Hi!

For 25 years, Postfix, the MTA in Debian, has been set up to run chrooted by default (that is, most postfix internal components run chrooted in /var/spool/postfix/, to limit possible system damage after a possible compromise).

This setup has been criticized for 25 years, because of the significant pain it caused to users and to upstream and postfix-users support. The conclusion by Wietse Venema, who is the author of Postfix:

> Look, I changed the Postfix default to not chroot 10+ years ago, because it
> was already impossible on LINUX. I expected that package maintainers
> understand that non-chroot shall be the norm for most installs. On LINUX
> systems, chroot is for people who want to suffer pain. On my FreeBSD
> server, Postfix chroot is painless. So chroot is 'nice to have' but not
> for LINUX.

(https://marc.info/?l=postfix-users&m=173435292323792&w=2)

But what's interesting is that actually, running postfix chrooted on Linux is *exactly* as painful (or painless) as on FreeBSD. Exactly. The chroot setup for postfix on FreeBSD, examples/chroot-setup/FreeBSD2 - where it's suggested to copy the resolv.conf localtime host.conf hosts services files to the chroot jail - is exactly what I came up with on Linux when I tried it myself.

The problem, though, arises in 2 places.

1. Extra nsswitch modules, such as mdns, systemd-resolved (which is optional since resolv.conf works), and so on, which expect their files to be in the chroot jail (exactly like on FreeBSD with this same mechanism).

2. Cyrus SASL - for any non-trivial (PLAIN or LOGIN) methods, it needs the secrets database to be accessible in the chroot, and people on the 'net suggest really crazy things to fix this (like moving the /etc/sasl2 userdb to /var/spool/postfix/etc/ and symlinking it back to /etc/sasl2).

3. Various postfix map lookup types which require additional stuff - for these, an easy solution has existed in postfix for over 20 years, which is a proxy: map. So this is not an issue.

My initial intention was to turn off chroot in postfix immediately. However, I can't do anything without understanding the root issues first. And my discovery turned out to be quite interesting.

So I really wonder... What do you think about this aspect of postfix on debian?

The security expert in me thinks it's worth the effort to make it work, as much as it is easy to do. And for *most* things, it actually is rather easy. For certain things (like SASL), I can write a guide to serve as a *good* example; or to recommend un-chrooting postfix when it detects sasl usage and chroot, something like that.

Thanks,

/mjt
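As an added illustration, not part of the post above and not Postfix's own chroot-setup script: a small POSIX shell helper that compares the files the FreeBSD2 chroot-setup example copies into the jail (resolv.conf, localtime, host.conf, hosts, services, the list named in the post) against the host copies, reports which ones are missing or stale, and syncs them. The jail layout (`etc/` directly under the queue directory) and the demo data are assumptions; the demo builds a constructed host tree and jail in a temp directory so it runs offline and never touches the real /etc.

```shell
#!/bin/sh
# Files the Postfix chroot-setup example copies into the jail (list from the
# post). host.conf is kept even though many Linux systems lack it; files that
# are absent on the host are skipped rather than reported.
CHROOT_FILES="etc/resolv.conf etc/localtime etc/host.conf etc/hosts etc/services"

# check_chroot_files HOST_ROOT JAIL_ROOT
# Prints one status line per file (OK / MISSING / STALE / SKIP) and, as the
# last line, the number of files that need copying into the jail.
check_chroot_files() {
  host_root=$1; jail_root=$2; problems=0
  for f in $CHROOT_FILES; do
    if [ ! -f "$host_root/$f" ]; then
      printf 'SKIP    %s (absent on host)\n' "$f"
    elif [ ! -f "$jail_root/$f" ]; then
      printf 'MISSING %s\n' "$f"; problems=$((problems + 1))
    elif ! cmp -s "$host_root/$f" "$jail_root/$f"; then
      printf 'STALE   %s\n' "$f"; problems=$((problems + 1))
    else
      printf 'OK      %s\n' "$f"
    fi
  done
  echo "$problems"
}

# sync_chroot_files HOST_ROOT JAIL_ROOT
# Copies every host file that is missing from, or differs in, the jail,
# preserving mode and timestamps. Only regular files are copied, and nothing
# is ever written back to the host side.
sync_chroot_files() {
  host_root=$1; jail_root=$2
  for f in $CHROOT_FILES; do
    [ -f "$host_root/$f" ] || continue
    if [ ! -f "$jail_root/$f" ] || ! cmp -s "$host_root/$f" "$jail_root/$f"; then
      mkdir -p "$jail_root/$(dirname "$f")"
      cp -p "$host_root/$f" "$jail_root/$f"
    fi
  done
}

# demo_chroot_check: constructed host tree and jail in a temp dir (assumption:
# no real system is inspected). Prints "BEFORE AFTER" problem counts.
demo_chroot_check() {
  tmp=$(mktemp -d)
  host="$tmp/host"; jail="$tmp/jail"
  mkdir -p "$host/etc" "$jail/etc"
  printf 'nameserver 192.0.2.53\n' > "$host/etc/resolv.conf"   # constructed
  printf '127.0.0.1 localhost\n'   > "$host/etc/hosts"
  printf 'smtp 25/tcp mail\n'      > "$host/etc/services"
  printf 'UTC0\n'                  > "$host/etc/localtime"
  # Jail state: hosts is current, resolv.conf is stale (old nameserver),
  # localtime and services were never copied, host.conf absent on host.
  cp -p "$host/etc/hosts" "$jail/etc/hosts"
  printf 'nameserver 192.0.2.1\n'  > "$jail/etc/resolv.conf"
  before=$(check_chroot_files "$host" "$jail" | tail -n 1)
  sync_chroot_files "$host" "$jail"
  after=$(check_chroot_files "$host" "$jail" | tail -n 1)
  rm -rf "$tmp"
  echo "$before $after"
}

demo_chroot_check   # prints "3 0": three files to fix before syncing, none after
```

On a real system the check would be run as root as `check_chroot_files / /var/spool/postfix`; a STALE resolv.conf or hosts is the usual way a jail that once worked starts failing lookups after the host configuration changes, which is why the copies need re-checking whenever those files move. The two harder cases from the post (extra nsswitch modules and the Cyrus SASL secrets database) are deliberately outside this file list, since they are not fixed by copying files.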