
Re: Postfix Security Documentation

On Wednesday 20 August 2003 06:26 am, Tomasz Papszun wrote:
> Sure, I know it.
> ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (50)
> #
> ==========================================================================
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> But I think that (almost?) all processes that _can_ be chrooted, _are_
> chrooted.
> How could the 'local' process deliver mail to user mailboxes if it would
> be chrooted??
> If I'm wrong and it's possible somehow, someone may correct me of
> course.
It is possible, but with some extra work. You need to have the delivery 
destination in the chroot jail with it.  For example, if you have it chroot to 
/var/spool/postfix  then you want to make /var/spool/postfix/var/spool/mail/ 
as that will be where mail is delivered to by default. Using "mount -o bind 
/var/spool/mail /var/spool/postfix/var/spool/mail" you can have the same 
stuff in both locations (or reverse it if you are really paranoid about 

> > Sven, do you want to chroot *all* processes? Postfix is supposed to be
> > secure out of the box
> I think the same :-) .

I think the added steps of chrooting the last three processes are unnecessary, 
except for overly paranoid experts.  I say experts, because in changing the 
default behavior of Postfix, it is possible to open up more security problems 
than you are preventing, and at the same time make it harder for you to 
detect such problems.  

> > (except for programming errors, as we recently saw :-( ).
> Even those, they were just vulnerable to DoS and "bounce scans", not
> break-ins.

These sorts of things will always be around, in every mail system. It's due to 
the fact SMTP is such a horrid protocol.  But we are stuck with it, so we do 
the best we can with tradeoffs.

> > So improving Postfix security should be done inside of
> > Postfix. You may want to you the Postfix mailing list (warning: lots
> > of traffic!) and ask there.

There are also several IRC channels for Postfix scattered about; they are not 
real talkative, but it's certainly less traffic than the Postfix list.


Jay Kline
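
Added example, not part of the message above or of Postfix itself: a shell check that reads the chroot column of master.cf as laid out in the quoted header and verifies that a chrooted `local` service has its mail spool inside the jail. The function names, the sample file and the `smtpd` entry are constructed for illustration; the default of `y` for `-` follows the `(yes)` in the quoted header, so pass the default your installation uses as the second argument.

```shell
# Constructed sample: the three entries quoted in the thread plus an smtp
# entry that leaves chroot at "-" and carries a continuation line.
sample_master_cf() {
cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_helo_required=yes
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
EOF
}

# chroot_report FILE [DEFAULT]
# Prints "service type y|n": the effective chroot setting of each entry.
chroot_report() {
    awk -v def="${2:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                   # continuation of the previous entry
        NF >= 8 {                           # field 5 is the chroot column
            c = ($5 == "-") ? def : $5
            print $1, $2, c
        }
    ' "$1"
}

# unchrooted_services FILE [DEFAULT]
# Lists the services that run outside the jail, one "name/type" per line.
unchrooted_services() {
    chroot_report "$1" "${2:-y}" | awk '$3 == "n" { print $1 "/" $2 }'
}

# local_jail_ok FILE JAIL SPOOL [DEFAULT]
# Fails only when local is chrooted and SPOOL does not exist inside JAIL,
# e.g. JAIL=/var/spool/postfix and SPOOL=/var/spool/mail.
local_jail_ok() {
    state=$(chroot_report "$1" "${4:-y}" |
            awk '$1 == "local" && $2 == "unix" { print $3 }')
    [ "$state" != "y" ] && return 0
    [ -d "$2$3" ]
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_master_cf > "$tmp"
chroot_report "$tmp"
rm -f "$tmp"
```
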
