From d5896fb2c642f051df11edf13191060ac7d28358 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Wed, 1 Dec 2021 12:40:28 +0000
Subject: [PATCH] Add log rotation (if logging to file). Make rsyslog the default.
---
 core/postfix/Dockerfile | 2 +-
 core/postfix/conf/logrotate.conf | 11 +++++++++++
 core/postfix/conf/rsyslog.conf | 2 +-
 core/postfix/start.py | 10 ++++++++--
 docs/configuration.rst | 14 +++++++-------
 docs/faq.rst | 1 +
 6 files changed, 29 insertions(+), 11 deletions(-)
 create mode 100644 core/postfix/conf/logrotate.conf
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 145da4fb..2aafd552 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -19,7 +19,7 @@ RUN apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev
 RUN pip3 install --no-binary :all: postfix-mta-sts-resolver==1.0.1
 RUN apk del .build-deps gcc musl-dev python3-dev
-RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login rsyslog
+RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login rsyslog logrotate
 COPY conf /conf
 COPY start.py /start.py
diff --git a/core/postfix/conf/logrotate.conf b/core/postfix/conf/logrotate.conf
new file mode 100644
index 00000000..5882607c
--- /dev/null
+++ b/core/postfix/conf/logrotate.conf
@@ -0,0 +1,11 @@
+{{POSTFIX_LOG_FILE}} {
+weekly
+rotate 52
+nocompress
+extension log
+create 0644 root root
+ postrotate
+ /bin/kill -HUP $(cat /run/rsyslogd.pid)
+ postfix reload
+ endscript
+}
diff --git a/core/postfix/conf/rsyslog.conf b/core/postfix/conf/rsyslog.conf
index d8a7bdf4..7d55b7ba 100644
--- a/core/postfix/conf/rsyslog.conf
+++ b/core/postfix/conf/rsyslog.conf
@@ -33,7 +33,7 @@ module(load="imuxsock")
 {% if POSTFIX_LOG_FILE %}
 # Log mail logs to file
-mail.* -{{LOG_FILE}}
+mail.* -{{POSTFIX_LOG_FILE}}
 {% endif %}
 # Log mail logs to stdout
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 458bf58d..de97baf6 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
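Review bot: In core/postfix/conf/logrotate.conf, `create 0644 root root` recreates the mail log world-readable after every rotation, although it records sender and recipient addresses and the docs in this patch motivate it with legal retention; `create 0640 root root` (or a dedicated group) would be tighter. The `postrotate` step runs `/bin/kill -HUP $(cat /run/rsyslogd.pid)` unguarded, so a missing pid file makes the script fail and rsyslog may keep writing to the rotated file; `[ -f /run/rsyslogd.pid ] && /bin/kill -HUP $(cat /run/rsyslogd.pid)` would make that case explicit. Since the file is written by rsyslog rather than by Postfix itself, the `postfix reload` looks unnecessary and is worth confirming.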
@@ -46,7 +46,8 @@ os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT",
 os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332")
 os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525")
-os.environ["POSTFIX_LOG_SYSLOG"] = os.environ.get("POSTFIX_LOG_SYSLOG","disabled")
+os.environ["POSTFIX_LOG_SYSLOG"] = os.environ.get("POSTFIX_LOG_SYSLOG","local")
+os.environ["POSTFIX_LOG_FILE"] = os.environ.get("POSTFIX_LOG_FILE", "")
 for postfix_file in glob.glob("/conf/*.cf"):
 conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
@@ -81,10 +82,15 @@ if "RELAYUSER" in os.environ:
 conf.jinja("/conf/sasl_passwd", os.environ, path)
 os.system("postmap {}".format(path))
-if os.environ["POSTFIX_LOG_SYSLOG"]=="local":
+if os.environ["POSTFIX_LOG_SYSLOG"] == "local":
 # Configure and start local rsyslog server
 conf.jinja("/conf/rsyslog.conf", os.environ, "/etc/rsyslog.conf")
 os.system("/usr/sbin/rsyslogd -n &")
+ # Configure logrotate
+ if os.environ["POSTFIX_LOG_FILE"] != "":
+ conf.jinja("/conf/logrotate.conf", os.environ, "/etc/logrotate.d/postfix.conf")
+ if os.path.exists("/overrides/logrotate.conf"):
+ shutil.copyfile("/overrides/logrotate.conf", "/etc/logrotate.d/postfix.conf")
 # Run Podop and Postfix
 multiprocessing.Process(target=start_podop).start()
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 00556fd7..0709e37b 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
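Review bot: With the default now `local`, the later `== "local"` comparison is the only gate, so any other value (the docs in this patch say `disable`, the old default was `disabled`) silently turns rsyslog off, and a configured POSTFIX_LOG_FILE is then ignored without any message. For a log that operators may rely on for retention, that should be visible at startup, e.g. `if os.environ["POSTFIX_LOG_FILE"] and os.environ["POSTFIX_LOG_SYSLOG"] != "local":` followed by a warning through whatever logger the file already uses. POSTFIX_LOG_FILE is also rendered verbatim into rsyslog.conf and logrotate.conf, so rejecting a value that fails `os.path.isabs(...)` at this point would keep a typo from producing a broken config. These are top-level script statements and the rest of the script lies outside the hunk.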
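Review bot: Nothing visible in the second start.py hunk schedules logrotate: the added lines only write `/etc/logrotate.d/postfix.conf`, and the only daemon started here is rsyslogd. On Alpine the logrotate package is normally driven by crond running its periodic script, so unless crond is started elsewhere in start.py (outside the hunk) the file would never be rotated; adding `os.system("/usr/sbin/crond")` in the `POSTFIX_LOG_FILE` branch would close that gap. The override is copied with `shutil.copyfile` rather than rendered through `conf.jinja`, so it must hard-code the log path; a comment such as `# override is copied verbatim, {{POSTFIX_LOG_FILE}} is not expanded` would document that. `shutil` also has to be imported at the top of the file, which the hunk does not show.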
@@ -188,9 +188,6 @@ Log messages equal or higher than this priority will be printed. Can be one of: CRITICAL, ERROR, WARNING, INFO, DEBUG or NOTSET. See the `python docs`_ for more information. -``POSTFIX_LOG_FILE`` enables postfix logging to the given file (in addition to log to stdout). -Log rotation should be done externally. - .. _`python docs`: https://docs.python.org/3.6/library/logging.html#logging-levels The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send the ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices. 
@@ -270,8 +267,11 @@ Mail log settings By default, all services log directly to stdout/stderr. Logs can be collected by any docker log processing solution. -In some situations, a separate mail log is required (e.g. for legal reasons). Postfix can be configured to write the logs to a -syslog server that stores the log files to a volume. It can be configured by the following options: +Postfix writes the logs to a syslog server which logs to stdout. This is used to filter out messages from the healthcheck. +In some situations, a separate mail log is required (e.g. for legal reasons). The syslog server can be configured to write log files to a volume. It can be configured by the following options: -- ``POSTFIX_LOG_SYSLOG``: (default: ``disabled``) set to ``local`` to enable a local syslog server for postfix -- ``POSTFIX_LOG_FILE``: The file to log the mail log to +- ``POSTFIX_LOG_SYSLOG`` (default: ``local`` ): Set to ``local`` (default) to enable the syslog server. Set to ``disable`` to disable the syslog server. If disabled, Postfix will log directly to stdout and the healthcheck messages will not be filtered out. +- ``POSTFIX_LOG_FILE``: The file to log the mail log to. When enabled, the syslog server will also log to stdout. + +When ``POSTFIX_LOG_FILE`` is enabled, the logrotate program will automatically rotate the logs every week and keep 52 logs. +To override the logrotate configuration, create the file logrotate.conf with the desired configuration in the :ref:`Postfix overrides folder`. diff --git a/docs/faq.rst b/docs/faq.rst index 177e65d7..ced46237 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -263,6 +263,7 @@ correct syntax. The following file names will be taken as override configuration - All ``$ROOT/overrides/postfix/*.map`` files - For both ``postfix.cf`` and ``postfix.master``, you need to put one configuration per line, as they are fed line-by-line to postfix. + - ``logrotate.conf`` as ``$ROOT/overrides/postfix/logrotate.conf`` - Replaces the logrotate.conf file used for rotating ``POSTFIX_LOG_FILE``. - `Dovecot`_ - ``dovecot.conf`` in dovecot sub-directory; - `Nginx`_ - All ``*.conf`` files in the ``nginx`` sub-directory; - `Rspamd`_ - All files in the ``rspamd`` sub-directory.