On Sunday, 23 November 2025 at 00:31, Viktor Dukhovni via Postfix-users <[email protected]> wrote:
> If the syntax of the URI is correct as documented in:
>
> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING-URIS
>
> specifying the right user name and password, then it is indeed
> surprising that libpq still wants to map the smtpd process uid to a
> login name, perhaps that's some sort of fallback behaviour when the
> server rejects the login?
>
> Make sure that psql works with essentially the same URI:
>
> psql "postgresql://$user@$host:5433/$db?sslmode=require"
>

Yes, it absolutely is in that format. It is in that format for the "old" working connection. The only thing I did is `vi` the file and change the hostname and port.

Indeed, I can also do `docker run -it --rm public.ecr.aws/docker/library/postgres:18-trixie psql 'postgres://....` on a test machine to confirm the URL is perfect.

> (I expect it would prompt for the password). Then once that works, try
> again while running with real and effective uid "109" (perhaps that's
> the "postfix" user on your system). And if that still works, perhaps
> your smtpd(8) is chrooted, try changing master.cf(5) to disable chroot.
>

Yes, 109 is the postfix user.

But why should I need to mess around with chrooting? To repeat myself, *nothing* has changed apart from the hostname and port number in *the same* file. Nothing else in the config has been changed and no new files added to the config directory (apart from the SSL cert mentioned below to eventually allow for `verify-full`).

Is it possible postfix needs to be restarted and not just reloaded? That's one thing I have not tried yet because it's clear postfix did pick up the config change just with a reload?

>
> The SSL settings are likely secondary, you need to get logins working
> whether or not the login is vulnerable to password compromise via packet
> captures.
>

Sure, of course. But we've got other protections in place anyway (psql=required, IP filtering on the psql side etc. etc.).
So the cert verification is just belt and braces.
