Minimal permissions on /etc/postfix


Minimal permissions on /etc/postfix

Michael Orlitzky-2
We store our virtual_foo_maps in,

  /etc/posfix/maps/virtual_foo_maps.pgsql

and so the (read-only) database credentials are visible in that file.
I'd like to tighten this up if possible, but I don't want to do anything
stupid.

If I'm not going about this all wrong, what can I do to prevent e.g. SSH
users from reading the DB credentials? Ideally, I'd also like to prevent
them from reading the rest of the maps, which contain lists of
addresses, clients, etc.

Re: Minimal permissions on /etc/postfix

DTNX Postmaster
On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
>
>  /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.

This works for us;

$ ls -ald /etc/postfix
drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix

The postfix user is a member of the 'postcfg' group. Any admin accounts
that need access to the contents can also be added if needs be.

Cya,
Jona


Re: Minimal permissions on /etc/postfix

Michael Orlitzky-2
On 07/24/12 12:24, DTNX Postmaster wrote:

> On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:
>
>> We store our virtual_foo_maps in,
>>
>>  /etc/posfix/maps/virtual_foo_maps.pgsql
>>
>> and so the (read-only) database credentials are visible in that file.
>> I'd like to tighten this up if possible, but I don't want to do anything
>> stupid.
>>
>> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
>> users from reading the DB credentials? Ideally, I'd also like to prevent
>> them from reading the rest of the maps, which contain lists of
>> addresses, clients, etc.
>
> This works for us;
>
> $ ls -ald /etc/postfix
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
>
> The postfix user is a member of the 'postcfg' group. Any admin accounts
> that need access to the contents can also be added if needs be.
>

Thanks, I actually tried this but ran into a problem:

  Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
  /etc/postfix/main.cf: Permission denied

That alone is easy to fix (allow $authorized_submit_users read access to
main.cf), but it suggested that I might run into more subtle problems if
I started messing with /etc/postfix.


Re: Minimal permissions on /etc/postfix

Zhang Huangbin
In reply to this post by Michael Orlitzky-2


On Wednesday, July 25, 2012 at 12:09 AM, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
>
> /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.


Works for me with owner 'root', group 'postfix', permission 0640.

----
Zhang Huangbin

iRedMail: Open Source Mail Server Solution for Red Hat Enterprise Linux,
CentOS, Scientific Linux, Debian, Ubuntu, Gentoo, openSUSE,
FreeBSD, OpenBSD: http://www.iredmail.org/




Re: Minimal permissions on /etc/postfix

mouss-4
In reply to this post by Michael Orlitzky-2
On 24/07/2012 18:09, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
>
>   /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.
>


map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x---    9 root      postfix       512 Feb 10  2011 postmap/
...


note that I prefer
        /somedir/pgsql/foo_map
over
        /somedir/foo_map.pgsql
this is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map


Re: Minimal permissions on /etc/postfix

Michael Orlitzky-2
On 07/24/2012 07:33 PM, mouss wrote:

>
> map_directory = /var/db/postmap
> cidr = cidr:${map_directory}/cidr
> db = ${db_type}:${map_directory}/${db_type}
> map_directory = /var/db/postmap
> regex = ${regex_type}:${map_directory}/${regex_type}
> sql = ${sql_type}:${map_directory}/${sql_type}
> ...
>
> ls -l /var/db/
> ...
> drwxr-x---    9 root      postfix       512 Feb 10  2011 postmap/
> ...

Ok, thanks, I'll stick with this for a while and see what happens. It
seems sendmail needs to read main.cf, but not any of the map files (at
least, not the ones I'm using in the way I'm using them) or master.cf.

We've only got two boxes that have anything sensitive in the maps; on
the one with the mail store, I have just:

  /etc/postfix:
  cp -R etc/postfix /etc/
  chgrp -R postfix /etc/postfix
  find /etc/postfix -type d -print0 | xargs -0 chmod 755
  find /etc/postfix -type f -print0 | xargs -0 chmod 640
  chmod 644 /etc/postfix/main.cf

which is close to what you posted, modulo master.cf and 'rx' of the maps
directory.

On the MX, I also need to make one of the map files readable to the
amavis user, but there's nothing sensitive in that map, so 644 is fine
there.

I'll report if anything else breaks =)

Re: Minimal permissions on /etc/postfix

Reindl Harald-2
In reply to this post by Michael Orlitzky-2


On 24.07.2012 18:58, Michael Orlitzky wrote:

> Thanks, I actually tried this but ran into a problem:
>
>   Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
>   /etc/postfix/main.cf: Permission denied
>
> That alone is easy to fix (allow $authorized_submit_users read access to
> main.cf), but it suggested that I might run into more subtle problems if
> I started messing with /etc/postfix

the main config AFAIK needs 644
sensible files can be done with proxymap and so restricted

http://www.postfix.org/proxymap.8.html

-rw-r--r-- 1 root root     21K 2012-06-13 00:58 access
-rw-r--r-- 1 root root     12K 2012-06-13 00:58 canonical
-rw-r--r-- 1 root root    9,7K 2012-06-13 00:58 generic
-rw-r--r-- 1 root root     22K 2012-06-13 00:58 header_checks
-rw-r--r-- 1 root root    6,7K 2012-06-13 00:58 relocated
-rw-r--r-- 1 root root     13K 2012-06-13 00:58 transport
-rw-r--r-- 1 root root     13K 2012-06-13 00:58 virtual
-rw-r--r-- 1 root root    4,0K 2011-01-16 04:05 bounce.cf
-rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
-rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
-rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
-rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
-rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
-rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
-rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
-rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
-rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
-rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf



Re: Minimal permissions on /etc/postfix

Viktor Dukhovni
On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:

> the main config AFAIK needs 644

Correct, the main.cf and master.cf files should be world-readable.

> sensible files can be done with proxymap and so restricted
>
> http://www.postfix.org/proxymap.8.html

Proxymap does not matter here, regardless of which postfix daemon
reads the table, the table ".cf" files are read before the daemons
drop privileges and (potentially) enter a chroot jail. Therefore,
these tables are read as "root", and so can have permissions of
"0600 root root" or "0400 root root" (if maintained indirectly
and should not be directly edited by root).

> -rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
> -rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf

Good.


> -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
> -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
> -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
> -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
> -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
> -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
> -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
> -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
> -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
> -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf

The group can be "root" and the file permissions need not allow group
read. The only exceptions are configurations for tables used with:

        $ postconf -d | grep '^authorized_' | grep static:
        authorized_flush_users = static:anyone
        authorized_mailq_users = static:anyone
        authorized_submit_users = static:anyone

such tables should be world readable, or otherwise readable by the
"setgid_group" group (default "postdrop" on many systems).

--
        Viktor.

Re: Minimal permissions on /etc/postfix

Wietse Venema
Viktor Dukhovni:

> On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:
>
> > the main config AFAIK needs 644
>
> Correct, the main.cf and master.cf files should be world-readable.
>
> > sensible files can be done with proxymap and so restricted
> >
> > http://www.postfix.org/proxymap.8.html
>
> Proxymap does not matter here, regardless of which postfix daemon
> reads the table, the table ".cf" files are read before the daemons
> drop privileges and (potentially) enter a chroot jail. Therefore,
> these tables are read as "root", and so can have permissions of
> "0600 root root" or "0400 root root" (if maintained indirectly
> and should not be directly edited by root).

Correct. However, if a table is searched through the proxymap daemon,
then its file will be opened after the proxymap daemon has dropped
root privileges, so "postfix" (group) permission would be needed.

        Wietse

> > -rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
> > -rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf
>
> Good.
>
>
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
> > -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
> > -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
> > -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
> > -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
> > -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
> > -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
> > -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> > -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> > -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
> > -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf
>
> The group can be "root" and the file permissions need not allow group
> read. The only exceptions are configurations for tables used with:
>
> $ postconf -d | grep '^authorized_' | grep static:
> authorized_flush_users = static:anyone
> authorized_mailq_users = static:anyone
> authorized_submit_users = static:anyone
>
> such tables should be world readable, or otherwise readable by the
> "setgid_group" group (default "postdrop" on many systems).
>
> --
> Viktor.
>
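
The permission rules given by Viktor Dukhovni and Wietse Venema above, written as a check over a config directory (an added example, not code from anyone in the thread). It assumes credentials sit on a `password =` line of a table ".cf" file and that proxied tables appear in main.cf as `proxy:type:/path`; the function name is hypothetical, and it inspects mode bits and group only, not the owner.

```shell
#!/bin/sh
# Added example (not from the thread): audit mode bits in a Postfix config
# directory. audit_postfix_perms DIR [GROUP]; GROUP defaults to "postfix".
# Prints one FAIL line per finding and nothing when the layout is clean.

audit_postfix_perms() (
    dir=$1 grp=${2:-postfix}

    # Tables main.cf searches through proxymap, e.g. proxy:mysql:/path/x.cf
    proxied=$(grep -Eo 'proxy:[a-z]+:[^ ,]+' "$dir/main.cf" 2>/dev/null |
              sed 's/^proxy:[a-z]*://')

    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        # POSIX long listing: mode string, links, owner, group, ...
        set -- $(ls -ld "$f")
        perms=$1 group=$4
        case $perms in ???????r*) world=yes ;; *) world=no ;; esac
        case $perms in ????r*) gread=yes ;; *) gread=no ;; esac

        case ${f##*/} in
        main.cf|master.cf)
            # Opened by unprivileged commands such as sendmail(1)
            [ "$world" = yes ] || echo "FAIL $f: must be world-readable"
            continue ;;
        esac

        # Only table configs that carry a credential matter here
        grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f" || continue
        [ "$world" = no ] || echo "FAIL $f: credentials are world-readable"

        if printf '%s\n' "$proxied" | grep -Fxq -- "$f"; then
            # Opened by proxymap after it has dropped root privileges
            [ "$gread" = yes ] && [ "$group" = "$grp" ] ||
                echo "FAIL $f: proxied table needs group $grp read access"
        fi
    done
    exit 0
)
```

A non-proxied table at 0600 passes, matching Viktor's point that such files are read as root; the same file referenced through `proxy:` is flagged until it is group-readable by the given group.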

Re: Minimal permissions on /etc/postfix

DTNX Postmaster
In reply to this post by DTNX Postmaster
On Jul 24, 2012, at 18:24, DTNX Postmaster wrote:

> This works for us;
>
> $ ls -ald /etc/postfix
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
>
> The postfix user is a member of the 'postcfg' group. Any admin accounts
> that need access to the contents can also be added if needs be.

To clarify, this is what we use on relay servers that do not have any
local processes besides Postfix that need access. On servers where this
is needed, such as for the use of 'sendmail', the '/etc/postfix'
directory is kept world readable, as are the .cf files.

Everything that isn't part of the default config, such as map files, is
kept inside a subdirectory inside '/etc/postfix', which has the limited
permissions. That way the permissions on the files themselves are not
as critical.

Cya,
Jona