scripts: cover SASLAUTHD_* variables in start-mailserver.sh

[casperklein]

Description

This PR moves the SASLAUTHD_ variables declaration from setup-stack.sh to start-mailserver.sh and adds them to the VARS array.

Fixes: #2541 (comment)

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (non-breaking change that does improve existing functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (README.md or the documentation under docs/)
• If necessary I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[wernerfred]

LGTM

[polarathene]

This doesn't seem like the right approach?

The only purpose these ENV appear to serve is to generate a saslauthd config based on container ENV and fallbacks which is only when SASLAUTHD_MECHANISMS has the value ldap:

docker-mailserver/target/supervisor/conf.d/saslauth.conf

Line 7 in b4c49d2

command=/usr/sbin/saslauthd -d -a ldap -O /etc/saslauthd.conf

Config is generated in two approaches, assigning the ENV (or fallback directly), presumably for required config values, and then lines only referencing the ENV that also set the values key if set, otherwise resulting in empty lines:

docker-mailserver/target/scripts/startup/setup-stack.sh

Lines 587 to 610 in b4c49d2

	if [[ ! -f /etc/saslauthd.conf ]]
	then
	_log 'trace' 'Creating /etc/saslauthd.conf'
	cat > /etc/saslauthd.conf << EOF
	ldap_servers: ${SASLAUTHD_LDAP_SERVER}
	ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
	ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
	ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD}
	ldap_search_base: ${SASLAUTHD_LDAP_SEARCH_BASE}
	ldap_filter: ${SASLAUTHD_LDAP_FILTER}
	ldap_start_tls: ${SASLAUTHD_LDAP_START_TLS}
	ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER}
	${SASLAUTHD_LDAP_TLS_CACERT_FILE}
	${SASLAUTHD_LDAP_TLS_CACERT_DIR}
	${SASLAUTHD_LDAP_PASSWORD_ATTR}
	${SASLAUTHD_LDAP_MECH}
	ldap_referrals: yes
	log_level: 10
	EOF

docker-configomat is used presently to create similar files for DOVECOT_* and LDAP_* container ENV settings. This magic under the hood was partially documented in late 2020 but to a maintainer unfamiliar, it's not clear that those ENV were being processed that way. LDAP tests do cover them, and I was only aware of the configomat relation since September 2021.

Apart from some ENV to key mapping mismatches and slight syntax difference, that approach might work, or other approaches that have been used elsewhere to just append/sed update a config file.. Personally I'd rather we drop the configomat submodule at some point.

---

I'm happy to go forward with the PR regardless if you like, but I think it might be worth adding a comment that makes the maintainer reading aware that this block of ENV isn't serving any purpose in /etc/dms-settings and is just for generating a /etc/saslauthd.conf file for LDAP setups which seem to require SASL auth? (I haven't looked into setting up LDAP)

[polarathene]

SASLAUTHD_LDAP_SERVER is only used to append itself as a value for the ldap_servers: key as one of the lines for a default /etc/saslauthd.conf fallback:

docker-mailserver/target/scripts/startup/setup-stack.sh

Lines 587 to 591 in b4c49d2

	if [[ ! -f /etc/saslauthd.conf ]]
	then
	_log 'trace' 'Creating /etc/saslauthd.conf'
	cat > /etc/saslauthd.conf << EOF
	ldap_servers: ${SASLAUTHD_LDAP_SERVER}

The config file, despite it's name is only relevant / used by LDAP configs it seems:

docker-mailserver/target/supervisor/conf.d/saslauth.conf

Line 7 in b4c49d2

command=/usr/sbin/saslauthd -d -a ldap -O /etc/saslauthd.conf

---

LDAP_SERVER_HOST is not included in VARS or defined anywhere in our scripts.

It's available in:

• Env:
  • mailserver.env
  • test/mail_with_ldap.bats (used as container ENV arg)
• Docs (set with example placeholders or referenced as a fallback for another ENV):
  • README.md
  • docs/content/config/environment.md
  • docs/content/config/advanced/auth-ldap.md
  • docs/content/examples/use-cases/forward-only-mailserver-with-ldap-authentication.md
• Scripts
• target/scripts/startup/setup-stack.sh - in _setup_ldap (as a third fallback for DOVECOT_LDAP_MAPPING) and _setup_saslauthd (handled in this PR)

Doesn't seem to be a problem then since it's expected to be a container set ENV?

[polarathene]

Also not covered but seem to otherwise be container ENV that our scripts only use for SASLAUTHD_* ENV fallbacks:

• LDAP_BIND_DN - mailserver.env and ENV docs both reference SASL_LDAP_BIND_DN, but are meant to be referencing SASLAUTHD_LDAP_BIND_DN.
• LDAP_BIND_PW
• LDAP_SEARCH_BASE

---

Other SASLAUTHD_* ENV with the exception of SASLAUTHD_MECHANISMS are only being used to generate config.

Only DOVECOT_* and LDAP_* ENV is processed by configomat.sh here in setup-stack.sh:_setup_ldap:

docker-mailserver/target/scripts/startup/setup-stack.sh

Lines 340 to 374 in b4c49d2

	for FILE in "${FILES[@]}"
	do
	[[ ${FILE} =~ ldap-user ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
	[[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
	[[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
	[[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
	[[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
	configomat.sh "LDAP_" "${FILE}"
	done
	_log 'trace' "Configuring Dovecot LDAP"
	declare -A DOVECOT_LDAP_MAPPING
	DOVECOT_LDAP_MAPPING['DOVECOT_BASE']="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
	DOVECOT_LDAP_MAPPING['DOVECOT_DN']="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
	DOVECOT_LDAP_MAPPING['DOVECOT_DNPASS']="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
	DOVECOT_LDAP_MAPPING['DOVECOT_URIS']="${DOVECOT_URIS:="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"}"
	# Add protocol to DOVECOT_URIS so that we can use dovecot's "uris" option:
	# https://doc.dovecot.org/configuration_manual/authentication/ldap/
	if [[ ${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]} != *'://'* ]]
	then
	DOVECOT_LDAP_MAPPING['DOVECOT_URIS']="ldap://${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}"
	fi
	# Default DOVECOT_PASS_FILTER to the same value as DOVECOT_USER_FILTER
	DOVECOT_LDAP_MAPPING['DOVECOT_PASS_FILTER']="${DOVECOT_PASS_FILTER:="${DOVECOT_USER_FILTER}"}"
	for VAR in "${!DOVECOT_LDAP_MAPPING[@]}"
	do
	export "${VAR}=${DOVECOT_LDAP_MAPPING[${VAR}]}"
	done
	configomat.sh "DOVECOT_" "/etc/dovecot/dovecot-ldap.conf.ext"

Should we really migrate this logic for storing in /etc/dms-settings? One might argue that ENV config is the wrong approach vs just overwriting an example config and mounting that with other config files?

[polarathene]

This is fine, the ENV is specified here clearly as a default instead of baked in as a default via docker image ENV.

It is used later in this script by calling:

docker-mailserver/target/scripts/start-mailserver.sh

Line 231 in b4c49d2

[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_start_daemon '_start_daemon_saslauthd'

which uses the ENV:

docker-mailserver/target/scripts/startup/daemons-stack.sh

Lines 39 to 42 in b4c49d2

	function _start_daemon_saslauthd
	{
	_default_start_daemon "saslauthd_${SASLAUTHD_MECHANISMS}"
	}

Technically the fallback could exist within that function unless we have anything else that would justify storing this information into /etc/dms-settings.

By keeping the ENV in the Dockerfile like it was, the fallback would be implicit and always available, without being dependent upon this script that strives to ensure any ENV fallbacks are accessible to other processes through /etc/dms-settings.

---

This distinction might be worth having (with documentation for maintainers). ENV usage has become vague as we see in this PR, where we're moving ENV to a common ENV setup and to persist but ignoring the intention?

Dropping this line in favor of restoring ENV SASLAUTHD_MECHANISMS=pam in the Dockerfile? (with some context comment to avoid repeating the misunderstanding?).

[casperklein]

I am very low on time for the next weeks. I will look into this by the end of may.

[casperklein]

This doesn't seem like the right approach?

My aim with this PR is to streamline our logic. At the moment, not all user configurable ENVs are present in our VARS array, as you also noticed.
But that should be the case.

---

I think it might be worth adding a comment that makes the maintainer reading aware that this block of ENV isn't serving any purpose in /etc/dms-settings

But this is also true for most of the other ENVs in that file? Or did I misunderstand you? The file serves two purposes IMO:

1. To quickly see inside the container, which default/user-defined settings/ENVs this container uses.
2. To be sourced/used by any script that likes to

---

LDAP_SERVER_HOST is not included in VARS or defined anywhere in our scripts.

Yes. But it can be configured by the user, so it should be in $VARS.

---

SASLAUTHD_MECHANISMS
By keeping the ENV in the Dockerfile like it was, the fallback would be implicit and always available, without being dependent
upon this script that strives to ensure any ENV fallbacks are accessible to other processes through /etc/dms-settings.

Not a fan of this. I like the approach from a maintenance point of view, to see all (available) used VARS in one place: start-mailserver.sh. In Dockerfile only those ENVs should be defined, that are strictly needed while building or while container startup.

---

Should we really migrate this logic for storing in /etc/dms-settings? One might argue that ENV config is the wrong approach vs just overwriting an example config and mounting that with other config files?

I guess, we looked with different expectations on this PR 😆 My main intend was to streamline our code/logic. Your general concerns (if ENVs are the best way to go to alter config files) are also valid, but from my POV not directly related to this PR.

[polarathene]

I like the approach from a maintenance point of view, to see all (available) used VARS in one place: start-mailserver.sh.

• All of these SASLAUTHD_ ENV are dependent upon SASLAUTHD_MECHANISMS=ldap being set, to be of any relevance:

  Expand to view relevant project references

  docker-mailserver/target/scripts/startup/daemons-stack.sh

  Lines 39 to 42 in 05e45c3

  	function _start_daemon_saslauthd
  	{
  	_default_start_daemon "saslauthd_${SASLAUTHD_MECHANISMS}"
  	}

  docker-mailserver/target/supervisor/conf.d/saslauth.conf

  Lines 1 to 8 in 05e45c3

  	[program:saslauthd_ldap]
  	startsecs=0
  	autostart=false
  	autorestart=true
  	stdout_logfile=/var/log/supervisor/%(program_name)s.log
  	stderr_logfile=/var/log/supervisor/%(program_name)s.log
  	command=/usr/sbin/saslauthd -d -a ldap -O /etc/saslauthd.conf
  	pidfile=/var/run/saslauthd/saslauthd.pid

  And if /etc/saslauthd.conf does not exist, to use the SASLAUTHD_ ENV to generate the config (but only if ENABLE_SASLAUTHD is also defined):

  Expand to view relevant project references

  docker-mailserver/target/scripts/start-mailserver.sh

  Line 152 in 05e45c3

  [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd'

  docker-mailserver/target/scripts/startup/setup-stack.sh

  Lines 587 to 611 in 05e45c3

  	if [[ ! -f /etc/saslauthd.conf ]]
  	then
  	_log 'trace' 'Creating /etc/saslauthd.conf'
  	cat > /etc/saslauthd.conf << EOF
  	ldap_servers: ${SASLAUTHD_LDAP_SERVER}
  	ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
  	ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
  	ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD}
  	ldap_search_base: ${SASLAUTHD_LDAP_SEARCH_BASE}
  	ldap_filter: ${SASLAUTHD_LDAP_FILTER}
  	ldap_start_tls: ${SASLAUTHD_LDAP_START_TLS}
  	ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER}
  	${SASLAUTHD_LDAP_TLS_CACERT_FILE}
  	${SASLAUTHD_LDAP_TLS_CACERT_DIR}
  	${SASLAUTHD_LDAP_PASSWORD_ATTR}
  	${SASLAUTHD_LDAP_MECH}
  	ldap_referrals: yes
  	log_level: 10
  	EOF
  	fi

• When those dependencies are not met, any fallback values assigned are irrelevant and should not persist to /etc/dms-settings as that would be misleading/redundant for lookup. With the present config, such assignments are properly guarded, you've removed those with the current state of ENV logic migration.

• This dependency should be made clear to maintainers. If you're going to migrate all the ENV here for the reasons you cite, then make it clear to maintainers that all SASLAUTHD_ is only relevant to that dependency. Wrap into a conditional to communicate that.

---

Yes. But it can be configured by the user, so it should be in $VARS.

Why aren't you including LDAP_SERVER_HOST into $VARS too then? It seems odd to insist migrating ENV here for such a reason, when they reference ENV that has not been given the same treatment?

Do you intend to do a follow-up PR covering the LDAP_ and DOVECOT_ vars used by configomat implicitly (we document them, and may use the ENV for fallbacks - but these two set of ENV are similar to SASLAUTHD_ as convenience for per-line config generation).

Likewise, I noted several other LDAP_ ENV that are used to support SASLAUTHD_ and configomat, but should also be added to $VARS if you insist on this?

At the very least, perhaps mailserver.env and our ENV docs should make the correction: SASL_LDAP_BIND_DN => SASLAUTHD_LDAP_BIND_DN.

---

My aim with this PR is to streamline our logic. At the moment, not all user configurable ENVs are present in our VARS array, as you also noticed.
But that should be the case.

Yes I noticed it was not, not if it should be.

My opinion is that the feature is niche in support (we already have a lack of maintainer support for LDAP itself), and no one has requested these ENV be persisted to /etc/dms-settings.

The actual config file could be parsed to get the same information and is probably a better source for such information if any other manipulation of the config was to occur.

Especially since we've got a conditional to check for existence of the config file, users may be explicitly mounting their own config where those ENV would be unrelated, and any fallbacks assigned misleading, vs the actual information. Restoring the proper guards / dependencies for the ENV being managed would at least help avoid that problem.

---

But this is also true for most of the other ENVs in that file? Or did I misunderstand you?

I recall /etc/dms-settings being created to support a test that ran a command to check ENV in a container, but that was lacking access to an ENV or the correct one (fallback value IIRC), so you implemented support this way to get access to such.

That's valid. I don't see it as valid in this case where the sole purpose is use the ENV as values into a config file being generated. Nothing else depends or cares about those ENV, fallbacks are only relevant during the logic to generate config if one does not already exist.

Perhaps I'm not thinking of a situation where this would actually be useful. For us, it's expected that any issues provide the ENV used, and if anyone did troubleshoot an issue regarding the feature these ENV support, we'd likely ask them to share /etc/saslauthd.conf. Between those two and the very isolated script section that handles it, I don't see us having any real need for the ENV being persisted to /etc/dms-settings.

I don't believe all ENV we support should live in that file. Personally, if I had the time I would look back through the history of where and why the ENV was contributed, and consider a breaking change PR that drops support for it. It seems more suited to be it's own helper script/command for setup.sh or third-party/community in that sense.

When/if I find time to go through LDAP support, my intent would be to try isolate the feature support into it's own layer, as right now that support has been rotting and very reliant upon community contributions (we generally only get issues and very few fixes these days for LDAP).

---

You may want to move these lines closer to each other, the first $VARS assignment also seems unnecessary?:

VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER:=${LDAP_SERVER_HOST}}"
# ...
[[ ${SASLAUTHD_LDAP_SERVER} != *'://'* ]] && SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER}"

---

TL;DR

I am of the opinion that these ENV do not belong in /etc/dms-settings. I cannot think of a situation that they're useful, given the context above. Specifically that ENV only intended for lines in a config file - it is better to parse that config file directly, since that is the source of truth in this case.

I will provide approval, on the basis that:

• You restore the dependency guards, so that they're only managed (and stored in /etc/dms-settings) if they'd actually be used for their purpose. AFAIK, that purpose is solely to generate a config file when one does not exist; and only for LDAP users. Dependencies are: SASLAUTHD_MECHANISMS=ldap, ENABLE_SASLAUTHD=1, [[ ! -f /etc/saslauthd.conf ]].
• Update mailserver.env and ENV docs LDAP_BIND_DN reference of SASL_LDAP_BIND_DN to SASLAUTHD_LDAP_BIND_DN.
• Intend to follow-up with PRs for other related ENV, or at least those that are referenced by the SASLAUTHD_ ENV assignment in this PR. Note that our docs for some like LDAP_BIND_DN claim default values, but no such defaults are actually applied by us (anymore?), so those would need to be corrected (updating docs to remove default claims as assigning actual defaults may be a breaking change?).

[casperklein]

All of these SASLAUTHD_ ENV are dependent upon SASLAUTHD_MECHANISMS=ldap being set, to be of any relevance:
This dependency should be made clear to maintainers. If you're going to migrate all the ENV here for the reasons you cite, then make it clear to maintainers that all SASLAUTHD_ is only relevant to that dependency. Wrap into a conditional to communicate that.

Yes. But that's like it was ever since - so no regression: This applies for any ENVs that depends on other ENVs like ENABLE_*? For example:

SA_KILL, SA_TAG are only used when also ENABLE_SPAMASSASSIN=1 is given, however they are in VARS, no matter if SA is enabled or not. I am not introducing a new behaviour here, I just carry on the existing logic.
VARS include all default/user defined values, no matter if used or not.

If that behaviour should generally be changed, this should be discussed/changed in a separate issue/PR.

---

Why aren't you including LDAP_SERVER_HOST into $VARS too then?

Because I overlooked it at first. I am going to add it as well 👍

---

Do you intend to do a follow-up PR covering the LDAP_ and DOVECOT_ vars used by configomat implicitly

You are right, they should also be covered. But I don't have immediate plans to do so. Maybe in the long term, I've other ideas that I want to contribute first. This PR already took me more afford than initially planed 😉

---

Likewise, I noted several other LDAP_ ENV that are used to support SASLAUTHD_

Yep, I will add LDAP_BIND_DN, LDAP_BIND_PW, LDAP_SEARCH_BASE also 👍

---

I don't believe all ENV we support should live in that file

I think, we just have different expectations about the VARS array and therefore the content of /etc/dms-settings & /root/.bashrc.
To follow your expectation, than we could remove most of the VARS[XXX]="${XXX:=}" lines in start-mailserver.sh, with the few exceptions of those that are used indirectly via sourcing dms-settings file in other scripts. Then only 6-7 lines would be left.
Afaik no more ENVs are indirectly used via sourcing /etc/dms-settings by those scripts: listmailuser, virus-wiper, check-for-changes.sh.

I am the opinion, that having all ENVs in $VARS is nice to have, no matter if actively used or not. They don't hurt in any way. However, technically most of them are not needed and just there for convenience.

You may want to move these lines closer to each other, the first $VARS assignment also seems unnecessary?:

VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER:=${LDAP_SERVER_HOST}}"
# ...
[[ ${SASLAUTHD_LDAP_SERVER} != *'://'* ]] && SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER}"

Why you think it's unnecessary? Without, the value of LDAP_SERVER_HOST would not be covered?

tl;dr:

• I can add those 4 missing ENVs you mentioned
• Your other concerns may be valid, (please don't get me wrong) but not scope of this PR. This should just be a little step, to make our code base more consistent.

We have three options now I guess:

1. Discarding this PR and leaving as it is. $VARS will not contain all vars and unused ones will still be there. No progress.
2. Discarding this PR and removing most entrys in $VARS. (keeping only those few needed by scripts).
3. Keeping the current behaviour, merging this PR and extending VARS even more to also cover LDAP_ etc. in the future.

I am clearly for the third option. I also understand your point of view, but I have a different opinion ✌️

[polarathene]

EDIT: Feel free to ignore the comment below and merge. I'll raise a follow-up PR.

---

Original Response

so no regression: This applies for any ENVs that depends on other ENVs like ENABLE_*?

I was pointing out that you're changing the current behaviour by dropping all those dependencies. Technically there is no impact since it's just processing ENV that was otherwise only handled when relevant. Actual logic to use them remains behind the dependencies.

Still I'm not fond of unconditionally running the ENV handling.

SA_KILL, SA_TAG are only used when also ENABLE_SPAMASSASSIN=1 is given, however they are in VARS, no matter if SA is enabled or not.

Fair, but that doesn't mean it should be that way. Just because it's not properly wrapped elsewhere does not justify ignoring it with this PR imo.

VARS include all default/user defined values, no matter if used or not.

I could see it being useful for users to include the output of with reports. Usually they dump the mailserver.env file which has added noise. At least we could leverage /etc/dms-settings to only store what's relevant, or better diff out defaults (for a setup command only) that allows us to only see the explicitly set ENV.

/etc/dms-settings is still useful to reference config state that our scripts modify during startup, which isn't available within the containers ENV. If a user isn't using LDAP, it helps nobody to include partial SASLAUTHD_ ENV, it's noise. Why you want to encourage supporting that is beyond me.

If that behaviour should generally be changed, this should be discussed/changed in a separate issue/PR.

That's fine. I'm not requesting this PR address that issue in full. Just that since SASLAUTHD_ was never assigned to VARS (and thus stored in files like /etc/dms-settings), we have the opportunity to ensure it's properly handled in this PR. I don't see a strong reason not to do so, or to defer to a separate PR.

---

Why you think it's unnecessary? Without, the value of LDAP_SERVER_HOST would not be covered?

I meant the ENV did not need to be part of VARS at that point, it gets re-assigned to VARS a 2nd time regardless. Moving the line to group with the other two would also be more appropriate to group them together.

At first I had a double-take when I saw the double VARS assignment in two locations thinking one of the lines might have accidentally been assigned to the wrong VARS key.

-VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER:=${LDAP_SERVER_HOST}}"
# ...
+SASLAUTHD_LDAP_SERVER="${SASLAUTHD_LDAP_SERVER:=${LDAP_SERVER_HOST}}"
[[ ${SASLAUTHD_LDAP_SERVER} != *'://'* ]] && SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER}"

---

• I can add those 4 missing ENVs you mentioned

I'd rather you don't if you're not covering all of LDAP_.

You've said you'd like to tackle that in future, but unsure when. Might as well leave that support blank rather than partial? Since those also need their outdated documented defaults corrected (unrelated to SASLAUTHD_), that makes more sense scoped to it's own PR.

• Your other concerns may be valid, (please don't get me wrong) but not scope of this PR. This should just be a little step, to make our code base more consistent.

I think the concern regarding mailserver.env and ENV docs correcting the ENV name to the proper SASLAUTHD_ ENV is valid for this PR. Your PR is unconditionally including these ENV elsewhere now, and they reference an ENV where the docs incorrectly refer to an ENV that doesn't exist instead of the correct SASLAUTHD_ one.

---

I would still appreciate some inline documentation regarding the ENV. Now that they've been pulled out of the only function that uses them, maintainers may not be aware that is the only relevant location and need to consider the scope of these ENV in future maintenance work? (grep isn't really sufficient for confidence, eg with ENV dependent upon configomat)

Prior to this PR, it was not obvious to me what the ENV were dependent upon for relevance. As our LDAP support in future remains questionable, I'd prefer that we keep it obvious. Without a conditional wrapping them, I'm also wary of ENV being shuffled around (less of an issue with the SASLAUTHD_ grouping prefix at least).

Could we please at least go from the vague # SASL specific variables to something like:

# Only applies when ENABLE_SASLAUTHD=1 and SASLAUTHD_MECHANISMS=ldap
# SASLAUTHD ENV to generate config when /etc/postfix/saslauthd.conf does not exist

That's not much more to add, but vastly improves the communication of purpose for these ENV to maintainers. SASL is used elsewhere beyond the purpose covered here and differs in relevancy. As a maintainer I want to think less and ideally not need to trawl the project or git blame (which is not fun).

---

We have three options now I guess:

Or the fourth that I requested, wrap these ENV in a conditional, retaining the current chain of dependencies for their relevance, rather than further ambiguating that..

I'm willing to go with your third option (this PR), with a compromise of better inline documentation (the two line comment suggestion above).

I am clearly for the third option. I also understand your point of view, but I have a different opinion

EDIT: Since two other maintainers have approved this and not joined in my review concerns, I'm not going to fight this further. Merge it and I'll raise a separate PR with the documentation concerns I have.

[casperklein]

WTF. I wanted to update the branch, not merge it 😱

Edit: I'll provide a follow up PR with the promised changes.
Edit2: Okay.. I already started to doubt myself 😆 But I realized, that auto-merge was enabled by @polarathene ☺️

[polarathene]

Yeah sorry @casperklein I thought it was good to merge (I couldn't update the branch though, preventing that) and so I had prepared the squash commit for merging 😅

There's a "Revert" button I can click, I assume it will undo the merge?

[casperklein]

There's a "Revert" button I can click, I assume it will undo the merge?

No Problem. I already did the follow up PR.