17.12.2024 00:31, Henrik Ahlgren wrote:

> Anyway, systemd's hardening features are so easy and effective that I
> would really like to see not only postfix, but ALL services use them as
> much as possible. Why do we still have major packages like nginx shipping
> without any hardening out-of-the-box?

I would advise against this simplistic view on security and "hardening" -
it often gives a false sense of security instead of real security.

Besides, I have yet to see an actual explanation of how the current
postfix chroot is not as good as what systemd unit hardening can bring
us (omitting the complexity of postfix's internal services architecture
for now, let's say, just for the smtpd service alone).  Which threats
are handled "better" by Linux abilities above POSIX (which can be
applied using systemd or in other ways) than postfix already handles
them with its internal hardening, including its own chroot?

/mjt
