On 07/24/12 12:24, DTNX Postmaster wrote:
> On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:
> 
>> We store our virtual_foo_maps in,
>>
>>  /etc/postfix/maps/virtual_foo_maps.pgsql
>>
>> and so the (read-only) database credentials are visible in that file.
>> I'd like to tighten this up if possible, but I don't want to do anything
>> stupid.
>>
>> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
>> users from reading the DB credentials? Ideally, I'd also like to prevent
>> them from reading the rest of the maps, which contain lists of
>> addresses, clients, etc.
> 
> This works for us;
> 
> $ ls -ald /etc/postfix 
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
> 
> The postfix user is a member of the 'postcfg' group. Any admin accounts 
> that need access to the contents can also be added if needs be.
> 

Thanks, I actually tried this but ran into a problem:

  Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
  /etc/postfix/main.cf: Permission denied

That alone is easy to fix (allow $authorized_submit_users read access to
main.cf), but it suggested that I might run into more subtle problems if
I started messing with /etc/postfix.
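
An added example, not part of the original messages: a shell check for the two conditions this thread discusses, map files that hold a `password =` line and are world-readable, and a main.cf that ordinary local users can no longer open. The function name and the EXPOSED/BLOCKED labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Flags two conditions in a Postfix
# config tree: lookup-table files that carry a "password =" line and are
# world-readable, and a main.cf that local submitters cannot reach.
# Usage: audit_postfix_tree /etc/postfix

# Matches the credential parameter used in pgsql table definitions.
CRED_RE='^[[:space:]]*password[[:space:]]*='

# audit_postfix_tree DIR
# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_postfix_tree() {
    dir=$1
    rc=0

    # World-readable regular files containing a credential line.
    # Only file mode bits are examined, so a restricted parent
    # directory is not taken into account (conservative result).
    exposed=$(find "$dir" -type f -perm -004 \
                  -exec grep -lE "$CRED_RE" {} + 2>/dev/null) || true
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED /'
        rc=1
    fi

    # sendmail(1) run by an ordinary user has to open main.cf, which needs
    # search permission on DIR and read permission on the file itself.
    # Without both, submission fails as in the log line quoted above.
    if [ -z "$(find "$dir" -prune -perm -001 2>/dev/null)" ] ||
       [ -z "$(find "$dir/main.cf" -prune -perm -004 2>/dev/null)" ]; then
        echo "BLOCKED $dir/main.cf"
        rc=1
    fi

    return "$rc"
}
```

A clean result means the credential files are closed to "other" while main.cf stays reachable; the Postfix daemons that read the map files still need access through the owner or group bits.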
