Immediately send Postfix messages to HOLD

For a project, I needed to find some way to purposefully and immediately throw sent messages into the Postfix HOLD queue so they could be released programmatically.

On Debian, you’ll need the postfix-pcre package, and then:

In /etc/postfix/
header_checks = pcre:/etc/postfix/header_checks

And then in /etc/postfix/header_checks:
/^X-My-Custom-Header: .*YES/ HOLD

In your application, for applicable messages you can set X-My-Custom-Header: YES and the messages will immediately go into HOLD.

Let’s Encrypt and nginx

With the distrust of StartCom by Google and Mozilla, the Let’s Encrypt movement is gaining steam rapidly.

You can use CertBot to get instructions on how to use Let’s Encrypt automatically. Here’s my implementation:

1.) enable jessie-backports and make sure your domain is pointing at your webserver. Then:
2.) # apt-get install certbot -t jessie-backports
3.) # certbot certonly --standalone -d -d --pre-hook "service nginx stop" --post-hook "service nginx start"
4.) You should now have the necessary files in /etc/letsencrypt/live/ in a folder named after your domain. Add them to the appropriate nginx config thus:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

(note: I don’t cover dhparams or cipher order in this post.)

Let’s Encrypt certificates are valid for 90 days, so the last step is to automate renewals. In root’s crontab I use the following for quiet monthly renewal attempts, noting that if nothing is due for renewal, no action is taken:

@monthly certbot renew -q --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"

There are other ways to do this; while certbot has a renewal cron in /etc/cron.d/certbot, Certbot’s own advanced setup documentation illustrates how to use the ‘webroot’ plugin which will work with any webserver you like, but since I don’t mind stopping my webserver once a month for this quick check, I simply use the ‘standalone’ plugin instead.