16.12.2024 20:45, Marco d'Itri wrote:
> On Dec 16, Michael Tokarev <m...@tls.msk.ru> wrote:
>> What do you think about this aspect of postfix on debian?
> I do not remember ever having any issues about this, and I have been
> using Postfix since before it was called Postfix. But if Wietse says
> that a chroot default is not worth it then I fully trust him.

It turns out the reason for this is a myth, which we believed for
25 years - a myth that "On FreeBSD, chroot is painless, but on Linux,
chroot never works and is only suitable for the ones who want pain".
Actually, it looks like chroot on Linux is *exactly* the same as on
FreeBSD, and the pain level completely depends on which features you
use (I mentioned all 3 possible issues in my initial email). It feels
like this is the sole source of this opinion.
I'd love to debunk this myth somehow, just for the sake of debunking
a good big old myth (which I've been part of all this time too).
*And*, after this is done, happily turn chroot by default off in postfix
package in debian.

> The security track record of Postfix is good enough that I believe that
> chrooting is overkill.

/mjt