From e868450cf54326aaefd1f3c1e965e0df3a68578c Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 28 Sep 2022 02:53:50 +0200
Subject: [PATCH] fix(postfix): rework postscreen integration

This patch sets the postscreen config options more explicitly and provides enables the TLS proxy, which should allow proper TLS access directly within postscreen. It seems this resolved the weird latency issues we saw previously.
---
 images/postfix/config/main.cf | 4 ++--
 images/postfix/config/master.cf | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/images/postfix/config/main.cf b/images/postfix/config/main.cf
index 11281de1a..d11e4e34f 100644
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -87,6 +87,8 @@ virtual_transport = lmtp:inet:dovecot-internal:24
 ## Postscreen Configuration ##
+postscreen_upstream_proxy_protocol = haproxy
+postscreen_upstream_proxy_timeout = 5s
 postscreen_access_list = permit_mynetworks
 postscreen_blacklist_action = drop
 postscreen_greet_action = ignore
@@ -172,5 +174,3 @@ maximal_queue_lifetime = 1d
 bounce_queue_lifetime = 1d
 unverified_recipient_reject_code = 577
 compatibility_level = 2
-
-postscreen_upstream_proxy_protocol = haproxy
diff --git a/images/postfix/config/master.cf b/images/postfix/config/master.cf
index 3002042fa..e556ec4b8 100644
--- a/images/postfix/config/master.cf
+++ b/images/postfix/config/master.cf
@@ -3,11 +3,13 @@
 # (yes) (yes) (yes) (never) (100)
 # ==========================================================================
 10025 inet n - - - 1 postscreen
+ -o postscreen_upstream_proxy_protocol=haproxy
+ -o syslog_name=postfix/10025
 smtpd pass - - - - - smtpd
 -o smtpd_tls_received_header=yes
 -o content_filter=
 dnsblog unix - - - - 0 dnsblog
-#tlsproxy unix - - - - 0 tlsproxy
+tlsproxy unix - - - - 0 tlsproxy
 #smtps inet n - - - - smtpd
 # -o syslog_name=postfix/smtps
 # -o smtpd_tls_wrappermode=yes
-- 
GitLab
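Review bot: In the first main.cf hunk, `postscreen_upstream_proxy_protocol = haproxy` makes postscreen take the client address from the PROXY header, so `postscreen_access_list = permit_mynetworks` two lines below is evaluated against an address that whoever sends the header supplies. As far as I know Postfix has no setting that limits which peers may send that header, so port 10025 must be reachable only from the load balancer; that restriction is not visible in this patch and should be confirmed in the network policy or firewall. I would record the assumption next to the setting: `# PROXY header is trusted here: 10025 must only be reachable from the load balancer`. `postscreen_upstream_proxy_timeout = 5s` equals the documented default, so it is explicit configuration rather than a behaviour change.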
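Review bot: In the master.cf hunk, the `-o postscreen_upstream_proxy_protocol=haproxy` override on the 10025 listener repeats the value main.cf now sets globally, so the two copies can drift apart. Keeping only the per-service override would scope PROXY parsing to this listener and leave any postscreen service added later unaffected. Separately, uncommenting `tlsproxy` only matters if postscreen offers STARTTLS, which depends on `postscreen_tls_security_level` (by default inherited from `smtpd_tls_security_level`); neither is visible in this patch, so confirm one of them is set in main.cf. A comment above the entry such as `# tlsproxy: needed for STARTTLS while postscreen still owns the connection` would record why it is enabled.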