = '{domain}'; INSERT INTO tls_policy (domain, policy, params) VALUES ('{domain}', '{policy}', '{params}');

  5. You may want to repeat Step 4 on a regular basis (e.g. weekly) to always use the newest upstream TLS policy maps on your server. The provided update_database.sh always validates the policy file before converting it into SQL queries, so you can safely automatize this task with a cronjob. The following crontab line is intended to provide inspiration for you to create your own cronjob (it will work with Debian only). Most importantly, you'll have to find a way to safely pass the password of the SQL user to the cronjob.

    0 4  * * 7   root    curl -sS "https://raw.githubusercontent.com/csware/postfix-tls-policy/master/tls_policy" | /path/to/update_database.sh - | mysql --defaults-file="/etc/mysql/debian.cnf" --silent "db_name"

@PhrozenByte
Add SQL backend files
ebae15f 
If you don't want to use a plain file Postfix lookup table to manage TLS policy maps, but a SQL backend, you'll very likely find the files in this directory helpful.

See sql/README.md for details.
@macgeneral
Copy link

I would change the sql query in sql/postfix_proxy.cf to:
query = SELECT policy, CASE WHEN params = '' THEN ' ' ELSE params END AS params FROM tls_policy WHERE domain = '%s'
to avoid error messages of the kind:

postfix/postmap[]: warning: table "mysql:/etc/postfix/sql/tls_policy.cf": empty lookup result for: "domain.tld" -- ignored

if the params column is empty (postfix doesn't like null results)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@PhrozenByte @macgeneral