I'm probably doing something wrong here without knowing it. I have the base Virtualmin set-up as system hostname srv1.myHostingURL.com. Then I made the first virtual server as domain name myHostingURL.com; I had the automatic Let's Encrypt options selected in System Settings, Virtualmin Configuration. Then while tinkering around in the Server Configuration under the Manage SSL Certificate module, I clicked the "Copy to Postfix" button. Now I see these Postfix warnings:
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
/usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
and in that master.cf file I see this single line statement I don't recall being part of the Postfix base, or their formatting style:
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
So is that normal? Do I ignore these warnings? Should I rework that single line into multiple lines the way Postfix normally has things?
Comments
Submitted by andreychek on Fri, 12/22/2017 - 12:08 Comment #1
Howdy -- thanks for contacting us!
Just to verify, is Postfix starting, in spite of those warnings?
If so, they are safe to ignore.
Jamie's been looking into what generates those warnings, though they are harmless. However, if Postfix isn't starting, we'd need to look deeper into that.
Submitted by JamieCameron on Fri, 12/22/2017 - 16:25 Comment #2
Note that VIrtualmin never sets options like
mua_sender_restrictions
, so the only way this error could occur is if they were already set in the Postfix config.Thanks for both responses. Postfix does run despite the warnings. I have to respectfully disagree ( with a moderate degree of confidence ) that Postfix came with smtps inet enabled. I just downloaded the Ubuntu Postfix installer and extracted the archive. The salient piece is in master.cf is:
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
Those referential macros are there but you can see they are positively commented out which is different than the state it is in now. The error message didn't happen until after creating the first virtual server and was noticed almost immediately after doing that operation that copies the key & cert to the main Webmin areas. Not a lot happened to the system between those two moments. I think something in that procedure of clicking the button for "Copy to Postfix" did it. I feel like a bit of a mook here at this point because I don't know what software would need that inetd part of Postfix. Apparently, Wietse thought the mail user agent would be communicating with Postfix to fill in those restrictions.
Hopefully, this isn't too big of a tangent, but the reason I noticed it ( and here's where you don't let kids play with guns ) was I was trying to set-up TLSA in Postfix before I made the first virtual server. I ran these commands in a terminal window:
sudo postfix tls new-server-key
sudo postfix tls deploy-server-cert /etc/postfix/cert-20171216-062044.pem /etc/postfix/key-20171220-062044.pem
sudo postfix tls output-server-tlsa -h myServersURL.com /etc/postfix/key-20171216-062044.pem
Then over at Google Domains, I added the TLSA signature to my custom resource records.
It was after clicking the "Copy to Postfix" button, I realized it had written over the top of the Postfix key and cert I made earlier, which means the TLSA info changed. When I re-ran that sudo postfix tls output-server-tlsa command, I saw the new parameter and the error messages. I'm not at the level of understanding I'd like to be with encryption yet, so I may have made blunders there.
Submitted by andreychek on Sat, 12/23/2017 - 09:02 Comment #4
I'm unfortunately not sure how those got there, though if you want to get rid of the warnings, you can remove the parts of the master.cf config that have a "$mua" in them... those shouldn't be needed.
For example, this parameter here that you mentioned in your initial post above can be removed:
smtpd_client_restrictions=$mua_client_restrictions