On Thu, Jun 23, 2022 at 03:13:33PM -0300, Luc GMail wrote:

> I researched and changed a few 'y' options to 'n' in master.conforme so now
> a few processes are no longer chrooted.
>
> I sent out a test message from claws-mail and it worked!

Congratulations, you have a largely working system.

> But I'm not so sure I am a happy camper.
>
> Shouldn't I be running everything chrooted for better security? Isn't
> turning that off a bad idea?

Not necessarily, chroot is only at all effective if the rest of the system
is substantially hardened. In a typical system a non-chrooted Postfix is
still a significantly harder target than various other services or attack
surfaces.

> > Your Postfix SMTP service chrooted, you need to provide a mux socket
> > *inside* the chroot jail [...]
>
> And how exactly do I do that? I found many discussions involving this
> so-called mux file, but none of them explains how to make a chrooted mailer
> find the mux file.

The Postfix chroot jail is the Postfix queue directory (typically
/var/spool/postfix). So the mux socket needs to be:

    /var/spool/postfix/var/run/saslauthd/mux

you need to create the containing directory:

    mkdir -p -m 0755 /var/spool/postfix/var/run
    mkdir -m 0700 /var/spool/postfix/var/run/saslauthd
    chown postfix:sasl /var/spool/postfix/var/run/saslauthd

And then change your saslauthd command to specify the jailed mux directory
pathname:

    saslauthd -a pam -m /var/spool/postfix/var/run/saslauthd

Chroot requires the saslauthd configuration to be carefully coordinated
with use of chroot in the Postfix configuration. The effort may not be
worth it.

Correctly working chroot also requires various other configuration files
(resolv.conf, nsswitch.conf, hosts, ...) to be up to date inside the jail.
This is more complex to administer.

Security vs. ease of use, never confuse the two.

-- 
    Viktor.
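The steps in the reply above (creating the jailed mux directory, pointing saslauthd at it with -m, and keeping resolv.conf, nsswitch.conf and hosts current inside the jail) collected into one checkable script. This is an added example, not code from the thread or from Postfix or Cyrus SASL; it assumes the queue directory is the jail root as the reply states, defaults the owner and group to postfix:sasl as in the reply, and the function and file names are its own.

```shell
#!/bin/sh
# Added example (not from the thread): set up and verify the saslauthd
# mux directory inside the Postfix chroot jail.  The jail root is the
# Postfix queue directory (typically /var/spool/postfix).

# Print the directory that saslauthd must be given with -m when the
# Postfix smtpd runs chrooted under the given queue directory.
jailed_mux_dir() {
    printf '%s/var/run/saslauthd\n' "$1"
}

# Create the jailed mux directory with the permissions from the reply:
# var/run world-traversable (0755), saslauthd/ reachable only by its
# owner (0700).  Owner and group default to postfix:sasl (assumption
# taken from the reply; adjust to the names used on your system).
setup_jailed_mux_dir() {
    queue_dir=$1
    owner=${2:-postfix}
    group=${3:-sasl}
    mkdir -p -m 0755 "$queue_dir/var/run" || return 1
    mkdir -p -m 0700 "$queue_dir/var/run/saslauthd" || return 1
    chown "$owner:$group" "$queue_dir/var/run/saslauthd" || return 1
    # mkdir -m does not change the mode of a pre-existing directory.
    chmod 0700 "$queue_dir/var/run/saslauthd"
}

# Succeed only if the jailed mux directory exists with mode drwx------;
# prints the directory and the mode actually found.
check_jailed_mux_mode() {
    d=$(jailed_mux_dir "$1")
    [ -d "$d" ] || { echo "missing: $d"; return 1; }
    mode=$(ls -ld "$d" | cut -c1-10)
    echo "$d $mode"
    [ "$mode" = "drwx------" ]
}

# Succeed only if a socket named mux exists inside the jail, i.e. a
# saslauthd started with -m pointed at the jailed directory is running.
check_jailed_mux_socket() {
    [ -S "$(jailed_mux_dir "$1")/mux" ]
}

# Compare each named file under etc_dir with its copy in the jail's etc;
# reports copies that are absent or differ from the live file.
check_jail_etc_copies() {
    queue_dir=$1
    etc_dir=$2
    shift 2
    rc=0
    for name in "$@"; do
        if [ ! -f "$queue_dir/etc/$name" ]; then
            echo "absent in jail: $queue_dir/etc/$name"; rc=1
        elif ! cmp -s "$etc_dir/$name" "$queue_dir/etc/$name"; then
            echo "stale in jail:  $queue_dir/etc/$name"; rc=1
        fi
    done
    return $rc
}

# Usage: sh jailed_mux.sh /var/spool/postfix   (run as root for setup)
if [ $# -gt 0 ]; then
    queue=$1
    check_jailed_mux_mode "$queue" || echo "run: setup_jailed_mux_dir $queue"
    if check_jailed_mux_socket "$queue"; then
        echo "mux socket present"
    else
        echo "no mux socket; start: saslauthd -a pam -m $(jailed_mux_dir "$queue")"
    fi
    check_jail_etc_copies "$queue" /etc resolv.conf nsswitch.conf hosts
fi
```

The checks are read-only, so they can be run from cron to catch the two failure modes the reply warns about: saslauthd restarted without -m (no socket inside the jail) and a resolver or hosts change that never reached the jail copy.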