On Wed 09 Nov 2022 19:29:56 +1100, Trent W. Buck wrote:
> In short, what I'm saying is:
>
> 1. you can't harden a script/daemon that uses the "fork+exec
>    /usr/sbin/sendmail" API, because different /usr/sbin/sendmail
>    implementations (e.g. postfix) require different privileges.
>
>    In particular, "requires setgid" prevents ALL of the following hardening
>    options:
>
>        DynamicUser LockPersonality MemoryDenyWriteExecute
>        NoNewPrivileges PrivateDevices ProtectClock
>        ProtectHostname ProtectKernelLogs ProtectKernelModules
>        ProtectKernelTunables RestrictAddressFamilies RestrictNamespaces
>        RestrictRealtime RestrictSUIDSGID SystemCallArchitectures
>        SystemCallFilter SystemCallLog
>
> 2. the smtp://localhost:25 API is usually available.
>
>    It prevents fewer hardening options:
>
>        PrivateNetwork=yes
>        IPAddressDeny=any
>        RestrictAddressFamilies=~AF_TCP
>
>    Basically you have to leave TCP/IP unblocked, but that's all.
I made a minor braino here, it should be AF_INET AF_INET6 not AF_TCP.

My old (Debian 9) notes about different techniques are here:
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/tree/main/systemd/system/0-EXAMPLES

    30-allow-mail-msmtp.conf:                          # → Overall exposure level: 1.0 OK 🙂
    30-allow-mail-postfix-via-msmtp.conf:              # → Overall exposure level: 0.9 SAFE 😀
    30-allow-mail-postfix-root-dac-override.conf:      # → Overall exposure level: 1.1 OK 🙂
    30-allow-mail-postfix-root-sys-admin.conf:         # → Overall exposure level: 1.4 OK 🙂
    30-allow-mail-postfix-non-root-addgroup.conf:      # → Overall exposure level: 0.5 SAFE 😀
    30-allow-mail-postfix-non-root-dac-override.conf:  # → Overall exposure level: 0.9 SAFE 😀
    30-allow-mail-postfix-non-root-setgid.conf:        # → Overall exposure level: 2.4 OK 🙂
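For readers who want to see what option 2 (talk SMTP to localhost:25 instead of fork+exec'ing /usr/sbin/sendmail) looks like as a unit drop-in, here is an added example. It is not from the thread or from the linked prisonpc-systemd-lockdown repository; the service name `mailer.service` and the drop-in filename are hypothetical. It assumes the program opens its own TCP connection to 127.0.0.1:25 or [::1]:25, so it never runs postfix's setgid sendmail wrapper and every directive the setgid requirement ruled out in the list above can be turned on.

```ini
# /etc/systemd/system/mailer.service.d/30-allow-mail-smtp.conf
# Added example for a hypothetical mailer.service; not code from the thread
# or the linked repository. Assumes the program itself speaks SMTP to
# localhost:25 and never execs /usr/sbin/sendmail.
[Service]
# Everything that "requires setgid" would have forbidden:
DynamicUser=yes
NoNewPrivileges=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# The only things that MUST stay open for smtp://localhost:25.
# AF_INET AF_INET6 (not AF_TCP, per the correction above). Add AF_UNIX only
# if the program itself connects to /dev/log or calls sd_notify().
RestrictAddressFamilies=AF_INET AF_INET6
# PrivateNetwork=yes would give the service its own empty network namespace,
# where 127.0.0.1:25 is no longer the host's MTA.
PrivateNetwork=no
# Still fence the network to loopback: an IPAddressAllow= match wins over
# IPAddressDeny=, so this permits only 127.0.0.0/8 and ::1.
IPAddressDeny=any
IPAddressAllow=localhost
```

After `systemctl daemon-reload`, `systemd-analyze security mailer.service` prints the same kind of "Overall exposure level" score as the notes listed above, which is a quick way to confirm that none of the directives were silently dropped. One caveat worth checking before copying this wholesale: `MemoryDenyWriteExecute=yes` breaks runtimes that JIT (some Python extensions, Java, most JavaScript engines), so a script-based mailer may need that one line removed.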