09.12.2024 17:17, Wietse Venema via Postfix-users wrote:
Turning on chroot is possible for most master.cf entries except those that use proxymap, postlogd, pipe, local, spawn (I may be missing one). You can use "postconf -F '*/*/command'" to find these, and "postconf -F xxx/yyy/chroot=y" to turn on chroot selectively. Setting up the necessary helper files under /var/spool/postfix (nsswitch.conf, TLS, resolv.conf, services) remains platform-specific.
So things have become significantly easier now than 15 years ago ;) Yes, with such abilities to edit master.cf, it's doable, based on the command name. Touch known-good ones, keep others. Probably might even do it in levels, "none/most/all" - in terms of maintenance burden for the user. Unfortunately, the ones which might benefit from chroot most, which actually talk with the net - like smtp and smtpd - are also the ones which require the most complex chroot setup and have the most failure scenarios of all (sasl, tls, all sorts of things - while even a simple resolv.conf is still having issues, 25 years later).
If this can't be automated, then no-one will use it.
It's a very good point. Actually I thought about this too. So what do you think, is it a good idea to let the user enable chroot "easily" in a distribution like debian, when this user might be absolutely unable to deal with the consequences - where the consequences are having a non-working chroot environment as we've seen over the last 2.5 decades? Implementing this switch/button requires quite some effort too, already. The prob here is that it isn't trivial at all to set up the chroot environment, despite all the efforts to solve this so far. Many things can be simplified greatly by using proxy maps for example, and that probably will be the way I'll recommend to use instead of copying all sorts of random stuff into chroot, regardless of whether it's needed there or not, or even if it helps there or not.

Thanks,

/mjt
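The selection step Wietse describes above (list the commands with postconf -F, then turn chroot on for every entry except the proxymap/postlogd/pipe/local/spawn ones), as an added shell example that is not from this thread or from Postfix itself. It parses a constructed sample of `postconf -F '*/*/command'` output instead of running postconf, so it works offline, and it only prints the `postconf -F` commands it would run rather than changing master.cf.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the output format
# "name/type/command = cmd [args]" of `postconf -F '*/*/command'`.

# Commands Wietse listed as not usable under chroot.
NO_CHROOT="proxymap postlogd pipe local spawn"

# Constructed sample of `postconf -F '*/*/command'` output (not a real system).
SAMPLE='smtp/inet/command = smtpd
pickup/unix/command = pickup
cleanup/unix/command = cleanup
proxymap/unix/command = proxymap
local/unix/command = local
smtp/unix/command = smtp
postlog/unix-dgram/command = postlogd
maildrop/unix/command = pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}'

# chroot_plan: reads postconf -F '*/*/command' lines on stdin and prints one
# "postconf -F name/type/chroot=y" per entry whose command is not in NO_CHROOT.
# Only the first word of the command is compared, so "pipe flags=..." is caught.
chroot_plan() {
    while IFS= read -r line; do
        key=${line%% = *}          # name/type/command
        cmd=${line#* = }          # command plus optional arguments
        cmd=${cmd%% *}            # first word only
        entry=${key%/command}     # name/type
        skip=0
        for bad in $NO_CHROOT; do
            [ "$cmd" = "$bad" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then
            printf "postconf -F '%s/chroot=y'\n" "$entry"
        fi
    done
}

# chroot_plan_count: number of entries the plan would switch to chroot.
chroot_plan_count() {
    printf '%s\n' "$SAMPLE" | chroot_plan | wc -l | tr -d ' '
}

# Usage on a live system would be: postconf -F '*/*/command' | chroot_plan
printf '%s\n' "$SAMPLE" | chroot_plan
```

The helper files Wietse mentions (nsswitch.conf, resolv.conf, services, TLS material) still have to be set up under /var/spool/postfix separately; the plan above only covers the master.cf side.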