16.12.2024 01:16, Wietse Venema via Postfix-users wrote:
Michael Tokarev via Postfix-users:
09.12.2024 17:17, Wietse Venema via Postfix-users wrote:
..
Does nsswitch use lazy initialization or greedy initialization?

It's as lazy as possible, as it turns out, at least in glibc.
I'm trying to find out the correct way to force its init, will
report back on this.  If there's a way, it could be patched into
postfix locally in debian for evaluation first.

The good news though is that all libnss_*.so which come with glibc
are not needed in chroot at all; they're built into libc.so
proper, and separate .so files are provided for compatibility only.

I would expect that calling getaddrinfo() with a non-existent
hostname will initialize all the plugins needed for host address
lookup. Call it instead with an existing hostname, and it may
initialize even less.

Yes, that should be the case, though it's dirty too, and also
might result in extra startup delays.

We do know what functions Postfix calls directly, but not what
may be called by libraries such as libldap, libsasl, or lib*sql*.

For ldap and *sql we've a solution already: it is the "proxy:" map type.

But for libsasl things are more interesting indeed.  I never used
it before, and am reading about setting it up, to try it myself.
It'd be good to communicate with sasld through a socket, but it
looks like not all mechanisms are available there, for some, not
only additional libraries might be required, but also the whole
sasl secrets database.

And I'm reading various really dirty examples and HOWTOs on the
'net, suggesting to link /run/sasl2/saslauth socket to
/var/spool/postfix/run/sasl2/saslauth, so saslauthd will create
its socket in /var/spool/postfix *instead* of in regular /run/.
And move&link sasl secrets database there too.  Sigh.

This should be stopped somehow..  either with a way to take it
under control, or by refusing to operate in a chroot when things
like this are configured.

BTW, how about this, - for certain map types and functions, issue
a warning if chroot is configured, suggesting to use proxy: for
map or suggesting to un-chroot for things like sasl?

The prob here is: even for a more experienced user who enables
chroot by their own, it's sometimes quite difficult to debug
some parts of the bigger picture, without understanding which
component gets into play at which stage.  Just like with the
nsswitch init, - without understanding how it is related to
disable_dns_lookups or smtp_host_lookups, - I can't say I'm
a complete novice here, but it wasn't clear for me until I
did some experiments.

Thanks,

/mjt
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
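As an added example (not code from the thread or from Postfix), this C program shows the warm-up Wietse suggests: exercise the NSS lookups a daemon will need before calling chroot(), so that glibc's lazily initialised backends and their /etc files are loaded while still visible. The jail path, the warm-up name under the reserved .invalid TLD and the set of databases touched are assumptions.

```c
/* Added example, not from the thread: warm up glibc NSS before chroot().
 * glibc initialises nsswitch backends (files, dns, ...) and reads their
 * config lazily on first use, so a daemon that chroots into a directory
 * lacking NSS modules or /etc files must trigger each lookup kind it will
 * need later while it can still see the real filesystem.
 * Build: cc -o nsswarm nsswarm.c; the chroot step in main() needs root. */
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if a host lookup reached the resolver code at all (found, NXDOMAIN and
 * "try again" all count), 0 only for EAI_SYSTEM/EAI_MEMORY. */
int lookup_runs(const char *name)
{
    struct addrinfo *res = NULL;
    int rc = getaddrinfo(name, NULL, NULL, &res);
    if (res != NULL)
        freeaddrinfo(res);
    return rc != EAI_SYSTEM && rc != EAI_MEMORY;
}

/* Touch the databases a mail daemon uses after chroot: hosts, passwd, group,
 * services. Answers are ignored; the calls only load the backends. Returns 0
 * if the hosts backend could be exercised, -1 otherwise. */
int nss_warmup(void)
{
    /* A name under the reserved .invalid TLD never resolves, but it forces
     * the "hosts" line of nsswitch.conf (files, dns, ...) to be initialised. */
    if (!lookup_runs("nss-warmup.invalid"))
        return -1;
    (void) getpwuid(getuid());
    (void) getgrgid(getgid());
    (void) getservbyname("smtp", "tcp");
    return 0;
}

int main(int argc, char **argv)
{
    /* Jail directory is an assumption; an empty directory shows the effect. */
    const char *jail = argc > 1 ? argv[1] : "/var/spool/postfix";
    if (nss_warmup() != 0) { fputs("NSS warm-up failed\n", stderr); return 1; }
    if (chroot(jail) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    printf("after chroot: lookup of localhost %s\n",
           lookup_runs("localhost") ? "still runs" : "fails");
    return 0;
}
```

Comment out the nss_warmup() call and rerun against an empty jail to compare; the difference is what the lazy initialisation discussed above costs a chrooted process.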