service(postfix): Better handling of the `compatibility_level` setting (#2597)

* chore: Fix typo

* chore: Apply explicit chroot default for `sender-cleanup`

The implicit default is set to `y` as a compatibility fallback, but otherwise it is [advised to set to `n` going forward](http://www.postfix.org/COMPATIBILITY_README.html#chroot).

Test was changed to catch any backwards-compatibility logs, not just those for `chroot=y`. `using` added as a prefix to avoid catching log message whenever a setting is changed that the default compatibility level is active.

* chore: Set `compatibility_level` in `main.cf`

We retain the level`2` value previously set via scripts. This avoids log noise that isn't helpful.

Applied review feedback to give maintainers some context with this setting and why we have it presently set to `2`.

target/postfix/main.cf

@@ -56,14 +56,14 @@ disable_vrfy_command = yes
 # Postscreen settings to drop zombies/open relays/spam early
 postscreen_dnsbl_action = enforce
 postscreen_dnsbl_sites = zen.spamhaus.org*3
-	bl.mailspike.net
+    bl.mailspike.net
-	b.barracudacentral.org*2
+    b.barracudacentral.org*2
-	bl.spameatingmonkey.net
+    bl.spameatingmonkey.net
-	dnsbl.sorbs.net
+    dnsbl.sorbs.net
-	psbl.surriel.com
+    psbl.surriel.com
-	list.dnswl.org=127.0.[0..255].0*-2
+    list.dnswl.org=127.0.[0..255].0*-2
-	list.dnswl.org=127.0.[0..255].1*-3
+    list.dnswl.org=127.0.[0..255].1*-3
-	list.dnswl.org=127.0.[0..255].[2..3]*-4
+    list.dnswl.org=127.0.[0..255].[2..3]*-4
 postscreen_dnsbl_threshold = 3
 postscreen_dnsbl_whitelist_threshold = -1
 postscreen_greet_action = enforce
@@ -101,5 +101,14 @@ policyd-spf_time_limit = 3600
 # Header checks for content inspection on receiving
 header_checks = pcre:/etc/postfix/maps/header_checks.pcre
 
-# Remove unwanted headers that reveail our privacy
+# Remove unwanted headers that reveal our privacy
 smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
+
+# The default compatibility_level is 0 - which retains legacy settings defaults:
+# http://www.postfix.org/COMPATIBILITY_README.html
+# If backwards-compaitibilty log messages appear, fix them by explicitly adding
+# the legacy or new default value (alternatively raise the compatibility_level)
+#
+# TODO: The next compatibility_level is 3.6, when Postfix 3.6 is available consider
+# bumping this value after taking the compaitibilty changes into account.
+compatibility_level = 2

target/postfix/master.cf

@@ -67,7 +67,7 @@ lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
 
-sender-cleanup unix n   -       -       -       0       cleanup
+sender-cleanup unix n   -       n       -       0       cleanup
   -o syslog_name=postfix/sender-cleanup
   -o header_checks=pcre:/etc/postfix/maps/sender_header_filter.pcre
 

target/scripts/startup/setup-stack.sh

@@ -762,9 +762,6 @@ function _setup_postfix_override_configuration
   else
     _log 'trace' "No extra Postfix settings loaded because optional '/tmp/docker-mailserver/postfix-master.cf' was not provided"
   fi
-
-  _log 'trace' "Set Postfix's compatibility level to 2"
-  postconf compatibility_level=2
 }
 
 function _setup_postfix_sasl_password

test/tests.bats

@@ -510,7 +510,7 @@ EOF
   assert_failure
   run docker exec mail grep -i '(!)connect' /var/log/mail/mail.log
   assert_failure
-  run docker exec mail grep -i 'backwards-compatible default setting chroot=y' /var/log/mail/mail.log
+  run docker exec mail grep -i 'using backwards-compatible default setting' /var/log/mail/mail.log
   assert_failure
   run docker exec mail grep -i 'connect to 127.0.0.1:10023: Connection refused' /var/log/mail/mail.log
   assert_failure