On Sat, Dec 21, 2024 at 1:34 AM Michael Tokarev via Postfix-users <postfix-users@postfix.org> wrote:
> The prob with postfix and all these system-specific security mechanisms > is that you can configure any path for the log file in postfix's main.cf, > and you have to adjust the security mechanism accordingly, -- there's Yes, indeed! One must go along with defaults or be prepared for pain and suffering if you want to adopt SELInux. In my case I unwittingly took advantage of the Postfix's logging without realizing this. I sat down with the web page for the main.conf and jotted down the options that I thought I needed. I didn't realize it at the time what I did! > no way redhat will be able to fix this. Ditto for many other aspects > with ability to configure things and to have security policies adjusted > to reflect actual configuration. Red Hat did try to suggest an adjustment to allow me to continue to use Postfix's logging. We quickly abandoned this in favor of using the support for syslog which just meant backing out the configuration options I specified for Postfix's logging. The distribution already has log rotation setup for /var/log/maillog so this issue was very easy to resolve when all was said and done. > The only place for such documentation addition is the Postfix's readme > file(s), mentioning how to adjust the selinux security policy about this > matter. I think that many of us who use a Linux distribution for our source of Postfix might lean more on the Postfix web site vs any documentation included in the sources. To that end I would suggest a "shout out" on the web site to understand the implications of using these settings: maillog_file = /var/log/maillog maillog_file_compressor = bzip2 Perhaps under item 2. in the section labeled "Configuring logging to file" on page https://www.postfix.org/MAILLOG_README.html, something like "If using SELinux or similar technologies you should use the default of syslog instead of Postfix's logging system." And/or on the same page under the Overview section change "(which remains the default)" to "(which remains the default and compatible with SELinux). > BTW, there are a few other things which require additional tweaks when > selinux is enabled. For example, postfix spool sub-directories needs > to have selinux security context, which is not provided by the > `post-install create-missing' functionality (since it knows nothing > about selinux). Redhat might address this for the default instance > (in /var/spool/postfix) explicitly, but might miss this for other Yes, Redhat does address this for the default location you called out. In fact Postfix runs out of the box with SELinux enabled (which as you indicated is the default) with their sample config which is quite a bit longer than the starting point suggested on the Postfix web site. > non-default instances. Also, for chroot to work on a selinux-enabled > system, the chroot support files needs their own selinux context. > And so on - this is a large topic. Are there those who see a need for chroot in addition to SELinux? A developer of another application recommends skipping chroot and go with SELinux. That application didn't have a logging system so I didn't struggle at all to deploy the app with SELinux. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
