-------- Original Message --------
Subject:        New data_directory parameter in 20071205 snapshot
Date:   Tue, 4 Dec 2007 21:06:05 -0500 (EST)
From:   [EMAIL PROTECTED] (Wietse Venema)
Reply-To:       Postfix users <[EMAIL PROTECTED]>
To:     Postfix users <[EMAIL PROTECTED]>
Postfix 2.5 experimental release 20071205 introduces a new
configuration parameter called "data_directory", with the
following description:

data_directory (default: see postconf -d output)
      The directory with Postfix-writable data files (for example:
      caches, pseudo-random numbers). This directory must be owned
      by the mail_owner account, and must not be shared with
      non-Postfix software.

The default directory is /var/lib/postfix, and it is automatically
created with "make install" or "make upgrade".

This directory is intended for cached TLS session keys, for saving
the state of the pseudo-random number pool, and for storing databases
that are maintained by the "update" feature of the proxymap program.
These files are specified with "smtp_tls_session_cache_database",
"smtpd_tls_session_cache_database", "tls_random_exchange_name",
and the "proxy_write_maps" configuration parameter.

In addition, the tlsmgr(8) and verify(8) servers will need to be
updated so that they no longer create their files as root. The
reasoning behind this is that Postfix-writable files should not
exist in root-owned directories, and that root-owned files should
not contain data that is maintained by an untrusted program such
as Postfix.  By moving Postfix-writable files out of root-owned
directories I can avoid a potential security loophole where data
ownership (root) does not match data provenance (Postfix).

Of course this change from (opening files for write/create as root)
to (opening files for write/create as Postfix) requires a transition.
People must not suddenly have broken Postfix TLS and broken address
verification just because Postfix no longer opens/creates those
files as root. One option is to make tlsmgr(8) and verify(8) smarter:
log a warning, and open files under $data_directory when the original
parent directory isn't owned by Postfix.

Implementing this is a pain but it keeps customers loyal.

I also hope that no-one will attempt to store tlsmgr/verify/etc. maps
in SQL, because that would really complicate the access permissions
of the mysql/pgsql control files.

        Wietse
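The fallback described above (warn, and open the file under $data_directory when the requested parent directory is not owned by mail_owner), as an added Python sketch that is neither Postfix code nor part of this message. It assumes plain filesystem paths rather than Postfix's type:path map specifications, a constructed mail_owner uid of 101, and an injectable stat function so the constructed filesystem view runs offline.

```python
import logging
import os
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result with only the fields the checks use.
DirStat = namedtuple("DirStat", "st_uid st_mode")

log = logging.getLogger("postfix-data-dir")


def check_data_directory(data_directory, mail_owner_uid, stat_fn=os.stat):
    """Enforce the data_directory rules: a real directory, owned by
    mail_owner, and not writable by any other account."""
    st = stat_fn(data_directory)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{data_directory} is not a directory")
    if st.st_uid != mail_owner_uid:
        raise RuntimeError(f"{data_directory} not owned by uid {mail_owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{data_directory} must not be group/world writable")


def choose_writable_path(requested, data_directory, mail_owner_uid, stat_fn=os.stat):
    """Return where a daemon running as mail_owner should create `requested`.
    Keep the path if its parent directory is owned by mail_owner; otherwise
    (e.g. a root-owned legacy location) warn and relocate under data_directory,
    so that ownership of the written data matches its provenance."""
    check_data_directory(data_directory, mail_owner_uid, stat_fn)
    parent = os.path.dirname(requested) or "."
    try:
        st = stat_fn(parent)
        parent_ok = stat.S_ISDIR(st.st_mode) and st.st_uid == mail_owner_uid
    except FileNotFoundError:
        parent_ok = False
    if parent_ok:
        return requested
    relocated = os.path.join(data_directory, os.path.basename(requested))
    log.warning("%s: parent %s not owned by uid %d; using %s instead",
                requested, parent, mail_owner_uid, relocated)
    return relocated


def demo():
    """Constructed view: /var/spool/postfix is root-owned (uid 0),
    /var/lib/postfix belongs to the constructed mail_owner uid 101."""
    fake_fs = {"/var/lib/postfix": DirStat(101, stat.S_IFDIR | 0o700),
               "/var/spool/postfix": DirStat(0, stat.S_IFDIR | 0o755)}

    def fake_stat(path):
        if path not in fake_fs:
            raise FileNotFoundError(path)
        return fake_fs[path]
    return (choose_writable_path("/var/spool/postfix/smtpd_scache", "/var/lib/postfix", 101, fake_stat),
            choose_writable_path("/var/lib/postfix/smtp_scache", "/var/lib/postfix", 101, fake_stat))
```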

