On Mon, Sep 29, 2025 at 12:00:01PM +0200, Hadmut Danisch via Postfix-users wrote:
> I was thinking about the best way to query external processes as databases
> for postfix lookup tables. Almost all methods described in
>
> https://www.postfix.org/DATABASE_README.html
>
> are bound to a particular file format or a particular database, and the only
> method that allows to contact an arbitrary separate process is tcp, which,
> on the other hand, is rather limited based on
>
> https://www.postfix.org/tcp_table.5.html

That's not the only or even preferred method of querying ad hoc external
sources. Use socketmap_table(5) instead.

> I'd therefore like to propose two enhancements:
>
> 1. (minor): Do support connecting to unix domain sockets as well. They
> are a much better way to protect a service by keeping it completely
> outside of internet protocols and allowing to use unix/linux file
> ownerships and permissions. Should be simple to implement, just use
> a unix domain socket and connect to a path.

The socketmap_table(5) driver already supports unix-domain sockets.

> 2. (major): Use HTTP(S)/REST as an alternative protocol, allowing
> things like TLS, client certs, password authentication.

You can use stunnel(1) or similar to wrap the I/O in TLS. The local
stunnel endpoint can be a unix-domain socket.

    [unix-to-remote-tcp]
    client = yes
    accept = /path/to/unix-socket
    connect = server.example:port
    checkHost = server.example
    CAfile = ...
    CApath = ...
    # CA-based trust
    verifyChain = yes
    # Direct trust of known (in CAfile or CApath) EE cert
    # verifyPeer = yes

--
    Viktor. 🇺🇦 Слава Україні!
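
The socketmap_table(5) route suggested in the reply, as an added example that is not part of the original message or of Postfix: a minimal lookup service on a unix-domain socket that speaks the netstring request/reply protocol. The table contents, the map name `virtual`, the request size cap and the 0660 socket mode are assumptions chosen for illustration.

```python
import os
import socketserver

# Constructed sample data; a real service would query its own backend here.
TABLES = {"virtual": {"alice@example.org": "alice@mailhost.example"}}
MAX_DIGITS = 5  # caps requests below 100000 bytes (limit chosen for this example)

def encode_netstring(payload: bytes) -> bytes:
    return b"%d:%s," % (len(payload), payload)

def read_netstring(rfile):
    """Read one netstring from a binary stream; return None on clean EOF."""
    digits = b""
    while (c := rfile.read(1)) != b":":
        if not c and not digits:
            return None
        if not c.isdigit() or len(digits) >= MAX_DIGITS:
            raise ValueError("bad netstring length")
        digits += c
    size = int(digits)  # raises ValueError when no digits preceded ':'
    data = rfile.read(size)
    if len(data) != size or rfile.read(1) != b",":
        raise ValueError("truncated netstring")
    return data

def lookup(request: bytes) -> bytes:
    """Answer a 'name key' request with a socketmap_table(5) status reply."""
    name, sep, key = request.decode("utf-8", "replace").partition(" ")
    table = TABLES.get(name) if sep else None
    if table is None:
        return b"PERM unknown map or malformed request"
    return b"OK " + table[key].encode() if key in table else b"NOTFOUND "

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            while (req := read_netstring(self.rfile)) is not None:
                self.wfile.write(encode_netstring(lookup(req)))
        except ValueError:
            pass  # protocol error: close the connection without replying

def serve(path):
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket left by a previous run
    old = os.umask(0o117)  # socket is created mode 0660: owner and group only
    try:
        server = socketserver.ThreadingUnixStreamServer(path, Handler)
    finally:
        os.umask(old)
    server.serve_forever()
```

Calling `serve()` with a socket path starts the service, and Postfix would reference it as `socketmap:unix:/path/to/unix-socket:virtual`. The socket's owner, group and mode then decide which local accounts can send lookups.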
