16.12.2024 20:08, Russ Allbery wrote:
> So, I wouldn't object to undoing that given upstream's stance, but maybe
> it would be good to do that in conjunction with adding more hardening to
> the default configuration with systemd?  systemd-analyze security
> postfix@- shows a whole lot of things that could potentially be improved
> in hardening settings, and while a lot of those won't work because of the
> number of things Postfix needs to be able to do, a lot of them are
> probably reasonable changes to the defaults if accompanied by instructions
> for how to turn them off with an override file.  There is some obvious
> stuff like ProtectSystem, PrivateDevices, or ProtectKernelTunables that
> seems quite unlikely to break anything.

Yes, that's a very good suggestion.  I'll definitely take a look at this list.
It'd be nice to have some helping hand there, too.

BTW, is there a way for a systemd unit to take/inherit (security) settings
from another unit?  I'm about to ship 2 service units for different configs
of postfix, and it'd be nice to have one set of settings.  Or just create
2nd one from the first at build time.

Thanks,

/mjt
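
The build-time approach raised in this thread, as an added example that is not part of the original messages or of the Debian package: one hardening fragment is copied into the drop-in directory of each unit, and a later-sorting drop-in turns a single setting off. The directive values, the file names `50-hardening.conf` and `90-local.conf`, and the second unit name in the usage comment are assumptions and have not been tested against Postfix.

```shell
#!/bin/sh
# Added example: keep one set of hardening settings for several units by
# generating identical drop-in files at build time.
# Values and file names below are assumptions, not the package's settings.

# write_fragment FILE: write the shared [Service] hardening settings.
write_fragment() {
    cat > "$1" <<'EOF'
# Shared hardening settings (assumed values).
[Service]
ProtectSystem=full
PrivateDevices=yes
ProtectKernelTunables=yes
EOF
}

# install_hardening ROOT UNIT...: create ROOT/UNIT.d/50-hardening.conf for
# every unit, all copied from a single generated fragment.
install_hardening() {
    root=$1; shift
    fragment="$root/hardening.fragment"
    write_fragment "$fragment" || return 1
    for unit in "$@"; do
        mkdir -p "$root/$unit.d" || return 1
        cp "$fragment" "$root/$unit.d/50-hardening.conf" || return 1
    done
    rm -f "$fragment"
}

# write_local_override ROOT UNIT DIRECTIVE: the "override file" case. A
# drop-in that sorts after 50-hardening.conf sets DIRECTIVE back to "no".
write_local_override() {
    mkdir -p "$1/$2.d" || return 1
    printf '[Service]\n%s=no\n' "$3" > "$1/$2.d/90-local.conf"
}

# Usage (postfix-example.service is a hypothetical second unit):
#   install_hardening "$DESTDIR/usr/lib/systemd/system" \
#       postfix@.service postfix-example.service
#   write_local_override /etc/systemd/system postfix@.service PrivateDevices
```

After installing, `systemd-analyze security postfix@-` shows which settings took effect for the running instance.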
