[TODO]: Consider Postfix / Dovecot alternative deps

[polarathene]

Subject

Something else that requires developers attention

Description

This is a tracking issue related to information shared in this comment.

---

Changes

Amavis:

• Consider configuring to use a milter instead via the amavisd-milter package.
  • Presently Amavis is configured as a content_filter (processes mail post-queuing, unlike milters which are pre-queue). Mail arrives at smtpd (port 25), content filter directs it to the smtpd-amavis unix socket / transport defined in appended master.cf, which then directs to the destination (main.cf:content_filter = transport:destination) configured as localhost:10024 (Amavis service), which resubmits mail to localhost:10025 to return it back to Postfix.
  • There is some reasoning to prefer Amavis as a content_filter instead of milter.
  • Amavis config may need a revision based on the content filter and milter Postfix docs examples.
    • For Amavis config itself, there is this article which notes an issue with DKIM and an important difference between Postfix and Amavis mynetworks settings not being equivalent in behaviour.
    • That article also opts for the milter on port 25, but also uses the content filter on submission ports (whereas DMS does not have spam filtering for authenticated submissions, trusting the user isn't accidentally/intentionally sending spam/malware).

Dovecot:

• When v2.4 / 3.0 is released and DMS can update to it, switch from fts-xapian to flatcurve.
• Dovecot diverges by major version going forward with CE (2.4) and Pro (3.0). Breaking changes detailed here.

Postfix:

• Upgrade postsrsd to 1.12 / 2. Although this is less important once Docker Engine + Containerd releases drop LimitNOFILE=infinity.
• Consider switching from policyd-spf to pyspf-milter.

---

Relevant snippets from linked comment

Amavis:

• Instead of check_policy_service integration to Postfix, amavisd-milter package could be used instead.

Dovecot:

• dovecot-fts-xapian:
  • libxapian30 dep >= 1.4.19 + dovecot-abi-2.3.abiv19 virtual dep (provided via dovecot-core)
  • Package previously broke compatibility with Debian 11 Bullseye packages when mixed with third-party Dovecot repo for a newer dovecot-core which could no longer satisfy the ABI virtual dependency.
    • Solution was to build package dovecot-fts-xapian 1.5.5 from source via introducing build/compile.sh.
    • dovecot-fts-xapian was originally integrated into DMS in July 2021 via single package and a documented config guide.
  • When dovecot-core 2.4.0 is available, migrating to the flatcurve plugin becomes a viable option and may instead be a better replacement for this feature.
  • Additionally, the suggestion to migrate to the flatcurve plugin was proposed by the contributor that added support for the xapian plugin in DMS (which was due to the existing solr plugin having notable drawbacks).

Postfix:

• postsrsd (1.10)
  • There is a bug within common container environments that have containerd or similar service on the host configured with LimitNOFILE=infinity where fs.nr_open is a value of 2^30 instead of 2^20 (Debian).
    • That bug was fixed in Aug 2022 but only available with PostSRSd v1.12 / v2.
    • Thus users of this feature in DMS may need to explicitly configure the --ulimit to 1024:524288 (systemd implicit default since v240).
    • The fix also requires at least glibc of 2.35, which Debian 12 provides with glibc 2.36. Docker host kernel is required to be >= 5.9.
    • The bug described will be partially resolved with the workaround effectively becoming default in Docker Engine v25, but Docker must release with containerd release that also includes the change (presumably containerd 2.0). Both have the change merged in 2023, just a long wait for that to officially land in a release.
• postfix-policyd-spf-python (2.9.2 => 3.04)
  • 3.x dropped the python3-spf dep, which supposedly is not needed anymore to provide Postfix with an SPF check_policy_service.
  • NOTE: There also exists an alternative milter-based package pyspf-milter which appears to be part of python3-spf-engine too (available in spf-engine since 2.9.0). See the spf-engine README for advice on configuring Postfix with milter package.
  • References:
    • spf-engine upstream source and Debian source.
    • Some resources online provide nicer docs to browse.
      • policyd-spf Postfix integration advice (states version 2.0, but this seems to match the python-policy-spf 2.0.0 mention in README source (upstream)) notes that when using the check_policy_service it must come after reject_unauth_destination to avoid creating an open relay (DMS handles this correctly at present, but that expectation is not clearly documented inline for maintainers).
      • Similar pyspf-milter docs.