On 25/02/2021 09:43, Emond Papegaaij wrote:
> Hi all,
> 
> We are hardening our services and would like to run postfix as a
> non-root user. All our primary services, including postfix, run as
> docker containers. We use postfix as a forwarding agent only: mail is
> delivered from the other services to postfix and then forwarded to
> another MTA. Because postfix runs inside a docker container, we are
> not bound by the default smtp port. It is very easy to map, for example,
> port 8025 to port 25 via docker. Still, postfix refuses to start as
> non-root. It seems the postfix command has an explicit check to refuse
> to start when not root.
> 
> My question is: is there any way to start the forwarding agent as
> non-root? If not, are there any plans to support this in a future
> release?
> 
> Best regards,
> Emond Papegaaij
> 

It is an *ANCIENT* reference, but the O'Reilly book "Building Internet
Firewalls" describes a simple program called smap.

It runs without root privileges and ONLY accepts incoming SMTP connections,
dropping messages into a queue for processing by another program.
(Could this be the MAILDROP queue perhaps?)

They say it is only 700 lines of code long, and is part of the TIS FWTK
(firewall toolkit).

Just a random thought. . .

Allen C
