On Wed, 20 Aug 2003 at 12:59:39 +0200, Lupe Christoph wrote:
> Quoting Tomasz Papszun <[EMAIL PROTECTED]>:
> > On Wed, 20 Aug 2003 at 10:55:55 +0200, Sven Riedel wrote:
>
> > > is there any documentation on securing a postfix server readily
> > > available? I didn't find anything much at the postfix homepage, nor in
> > > the postfix-doc package.
> > > I'd be especially interested in chrooting postfix processes.
>
> > In Debian, postfix is chrooted by default.
>
> Not true. A number of processes are chrooted, but not all. Please look
> at /etc/postfix/master.cf (IIRC). This is a standard feature of Postfix.

Sure, I know it.

==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  n       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp

But I think that (almost?) all processes that _can_ be chrooted, _are_
chrooted. How could the 'local' process deliver mail to user mailboxes
if it would be chrooted??
If I'm wrong and it's possible somehow, someone may correct me of course.

> Sven, do you want to chroot *all* processes? Postfix is supposed to be
> secure out of the box

I think the same :-) .

> (except for programming errors, as we recently saw :-( ).

Even those, they were just vulnerable to DoS and "bounce scans", not
break-ins.

> So improving Postfix security should be done inside of
> Postfix. You may want to use the Postfix mailing list (warning: lots
> of traffic!) and ask there.
>
> Lupe Christoph

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
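
Added example (not part of the original message, and not Postfix's own code): a small check that reads master.cf entries and reports which services run outside the chroot, treating "-" in the chroot column as the default shown in the quoted header. The function names and the default_chroot parameter are hypothetical; the sample input is the listing from the message above.

```python
# Added example: list which active master.cf services run chrooted.
# MASTER_CF holds the active and commented entries quoted in the message above.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       nqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
flush     unix  n       -       -       1000?   0       flush
smtp      unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
"""

def chroot_report(text, default_chroot=True):
    """Map (service, type) -> (command, chrooted) for active entries.

    default_chroot is what "-" means in the chroot column; the header quoted
    in the message says (yes). Check the header of your own master.cf.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                           # blank line or comment
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()   # continuation line
        else:
            entries.append(raw.strip())
    report = {}
    for entry in entries:
        fields = entry.split(None, 7)
        if len(fields) < 8 or fields[4] not in ("y", "n", "-"):
            raise ValueError(f"malformed master.cf entry: {entry!r}")
        chrooted = default_chroot if fields[4] == "-" else fields[4] == "y"
        report[(fields[0], fields[1])] = (fields[7].split()[0], chrooted)
    return report

def not_chrooted(text, default_chroot=True):
    """Sorted "service/type" names of entries that run outside the chroot."""
    report = chroot_report(text, default_chroot)
    return sorted(f"{s}/{t}" for (s, t), (_, ch) in report.items() if not ch)
```

On the listing above, not_chrooted(MASTER_CF) names only the local, virtual and lmtp entries.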