On May 25, 2005, at 3:31 PM, Damien Hull wrote:
> Thanks for the info. My concern is that OpenBSD is "secure by default" when you do a base install, but when you start adding things like Postfix etc., are you still secure?

How is something that is not default, still default?

If we want to start jerking off to Zen koans, I'll go get some sake.

> I know you can configure the system so that most files are read only. I also know that you can run Postfix in a sandbox (jail). It all depends on how much work I want to put into securing the system. If the answer to the above question is "no!", then I'll have to lock down Postfix etc. If the answer to the above question is "Yes!" then I can leave things the way they are and just install Postfix.

Postfix is pretty secure in and of itself. It's a well-designed application: small helper apps operating under least privilege. The number of security problems has been low over the years, and it's easy to configure and maintain. Replacing sendmail with postfix is trivial and headache free if you either know what you're doing or can, y'know, read and follow instructions somewhat well.

> There are trade-offs between security and management overhead. Putting Postfix in a sandbox is a nice idea, but my understanding is that you have to take Postfix off-line to add any users and then put it back in the sandbox and then bring it back on-line. Leaving Postfix outside of a sandbox means you just add users when you need to. I did this once on a FreeBSD email server a few years back. I decided that a sandbox was too much work.

"chroot", or "root jail", and Postfix chroots itself by default. The only things that you need to concern yourself with, generally, are:

1) Keeping things in /var/spool/postfix/etc in sync with the rest of the system. If you change DNS servers in /etc/resolv.conf, you will need to copy the updated file to the spool dir. Write a script to do it if it's likely you will forget.

2) Remembering that sockets will need to be in the chroot, or you will need another method of IPC. e.g., if you are using SASL, you will tell saslauthd to use /var/spool/postfix/var/sasl2 or whatever to dump its socket. If you are using MySQL, you will either need to drop the socket in a similar location under the chroot, or use TCP/IP to talk to MySQL.

> I'm still a long ways away from designing a system. I haven't even decided which OS I want to use. If enough people on the list can convince me that OpenBSD is the way to go I'll install it on a system, ship it down to Seattle and collect my mail. This will be on a test domain of course.

Maybe you should consider doing some test installs and playing around with the system before finding inconsequential (and inaccurate) things like "Postfix chroots are hard to deal with" to make you not want to use it. (For the record, most Linux distros I've admin'd also leave postfix chroot'd; FreeBSD seems to do so as well -- which Postfix is by default; the Linux distros just have startup scripts to maintain state between the system and the chroot for you. This is trivial.)

(If you want to talk about chroots being "annoying", let's talk about Apache, Perl, and suexec. :-)

There is system administration, and then there is application/service administration. Modern package management tends to make the latter trivial with regards to security updates. Configuration with regards to either of these domains is where issues tend to occur. Configuring OpenBSD is easy for all the reasons people have either already mentioned, or will: Sane system layout, good docs, etc, etc. Configuring your services is pretty much left up to you. Postfix configuration is so easy as to be almost entirely unnecessary for a lot of things. It's one of those few nice apps with sane defaults.

I run five well-used OpenBSD mailservers at the moment, all with:

Postfix+TLS+SASL
Amavis+SpamAssassin+ClamAV
Dovecot (IMAP-SSL)

I have zero complaints. OpenBSD is a sanely laid-out system, easy to maintain, has well-written documentation, and very rarely gives me any sort of headache. (Is there an echo in here?)

It's unlikely many people on this list will tell you much differently. But then, ask the same question on any other list dedicated to answering questions about something that *everyone on the list already uses* and what kind of answers are you expecting? :-)

If you want something to convince you, maybe you should let ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ do the talking.
--
bda
cyberpunk is dead. long live cyberpunk.
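The "write a script to do it" advice for point 1 above, as an added example (not code from the thread or from the Postfix project): it copies a list of system files into the chroot only when the copy is missing or differs, so it can run from cron or after editing /etc/resolv.conf without churning the spool directory. The default file list beyond resolv.conf (hosts, localtime, services) is an assumption, as is the 0644 mode; the system root and chroot directory are parameters so the function can be exercised against scratch directories.

```shell
#!/bin/sh
# Keep copies of system files inside the Postfix chroot current.
# Usage: sync_chroot_etc SYSTEM_ROOT CHROOT_ROOT [FILE ...]
#   FILE paths are relative to SYSTEM_ROOT. Default list (an assumption,
#   not a Postfix requirement): etc/resolv.conf etc/hosts etc/localtime
#   etc/services. A file is copied only if it exists on the system and the
#   chroot copy is missing or differs. Copies are written to a temp name
#   and renamed so the daemons never see a half-written file, and are
#   made mode 0644 so the unprivileged postfix processes can read them.
#   The number of files copied is left in SYNCED.
sync_chroot_etc() {
    sysroot=$1; chrootdir=$2; shift 2
    [ $# -gt 0 ] || set -- etc/resolv.conf etc/hosts etc/localtime etc/services
    SYNCED=0
    for f in "$@"; do
        src="$sysroot/$f"
        dst="$chrootdir/$f"
        [ -f "$src" ] || continue                  # not every system has every file
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue                               # already in sync, nothing to do
        fi
        mkdir -p "$(dirname "$dst")" || return 1
        cp "$src" "$dst.tmp" && chmod 0644 "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
        echo "synced $f into $chrootdir"
        SYNCED=$((SYNCED + 1))
    done
}

# When run as a script, e.g. "sh sync_chroot_etc.sh / /var/spool/postfix"
# (the OpenBSD default chroot location mentioned above), sync the defaults.
if [ $# -ge 2 ]; then
    sync_chroot_etc "$@"
fi
```

Because the copy is skipped when nothing changed, the script is safe to run unconditionally from a periodic job; the SASL and MySQL sockets from point 2 are a separate matter, since those are created by the other daemon, not copied.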
