Viktor Dukhovni:
> On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:
> 
> > the main config AFAIK needs 644
> 
> Correct, the main.cf and master.cf files should be world-readable.
> 
> > sensible files can be done with proxymap and so restricted
> > 
> > http://www.postfix.org/proxymap.8.html
> 
> Proxymap does not matter here, regardless of which postfix daemon
> reads the table, the table ".cf" files are read before the daemons
> drop privileges and (potentially) enter a chroot jail. Therefore,
> these tables are read as "root", and so can have permissions of
> "0600 root root" or "0400 root root" (if maintained indirectly
> and should not be directly edited by root).

Correct. However, if a table is searched through the proxymap daemon,
then its file will be opened after the proxymap daemon has dropped
root privileges, so "postfix" (group) permission would be needed.

        Wietse

> > -rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
> > -rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf
> 
> Good.
> 
> 
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
> > -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
> > -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
> > -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
> > -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
> > -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
> > -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
> > -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> > -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> > -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
> > -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf
> 
> The group can be "root" and the file permissions need not allow group
> read. The only exceptions are configurations for tables used with:
> 
>       $ postconf -d | grep '^authorized_' | grep static:
>       authorized_flush_users = static:anyone
>       authorized_mailq_users = static:anyone
>       authorized_submit_users = static:anyone
> 
> such tables should be world readable, or otherwise readable by the
> "setgid_group" group (default "postdrop" on many systems).
> 
> -- 
>       Viktor.
> 
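The permission rules in the two replies above, turned into a small audit script. This is an added example, not code from the postfix-users thread or from Postfix itself. It checks only the permission bits, so it runs unprivileged; it assumes the files are owned by root (ownership is not verified), that group "postfix" owns any table classified as "proxymap", that setgid_group owns any table classified as "setgid", and that the caller knows which tables are looked up through proxymap(8). The sample directory it builds is constructed for the demonstration and mirrors the listing posted in the thread.

```shell
#!/bin/sh
# Audit Postfix ".cf" file modes against the rules discussed in the thread.
# Added example; ownership (root / postfix / setgid_group) is assumed, not checked.

# Octal mode of FILE as three digits (GNU stat first, BSD stat as fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1") || return 1
    printf '%s\n' "$m" | sed 's/^.*\(...\)$/\1/'
}

# check_cf FILE CLASS
#   public    main.cf / master.cf: must be world-readable
#   private   table .cf read as root before privileges are dropped:
#             0600 or 0400, i.e. no group or other bits at all
#   proxymap  table .cf opened by the unprivileged proxymap daemon:
#             group-readable (group "postfix" assumed), no other bits
#   setgid    table used by an authorized_*_users = static:anyone service:
#             world-readable, or at least group-readable (setgid_group assumed)
# Prints a verdict line; returns 0 when the mode fits the class, 1 when it
# does not, 2 on a usage or stat error.
check_cf() {
    f=$1
    class=$2
    mode=$(file_mode "$f") || { echo "cannot stat $f" >&2; return 2; }
    usr=${mode%??}; rest=${mode#?}; grp=${rest%?}; oth=${rest#?}
    ok=1
    case $class in
        public)
            if [ $((oth & 4)) -eq 4 ]; then ok=0; fi ;;
        private)
            if [ $((usr & 4)) -eq 4 ] && [ "$grp" = 0 ] && [ "$oth" = 0 ]; then ok=0; fi ;;
        proxymap)
            if [ $((grp & 4)) -eq 4 ] && [ "$oth" = 0 ]; then ok=0; fi ;;
        setgid)
            if [ $((oth & 4)) -eq 4 ] || [ $((grp & 4)) -eq 4 ]; then ok=0; fi ;;
        *)
            echo "unknown class: $class" >&2; return 2 ;;
    esac
    if [ $ok -eq 0 ]; then
        printf 'OK   %s %s (%s)\n' "$mode" "$f" "$class"
    else
        printf 'FAIL %s %s (%s)\n' "$mode" "$f" "$class"
    fi
    return $ok
}

# audit_dir DIR [PROXY_TABLE...]
# Classifies every *.cf in DIR: main.cf and master.cf are "public", any file
# named as a PROXY_TABLE argument is "proxymap", everything else "private".
# Returns the number of files whose mode does not fit (0 when all pass).
audit_dir() {
    dir=$1; shift
    fails=0
    for f in "$dir"/*.cf; do
        [ -e "$f" ] || continue
        base=${f##*/}
        class=private
        case $base in main.cf|master.cf) class=public ;; esac
        for p in "$@"; do
            if [ "$p" = "$base" ]; then class=proxymap; fi
        done
        check_cf "$f" "$class" || fails=$((fails + 1))
    done
    return $fails
}

# Constructed sample directory (not real Postfix config): a few files with the
# modes from the thread's listing plus one tightened and one too-open table.
# Prints the directory path; the caller removes it afterwards.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for name in main.cf master.cf; do : > "$d/$name"; chmod 644 "$d/$name"; done
    : > "$d/mysql-aliases.cf";    chmod 640 "$d/mysql-aliases.cf"     # as posted
    : > "$d/mysql-transport.cf";  chmod 600 "$d/mysql-transport.cf"   # tightened
    : > "$d/mysql-mynetworks.cf"; chmod 644 "$d/mysql-mynetworks.cf"  # too open
    printf '%s\n' "$d"
}

# Usage: sh audit-cf.sh /etc/postfix [tables opened via proxymap ...]
if [ $# -gt 0 ]; then
    audit_dir "$@"
fi
```

Run as `sh audit-cf.sh /etc/postfix mysql-aliases.cf` to audit a real directory, naming the tables that main.cf looks up through proxymap so they are held to the group-readable rule instead of the 0600 rule; with no arguments the script only defines the functions.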
