Please read all the way to the bottom before replying. It will save time.

> a) single power-user system (notebook/desktop) which has a local MTA
> to send their own mail out to a proper mail server somewhere on the
> internet
> b) running a proper mail server on the internet
>
> I do both and would welcome non-chrooted by default for both scenarios
> in order to have a nicer, simpler and better integrated experience with
> the rest of the system with less special casing. postfix would e.g.
> profit way more from namespace, capability and process restrictions
> being set (via systemd units?).
I also do both of these things.

> For a) not really much of a problem because one sends his/her own stuff
> out without accepting mail from the outside, so relatively small chance
> of malicious mails that could trigger some postfix bug to compromise the
> system.

Locally exploitable vulnerabilities generally rate lower than remotely
exploitable vulnerabilities. This part is true.

However, privilege escalation is still a serious issue and should not be
minimized by its likelihood. The sort of attackers who exploit these
vulnerabilities are not sitting around doing it by hand any more. They
are highly automated nowadays and very capable of doing things like this:

a) Determine that a remote system can be induced to execute code
   unprivileged.
b) Use remote unprivileged code execution to examine the rest of the
   system.
c) Use information from b) and abilities from a) to escalate privileges
   and take over the system.

> For b), the real abuse/danger of the system isn't a malicious mail to
> take out/over postfix, but the bazillion non-malicious-yet-unwanted
> mails aka spam.

No, the COMMON abuse is from that. The "REAL" danger is the system
takeover, as it is much more damaging to surrounding systems, harder to
detect, and harder to recover from. No one wants to join the botnet
hordes.

ALL THAT SAID

This is not to say that we have to have chroot and it's the only way to
make things safe. Quite the opposite. Using chroot is sometimes used as
an excuse to leave things UNsafe, for obvious reasons. Better to fix the
underlying issues and have a less complex system. Less complexity means
easier to support, troubleshoot, AND keep secure.

But let us not minimize the importance of keeping our systems "un-pwned"
by botnet operators. It's not about YOU. It's not about YOUR data. It's
about not allowing your resources to become tools for malicious actors
to use against everyone else.

--J

P.S.
I have never run into any issues with postfix related to running in a chroot, myself, but I acknowledge that it's exactly the sort of thing that can suddenly become a real pain, so I won't be sad to see it become "not the default" any more.
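The quoted message suggests namespace, capability and process restrictions via systemd units as the non-chroot alternative. The drop-in below is an added illustration of what such a unit override looks like; it is not from this thread, from the Debian packaging, or from the postfix project. The unit name `postfix@.service`, the drop-in path and every directive value are assumptions: the capability bounding set in particular depends on how the local installation delivers mail, and a set that is too tight fails silently in the sense that delivery breaks rather than the service refusing to start.

```ini
# /etc/systemd/system/postfix@.service.d/hardening.conf
# Added example (not part of the original thread). Path, unit name and
# values are assumptions; verify each against the local configuration.

[Service]
# --- process restrictions ---
# postfix daemons switch uid/gid themselves from root; they do not rely
# on exec'ing setuid helpers, so blocking privilege gain on exec is safe
# for the daemons. Assumption: revisit if local(8) pipes to setuid tools.
NoNewPrivileges=yes
RestrictRealtime=yes
SystemCallArchitectures=native

# --- capability restrictions ---
# Assumed minimum for an MTA that binds port 25/587, creates queue files
# owned by the postfix user, and delivers as the recipient user.
# CAP_SYS_CHROOT is only needed while any master.cf entry still uses
# chroot=y; drop it once the non-chrooted default is in use.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT

# --- namespace / filesystem restrictions ---
# Private /tmp and a read-only view of /usr, /boot and /etc.
# Queue and data directories stay writable because they live under /var.
PrivateTmp=yes
ProtectSystem=full
# Home directories must stay writable if local(8) delivers to ~/Maildir.
# Set ProtectHome=yes only on a send-only notebook that never delivers
# locally to users.
ProtectHome=no
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security postfix@-.service` reports which restrictions took effect and what is still exposed; the real check, though, is end-to-end: submit a message locally, receive one from outside, deliver to a mailbox and to an alias, and watch the mail log for `EPERM`-style failures before calling the unit hardened.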