On Sun, Oct 06, 2024 at 11:06:21AM -0400, Bill Cole via Postfix-users wrote:
> On 2024-10-06 at 04:34:16 UTC-0400 (Sun, 06 Oct 2024 10:34:16 +0200)
> Danjel Jungersen via Postfix-users <dan...@jungersen.dk>
> is rumored to have said:
>
> > Hey!
> >
> > Can someone explain this to me (being a newbie).
>
> That seems like a very open query...
>
> The maintainer of the Debian (and by descent, Ubuntu) Postfix package
> long ago decided to take advantage of Postfix's support for chroot by
> enabling it on more components of Postfix than the defaults. That

Yes, and it is difficult to change a default value/config once you
introduce it to your users. There are a lot of systems out there and any
migration path you choose will likely break one. It takes care and is
costly. So, one typically avoids doing that and accepts the cost of,
hopefully infrequent, explanation/help. And adds one more item to the
long list of lessons learned: think long and hard before diverging from
an upstream default. Are the benefits worth the cost of maintaining this
patch forever? Do I really know better or are my users really a subset of
general population with different needs? Or is there a better way? Can
you work with upstream instead? etc

--
Eray

> created many potential issues because Postfix itself doesn't populate
> the chroot jail with the necessary files. The Debian install process
> *should* handle that, but it is inherently fragile. Using simple chroot
> to isolate net-connected daemons was a bit of a fad in security many
> years ago which has mostly been replaced by more robust models like
> "containers" and FreeBSD's "jails" which don't rely on support in the
> constrained processes.
>
> Problems due to a chroot can present as name resolution discrepancies
> due to variant config files inside the chroot and seemingly bogus "no
> such file or directory" errors for missing items.
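
A check for the symptom described in the quoted text above (config files inside the chroot that differ from, or are missing relative to, the system copies). This is an added example, not part of the thread or of Postfix or Debian; the function name `chroot_drift`, the file list, and the `/var/spool/postfix` jail path are assumptions.

```shell
#!/bin/sh
# Added example: report drift between system config files and the copies
# inside a chroot jail. Names and paths are assumptions, not from the thread.

# Files a chrooted, network-facing daemon commonly needs for name
# resolution and service lookups (assumed list; adjust to your system).
JAIL_FILES="etc/resolv.conf etc/hosts etc/services etc/nsswitch.conf etc/localtime"

# chroot_drift SYSROOT JAIL [FILE...]
# Prints one status line per file:
#   OK       identical inside and outside the jail
#   DIFFERS  both exist but contents differ (stale copy in the jail)
#   MISSING  exists on the system but not in the jail
#   NOSRC    absent on the system too, so there is nothing to compare
# Returns 0 when nothing is DIFFERS or MISSING, 1 otherwise.
# Caveat: a symlink with an absolute target inside the jail is resolved
# here against the host root, but against the jail root by the daemon.
# POSIX sh has no "local", so the variables below are global.
chroot_drift() {
    sysroot=$1; jail=$2; shift 2
    [ $# -gt 0 ] || set -- $JAIL_FILES
    rc=0
    for f in "$@"; do
        src="$sysroot/$f"; dst="$jail/$f"
        if [ ! -e "$src" ]; then
            echo "NOSRC   $f"
        elif [ ! -e "$dst" ]; then
            echo "MISSING $f"; rc=1
        elif cmp -s "$src" "$dst"; then
            echo "OK      $f"
        else
            echo "DIFFERS $f"; rc=1
        fi
    done
    return $rc
}

# Usage on a live host (jail path is an assumption):
#   chroot_drift "" /var/spool/postfix
```

A `DIFFERS` line for `etc/resolv.conf` corresponds to the name resolution discrepancy case, and a `MISSING` line to the "no such file or directory" case.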