os-postfix: add submission port (587) support #5398
Open
mbedworth wants to merge 1 commit into opnsense:master from
Add submission_enabled and submission_sasl_local_domain fields to the Postfix plugin general settings. When submission_enabled is set the master.cf template activates the submission service on port 587 with SASL authentication required, TLS enforced, and permissive client/helo/sender restrictions (access control is handled by SASL and should be enforced at the firewall). The optional submission_sasl_local_domain field sets smtpd_sasl_local_domain for the submission service, which is required when using Cyrus SASL with realm-based authentication. Bump model version to 1.2.8.
The os-postfix plugin currently has the submission service block in master.cf hardcoded as a comment with no way to enable it through the GUI or API. This means anyone who needs port 587 for authenticated relay (monitoring systems, MUAs) must either edit master.cf directly or maintain a workaround outside the plugin — both of which get wiped by postfix/service/reconfigure.

This PR adds proper support through the model and template:

Changes

- General.xml: add submission_enabled (BooleanField, default off) and submission_sasl_local_domain (TextField, optional). Model version bumped to 1.2.8.
- master.cf: replace the hardcoded commented submission block with a conditional — when submission_enabled=1 the service is activated; otherwise the original comment is preserved.
- forms/general.xml: add UI fields for both new settings, placed after the TLS Wrapper Mode checkbox.

Behaviour when enabled

The submission service enforces STARTTLS (smtpd_tls_security_level=encrypt) and requires SASL authentication (smtpd_sasl_auth_enable=yes, smtpd_tls_auth_only=yes). The client, HELO, and sender restriction lists are explicitly cleared so that the upstream smtpd_recipient_restrictions (which may include strict checks appropriate for port 25) do not apply — relay access is controlled solely by smtpd_relay_restrictions=permit_sasl_authenticated,reject. Port-level access control is left to the firewall, as is standard practice for submission services.

submission_sasl_local_domain

This optional field sets smtpd_sasl_local_domain in the submission block. It is only emitted when non-empty. It is needed for Cyrus SASL deployments where authentication credentials are scoped to a realm (e.g. smtp.example.com), so that clients can authenticate as user@smtp.example.com rather than user@hostname.

Testing

Tested on OPNsense 25.1 with os-postfix installed:

- master.cf contained the active submission block with correct smtpd_sasl_local_domain.
- sockstat).
- config.xml).
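
One way to verify the rendered master.cf against the behaviour the description lists, as an added example that is not part of this pull request or the plugin's code. The function names and the sample text are hypothetical and constructed here, and the parser assumes the plain `-o name=value` override form.

```python
import shlex

# Overrides the PR description says the submission service enforces.
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_auth_only": "yes",
    "smtpd_relay_restrictions": "permit_sasl_authenticated,reject",
}

# Constructed sample (not the plugin's template): TLS is only opportunistic
# and smtpd_tls_auth_only is missing.
SAMPLE = """\
#submission inet n - n - - smtpd
submission inet n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines; skip comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            lines.append(raw.strip())
    return lines

def service_overrides(text, service="submission", kind="inet"):
    """Return the -o name=value overrides of a service, or None if inactive."""
    for line in logical_lines(text):
        fields = shlex.split(line)
        if len(fields) >= 8 and fields[0] == service and fields[1] == kind:
            args = fields[8:]                # everything after the command name
            pairs = [args[i + 1] for i in range(len(args) - 1) if args[i] == "-o"]
            return dict(p.split("=", 1) for p in pairs if "=" in p)
    return None

def audit_submission(text):
    """List findings; an empty list means the block matches REQUIRED."""
    found = service_overrides(text)
    if found is None:
        return ["submission service is not active"]
    return [f"{k}: expected {v!r}, found {found.get(k)!r}"
            for k, v in REQUIRED.items() if found.get(k) != v]
```

Calling `audit_submission()` on the text of the generated master.cf after a reconfigure returns an empty list when all four overrides are present with the listed values.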