Thomas Schachtner via Mailman-users writes:
> But that's not the full deal. Postfix needs access to some hashed configuration files containing the transport maps and the domains of the mailman installation,
The transport is constant: lmtp:[$IP_OF_MAILMAN]:$LMTP_PORT. What the MTA needs is to confirm domains and list addresses. Individual addresses can be confirmed by your SQL RDBMS or by Mailman over TCP/IP. The Postgres implementation for Postfix is here:
https://gitlab.com/mailman/mailman/-/merge_requests/1161
It's not ready for merge yet, but it has been used for 6 months in production on a site with ~20k lists and ~100k posts/day. I think the same approach works for MySQL and SQLite3. The callout implementation for Exim is here:
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/docs/mta.ht...
This probably can be adapted to Postfix but I haven't tried. See https://www.postfix.org/ADDRESS_VERIFICATION_README.html
Note that one of the benefits of MR #1161 is that for large sites it dramatically speeds up the process of creating lists by inhibiting the creation of the Postfix transport map files. It's not necessary for either approach, but the difference is noticeable at O(1000) lists, and at 10000 lists a quite powerful host (with Postgres on a separate host) took 24 hours merely to migrate list configurations (and it appears the time cost is quadratic, so we gave up and devised the "ask Postgres" approach). Mailman cold start was taking ~15 minutes, because it was recreating that file. You'd get the same benefits of that patch when using the callout approach.
> and mailman needs the contents of the postfix configuration file.
Backwards. Mailman *creates* the Postfix configuration file but otherwise does not use it.
> Are there any best practices recommendations [for sharing file systems]?
Docker clusters usually use NFS, I think. That's what the AWS configs I've heard of use, too (AWS-branded, of course, but under the hood it's NFS). If you're worried about exposing NFS to the Internet of Threats, firewalls permitting only the Mailman and Postfix hosts to access the NFS service, and certificate-authenticated TLS for the connections should be as safe as anything exposed to the Internet.
The minimal attack surface approach is the LMTP RCPT TO callout approach in the Exim configuration above. Mailman's LMTP service must be accessible to the MTA anyway, so then you don't need to open any other ports such as Postgres or NFS.
Steve
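An added illustration of the RCPT TO callout that the message above recommends as the minimal-attack-surface option (this is example code written for this page, not Mailman's LMTP runner, not the Exim configuration linked above, and not Postfix's verify(8) daemon). It plays both sides of the exchange: a small in-process stand-in for Mailman's LMTP service with a constructed set of known list addresses, and an MTA-side probe that sends LHLO, MAIL FROM:<> and RCPT TO:<address>, then RSET and QUIT without ever sending DATA, so nothing is delivered. The host name, port (assigned dynamically here; in practice it would be the $LMTP_PORT from the message) and list addresses are all assumptions.

```python
import socket
import socketserver
import threading

# Constructed sample data: the addresses our stand-in LMTP service accepts.
# A real deployment asks Mailman itself; these values are invented for the demo.
KNOWN_RECIPIENTS = {
    "announce@lists.example.org",
    "announce-request@lists.example.org",
}


class FakeLMTPHandler(socketserver.StreamRequestHandler):
    """Stand-in for an LMTP server: answers LHLO, accepts MAIL FROM, and
    replies 250 or 550 to RCPT TO depending on KNOWN_RECIPIENTS."""

    def handle(self):
        self.wfile.write(b"220 lmtp.example.org LMTP ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "LHLO":
                self.wfile.write(b"250-lmtp.example.org\r\n250 PIPELINING\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
                if addr in KNOWN_RECIPIENTS:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 No such list here\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_fake_lmtp(host="127.0.0.1"):
    """Start the stand-in server on an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer((host, 0), FakeLMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def read_reply(f):
    """Read one complete LMTP reply, skipping '250-' continuation lines,
    and return its final line (e.g. '250 2.1.5 Ok')."""
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("LMTP peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line


def lmtp_recipient_exists(host, port, recipient, helo="mta.example.org", timeout=5.0):
    """MTA-side callout: True on 250 to RCPT TO, False on a 5xx rejection,
    ConnectionError on a 4xx temporary failure (the MTA should then defer,
    never accept, the message). No DATA is ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")

        def send(command):
            sock.sendall(command.encode("ascii") + b"\r\n")
            return read_reply(f)

        if not read_reply(f).startswith("220"):
            raise ConnectionError("no LMTP greeting")
        if not send(f"LHLO {helo}").startswith("250"):
            raise ConnectionError("LHLO rejected")
        # Null sender, as address-verification probes use.
        if not send("MAIL FROM:<>").startswith("250"):
            raise ConnectionError("MAIL FROM rejected")
        code = send(f"RCPT TO:<{recipient}>")
        send("RSET")   # abandon the transaction; nothing was delivered
        send("QUIT")
        if code.startswith("250"):
            return True
        if code.startswith("5"):
            return False
        raise ConnectionError(f"temporary failure, defer: {code}")


if __name__ == "__main__":
    server, port = start_fake_lmtp()
    for rcpt in ("announce@lists.example.org", "nosuch@lists.example.org"):
        print(rcpt, "->", lmtp_recipient_exists("127.0.0.1", port, rcpt))
    server.shutdown()
```

The point of the exchange is that the only thing the MTA host needs to reach is the LMTP port it must reach anyway for delivery; a 550 answers "no such list" with no file share, database port or transport-map file involved, and a 4xx is treated as "defer", never as "accept", so an outage of the Mailman service cannot be turned into an open relay for its domains.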