16.12.2024 14:52, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Dec 16, 2024 at 12:03:52PM +0300, Michael Tokarev via Postfix-users wrote:
>> The good news though is that all libnss_*.so which come with glibc
>> are not needed in chroot at all, they're built-in to the libc.so
>> proper, and separate .so files are provided for compatibility only.
>
> But sufficiently clever users could provision custom nsswitch modules,
> it is an extensible framework. Likely with enterprise systems like
> "FreeIPA" to add "directory services".

There are multiple existing modules in use. Systemd provides several
already, including a host lookup interface. And we already have bug reports
in debian saying mdns doesn't work in postfix for example.

> Chroot is not worth the trouble, stop the madness. Only expert
> individual users willing to suffer the pain might go there.
> For the rest, turn it off.

This is exactly why I started this whole thread: is chroot in postfix worth
the effort these days or not, from the upstream PoV? And the very first
reaction from Wietse seemed like it'd be nice to have (or else the feature
wouldn't be used at all).

Myself, I've been here since the very beginning of postfix, and I was
strongly against debian decision to make chroot the default, -- because
it was nothing but madness, with numerous frustrated users and
frustrated people on postfix-users always urging to turn the damn thing
off (me included).

On the other hand, looking at how things have improved today, and how
lacking the debian integration is, I thought maybe this is not that
bad after all. For the first time EVER I turned chroot on our servers
just to see how it goes, and the simplicity amazed me.

> This sort of problem is handled with virtualisation these days.

It is still a different context/angle, especially when you want to integrate
several things (SASL being one of them).
But yeah, point taken, thank you Viktor!
/mjt