Hello,

I am running postfix (3.3.0-1ubuntu0.2) confined by AppArmor and I noticed the tlsproxy process is apparently trying to connect to tlsmgr's Unix socket while still running as root.

Since tlsmgr's socket is stored under $queue_directory/private that has perms set to 0700 and owned by postfix:root, the tlsproxy process needs to override the DAC checks using the CAP_DAC_READ_SEARCH capability.

I can think of 2 ways to work around this. One is to tell AppArmor to grant the tlsproxy process the needed capability and the other is to have the $queue_directory/private directory perms set to 0710 with the same owner/group. Tuning the private directory perms removes the need for the capability so that's my current workaround [*] but I'm looking for feedback on the possible ramifications of this diversion from the default perms.

Regards,
Simon

*: I created postfix-files.d/private-group-search.files with "$queue_directory/private:d:$mail_owner:-:710:uc"

P.S.: while testing further, I also noticed that smtpd processes need the same cap to access proxymap's Unix socket also under queue_directory/private.
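The DAC check behind the two workarounds in this message, as an added example (not part of the original post, and not Postfix or AppArmor code): a small model of how Linux decides whether a process may search a directory. The numeric ids (107 for the postfix user, 1000 for an unrelated user) and the names `Proc`, `Dir` and `can_search` are assumptions made for illustration.

```python
import stat
from dataclasses import dataclass

CAP_DAC_READ_SEARCH = "CAP_DAC_READ_SEARCH"
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset                 # primary and supplementary groups
    caps: frozenset = frozenset()   # capabilities left after AppArmor mediation

@dataclass(frozen=True)
class Dir:
    owner: int
    group: int
    mode: int

def can_search(proc, d):
    """Return (allowed, reason) for traversing directory d (the x bit)."""
    # Exactly one permission class applies: owner, else group, else other.
    if proc.uid == d.owner:
        bit, cls = stat.S_IXUSR, "owner"
    elif d.group in proc.gids:
        bit, cls = stat.S_IXGRP, "group"
    else:
        bit, cls = stat.S_IXOTH, "other"
    if d.mode & bit:
        return True, f"{cls} search bit"
    # uid 0 has no implicit bypass; only a capability overrides the mode bits.
    for cap in (CAP_DAC_READ_SEARCH, CAP_DAC_OVERRIDE):
        if cap in proc.caps:
            return True, cap
    return False, f"no {cls} search bit and no DAC capability"

if __name__ == "__main__":
    POSTFIX, ROOT = 107, 0          # constructed ids, not taken from the post
    confined_root = Proc(ROOT, frozenset({ROOT}))
    for mode in (0o700, 0o710):
        private = Dir(POSTFIX, ROOT, mode)   # postfix:root, as in the post
        print(oct(mode), "confined root:", can_search(confined_root, private))
        print(oct(mode), "unrelated user:",
              can_search(Proc(1000, frozenset({1000})), private))
```

With mode 0710 the only new access is the search bit for members of the directory's group (root here); the "other" class still gets nothing.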