On Monday, 27 January 2003 15:53, Kwan Lowe wrote:
> On Mon, 2003-01-27 at 02:25, Martin Fahrendorf wrote:
> > this is no postfix nonsense, it is a nonsense in configuration of postfix
> > by mandrake. chroot is a very secure way to do something IF YOU KNOW
> > WHAT YOU WANT.
> >
> > Please, Mandrake, disable the chroot stuff of postfix (at least the
> > default settings). It is not worth the trouble.
> >
> > disable all the chroot stuff in /etc/postfix/master.cf and the
> > configuration is much easier.
>
> This is probably one of those things that Mandrake is damned if they do
> and damned if they don't. I think chroot'ed Postfix is a good idea and
> well worth the hassle of configuring and hope that Mandrake continues to
> do so. I can understand some of the frustrations that some of you are
> seeing, but I'd rather they err on the side of caution than ship a less
> secure product.

I think there is a reason why Wietse Venema always pointed out that chroot is only for experienced users. It is not easy to set up. Even if you don't have static IP addresses. Every time you get your internet connection, you have to sync some config files (and you have to know which ones). It is not that easy to sync it only on Postfix startup.

And what is the benefit? In the default configuration of Mandrake, Postfix listens only on the localhost device, so only local users are able to harm your host. But there are easier ways for local users than compromising Postfix.

Nah, I think chroot of Postfix is not worth the trouble. Especially as long as BIND is not running chrooted.

The simplest way is to combine the chroot flags from Postfix with the msec settings: in the secure modes 'higher' and 'paranoid' they use chroot, and in all the other settings they don't.

Martin

--
H E L I X Gesellschaft für Software & Engineering mbH
Hanauer Landstrasse 52, 60314 Frankfurt am Main
Phone (069) 4789 35-30
Fax (069) 4789 35-44
http://www.helix-gmbh.net [EMAIL PROTECTED]
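
Added example, not part of either poster's message and not Mandrake or Postfix code: a Python check for the two things the thread argues about, namely which /etc/postfix/master.cf entries have the chroot flag set, and which copies of system files inside the chroot are missing or out of date. The sample master.cf, the file list and the function names are assumptions made for illustration.

```python
import filecmp
import os

# Constructed sample in master.cf column order:
# service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER_CF = """\
# constructed sample, not taken from a real system
smtp      inet  n       -       y       -       -       smtpd
cleanup   unix  n       -       -       -       0       cleanup
local     unix  -       n       n       -       -       local
smtp      unix  -       -       y       -       -       smtp
  -o smtp_helo_timeout=5
"""

# Assumption: files a chrooted daemon commonly needs copies of, given
# relative to / and to the queue directory. Adjust for the host at hand.
ASSUMED_JAIL_FILES = ("etc/resolv.conf", "etc/hosts", "etc/services")


def chrooted_services(master_cf_text, dash_means_chroot=True):
    """Return [(service, type, command)] for entries that run chrooted.

    Column five is the chroot flag: y, n, or "-" for the built-in default.
    "-" meant chroot before Postfix 3.0; pass False for the newer default.
    """
    found = []
    for line in master_cf_text.splitlines():
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed entry, ignore
        flag = fields[4]
        if flag == "y" or (flag == "-" and dash_means_chroot):
            found.append((fields[0], fields[1], fields[7]))
    return found


def stale_jail_files(queue_dir, root="/", files=ASSUMED_JAIL_FILES):
    """Return jail copies that are missing or differ from the system file."""
    stale = []
    for rel in files:
        system, jailed = os.path.join(root, rel), os.path.join(queue_dir, rel)
        if not os.path.exists(system):
            continue  # nothing to sync from
        if not os.path.exists(jailed) or not filecmp.cmp(system, jailed, shallow=False):
            stale.append(rel)
    return stale
```

On a dial-up host, running `stale_jail_files` against the queue directory after each connection shows whether the resolver file inside the chroot has fallen behind the one the system just rewrote.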
