  #1 (permalink)  
Old 04-07-2008, 06:05 PM
Moderator
 
Posts: 1,209
Default [SOLVED] Permanent Postfix main.cf Changes Under ZCS 5.0.x

We just upgraded to ZCS 5.0.4.

While we expected our Postfix main.cf tweaks under 4.5.11 to have disappeared during the upgrade, it seems the previous method of using "postconf -e <variable>=<value>" followed by a "postfix restart" doesn't survive a server restart.

We see there are a lot of new Postfix variables set in localconfig.xml.

Is editing localconfig.xml now the correct way to make permanent tweaks to Postfix?

We'd like to set the following:

<key name="postfix_smtpd_hard_error_limit">
<value>4</value>
</key>
<key name="postfix_smtpd_soft_error_limit">
<value>2</value>
</key>
<key name="postfix_smtpd_error_sleep_time">
<value>30s</value>
</key>
<key name="postfix_proxy_interfaces">
<value>[Server Public IP Address]</value>
</key>

(The first three together we find to be an effective anti-UCE technique.)

We are not finding anything in the Administrators Manual or the Support Portal about this.

Thanks!
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
  #2 (permalink)  
Old 04-08-2008, 01:30 AM
Moderator
 
Posts: 7,928
Default

Sorry, not in-front of my server but are these variables available from the zmlocalconfig ? So please try :-

Code:
zmlocalconfig -s | grep -i postfix
  #3 (permalink)  
Old 04-08-2008, 06:16 AM
Moderator
 
Posts: 1,209
Default

Quote:
Originally Posted by uxbod View Post
Sorry, not in-front of my server but are these variables available from the zmlocalconfig ? So please try :-

Code:
zmlocalconfig -s | grep -i postfix
That command gets you the current postfix main.cf variables set via localconfig.xml of course, but what I am asking is how do we permanently set additional variables.

Not exactly sure what you mean by "not in-front of my server", but we find the first three variables effective against connections from mail servers performing "dictionary" attacks.

By "dictionary" attack, I mean where a remote server continuously connects to try to send email to a series of clearly guessed, but invalid, recipients (e.g. "john@", "james@", "kevin@", "louis@", etc., etc.).

Sure, Postfix rejects the connection due to invalid recipient, but doing so requires repeated ldap lookups and also consumes an smtp connection for the duration.

When the above three main.cf variables are in place, Postfix just silently does not respond to the sending mail server for thirty seconds, giving legitimate email connections a better opportunity to get through, and reducing the resources used on the server.

In actual fact, Postfix does this by default anyway, but the default soft error limit is 10 and the default sleep time is 1 second.

So, we really aren't introducing any new Postfix behavior here; just "adjusting" somewhat already existing behavior.

And, it's not our idea; we gleaned it from the excellent No Starch Press book "The Book of Postfix".

Hope that helps!

All the best,
Mark
  #4 (permalink)  
Old 04-08-2008, 06:54 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Mark

You don't need to edit the file, you can enter them as follows:

Code:
zmlocalconfig -e postfix_smtpd_hard_error_limit=3
zmlocalconfig -e postfix_smtpd_soft_error_limit=2
try that (plus the rest of your changes) and see if it does what you need, it also updates the config file.
__________________
Regards


Bill
  #5 (permalink)  
Old 04-08-2008, 07:26 AM
Moderator
 
Posts: 7,928
Default

Bill,

Just for my own understanding: when using zmlocalconfig -e, will that put the entries in for you even if they don't exist? Do these changes persist across upgrades?

Thx.
  #6 (permalink)  
Old 04-08-2008, 07:38 AM
Moderator
 
Posts: 1,209
Default

Quote:
Originally Posted by phoenix View Post
Mark

You don't need to edit the file, you can enter them as follows:

Code:
zmlocalconfig -e postfix_smtpd_hard_error_limit=3
zmlocalconfig -e postfix_smtpd_soft_error_limit=2
try that (plus the rest of your changes) and see if it does what you need, it also updates the config file.
Hi Bill,

Thanks for the above!

We ran the above commands (and a few others) and saw the changes in ~/conf/localconfig.xml OK.

We then ran:
Code:
zmmtactl reload
as the zimbra user followed by:

Code:
/opt/zimbra/postfix/sbin/postconf -n
as root, but didn't see our changes. Looking at /opt/zimbra/postfix/conf/main.cf directly confirmed our changes in localconfig.xml didn't propagate to main.cf.

Is there any way short of doing a
Code:
zmcontrol stop
zmcontrol start
to implement these changes?

Thanks!
Mark
  #7 (permalink)  
Old 04-08-2008, 07:50 AM
Moderator
 
Posts: 7,928
Default

If you do a postconf -e with those same variables, and then a postfix reload they should take effect. And now that you have them in the localconfig.xml they will remain persistent across restarts.
  #8 (permalink)  
Old 04-08-2008, 08:36 AM
chh
Advanced Member
 
Posts: 196
Default

I don't think that changes via postconf -e are persistent across updates.
I just upgraded a customer from 5.0.1 to 5.04 and had to run
postconf -e again to allow plaintext auth to the smtp server. So at least this one is not carried over. (I ran all the commands again and did not check all the other settings, so I am only sure about this one.)

Christian
  #9 (permalink)  
Old 04-08-2008, 08:41 AM
Moderator
 
Posts: 7,928
Default

The postconf ones will not be persistent, but LMStone has also added them to the localconfig.xml via zmlocalconfig -e. Using postconf was more to get them in quickly to the running config without having to restart all the ZCS services. All that would be required is a zmmtactl reload I think.
  #10 (permalink)  
Old 04-08-2008, 09:22 AM
Moderator
 
Posts: 1,209
Default

Beauty Mate!

Running postconf -e [blah] followed by a ./postfix restart enabled us to put the changes we wanted into immediate effect.

That we already did a zmlocalconfig -e [blah] for the same main.cf parameters we are hoping means the changes will persist across restarts; we don't want to do a zmcontrol stop/start during normal working hours.

Cheers!
Mark

Last edited by LMStone; 04-08-2008 at 05:58 PM.. Reason: Clarity
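
Added example, not part of the thread or of Zimbra's own tooling: a shell check for the gap post #6 ran into, where values saved with zmlocalconfig -e had not reached the running Postfix configuration. It assumes both commands print `name = value` lines and that a postfix_-prefixed localconfig key corresponds to the main.cf parameter of the same name without the prefix, as the keys in this thread suggest; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: report postfix_* localconfig keys whose live Postfix value
# is missing or different. Assumption: key "postfix_X" maps to parameter "X".

# Constructed sample of `zmlocalconfig -s | grep -i postfix` output.
SAMPLE_LOCALCONFIG='postfix_smtpd_hard_error_limit = 4
postfix_smtpd_soft_error_limit = 2
postfix_smtpd_error_sleep_time = 30s'

# Constructed sample of `postconf -n` output: one stale value, one absent.
SAMPLE_POSTCONF='smtpd_hard_error_limit = 4
smtpd_soft_error_limit = 10
mynetworks = 127.0.0.0/8'

# postfix_drift LOCALCONFIG_TEXT POSTCONF_TEXT
# Prints one line per mismatch and returns 1 if any mismatch was found.
postfix_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { live_section = 1; next }   # separator between the inputs
        {
            eq = index($0, " = ")
            if (eq == 0) next                # skip lines that are not settings
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 3)
        }
        !live_section && name ~ /^postfix_/ {
            sub(/^postfix_/, "", name)       # desired value, keyed by parameter
            want[name] = value
            order[++n] = name
            next
        }
        live_section { live[name] = value }  # value Postfix is running with
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in live)) {
                    printf "MISSING %s want=%s\n", k, want[k]; bad = 1
                } else if (live[k] != want[k]) {
                    printf "DRIFT %s want=%s live=%s\n", k, want[k], live[k]; bad = 1
                }
            }
            exit bad + 0
        }'
}

# Demo on the constructed samples.
postfix_drift "$SAMPLE_LOCALCONFIG" "$SAMPLE_POSTCONF" \
    || echo "live Postfix config differs from localconfig"
```

On a live server the two arguments would be `"$(zmlocalconfig -s | grep -i postfix)"` and `"$(/opt/zimbra/postfix/sbin/postconf -n)"`, the commands used earlier in the thread.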