From 3d6e7a7bb81f7d4868b32539b23e1187cecc0134 Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Sun, 5 Jun 2022 12:10:20 +1200
Subject: [PATCH] service(postfix): Better handling of the
 `compatibility_level` setting (#2597)

* chore: Fix typo

* chore: Apply explicit chroot default for `sender-cleanup`

The implicit default is set to `y` as a compatibility fallback, but otherwise it is [advised to set to `n` going forward](http://www.postfix.org/COMPATIBILITY_README.html#chroot).

Test was changed to catch any backwards-compatibility logs, not just those for `chroot=y`. `using` added as a prefix to avoid catching log message whenever a setting is changed that the default compatibility level is active.

* chore: Set `compatibility_level` in `main.cf`

We retain the level`2` value previously set via scripts. This avoids log noise that isn't helpful.

Applied review feedback to give maintainers some context with this setting and why we have it presently set to `2`.
---
 target/postfix/main.cf                | 27 ++++++++++++++++++---------
 target/postfix/master.cf              |  2 +-
 target/scripts/startup/setup-stack.sh |  3 ---
 test/tests.bats                       |  2 +-
 4 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index 48a53d76..1ce6b261 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -56,14 +56,14 @@ disable_vrfy_command = yes
 # Postscreen settings to drop zombies/open relays/spam early
 postscreen_dnsbl_action = enforce
 postscreen_dnsbl_sites = zen.spamhaus.org*3
-	bl.mailspike.net
-	b.barracudacentral.org*2
-	bl.spameatingmonkey.net
-	dnsbl.sorbs.net
-	psbl.surriel.com
-	list.dnswl.org=127.0.[0..255].0*-2
-	list.dnswl.org=127.0.[0..255].1*-3
-	list.dnswl.org=127.0.[0..255].[2..3]*-4
+    bl.mailspike.net
+    b.barracudacentral.org*2
+    bl.spameatingmonkey.net
+    dnsbl.sorbs.net
+    psbl.surriel.com
+    list.dnswl.org=127.0.[0..255].0*-2
+    list.dnswl.org=127.0.[0..255].1*-3
+    list.dnswl.org=127.0.[0..255].[2..3]*-4
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -1
 postscreen_greet_action = enforce
@@ -101,5 +101,14 @@ policyd-spf_time_limit = 3600
 # Header checks for content inspection on receiving
 header_checks = pcre:/etc/postfix/maps/header_checks.pcre
 
-# Remove unwanted headers that reveail our privacy
+# Remove unwanted headers that reveal our privacy
 smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+# The default compatibility_level is 0 - which retains legacy settings defaults:
+# http://www.postfix.org/COMPATIBILITY_README.html
+# If backwards-compaitibilty log messages appear, fix them by explicitly adding
+# the legacy or new default value (alternatively raise the compatibility_level)
+#
+# TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider
+# bumping this value after taking the compaitibilty changes into account.
+compatibility_level = 2
diff --git a/target/postfix/master.cf b/target/postfix/master.cf
index 747a8bef..4369f276 100644
--- a/target/postfix/master.cf
+++ b/target/postfix/master.cf
@@ -67,7 +67,7 @@ lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
 
-sender-cleanup unix n   -       -       -       0       cleanup
+sender-cleanup unix n   -       n       -       0       cleanup
   -o syslog_name=postfix/sender-cleanup
   -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
 
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 63843f4b..0d8293f5 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -762,9 +762,6 @@ function _setup_postfix_override_configuration
   else
     _log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-master.cf' was not provided"
   fi
-
-  _log 'trace' "Set Postfix's compatibility level to 2"
-  postconf compatibility_level=2
 }
 
 function _setup_postfix_sasl_password
diff --git a/test/tests.bats b/test/tests.bats
index 453ae85f..5ace6b09 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -510,7 +510,7 @@ EOF
   assert_failure
   run docker exec mail grep -i '(!)connect' /var/log/mail/mail.log
   assert_failure
-  run docker exec mail grep -i 'backwards-compatible default setting chroot=y' /var/log/mail/mail.log
+  run docker exec mail grep -i 'using backwards-compatible default setting' /var/log/mail/mail.log
   assert_failure
   run docker exec mail grep -i 'connect to 127.0.0.1:10023: Connection refused' /var/log/mail/mail.log
   assert_failure