On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:

> the main config AFAIK needs 644

Correct, the main.cf and master.cf files should be world-readable.

> sensible files can be done with proxymap and so restricted
>
> http://www.postfix.org/proxymap.8.html

Proxymap does not matter here, regardless of which postfix daemon
reads the table, the table ".cf" files are read before the daemons
drop privileges and (potentially) enter a chroot jail. Therefore,
these tables are read as "root", and so can have permissions of
"0600 root root" or "0400 root root" (if maintained indirectly and
should not be directly edited by root).

> -rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
> -rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf

Good.

> -rw-r----- 1 root postfix 195 2011-04-27 18:59 mysql-aliases.cf
> -rw-r----- 1 root postfix 294 2011-05-28 19:06 mysql-forwarders.cf
> -rw-r----- 1 root postfix 201 2011-04-27 18:59 mysql-mydestination.cf
> -rw-r----- 1 root postfix 195 2011-04-27 18:59 mysql-mynetworks.cf
> -rw-r----- 1 root postfix 196 2011-04-27 18:59 mysql-recipients.cf
> -rw-r----- 1 root postfix 463 2011-04-27 18:59 mysql-rewritedomains.cf
> -rw-r----- 1 root postfix 203 2011-04-27 18:59 mysql-rewritesenders.cf
> -rw-r----- 1 root postfix 327 2011-04-27 18:59 mysql-senderaccess.cf
> -rw-r----- 1 root postfix 365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> -rw-r----- 1 root postfix 202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> -rw-r----- 1 root postfix 198 2011-04-27 18:59 mysql-spamfilter.cf
> -rw-r----- 1 root postfix 262 2011-04-27 18:59 mysql-transport.cf

The group can be "root" and the file permissions need not allow
group read. The only exceptions are configurations for tables used
with:

    $ postconf -d | grep '^authorized_' | grep static:
    authorized_flush_users = static:anyone
    authorized_mailq_users = static:anyone
    authorized_submit_users = static:anyone

such tables should be world readable, or otherwise readable by the
"setgid_group" group (default "postdrop" on many systems).

--
	Viktor.
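
An added example, not part of the original message: a small audit of a Postfix configuration directory against the layout described above. It reports main.cf or master.cf when they are not world-readable, and any other "*.cf" table file that has the wrong owner or is readable by group or others. The function name, the finding labels and the EXEMPT argument (for tables used with authorized_*_users) are assumptions made for this example.

```shell
#!/bin/sh
# Added example; names and finding labels are constructed, not Postfix's own.
#
# usage: audit_postfix_cf DIR [OWNER] [EXEMPT]
#   OWNER   expected owner of table configs (name or numeric uid, default root)
#   EXEMPT  space-separated basenames of table configs that must stay readable
#           by others (tables used with authorized_*_users)
audit_postfix_cf() {
    dir=$1
    owner=${2:-root}
    exempt=${3:-}

    # main.cf and master.cf should be world-readable.
    for name in main.cf master.cf; do
        [ -f "$dir/$name" ] || continue
        [ -n "$(find "$dir/$name" -perm -004)" ] ||
            echo "NOT_WORLD_READABLE $name"
    done

    # Every other *.cf is treated as a table config. These are read as root
    # before the daemons drop privileges, so owner-only access is enough.
    find "$dir" -type f -name '*.cf' ! -name main.cf ! -name master.cf |
    sort |
    while IFS= read -r file; do
        name=${file##*/}
        case " $exempt " in *" $name "*) continue ;; esac
        [ -z "$(find "$file" ! -user "$owner")" ] ||
            echo "WRONG_OWNER $name"
        [ -z "$(find "$file" \( -perm -040 -o -perm -004 \))" ] ||
            echo "GROUP_OR_WORLD_READABLE $name"
    done
}

# Stand-alone use: sh audit.sh /etc/postfix
if [ "$#" -gt 0 ]; then
    audit_postfix_cf "$@"
fi
```

No output means the directory already matches the layout; each finding line names the file to tighten with chown or chmod.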