Michael Tokarev via Postfix-users <[email protected]> writes:
> Hi!
>
> This is to inform the postfix community that I just uploaded
> another postfix release to debian unstable which disables the
> badly famous chroot-by-default of postfix services. Here's
> the changelog entry:
>
>  postfix (3.10.6-4) unstable; urgency=medium
>
>    * disable chrooting by default finally, after 25 years of everyone
>      suffering.
>      Only limited support for chroot mode will be provided for backwards
>      compatibility. With this in mind, let's close all chroot-related bugs.
>      Closes: #151692, #1084167, #606007, #631665, #714770, #406348,
>      Closes: #1026394, #257096, #278530, #776685, #893516, #935825,
>      Closes: #678808, #896879, #412413, #802043
>
>
> When I started working on postfix packaging last year, the plan was
> to make this a debconf question, - because 25 years of history is
> not nothing, because everyone got used to chroot being enabled by
> default on debian and derivatives. But as it turns out, whole debconf
> of postfix packaging needs a complete rewrite.. So there's no reason
> to wait any longer with that and with chroot being off by default.
>
> I'm sorry I didn't do this for debian trixie (current debian stable
> release), - I really wanted to make it configurable. Time makes its
> own corrections though. I was all for turning this off by default in
> debian all these years, but the former postfix maintainer in debian was
> not listening.
>
> BTW, on my sites, I run postfix chrooted on all servers, with the
> usage of actual chroot-update script from debian package, - the
> chroot has become much simpler and smaller and doesn't need
> babysitting anymore. But there are corner cases in various other
> configurations still, endless amount of corner cases. Today, it is
> more important to have various auth plugins (oauth2 etc), than to
> run services within a sandbox.

Hello Michael,

Since Postfix itself is designed to be secure, chrooting itself is not really necessary, I think.

My main outbound SMTP yw-1204 runs under Debian Bullseye. It operates like a very resilient Aegis cruiser. I really, really, really like it. Thanks, Postfix!

Sincerely, Byunghee
