As I can see, there is the bind-chroot glue package, but is there a postfix-chroot.rpm glue? I have looked for it, but I think there is not.

If there is not, what is your opinion about creating one?

Thanks

--
Vilela

Leonardo Vilela Pinheiro wrote:
> As I can see, there is the bind-chroot glue package, but is there a
> postfix-chroot.rpm glue ? I have looked for it, but I think there is not.

You are right, there is none. You may do an RFE in upstream's bugzilla. Though there is the /etc/postfix/postfix-chroot script shipping with the Postfix rpm.

> If there is not, what is your opinion about creating one ?

Other than with bind I take the security advantage of a chrooted Postfix little. Especially because other than bind Postfix typically calls other applications as for instance content filters (amavisd-new comes to mind) and, very prominently, uses Cyrus-SASL for client and server SMTP AUTH. So to be able to do SMTP AUTH with a chrooted Postfix you will have to relocate the SASL libs - just copying into the chroot is not enough (Debian i.e. has its own patches for this).

Do you have a working solution for CentOS / RHEL in your pocket?

Cheers

Alexander

Leonardo Vilela Pinheiro wrote:
> As I can see, there is the bind-chroot glue package, but is there a
> postfix-chroot.rpm glue ? I have looked for it, but I think there is not.
>
> If there is not, what is your opinion about creating one ?

Not worth it. There has been no security issue with postfix itself since its 2.0 version and only one issue in an older version. Any security problems will come from external libraries such as cyrus-sasl/openssl and so making postfix chroot really means making a whole lot more chrooted if you plan to use these.

From the master.cf file.

# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
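
Added example, not part of the original thread and not Postfix's own code: a small audit of the chroot column in master.cf that applies the rule quoted from the master.cf comment above (pipe, virtual and local cannot run chrooted; chrooting proxymap defeats its purpose). The sample master.cf is constructed, and the meaning of `-` in the chroot column is taken as a parameter because it depends on the Postfix release.

```python
# Added example: audit the chroot column of a Postfix master.cf.
CANNOT_CHROOT = {"pipe", "virtual", "local"}   # per the master.cf comment quoted above
POINTLESS_CHROOT = {"proxymap"}                # can chroot, but it defeats the purpose

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
local     unix  -       n       y       -       -       local
proxymap  unix  -       -       y       -       -       proxymap
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
"""

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text, default_chroot="n"):
    """Return (service, daemon, chrooted, finding) for every master.cf entry.

    default_chroot is what "-" means: "n" on Postfix 3.0 and later, "y" before.
    """
    results = []
    for line in logical_lines(text):
        f = line.split()
        if len(f) < 8:          # not a complete service entry
            continue
        service, chroot, daemon = f[0], f[4], f[7]
        chrooted = (default_chroot if chroot == "-" else chroot) == "y"
        finding = "ok"
        if chrooted and daemon in CANNOT_CHROOT:
            finding = "error: daemon cannot run chrooted"
        elif chrooted and daemon in POINTLESS_CHROOT:
            finding = "warning: chroot defeats the purpose of proxymap"
        results.append((service, daemon, chrooted, finding))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE, default_chroot="y"):
        print(*row, sep="\t")
```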