17

I see a lot of the time that the same settings can be specified in both main.cf, and also in master.cf using the -o prefix.

My question is, does one override the other, and if so, which file is given priority if the same setting (with a different value) is found in both?

For instance, if

smtpd_tls_auth_only=yes

was specified in main.cf, but

-o smtpd_tls_auth_only=no 

was specified in master.cf, which one would postfix pay attention to?

Dale C. Anderson

2 Answers

16

As documented,

-o name=value
                 Override  the  named  main.cf  configuration
                 parameter.

main.cf sets the default values used by all services defined in master.cf; -o options in master.cf can override these on a per-service basis.

adaptr
6

Basically settings in main.cf are valid and used globally unless they are overridden in master.cf for specific Postfix daemons (smtpd, trivial-rewrite, cleanup, pickup, ...). You may specify, for example, smtp_tls_security_level = may in main.cf and disable it for the submission port bound to localhost for the smtpd daemon:

localhost:submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=none

But for the submission port on an external IP address you may enforce encryption:

1.2.3.4:submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o ...

In certain situations you might have to override a global setting, for example when using Amavisd, address mappings (alias expansion, etc) need to be disabled when sending mail through the Amavisd smtpd daemon. Otherwise recipients might receive duplicate messages:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
  -o content_filter=
  -o ...
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
  -o ...

Of course, during regular operation, outside of Amavis, you want address mappings, so by default they are enabled in main.cf.

daff
  • 1
    You cannot simply set a new IP:port for a service; this creates a second instance of the service, with the same name (potentially confusing), and is more than likely outside the OP's purview. If you do duplicate services, always set `-o syslog_name=secondservice` to distinguish the service in your logs. – adaptr Jan 04 '13 at 10:43
  • Thanks for the comment, but I am well aware of that. Multiple instances of services are necessary when hosting multiple domains with different SSL certificates and therefore different IP addresses. I simply gave a real-world example where one would override settings from main.cf in master.cf. – daff Jan 04 '13 at 12:36
  • It didn't answer the OP's question, and did not include the syslog_name change I explained above. I'd not consider this "real-world" and fail to see where "SSL certificates" enter into it. – adaptr Jan 04 '13 at 14:10
  • 1
    I answered OP's question in my first sentence. And yes, it is a real-world example, taken from one of our Postfix servers hosting 18 domains. "SSL certificates" enter into it since there is no such thing as SSL name-based virtual hosting in Postfix (in practice), so one needs to assign one IP address per domain. Otherwise there is no way to present correct SSL certificates to clients. To do that multiple instances of the `smtpd` service are needed, each with different settings for `myhostname`, `smtpd_tls_key_file`, `smtpd_tls_cert_file` and so on. Those settings are overrides of main.cf. – daff Jan 04 '13 at 15:37
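
The precedence both answers describe, as an added example that is not part of the original posts and is not Postfix code: a small Python resolver that merges per-service -o overrides from master.cf over the main.cf defaults, which is useful for spotting a service that quietly weakens a global setting. MAIN_CF and MASTER_CF are constructed samples, the function names are hypothetical, and only the plain -o name=value form is parsed.

```python
# Constructed sample files (not from the page), modelled on the question's example.
MAIN_CF = """\
# global defaults for every service
smtpd_tls_auth_only = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
"""
MASTER_CF = """\
smtp            inet  n  -  -  -  -  smtpd
submission      inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_auth_only=no
127.0.0.1:10025 inet  n  -  -  -  -  smtpd
  -o content_filter=
"""

def logical_lines(text):
    """Drop blank/comment lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """Return {parameter: value} from main.cf text."""
    pairs = (line.partition("=") for line in logical_lines(text))
    return {name.strip(): value.strip() for name, _, value in pairs}

def parse_master(text):
    """Return {service: {parameter: value}} from plain `-o name=value` arguments."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        args = fields[8:]  # fields 0-6 are the fixed columns, field 7 is the command
        pairs = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o"]
        services[fields[0]] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return services

def effective(param, main, master):
    """-o wins for that service, even when empty; else main.cf; None means unset in both."""
    return {svc: ov.get(param, main.get(param)) for svc, ov in master.items()}

if __name__ == "__main__":
    main, master = parse_main(MAIN_CF), parse_master(MASTER_CF)
    print(effective("smtpd_tls_auth_only", main, master))
```

On a live host, `postconf -n` lists the non-default main.cf settings and `postconf -P` lists the -o overrides in master.cf, so the same comparison can be made against the real configuration.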