[pfx] Re: pushing changes to remote system

2024-05-14 Thread Alex via Postfix-users
Hi guys,

On Thu, Mar 7, 2024 at 6:01 PM Steffen Nurpmeso via Postfix-users <
postfix-users@postfix.org> wrote:

> Dan Mahoney via Postfix-users wrote in
>  <56abb6d4-e690-4f94-aadb-2f646a6d1...@prime.gushi.org>:
>  |> On Mar 6, 2024, at 16:52, Wietse Venema via Postfix-users wrote:
>  |> Alex via Postfix-users:
>  |>> Hi,
>  |>> I have a few postfix systems on fedora38 with nearly identical
>  |>> configurations. I'd like to be able to push changes to them from a third
>  |>> system without having to login to them directly to do so. What's the
>  |>> best/most secure way to do this?
>  |>>
>  |>> For example, I'd like to push the recipient access file to both systems
>  |>> since they both relay mail for the same domains. Currently I'm doing this
>  |>> with rsync/ssh as root but would like to use a regular user.
>  |>
>  |> rsync renames files into place. That is good, because there is no
>  |> risk that it overwrites a file while some program reads from it.
>  |>
>  |> But if an unprivileged user can replace files in /etc/postfix, they
>  |> are root equivalent. That is not the improvement that you
>  |> appear to be looking for.
>  |>
>  |> Maybe you can use a pull model instead, like curl and a REST server.
>  |
>  |This is a solved problem, using tools like ansible, chef, or puppet.
>  |Puppet specifically can be configured to do periodic pulls without
>  |having to login.
>
> I use git for all that.  Plus some hooks/scripts.
> Special repo with a special post-receive hook would surely do your
> specific use case.
>

It's taken me some time to get to this, but I hoped I could ask for your
help.

Do you have more information you can share about how I might do this?

The main system would push the updates to git, then perhaps a cron script
(as root?) that runs git checkout on each host to check for updates?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: pushing changes to remote system

2024-03-07 Thread Steffen Nurpmeso via Postfix-users
Dan Mahoney via Postfix-users wrote in
 <56abb6d4-e690-4f94-aadb-2f646a6d1...@prime.gushi.org>:
 |> On Mar 6, 2024, at 16:52, Wietse Venema via Postfix-users wrote:
 |> Alex via Postfix-users:
 |>> Hi,
 |>> I have a few postfix systems on fedora38 with nearly identical
 |>> configurations. I'd like to be able to push changes to them from a third
 |>> system without having to login to them directly to do so. What's the
 |>> best/most secure way to do this?
 |>>
 |>> For example, I'd like to push the recipient access file to both systems
 |>> since they both relay mail for the same domains. Currently I'm doing this
 |>> with rsync/ssh as root but would like to use a regular user.
 |>
 |> rsync renames files into place. That is good, because there is no
 |> risk that it overwrites a file while some program reads from it.
 |>
 |> But if an unprivileged user can replace files in /etc/postfix, they
 |> are root equivalent. That is not the improvement that you
 |> appear to be looking for.
 |>
 |> Maybe you can use a pull model instead, like curl and a REST server.
 |
 |This is a solved problem, using tools like ansible, chef, or puppet.
 |Puppet specifically can be configured to do periodic pulls without
 |having to login.

I use git for all that.  Plus some hooks/scripts.
Special repo with a special post-receive hook would surely do your
specific use case.

--steffen


[pfx] Re: pushing changes to remote system

2024-03-06 Thread Dan Mahoney via Postfix-users

> On Mar 6, 2024, at 16:52, Wietse Venema via Postfix-users wrote:
> 
> Alex via Postfix-users:
>> Hi,
>> I have a few postfix systems on fedora38 with nearly identical
>> configurations. I'd like to be able to push changes to them from a third
>> system without having to login to them directly to do so. What's the
>> best/most secure way to do this?
>> 
>> For example, I'd like to push the recipient access file to both systems
>> since they both relay mail for the same domains. Currently I'm doing this
>> with rsync/ssh as root but would like to use a regular user.
> 
> rsync renames files into place. That is good, because there is no
> risk that it overwrites a file while some program reads from it.
> 
> But if an unprivileged user can replace files in /etc/postfix, they
> are root equivalent. That is not the improvement that you
> appear to be looking for.
> 
> Maybe you can use a pull model instead, like curl and a REST server.

This is a solved problem, using tools like ansible, chef, or puppet.  Puppet 
specifically can be configured to do periodic pulls without having to login.

-Dan


[pfx] Re: pushing changes to remote system

2024-03-06 Thread Wietse Venema via Postfix-users
Alex via Postfix-users:
> Hi,
> I have a few postfix systems on fedora38 with nearly identical
> configurations. I'd like to be able to push changes to them from a third
> system without having to login to them directly to do so. What's the
> best/most secure way to do this?
> 
> For example, I'd like to push the recipient access file to both systems
> since they both relay mail for the same domains. Currently I'm doing this
> with rsync/ssh as root but would like to use a regular user.

rsync renames files into place. That is good, because there is no
risk that it overwrites a file while some program reads from it. 

But if an unprivileged user can replace files in /etc/postfix, they
are root equivalent. That is not the improvement that you
appear to be looking for.

Maybe you can use a pull model instead, like curl and a REST server.

Wietse


[pfx] Re: pushing changes to remote system

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 06, 2024 at 07:12:18PM -0500, Alex via Postfix-users wrote:

> I have a few postfix systems on fedora38 with nearly identical
> configurations. I'd like to be able to push changes to them from a third
> system without having to login to them directly to do so. What's the
> best/most secure way to do this?

Keep the configurations in a git repository and pull them as root, using
an SSH key in batch mode with a preseeded known-hosts file.  Pull only
the source files for tables, and then run "make" to run "postmap", ...

You could use an 'https' git remote URL, but without additional
configuration that trusts too many CAs, so SSH is better.

> For example, I'd like to push the recipient access file to both systems
> since they both relay mail for the same domains. Currently I'm doing this
> with rsync/ssh as root but would like to use a regular user.

That'd be a mistake, Postfix configuration files should belong to root.

> Postfix complains when changing ownership of these files to a regular
> user, so I thought of using setfacl on the individual files I need. Will
> that cause a problem?
> 
> # setfacl -m g:appuser:rwx /etc/postfix
> # setfacl -m g:appuser:wx /etc/postfix/client_checks.cidr
> # setfacl -m g:appuser:wx /etc/postfix/recipient_checks
> 
> $ postmap recipient_checks
> $ ls -l recipient_checks*
> -rw-rwxr--+ 1 root    root    1065 Nov 15  2020 recipient_checks
> -rw-r--r--  1 appuser appuser 2305 Mar  6 18:37 recipient_checks.cdb

Avoid pushing computed binary artefacts, pull the source and run make.

-- 
Viktor.
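A sketch of the pull-and-rebuild cycle Viktor describes above (and the root cron job Alex asks about in the later reply), as an added example that is not from the thread or the Postfix project: root pulls a git checkout of the table sources over SSH in batch mode against a preseeded known_hosts file, then recompiles only the tables whose source is newer than the compiled file, which is the make rule written as a shell function. The repository path, key and known_hosts file names, the table list and the database type are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the Postfix project. All paths are assumptions.
set -eu

REPO=${REPO:-/etc/postfix}              # git checkout of the table sources, owned by root
DEPLOY_KEY=${DEPLOY_KEY:-/root/.ssh/postfix_deploy}
KNOWN_HOSTS=${KNOWN_HOSTS:-/root/.ssh/postfix_deploy_known_hosts}  # preseeded by hand
TABLES=${TABLES:-"recipient_checks client_checks"}
DB_TYPE=${DB_TYPE:-hash}                # match default_database_type (cdb in the thread)
DB_EXT=${DB_EXT:-db}                    # file suffix that DB_TYPE produces (cdb -> cdb)
POSTMAP=${POSTMAP:-postmap}

# SSH command for git: no prompts, and the server key must already be in KNOWN_HOSTS.
git_ssh_command() {
    printf 'ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -i %s' \
        "$KNOWN_HOSTS" "$DEPLOY_KEY"
}

# Fast-forward only: a diverged checkout means someone edited it by hand, so stop and alert.
pull_config() {
    GIT_SSH_COMMAND=$(git_ssh_command) git -C "$REPO" pull --ff-only --quiet
}

# Exit 0 when the compiled table is missing or older than its source (the make rule).
needs_rebuild() {
    src=$1
    [ -f "$src" ] || return 1
    [ ! -e "$src.$DB_EXT" ] || [ "$src" -nt "$src.$DB_EXT" ]
}

# Print the names of tables that must be recompiled, one per line.
stale_tables() {
    for t in $TABLES; do
        if needs_rebuild "$REPO/$t"; then printf '%s\n' "$t"; fi
    done
}

# Recompile only stale tables; postmap writes the compiled file next to the source, as root.
rebuild_tables() {
    for t in $(stale_tables); do
        "$POSTMAP" "$DB_TYPE:$REPO/$t"
    done
}

# Run the full cycle only when asked (e.g. DEPLOY_RUN=1 from root's cron), so the
# functions can also be sourced and exercised on their own.
if [ "${DEPLOY_RUN:-0}" = 1 ]; then
    pull_config
    rebuild_tables
fi
```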