On Wednesday 20 August 2003 06:26 am, Tomasz Papszun wrote:
> Sure, I know it.
>
> ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (50)
> #
> ==========================================================================
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
>
>
> But I think that (almost?) all processes that _can_ be chrooted, _are_
> chrooted.
> How could the 'local' process deliver mail to user mailboxes if it were
> chrooted??
>
> If I'm wrong and it's possible somehow, someone may correct me of
> course.
>

It is possible, but with some extra work. You need to have the delivery
destination in the chroot jail with it. For example, if you have it chroot to
/var/spool/postfix then you want to make /var/spool/postfix/var/spool/mail/,
as that will be where mail is delivered to by default. Using
"mount -o bind /var/spool/mail /var/spool/postfix/var/spool/mail" you can
have the same stuff in both locations (or reverse it if you are really
paranoid about security).

> > Sven, do you want to chroot *all* processes? Postfix is supposed to be
> > secure out of the box
>
> I think the same :-) .

I think the added steps of chrooting the last three processes are
unnecessary, except for overly paranoid experts. I say experts, because in
changing the default behavior of Postfix, it is possible to open up more
security problems than you are preventing, and at the same time make it
harder for you to detect such problems.

> > (except for programming errors, as we recently saw :-( ).
>
> Even those, they were just vulnerable to DoS and "bounce scans", not
> break-ins.

These sorts of things will always be around, in every mail system. It's due
to the fact that SMTP is such a horrid protocol. But we are stuck with it, so
we do the best we can with tradeoffs.

> > So improving Postfix security should be done inside of
> > Postfix. You may want to use the Postfix mailing list (warning: lots
> > of traffic!) and ask there.

There are also several IRC channels for Postfix scattered about. They are
not very talkative, but it's certainly less traffic than the Postfix list.

Jay

-- 
Jay Kline
http://www.slushpupie.com/
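The question in this thread is which master.cf services actually run chrooted, and what extra setup a chrooted 'local' needs. The following is an added example, not code from Jay's post or from the Postfix project: it parses master.cf entries (including continuation lines), applies the column defaults printed in the header comment quoted above (private=yes, unpriv=yes, chroot=yes), lists the services that run outside the jail, and builds the "mount -o bind" command Jay describes as a string rather than running it. The sample master.cf is constructed for the example from the three entries quoted in the thread plus a few typical ones; the function names, the submission "-o" override and the /var/spool/postfix and /var/spool/mail paths are assumptions for illustration.

```python
"""Parse a Postfix master.cf and report which services run chrooted.

Added example for the thread above (not Postfix's own code).  The sample
master.cf is constructed; column defaults follow the header comment quoted
in the thread: private=yes, unpriv=yes, chroot=yes.
"""

import os
from dataclasses import dataclass

# Columns: service type private unpriv chroot wakeup maxproc command + args
# A '-' in a y/n column means "use the default".
COLUMN_DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y"}


@dataclass
class Service:
    name: str
    type: str          # inet, unix, fifo, pass
    private: bool
    unpriv: bool
    chroot: bool
    command: str       # daemon name plus any -o overrides


def _yes_no(value: str, column: str) -> bool:
    """Resolve a y/n/- column against its default."""
    v = COLUMN_DEFAULTS[column] if value == "-" else value
    if v not in ("y", "n"):
        raise ValueError(f"bad {column} flag {value!r}")
    return v == "y"


def _logical_lines(text: str):
    """Yield master.cf entries with continuation lines (those starting with
    whitespace) joined on, skipping comments and blank lines."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield current
        current = raw.strip()
    if current is not None:
        yield current


def parse_master_cf(text: str) -> list:
    """Return one Service per master.cf entry."""
    services = []
    for line in _logical_lines(text):
        fields = line.split(None, 7)   # everything after maxproc is the command
        if len(fields) < 8:
            raise ValueError(f"short master.cf entry: {line!r}")
        name, typ, private, unpriv, chroot, _wakeup, _maxproc, command = fields
        services.append(Service(
            name=name, type=typ,
            private=_yes_no(private, "private"),
            unpriv=_yes_no(unpriv, "unpriv"),
            chroot=_yes_no(chroot, "chroot"),
            command=command,
        ))
    return services


def unchrooted(services) -> list:
    """Names of services that run outside the chroot jail."""
    return [s.name for s in services if not s.chroot]


def bind_mount_command(queue_directory: str, mail_spool: str) -> str:
    """Build (not run) the command from the post: expose the real mail spool
    under the queue directory so a chrooted 'local' can still deliver."""
    inside = os.path.join(queue_directory, mail_spool.lstrip("/"))
    return f"mount -o bind {mail_spool} {inside}"


# Constructed sample (assumption): the three entries quoted in the thread
# plus services that take the chroot default; 'submission' has a
# continuation line, as real master.cf files do.
SAMPLE_MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
pickup    fifo  n       -       -       60      1       pickup
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
"""


def report(text: str = SAMPLE_MASTER_CF) -> dict:
    """Which services are jailed and which are not."""
    services = parse_master_cf(text)
    return {
        "chrooted": [s.name for s in services if s.chroot],
        "unchrooted": unchrooted(services),
    }


if __name__ == "__main__":
    summary = report()
    print("chrooted:  ", ", ".join(summary["chrooted"]))
    print("unchrooted:", ", ".join(summary["unchrooted"]))
    print(bind_mount_command("/var/spool/postfix", "/var/spool/mail"))
```

Running it on a real /etc/postfix/master.cf is a quick way to check Tomasz's claim for your own install: anything that appears under "unchrooted" other than local, virtual and lmtp (and pipe-style transports that need the real filesystem) is worth a second look, and anything you decide to jail needs its delivery target visible inside the queue directory, as the bind-mount line shows.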