Hola,

On Mon, Dec 16, 2024 at 05:51:34PM +0300, Michael Tokarev wrote:
> Hi!
>
> For 25 years, Postfix the MTA in Debian has been set up to run chrooted by
> default (that's where most postfix internal components run chrooted in
> /var/spool/postfix/, to limit possible system damage after a possible
> compromise).
>
> This setup has been criticized for 25 years, because of significant pain
> it caused to users and upstream and postfix-users support. The conclusion
> by Wietse Venema, who is the author of Postfix:

I am running (also professionally) postfix mail relays and I never had
the requirement to "un-chroot" - there is always a way to map the
required resource, and only those, into the postfix chroot.

And I am running postfix with uucp and satellite connections, imap
setups of various sizes, high volume mail exchanger frontends for
MS Exchange setups etc. etc.

As an admin I like the "security first" approach here and that's the
way Debian should handle it.

The default setting should be to be chrooted as that's what 99.5% of
our users are using today without issues, and it is another layer in
the cheese model for security. Even if we find a vulnerability in one
of the network facing services, it makes it harder to abuse the
machine and lets me sleep well.

And in the end - it's easy as changing a "y" to a "n" in master.cf to
unchroot for the setups where users fail to adapt their postfix from
the chroot. But the default should be security first.

Flo
-- 
Florian Lohoff f...@zz.de
Any sufficiently advanced technology is indistinguishable from magic.