* Michael Fox <n...@mefox.org>:
> > With Postfix 3, chroot is no longer the default. It remains an
> > available option for people who want to go through the effort.
> > 
> >     Wietse
> Yes, but that wasn't my question.  Again, my question was:
> I'm configuring master.cf to add amavisd-new.  The amavisd-new documentation
> (/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
> master.cf file regarding the chroot setting for the cleanup (and
> pre-cleanup) service.  I presume that the amavisd-new documentation is in
> error and that I should go with the chroot setting that's in the default
> master.cf.  But I don't know enough about the implications of one vs. the
> other to be sure.

I wrote README.postfix.html for amavisd-new many years ago and I don't recall
why master.cf was in the state it was by then. I wouldn't say the
documentation is in error - it has simply not seen any update in many years.

Personally I don't use content_filter and smtpd_proxy_filter anymore. I prefer
the MILTER interface over the other methods. If you are interested in this and
if you can read German (or are able to handle google translate ;) you may read
my blog https://sys4.de/de/blog/2015/07/31/amavisd-milter-howto/ for

> Specifically, I have three questions:
> 1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
> with chroot=n.  But the default master.cf (from Ubuntu) has the cleanup
> service configured
> with chroot=y.  Should I use the same chroot=y setting for the pre-cleanup
> service?  
> 2) Section 4.2.2 of the above web page shows modifying the existing cleanup
> service to add some "-o" options.  But it shows the cleanup service with
> chroot=n.  Should I leave chroot=y for the cleanup service?
> 3) The above web page also shows the new "amavisfeed" and ""
> services with chroot=n.  But similar services in master.cf have chroot=y.
> Should these two new services also use chroot=y?

The general answer is: If you plan to run Postfix chrooted, chroot as much
as you can. It's a design question. Chrooting a service like Postfix comes at
the price of quite some management overhead. You can automate most of that,
but you need to take care of it.

Many years ago Wietse wrote that chrooting Postfix only makes sense on a
hardened server. I agree with that. If the server isn't hardened, forget about
chrooting the service, as there are very likely much more easily exploitable
"entry points" to the server.


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
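
An added example, not part of the original message and not code from Postfix or amavisd-new: a Python check that reads master.cf text and lists daemons whose services disagree in the chroot column, which is the situation the three questions describe. The sample master.cf and its "-o" options are constructed, and treating "-" as chroot=n assumes the Postfix 3 default mentioned in the thread.

```python
# Added example: compare chroot settings between master.cf services.
NEVER_CHROOT = {"local", "pipe", "virtual"}  # master(5): cannot run chrooted

# Constructed sample using service names from the thread; options are illustrative.
SAMPLE = """\
# service   type  private unpriv  chroot  wakeup  maxproc command + args
smtp        inet  n       -       y       -       -       smtpd
  -o cleanup_service_name=pre-cleanup
pre-cleanup unix  n       -       n       -       0       cleanup
  -o virtual_alias_maps=
cleanup     unix  n       -       y       -       0       cleanup
  -o mime_header_checks=
lmtp        unix  -       -       y       -       -       lmtp
amavisfeed  unix  -       -       n       -       2       lmtp
local       unix  -       n       n       -       -       local
rewrite     unix  -       -       -       -       -       trivial-rewrite
"""

def parse_master_cf(text):
    """Return {"service/type": (chroot_field, command)} for each logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank or comment line
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues the entry
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        f = line.split()
        if len(f) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        entries[f"{f[0]}/{f[1]}"] = (f[4], f[7])
    return entries

def audit(text, default="n"):
    """Return (mixed, invalid): daemons whose services disagree on chroot, and
    services that set chroot=y for a daemon that cannot run chrooted."""
    by_cmd, invalid = {}, []
    for service, (field, cmd) in parse_master_cf(text).items():
        chroot = default if field == "-" else field   # assumption: "-" means n (Postfix 3)
        if cmd in NEVER_CHROOT:
            if chroot == "y":
                invalid.append(service)
            continue
        by_cmd.setdefault(cmd, {})[service] = chroot
    mixed = {c: s for c, s in by_cmd.items() if len(set(s.values())) > 1}
    return mixed, invalid

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample it reports the `cleanup` and `lmtp` daemons as mixed, since pre-cleanup and amavisfeed use chroot=n beside chrooted siblings.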
