Debian Postfix v2 to v3 notes – including postmulti setup

Upgrading Postfix configurations from Jessie to Stretch was ‘challenging’: it works, but required manual startup rather than auto start on boot. Systemd being an annoyance, and with the zoos config deemed bad or not as trendy as some newer configs, I had to set up postmulti and learn systemd syntax to auto start it.

postfix upgrade-configuration resulted in these changes to already working postfix configurations (one per directory)

Upgrading Postfix

Editing /etc/postfix/master.cf, adding missing entry for postscreen TCP service
Editing /etc/postfix/master.cf, adding missing entry for smtpd unix-domain service
Editing /etc/postfix/master.cf, adding missing entry for dnsblog unix-domain service
Editing /etc/postfix/master.cf, adding missing entry for tlsproxy unix-domain service

Note: the following files or directories still exist but are no
longer part of Postfix:

/etc/postfix/postfix-script /etc/postfix/post-install
/usr/share/doc/postfix/QMQP_README

COMPATIBILITY: editing /etc/postfix/main.cf, setting
inet_protocols=ipv4. Specify inet_protocols explicitly if you want
to enable IPv6. In a future release

Version 2 issues

Chroot issues: you'll be doing a lot of this, as - does not mean n

submission inet n - - - - smtpd

to

submission inet n - n - - smtpd

I left mine unchrooted as I did not want to fight battles with sasl sockets and milters.
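Added example (not from the original post): these shell functions list the master.cf entries whose chroot column is still -, and rewrite them to an explicit y or n so the entry no longer depends on which default the running Postfix applies. The master.cf content and the function names are constructed for illustration.

```shell
#!/bin/sh
# master.cf columns: service type private unpriv chroot wakeup maxproc command
# A "-" in column 5 means "use the default", which is what changed meaning.

# Constructed sample, not the author's master.cf.
sample_master_cf() {
cat <<'EOF'
# service  type  private unpriv  chroot  wakeup  maxproc command
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
pickup     unix  n       -       y       60      1       pickup
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
EOF
}

# Print "line service/type command" for every entry that relies on the default.
# Comments, blank lines and continuation lines (leading whitespace) are skipped.
implicit_chroot() {
    awk '/^#/ || /^[ \t]/ || /^$/ { next }
         NF >= 8 && $5 == "-" { printf "%d %s/%s %s\n", NR, $1, $2, $8 }' "$1"
}

# Emit the file with every implicit chroot column pinned to $2 (y or n),
# keeping the original column padding and leaving all other lines unchanged.
pin_chroot() {
    case "$2" in y|n) ;; *) echo "usage: pin_chroot FILE y|n" >&2; return 2 ;; esac
    col='[^[:space:]]+[[:space:]]+'
    sed -E "s/^([^[:space:]#][^[:space:]]*[[:space:]]+${col}${col}${col})-([[:space:]])/\\1$2\\2/" "$1"
}

# Demo on the sample: list the ambiguous entries, then pin them to "n".
t=$(mktemp)
sample_master_cf > "$t"
implicit_chroot "$t"
pin_chroot "$t" n
rm -f "$t"
```

Run `implicit_chroot /etc/postfix/master.cf` against each instance directory before and after the upgrade; an empty result means every service states its chroot setting explicitly.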

New features for v3

Quick Mail Queueing Protocol is, I think, something to do with the 628 setting in master.cf that has been commented out for years. Quite what it does is still a mystery.

Postmulti

Meant copying directories and moving them, as postmulti likes /etc/postfix-1 /etc/postfix-2 rather than /etc/postfix/1. As an obliging ape I did that, inited the settings in /etc/postfix (different to postfix-1 etc) and imported with postmulti -e import -I postfix-1 -G mta

postmulti works to start: postmulti -p start|stop|reload|status

The systemd config changed on Debian Stretch to do it via group rather than the broken example in postfix@.service

I used a variant of

postmulti -g mta -p start

rather than postmulti -i %i -p eatbanana

I got friendly with postmulti first rather than wonder why the fuck systemd was doing what it was doing.

So it kind of works – I really should recreate my postfix config of over ten years but it is a lot of work and is spammer proof and a lot of other features that a new instance of postmulti mostly have.

systemctl status postfix
● postfix.service - Postfix Mail Transport Agent (instance )
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset:
Active: active (running) since x BST; x ago
Docs: man:postfix(1)
Process: 15310 ExecStop=/usr/sbin/postmulti -g mta -p stop (code=exited, status=0/SUCCESS)
Process: 15669 ExecStart=/usr/sbin/postmulti -g mta -p start (code=exited, status=0/SUCCESS)
Process: 15609 ExecStartPre=/usr/lib/postfix/configure-instance.sh (code=exited, status=0/SUCCESS)
Main PID: 2255 (code=exited, status=0/SUCCESS)
Tasks: 14 (limit: 4915)
CGroup: /system.slice/postfix.service
├─15753 /usr/lib/postfix/sbin/master -w
├─15755 pickup -l -t fifo -u
├─15756 qmgr -l -t fifo -u
├─15836 /usr/lib/postfix/sbin/master -w
├─15837 pickup -l -t fifo -u
├─15838 qmgr -l -t fifo -u
├─15916 /usr/lib/postfix/sbin/master -w
├─15917 pickup -l -t fifo -u
├─15918 qmgr -l -t fifo -u
├─15996 /usr/lib/postfix/sbin/master -w
├─15997 pickup -l -t fifo -u
├─15998 qmgr -l -t fifo -u
├─16151 tlsmgr -l -t unix -u
└─16307 tlsmgr -l -t unix -u

Jul 11 11:03:01 mail2 postfix-x/smtpd[*]:

I managed to send mail to Gmail, and the existing config plus upgrades appears to sign and validate on DKIM and SPF.

Being bananas in the Falklands, some wit from systemd will probably overwrite my systemd postfix service file in the future just to make my life enjoyable, as I am no expert with this limiting software and put it in the wrong place.

On a plus note I have a backup of my older postfix configs – who says systemd has good points*

*this is called sarcasm

Further Debian Stretch as a server notes

rounding up the fairies

Following on from this, I continue my bug upgrade hunt. It's not over.

I have mentioned many of these items before in this blog; it is not my job to tell you what they are.

Apache/Perl

Rkhunter says:

Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

Might explain why perl did not exec via my ‘old’ cgi scripts as on Jessie

Opendkim / Postfix

I ‘needed’ an extra line (also in /etc/default/opendkim)

PidFile /var/run/opendkim/opendkim.pid

in opendkim.conf – mail was being sent without dkim

I appear to not have dkim signatures in outbound email. opendkim-testkey thinks its config is good; I think it might be easier to reconfigure postfix from scratch. It is not milter_protocol = 6 and 2 does not work. Um, no idea. Opendkim seems up but not connected.

Opendkim was not working. Eventually this (not here) clued me in that the opendkim config files were fine but the systemd script was buggered

So if your config files are right but the daemon refuses to follow orders, try this

edit /lib/systemd/system/opendkim.service

from this

[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
User=opendkim
UMask=0007
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

to

[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
User=opendkim
UMask=0007
# opendkim(8) documents the TCP socket form as inet:port[@host]
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:8891@localhost
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

run (as root)

  • systemctl daemon-reload
  • /etc/init.d/opendkim restart
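Added example (not from the original post, and not the Debian package's own files): instead of editing /lib/systemd/system/opendkim.service in place, the same ExecStart change can live in a drop-in under /etc/systemd/system, which package upgrades leave alone. The function names are illustrative, only one socket is passed, and the socket spec is written in the inet:port@host form that opendkim(8) documents.

```shell
#!/bin/sh
# Classify an opendkim -p socket spec against the forms in opendkim(8):
# local:path, inet:port[@host], inet6:port[@host].
check_socketspec() {
    case "$1" in
        local:/*)       echo unix; return 0 ;;
        inet:*|inet6:*) rest=${1#*:} ;;
        *)              echo malformed; return 1 ;;
    esac
    port=${rest%%@*}
    case "$port" in ''|*[!0-9]*) echo malformed; return 1 ;; esac
    case "$rest" in
        *@localhost|*@127.0.0.1|*@::1) echo loopback ;;
        *@?*)                          echo named-host ;;
        *)                             echo no-host ;;  # not pinned to an address
    esac
}

# Write a drop-in that replaces ExecStart and leaves the packaged unit in
# /lib/systemd/system untouched, so a package upgrade does not undo the change.
# $1 = drop-in directory, $2 = socket spec (only loopback or local is accepted)
write_opendkim_dropin() {
    kind=$(check_socketspec "$2") || { echo "bad socket spec: $2" >&2; return 1; }
    case "$kind" in loopback|unix) ;; *) echo "not local: $2" >&2; return 1 ;; esac
    mkdir -p "$1" || return 1
    cat > "$1/override.conf" <<EOF
[Service]
# The empty ExecStart= clears the packaged command first; a Type=forking
# unit may have only one ExecStart.
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p $2
EOF
}

# Demo: a colon-separated spec, the documented form, and a spec with no host.
for s in inet:8891:localhost inet:8891@localhost inet:8891; do
    printf '%s -> %s\n' "$s" "$(check_socketspec "$s")"
done
# Real use, as root:
#   write_opendkim_dropin /etc/systemd/system/opendkim.service.d inet:8891@localhost
#   systemctl daemon-reload && systemctl restart opendkim
```

`systemctl cat opendkim` shows the packaged unit followed by the drop-in, which confirms the override is the one in effect.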

I hate systemd – that caused me six days of bug hunting; it is limiting

Postfix needs a blog post on its own.

Opendmarc

I needed to re-enable it to start on boot. Oh the joys of systemd, where init.d is thought of as an unreliable forgetful moron and systemd knows best when clearly it is as fucked up

It still did connect so it is a journey in systemd to fix (see opendkim magic above)

dmarc reports does not like interval and day together which appeared ok in Jessie

It is still a bit broken so nobody is being sent reports – not that many dmarc enabled domains who ‘specialise’ in just that really care about (my blog). HistoryFile does not record data – why – no idea

-rw-rw-r-- 1 opendmarc opendmarc 0 Jul 10 10:08 opendmarc.log

So a headscratcher – and not something I can fix.

Postgres 9.4

I chowned a snakeoil key – tested; more cosmetic this than an issue, which continues from Jessie.

Logwatch

Is a useful thing in my opinion, although a little lacking in places; moves from 7am to midnight for timing

Bind

Stops telling you if you do not have a specific spf record even though I have text records containing spf for the benefit of all the mostly retarded who run Microsoft Windows servers who have issues

mod_defensible

Jury is out on if this is broken or the dns is bad. Or alternatively no rbl listed IPs visited.

To fix

opendmarc logging, postfix startup, mod_defensible

Would I recommend the upgrade – at this point no.