From 17a452e349a8c72aa6e6f51cd78522b3ef427231 Mon Sep 17 00:00:00 2001
From: prim-8
Date: Tue, 5 May 2026 09:53:16 -0700
Subject: [PATCH 1/2] feat(postfix): POSTFIX_CONF_* env var convention for runtime config overrides
---
 milter/entrypoint.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/milter/entrypoint.sh b/milter/entrypoint.sh
index 8fed8f3..6f4f3b6 100644
--- a/milter/entrypoint.sh
+++ b/milter/entrypoint.sh
@@ -77,6 +77,16 @@ if [[ -n "${MYNETWORKS_EXTRA:-}" ]]; then
 echo "Extended mynetworks with: ${MYNETWORKS_EXTRA}"
 fi
 
+# Apply POSTFIX_CONF_* env vars as runtime overrides (deployer-supplied tuning).
+# e.g., POSTFIX_CONF_DEFAULT_PROCESS_LIMIT=300 → postconf -e "default_process_limit=300"
+# Parameter names are derived by stripping the prefix and lowercasing.
+while IFS='=' read -r name value; do
+ param="${name#POSTFIX_CONF_}"
+ param="${param,,}"
+ postconf -e "${param}=${value}"
+ echo "postconf override: ${param}=${value}"
+done < <(env | grep '^POSTFIX_CONF_' || true)
+
 # Append custom transport to master.cf
 cat /opt/mx-box/postfix-master.cf.append >> /etc/postfix/master.cf
 
From e77855892402f50d3d20cdf14b39cd86932a56f1 Mon Sep 17 00:00:00 2001
From: prim-8
Date: Tue, 5 May 2026 10:13:22 -0700
Subject: [PATCH 2/2] fix: move POSTFIX_CONF_* loop before TLS/mynetworks; use bash-native var expansion
---
 milter/entrypoint.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/milter/entrypoint.sh b/milter/entrypoint.sh
index 6f4f3b6..f2a3252 100644
--- a/milter/entrypoint.sh
+++ b/milter/entrypoint.sh
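Review bot: The added `echo "postconf override: ${param}=${value}"` in the PATCH 1/2 hunk writes every override value to the container log, and nothing restricts which parameters arrive this way, so a value holding a credential or an internal address would end up in log storage (inferred; no such variable is visible here). Logging the name alone keeps the audit trail: `echo "postconf override: ${param}"`. The rewritten loop in PATCH 2/2 has the same line with `${!name}`. A variable named exactly `POSTFIX_CONF_` also matches and yields an empty parameter name; `[[ -n "$param" ]] || continue` at the top of the loop body would skip it.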
@@ -57,6 +57,16 @@ fi
 # Render postfix main.cf
 envsubst '$MYHOSTNAME $MYDOMAIN' < /opt/mx-box/postfix-main.cf.template > /etc/postfix/main.cf
 
+# Apply POSTFIX_CONF_* env vars as runtime overrides before any hardcoded
+# security settings, so TLS paths and mynetworks always take precedence.
+# e.g., POSTFIX_CONF_DEFAULT_PROCESS_LIMIT=300 → postconf -e "default_process_limit=300"
+for name in "${!POSTFIX_CONF_@}"; do
+ param="${name#POSTFIX_CONF_}"
+ param="${param,,}"
+ postconf -e "${param}=${!name}"
+ echo "postconf override: ${param}=${!name}"
+done
+
 # Propagate TLS_CERT/TLS_KEY into Postfix. The template hardcodes the default
 # self-signed paths so the no-env-set case keeps working unchanged; postconf
 # overrides them when a caller has configured custom paths (or after the
@@ -77,16 +87,6 @@ if [[ -n "${MYNETWORKS_EXTRA:-}" ]]; then
 echo "Extended mynetworks with: ${MYNETWORKS_EXTRA}"
 fi
 
-# Apply POSTFIX_CONF_* env vars as runtime overrides (deployer-supplied tuning).
-# e.g., POSTFIX_CONF_DEFAULT_PROCESS_LIMIT=300 → postconf -e "default_process_limit=300"
-# Parameter names are derived by stripping the prefix and lowercasing.
-while IFS='=' read -r name value; do
- param="${name#POSTFIX_CONF_}"
- param="${param,,}"
- postconf -e "${param}=${value}"
- echo "postconf override: ${param}=${value}"
-done < <(env | grep '^POSTFIX_CONF_' || true)
-
 # Append custom transport to master.cf
 cat /opt/mx-box/postfix-master.cf.append >> /etc/postfix/master.cf
 
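Review bot: Ordering alone does not deliver what the new comment in the first hunk promises ("TLS paths and mynetworks always take precedence"). Judging from the surrounding context, the TLS block only overrides when custom paths are configured and the mynetworks block runs only when `MYNETWORKS_EXTRA` is set and extends the current value, so a `POSTFIX_CONF_MYNETWORKS` or TLS-file override would still stand in the other cases; both blocks lie mostly outside this hunk, so this needs confirming. The loop also accepts any parameter name, which includes relay restrictions and the milter settings this container exists to enforce. If the convention is meant for tuning only, skip protected names before calling postconf, e.g. `case "$param" in mynetworks|smtpd_tls_*|smtpd_milters|*_restrictions) continue ;; esac`, and log the skip. Otherwise reword the comment to state only what is actually enforced.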