Hi, first - thanks a lot for working on postfix packaging, it really needs some love.
On 12/16/24 15:51, Michael Tokarev wrote:
> What do you think about this aspect of postfix on debian?

my opinion in short: I would get rid of the chrooted complexity, it's not worth it and introduces way more problems than it could solve/more extra work than it could ever save. Time and effort are better spent to harden postfix elsewhere where it actually makes a difference.

smtpd daemons are a rare thing on the majority of users' systems (even if popcon reports a whopping 12% install base for postfix), so I mainly see two scenarios for running postfix:

a) single power-user system (notebook/desktop) which has a local MTA to send their own mail out to a proper mail server somewhere on the internet
b) running a proper mail server on the internet

I do both and would welcome non-chrooted by default for both scenarios in order to have a nicer, simpler and better integrated experience with the rest of the system with less special casing. postfix would e.g. profit way more from namespace, capability and process restrictions set (via systemd units?).

Regarding security concerns, imho:

For a) not really much of a problem because one sends his/her own stuff out without accepting mail from the outside, so relatively small chance of malicious mails that could trigger some postfix bug to compromise the system.

For b), the real abuse/danger of the system isn't a malicious mail to take out/over postfix, but the bazillion non-malicious-yet-unwanted mails aka spam.

Regards,
Daniel