Update Postfix transport file on multiple servers

  • Luis Esteves
    Message 1 of 16 , Feb 24, 2011
      Hi everybody,

      In our organisation we have 4 postfix servers.
      Each time I need to add a new configuration to the transport file (for a new
      domain), I need to update the transport file on each server.
      This is cumbersome. Connect on each server with ssh, update the transport
      file, and run make to generate a db file.

      Is there an easy way to update all files on each server easily (without
      generating ssh public/private keys and running these commands from one
      server) ?

      Is it a good idea to use a centralized PostgreSQL database to store the
      Postfix configuration files ?

      Thanks,
      Luis
      --
      View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31008507.html
      Sent from the Postfix mailing list archive at Nabble.com.
    • Victor Duchovni
      Message 2 of 16 , Feb 24, 2011
        On Thu, Feb 24, 2011 at 02:18:07PM -0800, Luis Esteves wrote:

        > In our organisation we have 4 postfix servers.
        >
        > Each time I need to add a new configuration to the transport file (for a new
        > domain), I need to update the transport file on each server.
        > This is cumbersome. Connect on each server with ssh, update the transport
        > file, and run make to generate a db file.
        >
        > Is there an easy way to update all files on each server easily (without
        > generating ssh public/private keys and running these commands from one
        > server) ?

        I commit configuration changes to an SVN repository, and use a push
        script from a trusted management node that checks out the latest
        committed versions of all pertinent files and deploys them to all
        the nodes.

        > Is it a good idea to use a centralized PostgreSQL database to store the
        > Postfix configuration files ?

        Databases are not particularly good file-systems, and typically revision
        control is a good idea. So "svn", "git" or even "cvs" is usually a better
        choice than a database.

        Now if the data in question is transport table entries, rather than
        main.cf, master.cf, ... a database is sometimes a reasonable way to
        manage tabular data.

        --
        Viktor.
      • Luis Esteves
        Message 3 of 16 , Feb 24, 2011
          Many Thanks Victor for the answer.

          Luis


          Victor Duchovni wrote:
          >
          > On Thu, Feb 24, 2011 at 02:18:07PM -0800, Luis Esteves wrote:
          >
          >> In our organisation we have 4 postfix servers.
          >>
          >> Each time I need to add a new configuration to the transport file (for a
          >> new
          >> domain), I need to update the transport file on each server.
          >> This is cumbersome. Connect on each server with ssh, update the transport
          >> file, and run make to generate a db file.
          >>
          >> Is there an easy way to update all files on each server easily (without
          >> generating ssh public/private keys and running these commands from one
          >> server) ?
          >
          > I commit configuration changes to an SVN repository, and use a push
          > script from a trusted management node that checks out the latest
          > committed versions of all pertinent files and deploys them to all
          > the nodes.
          >
          >> Is it a good idea to use a centralized PostgreSQL database to store the
          >> Postfix configuration files ?
          >
          > Databases are not particularly good file-systems, and typically revision
          > control is a good idea. So "svn", "git" or even "cvs" is usually a better
          > choice than a database.
          >
          > Now if the data in question is transport table entries, rather than
          > main.cf, master.cf, ... a database is sometimes a reasonable way to
          > manage tabular data.
          >
          > --
          > Viktor.
          >
          >

          --
          View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31008714.html
          Sent from the Postfix mailing list archive at Nabble.com.
        • Victor Duchovni
          Message 4 of 16 , Feb 24, 2011
            On Thu, Feb 24, 2011 at 02:52:17PM -0800, Luis Esteves wrote:

            >
            > Many Thanks Victor for the answer.

            An answer anyway, there are a few ways to address this... Some people
            would use tools like "cfengine" or similar. Basically, anything that
            lets you manage configuration files on multiple Unix hosts.

            --
            Viktor.
          • Xavier Beaudouin
            Message 5 of 16 , Feb 25, 2011
              Hello,

              On 24 Feb 2011, at 23:18, Luis Esteves wrote:

              >
              > Hi everybody,
              >
              > In our organisation we have 4 postfix servers.
              > Each time I need to add a new configuration to the transport file (for a new
              > domain), I need to update the transport file on each server.
              > This is cumbersome. Connect on each server with ssh, update the transport
              > file, and run make to generate a db file.
              >
              > Is there an easy way to update all files on each server easily (without
              > generating ssh public/private keys and running these commands from one
              > server) ?
              >
              > Is it a good idea to use a centralized PostgreSQL database to store the
              > Postfix configuration files ?

              There are things like:

              - puppet
              - cfengine
              - chef

              that can do that for you.... This is what I use.

              Xavier
            • /dev/rob0
              Message 6 of 16 , Feb 25, 2011
                On Thu, Feb 24, 2011 at 02:18:07PM -0800, Luis Esteves wrote:
                > In our organisation we have 4 postfix servers.
                > Each time I need to add a new configuration to the transport
                > file (for a new domain), I need to update the transport file on
                > each server. This is cumbersome. Connect on each server with ssh,
                > update the transport file, and run make to generate a db file.

                Since we're talking about transport_maps here, my preference is DNS
                rather than transport_maps. I'd use DNS views such that each mail
                host sees the internal MX for each new domain rather than the MX as
                seen in the global DNS.

                Sounds like you're also talking about relay_domains and possibly
                relay_recipient_maps as well. You would still need a means of
                updating those, but that could be scripted and use SSH keys as
                suggested. Networked map types are possible for these, but in the
                case of relay_domains, not recommended.
                --
                Offlist mail to this address is discarded unless
                "/dev/rob0" or "not-spam" is in Subject: header
              • Luis Esteves
                Message 7 of 16 , Feb 25, 2011
                  Yes, relay_domains, sender_access, ....and more.

                  Maybe the easier solution is to use the ssh/keys, but is it not dangerous to
                  store private keys on a DMZ ?

                  Luis



                  /dev/rob0 wrote:
                  >
                  > On Thu, Feb 24, 2011 at 02:18:07PM -0800, Luis Esteves wrote:
                  >> In our organisation we have 4 postfix servers.
                  >> Each time I need to add a new configuration to the transport
                  >> file (for a new domain), I need to update the transport file on
                  >> each server. This is cumbersome. Connect on each server with ssh,
                  >> update the transport file, and run make to generate a db file.
                  >
                  > Since we're talking about transport_maps here, my preference is DNS
                  > rather than transport_maps. I'd use DNS views such that each mail
                  > host sees the internal MX for each new domain rather than the MX as
                  > seen in the global DNS.
                  >
                  > Sounds like you're also talking about relay_domains and possibly
                  > relay_recipient_maps as well. You would still need a means of
                  > updating those, but that could be scripted and use SSH keys as
                  > suggested. Networked map types are possible for these, but in the
                  > case of relay_domains, not recommended.
                  > --
                  > Offlist mail to this address is discarded unless
                  > "/dev/rob0" or "not-spam" is in Subject: header
                  >
                  >

                  --
                  View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31018639.html
                  Sent from the Postfix mailing list archive at Nabble.com.
                • mouss
                  Message 8 of 16 , Feb 26, 2011
                    On 26/02/2011 08:46, Luis Esteves wrote:
                    >
                    > Yes, relay_domains, sender_access, ....and more.
                    >
                    > Maybe the easier solution is to use the ssh/keys, but is it not dangerous to
                    > store private keys on a DMZ ?
                    >

                    Use a trusted host in a trusted place to push the configuration to all
                    your servers. This is typically done from a management zone connected
                    using a management network.

                    so on the trusted host, you can have an ssh agent so that you don't need
                    to type your pass phrase too often, but still lock the key when you
                    don't need it.

                    as for communicating with the servers, you have many options.

                    - you can use sql, possibly with replication
                    - you can use rsync over ssh to copy/sync files to the servers
                    - if you need to run commands from time to time, use cron with a local
                    script. this script could check for changes and run custom commands.
                    - if you need to run specific commands "now": you can use ssh with a
                    forced command to restrict the damage should the key be compromised/stolen.
                    - another way to restrict the list of commands is sudo
                    - ... etc



                    > [snip]
                  • Luis Esteves
                    Message 9 of 16 , Feb 28, 2011
                      Hi,

                      Good idea.

                      I'll soon install a centralized logs server (with rsync) for logs retention
                      and analysis, maybe I will use this server to update Postfix files. It will
                      be in the trusted network, so, I will generate SSH Keys. The private Key
                      will be stored in the trusted network, and the public Key on each Postfix
                      server (DMZ).
                      All I need is to create a script that synchronizes the files and then runs the
                      Make (remote) command.

                      This seems to be the most suitable solution for me.

                      Thanks everybody,
                      Luis



                      mouss-4 wrote:
                      >
                      > On 26/02/2011 08:46, Luis Esteves wrote:
                      >>
                      >> Yes, relay_domains, sender_access, ....and more.
                      >>
                      >> Maybe the easier solution is to use the ssh/keys, but is it not dangerous
                      >> to
                      >> store private keys on a DMZ ?
                      >>
                      >
                      > Use a trusted host in a trusted place to push the configuration to all
                      > your servers. This is typically done from a management zone connected
                      > using a management network.
                      >
                      > so on the trusted host, you can have an ssh agent so that you don't need
                      > to type your pass phrase too often, but still lock the key when you
                      > don't need it.
                      >
                      > as for communicating with the servers, you have many options.
                      >
                      > - you can use sql, possibly with replication
                      > - you can use rsync over ssh to copy/sync files to the servers
                      > - if you need to run commands from time to time, use cron with a local
                      > script. this script could check for changes and run custom commands.
                      > - if you need to run specific commands "now": you can use ssh with a
                      > forced command to restrict the damage should the key be compromised/stolen.
                      > - another way to restrict the list of commands is sudo
                      > - ... etc
                      >
                      >
                      >
                      >> [snip]
                      >
                      >

                      --
                      View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31038128.html
                      Sent from the Postfix mailing list archive at Nabble.com.
                    • Luis Esteves
                      Message 10 of 16 , Feb 28, 2011
                        Hi,

                        I'll have a look at these tools, I'm curious...

                        Thanks a lot,
                        Luis


                        Victor Duchovni wrote:
                        >
                        > On Thu, Feb 24, 2011 at 02:52:17PM -0800, Luis Esteves wrote:
                        >
                        >>
                        >> Many Thanks Victor for the answer.
                        >
                        > An answer anyway, there are a few ways to address this... Some people
                        > would use tools like "cfengine" or similar. Basically, anything that
                        > lets you manage configuration files on multiple Unix hosts.
                        >
                        > --
                        > Viktor.
                        >
                        >

                        --
                        View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31038134.html
                        Sent from the Postfix mailing list archive at Nabble.com.
                      • aa
                        Message 11 of 16 , Mar 1, 2011
                          And what about using a shared disk space on a single machine that contains configuration file of every mail server.
                          Every machine that has postfix can access these configuration files using samba or NFS...a kind of shared folder that can be contained on a postfix server machine too without using a dedicated machine....

                          2011/3/1 Luis Esteves <luisdobenfica@...>

                          Hi,

                          I'll have a look at these tools, I'm curious...

                          Thanks a lot,
                          Luis


                          Victor Duchovni wrote:
                          >
                          > On Thu, Feb 24, 2011 at 02:52:17PM -0800, Luis Esteves wrote:
                          >
                          >>
                          >> Many Thanks Victor for the answer.
                          >
                          > An answer anyway, there are a few ways to address this... Some people
                          > would use tools like "cfengine" or similar. Basically, anything that
                          > lets you manage configuration files on multiple Unix hosts.
                          >
                          > --
                          >       Viktor.
                          >
                          >

                          --
                          View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31038134.html
                          Sent from the Postfix mailing list archive at Nabble.com.


                        • Reindl Harald
                          Message 12 of 16 , Mar 1, 2011
                            i would use mysql for some reasons

                            * one master where write changes
                            * every machine can run a replication slave
                            * no single-point-of-failure
                            * postfix needs only read-permissions so there are never writes on any slave
                            * you can even define each mysqld in each postfix server for failover

                            samba/nfs is fine as long this machine/connection is alive
                            but if you have troubles there all your servers are down

                            On 01.03.2011 10:51, aa wrote:
                            > And what about using a shared disk space on a single machine that contains configuration file of every mail server.
                            > Every machine that has postfix can access these configuration files using samba or NFS...a kind of shared folder
                            > that can be contained on a postfix server machine too without using a dedicated machine....
                            >
                            > 2011/3/1 Luis Esteves <luisdobenfica@... <mailto:luisdobenfica@...>>
                            >
                            >
                            > Hi,
                            >
                            > I'll have a look at these tools, I'm curious...
                            >
                            > Thanks a lot,
                            > Luis
                            >
                            >
                            > Victor Duchovni wrote:
                            > >
                            > > On Thu, Feb 24, 2011 at 02:52:17PM -0800, Luis Esteves wrote:
                            > >
                            > >>
                            > >> Many Thanks Victor for the answer.
                            > >
                            > > An answer anyway, there are a few ways to address this... Some people
                            > > would use tools like "cfengine" or similar. Basically, anything that
                            > > lets you manage configuration files on multiple Unix hosts.
                            > >
                            > > --
                            > > Viktor.
                            > >
                            > >
                            >
                            > --
                            > View this message in context:
                            > http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31038134.html
                            > Sent from the Postfix mailing list archive at Nabble.com.
                            >
                            >

                            --

                            Best regards, Reindl Harald
                            the lounge interactive design GmbH
                            A-1060 Vienna, Hofmühlgasse 17
                            CTO / software-development / cms-solutions
                            p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
                            icq: 154546673, http://www.thelounge.net/
                          • aa
                            Message 13 of 16 , Mar 1, 2011
                              My proposal of using a machine that contains samba/nfs shared file is likely to create a critical node in the architecture...

                              I appreciate Harald's idea of using mysql server with replication clients....if I've understood well every postfix installation reads config informations from its own mysql replication server so you can modify only the master server and changes spread over the replication slaves....
                              a kind of the DNS working, isn't it?

                              2011/3/1 Reindl Harald <h.reindl@...>
                              i would use mysql for some reasons

                              * one master where write changes
                              * every machine can run a replication slave
                              * no single-point-of-failure
                              * postfix needs only read-permissions so there are never writes on any slave
                              * you can even define each mysqld in each postfix server for failover

                              samba/nfs is fine as long this machine/connection is alive
                              but if you have troubles there all your servers are down

                              On 01.03.2011 10:51, aa wrote:
                              > And what about using a shared disk space on a single machine that contains configuration file of every mail server.
                              > Every machine that has postfix can access these configuration files using samba or NFS...a kind of shared folder
                              > that can be contained on a postfix server machine too without using a dedicated machine....
                              >
                              > 2011/3/1 Luis Esteves <luisdobenfica@... <mailto:luisdobenfica@...>>
                              >
                              >
                              >     Hi,
                              >
                              >     I'll have a look at these tools, I'm curious...
                              >
                              >     Thanks a lot,
                              >     Luis
                              >
                              >
                              >     Victor Duchovni wrote:
                              >     >
                              >     > On Thu, Feb 24, 2011 at 02:52:17PM -0800, Luis Esteves wrote:
                              >     >
                              >     >>
                              >     >> Many Thanks Victor for the answer.
                              >     >
                              >     > An answer anyway, there are a few ways to address this... Some people
                              >     > would use tools like "cfengine" or similar. Basically, anything that
                              >     > lets you manage configuration files on multiple Unix hosts.
                              >     >
                              >     > --
                              >     >       Viktor.
                              >     >
                              >     >
                              >
                              >     --
                              >     View this message in context:
                              >     http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31038134.html
                              >     Sent from the Postfix mailing list archive at Nabble.com.
                              >
                              >

                              --

                              Best regards, Reindl Harald
                              the lounge interactive design GmbH
                              A-1060 Vienna, Hofmühlgasse 17
                              CTO / software-development / cms-solutions
                              p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
                              icq: 154546673, http://www.thelounge.net/


                            • mouss
                              Message 14 of 16 , Mar 2, 2011
                                On 01/03/2011 06:37, Luis Esteves wrote:
                                >
                                > Hi,
                                >
                                > Good idea.
                                >
                                > I'll soon install a centralized logs server (with rsync) for logs retention
                                > and analysis, maybe I will use this server to update Postfix files. It will
                                > be in the trusted network, so, I will generate SSH Keys. The private Key
                                > will be stored in the trusted network, and the public Key on each Postfix
                                > server (DMZ).
                                > All I need is to create a script that synchronizes the files and then runs the
                                > Make (remote) command.
                                >
                                > This seems to be the most suitable solution for me.
                                >

                                it's unclear what "budget" you have. I am biased toward large platforms
                                (and even for small ones, toward "large style" processes implemented "in
                                the small").

                                ideally, you shouldn't mix the management hosts and the log servers.
                                role segregation is a good principle. management hosts are hosts you use
                                to "push" things onto your production. log servers are hosts that
                                receive things from your production servers. if you can't use different
                                hosts for that, then do everything to separate the roles (different user
                                accounts, different access control rules, ... etc).
                              • mouss
                                Message 15 of 16 , Mar 2, 2011
                                  On 01/03/2011 10:51, aa wrote:
                                  > And what about using a shared disk space on a single machine that contains
                                  > configuration file of every mail server.
                                  > Every machine that has postfix can access these configuration files using
                                  > samba or NFS...a kind of shared folder that can be contained on a postfix
                                  > server machine too without using a dedicated machine....
                                  >


                                  well, the problem is not file sharing here. if it's just for making
                                  files available, then rsync over ssh is a proven and robust mechanism.

                                  the issue is that for some maps, a 'postfix reload' is needed and this
                                  is a harder problem because it requires privileges.

                                  sql is a good way to solve the problem, although it means allowing
                                  "inbound" sql access from the postfix servers. it also has the benefit
                                  of requiring no reload. add to this the possibility of using a web ui or
                                  other to manage data in an sql db.
                                • Luis Esteves
                                  Message 16 of 16 , Mar 3, 2011
                                    Hi,

                                    Maybe there is another solution.

                                    Initially I didn't want to generate private/public keys, because I was
                                    planning to use the root account.
                                    But, to solve this security issue, I create a user account with user rights,
                                    and generate ssh private/public keys (less dangerous than root account)
                                    I add command privileges to sudoers, so the account can run a script that
                                    will :

                                    - transfer needed files over ssh to other servers
                                    - run make command to create the db files on all servers

                                    What do you think about this solution ?

                                    Luis


                                    Luis Esteves wrote:
                                    >
                                    > Hi everybody,
                                    >
                                    > In our organisation we have 4 postfix servers.
                                    > Each time I need to add a new configuration to the transport file (for a
                                    > new domain), I need to update the transport file on each server.
                                    > This is cumbersome. Connect on each server with ssh, update the transport
                                    > file, and run make to generate a db file.
                                    >
                                    > Is there an easy way to update all files on each server easily (without
                                    > generating ssh public/private keys and running these commands from one
                                    > server) ?
                                    >
                                    > Is it a good idea to use a centralized PostgreSQL database to store the
                                    > Postfix configuration files ?
                                    >
                                    > Thanks,
                                    > Luis
                                    >

                                    --
                                    View this message in context: http://old.nabble.com/Update-Postfix-transport-file-on-multiple-servers-tp31008507p31061754.html
                                    Sent from the Postfix mailing list archive at Nabble.com.
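
The forced-command restriction mouss suggests in message 8, combined with the unprivileged account and sudo rule Luis describes in message 16, could look like the gate script below, installed on each Postfix server. This is an added example, not code from any poster in the thread; the `deploy` account, all paths, the `rebuild <map>` request word and the `postfix-install-map` helper are assumptions.

```shell
#!/bin/sh
# Forced-command gate for the push key (added example; the account name,
# all paths, the "rebuild" request word and the helper are hypothetical).
#
# ~deploy/.ssh/authorized_keys on each Postfix server (key material elided):
#   command="/usr/local/sbin/postfix-push-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... deploy@mgmt
#
# /etc/sudoers.d/postfix-push, the only root privilege the account gets:
#   deploy ALL=(root) NOPASSWD: /usr/local/sbin/postfix-install-map
#
# The helper (not shown) copies one staged map into /etc/postfix and runs make.

LC_ALL=C; export LC_ALL                       # make [A-Z] ranges byte-exact
STAGING_DIR="/var/lib/postfix-staging"
ALLOWED_MAPS="transport relay_domains sender_access"
INSTALL_HELPER="/usr/local/sbin/postfix-install-map"

# classify_command CMD
# Prints "rsync", "rebuild:<map>" or "deny"; returns 0 only when allowed.
classify_command() {
    set -f                  # no globbing while splitting the client's string
    set -- $1               # split on whitespace only; nothing is ever eval'd
    set +f
    [ "$#" -ge 2 ] || { echo deny; return 1; }
    case $1 in
    rebuild)
        [ "$#" -eq 2 ] || { echo deny; return 1; }
        for m in $ALLOWED_MAPS; do
            if [ "$2" = "$m" ]; then echo "rebuild:$m"; return 0; fi
        done
        echo deny; return 1 ;;
    rsync)
        # A push from the management host arrives as:
        #   rsync --server <short option clusters> . <destination>
        [ "$#" -ge 5 ] && [ "$2" = "--server" ] || { echo deny; return 1; }
        shift 2
        while [ "$#" -gt 2 ]; do
            case $1 in
                # No long options: this also refuses --sender, i.e. any
                # attempt to read files back out of the server.
                --*|-*[!A-Za-z0-9.]*) echo deny; return 1 ;;
                -?*) ;;
                *) echo deny; return 1 ;;
            esac
            shift
        done
        # Destination must be the staging directory, compared literally,
        # so "../" tricks never match.
        if [ "$1" = "." ] && [ "$2" = "$STAGING_DIR/" ]; then
            echo rsync; return 0
        fi
        echo deny; return 1 ;;
    *)
        echo deny; return 1 ;;
    esac
}

# run_gate CMD: execute the request if allowed, log and refuse otherwise.
run_gate() {
    action=$(classify_command "$1") || {
        logger -t postfix-push-gate "denied: $1"
        echo "postfix-push-gate: command not permitted" >&2
        return 1
    }
    case $action in
    rsync)
        set -f; set -- $1; set +f
        shift
        exec rsync "$@" ;;                    # validated words, no shell re-parse
    rebuild:*)
        exec sudo -n "$INSTALL_HELPER" "${action#rebuild:}" ;;
    esac
}

# sshd sets SSH_CONNECTION for every session and SSH_ORIGINAL_COMMAND only
# when the client asked for a command; an interactive login is refused.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_gate "${SSH_ORIGINAL_COMMAND:-}"
fi
```

With this in place a stolen deploy key can only write into the staging directory and request a rebuild of the three named maps; denied requests land in syslog under the `postfix-push-gate` tag.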