-------- Original Message --------
Subject: New data_directory parameter in 20071205 snapshot
Date: Tue, 4 Dec 2007 21:06:05 -0500 (EST)
From: [EMAIL PROTECTED] (Wietse Venema)
Reply-To: Postfix users <[EMAIL PROTECTED]>
To: Postfix users <[EMAIL PROTECTED]>

Postfix 2.5 experimental release 20071205 introduces a new configuration parameter called "data_directory", with the following description:

    data_directory (default: see postconf -d output)
        The directory with Postfix-writable data files (for example:
        caches, pseudo-random numbers). This directory must be owned
        by the mail_owner account, and must not be shared with
        non-Postfix software.

The default directory is /var/lib/postfix, and it is automatically created with "make install" or "make upgrade".

This directory is intended for cached TLS session keys, for saving the state of the pseudo-random number pool, and for storing databases that are maintained by the "update" feature of the proxymap program. These files are specified with "smtp_tls_session_cache_database", "smtpd_tls_session_cache_database", "tls_random_exchange_name", and the "proxy_write_maps" configuration parameter.

In addition, the tlsmgr(8) and verify(8) servers will need to be updated so that they no longer create their files as root.

The reasoning behind this is that Postfix-writable files should not exist in root-owned directories, and that root-owned files should not contain data that is maintained by an untrusted program such as Postfix. By moving Postfix-writable files out of root-owned directories I can avoid a potential security loophole where data ownership (root) does not match data provenance (Postfix).

Of course this change from (opening files for write/create as root) to (opening files for write/create as Postfix) requires a transition. People must not suddenly have broken Postfix TLS and broken address verification just because Postfix no longer opens/creates those files as root.

One option is to make tlsmgr(8) and verify(8) smarter: log a warning, and open files under $data_directory when the original parent directory isn't owned by Postfix. Implementing this is a pain but it keeps customers loyal.

I also hope that no-one will attempt to store tlsmgr/verify/etc. maps in SQL, because that would really complicate the access permissions of the mysql/pgsql control files.

	Wietse
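As an added example (not part of Wietse's message or of Postfix itself): a small audit, written in Python rather than as a postconf one-liner so it runs offline against a constructed main.cf excerpt, that checks whether the four parameters named above resolve to files under $data_directory whose parent directory is owned by mail_owner, which is the ownership/provenance mismatch the message describes. The `owner_of` callback, the CONF values and the OWNERS table are assumptions for the demonstration; on a live system you would feed it `postconf -n` output and an os.stat-based owner lookup.

```python
import re
from pathlib import Path

# Parameters the 20071205 snapshot expects to resolve under data_directory.
WRITABLE_PARAMS = ("smtp_tls_session_cache_database", "smtpd_tls_session_cache_database",
                   "tls_random_exchange_name", "proxy_write_maps")
FILE_TYPES = {"btree", "hash", "dbm"}      # map types stored as files that Postfix writes
_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")

def expand(value, conf):
    """Expand $name / ${name} references the way main.cf values use them."""
    prev = None
    while prev != value:
        prev, value = value, _VAR.sub(lambda m: conf.get(m.group(1), ""), value)
    return value

def map_paths(value):
    """Turn a map list like 'btree:/a, proxy:hash:/b' into on-disk paths."""
    paths = []
    for item in filter(None, re.split(r"[,\s]+", value.strip())):
        types, _, name = item.rpartition(":")
        # bare paths and file-backed map types count; mysql:/pgsql: maps are not files Postfix writes
        if not types or types.split(":")[-1] in FILE_TYPES:
            paths.append(name)
    return paths

def audit(conf, owner_of):
    """Return (parameter, path, problem) findings; owner_of(dir) -> owning user, injected so this runs on constructed data."""
    data_dir, mail_owner = Path(conf["data_directory"]), conf.get("mail_owner", "postfix")
    findings = []
    if owner_of(str(data_dir)) != mail_owner:
        findings.append(("data_directory", str(data_dir), "not owned by " + mail_owner))
    for param in WRITABLE_PARAMS:
        for p in map_paths(expand(conf.get(param, ""), conf)):
            parent = Path(p).parent
            if parent != data_dir and data_dir not in parent.parents:
                findings.append((param, p, "outside data_directory"))
            if owner_of(str(parent)) != mail_owner:
                findings.append((param, p, "parent directory owned by " + owner_of(str(parent))))
    return findings

# Constructed main.cf excerpt and directory owners (not taken from any real system).
CONF = {"data_directory": "/var/lib/postfix", "mail_owner": "postfix",
        "smtp_tls_session_cache_database": "btree:${data_directory}/smtp_scache",
        "smtpd_tls_session_cache_database": "btree:/etc/postfix/smtpd_scache",
        "tls_random_exchange_name": "${data_directory}/prng_exch",
        "proxy_write_maps": "$smtp_tls_session_cache_database $smtpd_tls_session_cache_database"}
OWNERS = {"/var/lib/postfix": "postfix", "/etc/postfix": "root"}

def owner_of(d):
    return OWNERS.get(d, "root")
```

With the constructed values, the smtpd session cache (and its reference through proxy_write_maps) is reported twice: it lives outside data_directory and its parent directory is root-owned.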