The story of server upgrades from 6.3 to 6.4
The TL;DR - I waited until after 6.4 was released to start practicing the upgrades. Knowing what changes were coming for OpenSMTPd, I should have practiced earlier.
----
For OpenBSD 6.4, OpenSMTPd went through a major change in its internal mail handling/structures. And that necessitated changing the grammar in its configuration file. The "accept" statement was replaced with separate "action" statements directing mail for further delivery, and "match" filter statements used to select the specified action statements.
I have been running my own small pair of mail servers with OpenSMTPd. But the main "upstream" mail server had a very complex configuration, handling mail from the Internet, directing internal mail, validating recipients, routing mail through SpamAssassin filtering, routing outbound mail through DKIM signing, and authenticating its tunneled connection with the internal, "downstream" server.
OpenSMTPd changed in OpenBSD -current shortly after 6.3 was released. And then a lot of people struggled with the new syntax and the new rules structure. So I said, "Hmmm... let's wait, and deal with it after things have settled down."
They did settle down. But I kept putting it off, because the change was so significant.
After about a week* of testing, on and off, as time allowed, I've upgraded and implemented the change. And there were increases in lines: my 7 "accept" rules were replaced with 12 statements: 8 "match" filters and 4 "action" directives. Even so, the total number of lines in my smtpd.conf(5) dropped substantially, from 95 to 64. The bulk of that was removal of comments, as the new grammar is easier to understand when the server provides many functions.
Testing was conducted using virtual machines that operated on an isolated network, to avoid creating any problems on the Internet. After testing completed, implementation in production went smoothly.
---
* I had two delays due to misreading the man pages.
1) I'd neglected to note that authorized SMTP mail transfer sessions between the two servers required valid certificate authorities by default. I was using self-signed certificates on the isolated network. The documentation for this is in the smtpd.conf(5) man page, but hidden in a paragraph about URL label values. The circumvention was to use "tls no-verify" on outbound relays.
2) The original "accept" rule set used "from local" and "for local" as defaults. This did not change with the new "match" filter, and I was caught with some match rules during the redesign that did not specify these explicitly. Mail was being rejected with "unknown recipient" errors when this occurred.
Both of my smtpd.conf files now have comments to remind me to specify both "from" and "for" explicitly in my match rules to avoid this error in the future. It happened to me before. It is said, "Wisdom is recognizing your mistakes when you make them again."
Last edited by jggimi; 25th November 2018 at 01:11 AM.
Reason: typo
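The two pitfalls in the footnote above can be checked mechanically before a configuration goes live. This Python script is an added example, not part of the original post or of OpenSMTPd: it flags "match" rules that rely on the implicit "from local" / "for local" defaults and relay actions carrying "tls no-verify". The sample configuration, host name, label and table names are constructed placeholders.

```python
import shlex

# Constructed sample in the 6.4 match/action grammar; the host, label and
# table names are placeholders, not the poster's configuration.
SAMPLE_CONF = """\
table secrets file:/etc/mail/secrets
action "local" mbox alias <aliases>
action "downstream" relay host smtps://label@mail.example.net auth <secrets> tls no-verify
action "outbound" relay
match from any for domain "example.net" action "downstream"
match for local action "local"          # no "from": defaults to from local
match from local action "outbound"      # no "for": defaults to for local
match from local for any action "outbound"
"""


def lint_smtpd_conf(conf_text):
    """Return (code, rule) findings for match/action rules in conf_text."""
    findings = []
    # Join backslash-continued lines so each rule is checked as one unit.
    for raw in conf_text.replace("\\\n", " ").splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, unquotes
        if not tokens:
            continue
        rule = " ".join(tokens)
        if tokens[0] == "match":
            # An omitted criterion silently falls back to the local default.
            if "from" not in tokens:
                findings.append(("implicit-from-local", rule))
            if "for" not in tokens:
                findings.append(("implicit-for-local", rule))
        elif tokens[0] == "action" and "relay" in tokens[2:]:
            # "tls no-verify" skips certificate validation on this relay.
            if ("tls", "no-verify") in zip(tokens, tokens[1:]):
                findings.append(("relay-tls-no-verify", rule))
    return findings


if __name__ == "__main__":
    for code, rule in lint_smtpd_conf(SAMPLE_CONF):
        print(f"{code}: {rule}")
```

Running it against a copy of smtpd.conf from the test network shows which relays would still skip certificate validation if the file were carried into production unchanged.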