Michael Tokarev <m...@tls.msk.ru> writes: > The problem though, arises in 2 places.
> 1. Extra nsswitch modules, such as mdns, systemd-resolved (which is > optional since resolv.conf works), and so on, which expects their > files to be in the chroot jail (exacly like on FreeBSD with this > same mechanism). > 2. Cyrus SASL, - for any non-trivial (PLAIN or LOGIN) methods, it > needs the secrets database to be accessible in the chroot, and > people on the 'net suggest really crazy things to fix this (like > moving /etc/sasl2 userdb to /var/spool/postfix/etc/ and symlinking > it back to /etc/sasl2). > 3. Various postfix map lookup types which require additional stuff - > for these, there's an easy solution in postfix exists for over > 20 years, which is a proxy: map. So this is not an issue. > My initial intention was to turn chroot in postfix immediately. > However, I can't do anything without understanding the root issues > first. And my discovery turned out to be quite interesting. So I > really wonder... > What do you think about this aspect of postfix on debian? I personally have been very happy with the default chroot of Postfix and have not had any trouble with it, but I also don't do any of the three things you list, so that makes sense. It's a nice default for simple systems, but I understand why it's frustrating for people who are doing more complex things. So, I wouldn't object to undoing that given upstream's stance, but maybe it would be good to do that in conjunction with adding more hardening to the default configuration with systemd? systemd-analyze security postfix@- shows a whole lot of things that could potentially be improved in hardening settings, and while a lot of those won't work becuase of the number of things Postfix needs to be able to do, a lot of them are probably reasonable changes to the defaults if accompanied by instructions for how to turn them off with an override file. There is some obvious stuff like ProtectSystem, PrivateDevices, or ProtectKernelTunables that seems quite unlikely to break anything. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
