chroot setting in master.cf

chroot setting in master.cf

Michael Fox
I'm configuring master.cf to add amavisd-new.  The amavisd-new documentation
(/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
master.cf file regarding the chroot setting for the cleanup (and
pre-cleanup) service.  I presume that the amavisd-new documentation is in
error and that I should go with the chroot setting that's in the default
master.cf.  But I don't know enough about the implications of one vs. the
other to be sure.

Specifically, I have three questions:

1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
with chroot=n.  But the default master.cf has the cleanup service configured
with chroot=y.  Should I use the same chroot=y setting for the pre-cleanup
service?  

2) Section 4.2.2 of the above web page shows modifying the existing cleanup
service to add some "-o" options.  But it shows the cleanup service with
chroot=n.  Should I leave chroot=y for the cleanup service?

3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
services with chroot=n.  But similar services in master.cf have chroot=y.
Should these two new services also use chroot=y?

Thanks in advance,
Michael



Re: chroot setting in master.cf

Noel Jones-2
On 8/10/2017 2:46 PM, Michael Fox wrote:

> I'm configuring master.cf to add amavisd-new.  The amavisd-new documentation
> (/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
> master.cf file regarding the chroot setting for the cleanup (and
> pre-cleanup) service.  I presume that the amavisd-new documentation is in
> error and that I should go with the chroot setting that's in the default
> master.cf.  But I don't know enough about the implications of one vs. the
> other to be sure.
>
> Specifically, I have three questions:
>
> 1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
> with chroot=n.  But the default master.cf has the cleanup service configured
> with chroot=y.  Should I use the same chroot=y setting for the pre-cleanup
> service?  
>
> 2) Section 4.2.2 of the above web page shows modifying the existing cleanup
> service to add some "-o" options.  But it shows the cleanup service with
> chroot=n.  Should I leave chroot=y for the cleanup service?
>
> 3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
> services with chroot=n.  But similar services in master.cf have chroot=y.
> Should these two new services also use chroot=y?
>
> Thanks in advance,
> Michael
>
>

The default master.cf as distributed by postfix has all services as
chroot "n", and that is the recommended setting.






  -- Noel Jones

RE: chroot setting in master.cf

Michael Fox
> The default master.cf as distributed by postfix has all services as
> chroot "n", and that is the recommended setting.
> -- Noel Jones

Thanks Noel.

Interesting.  From http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup, the recommendation seems to be to use chroot wherever possible.  In fact, it says:  "The author's own porcupine.org mail server runs all daemons chrooted that can be chrooted."  (Maybe this is left over from when the default for chroot was "y"?)

The Debian/Ubuntu package defaults seem to be following that advice.  But evidently, the default distributed by postfix is going the other way.  

That leaves a basic user like me unsure of what to do.  So, let me ask my question this way:  Given that the default master.cf file from Ubuntu (see below) has chroot="y" for the cleanup service, then presumably they've also done whatever needs to be done to make cleanup work inside the chroot jail.  So, given all of that, does it make sense to continue using chroot=y for cleanup (and pre-cleanup)?  Or should I switch to chroot=n anyway?

Thanks,
Michael


# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
$ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}


Re: chroot setting in master.cf

Wietse Venema
Michael Fox:

> > The default master.cf as distributed by postfix has all services as
> > chroot "n", and that is the recommended setting.
> > -- Noel Jones
>
> Thanks Noel.
>
> Interesting.  From
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup, the
> recommendation seems to be to use chroot wherever possible.  In
> fact, it says:  "The author's own porcupine.org mail server runs
> all daemons chrooted that can be chrooted."  (Maybe this is left
> over from when the default for chroot was "y"?)

With Postfix 3, chroot is no longer the default. It remains an
available option for people who want to go through the effort.

        Wietse

RE: chroot setting in master.cf

Michael Fox
> With Postfix 3, chroot is no longer the default. It remains an
> available option for people who want to go through the effort.
>
> Wietse

Yes, but that wasn't my question.  Again, my question was:

I'm configuring master.cf to add amavisd-new.  The amavisd-new documentation
(/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
master.cf file regarding the chroot setting for the cleanup (and
pre-cleanup) service.  I presume that the amavisd-new documentation is in
error and that I should go with the chroot setting that's in the default
master.cf.  But I don't know enough about the implications of one vs. the
other to be sure.

Specifically, I have three questions:

1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
with chroot=n.  But the default master.cf (from Ubuntu) has the cleanup
service configured
with chroot=y.  Should I use the same chroot=y setting for the pre-cleanup
service?  

2) Section 4.2.2 of the above web page shows modifying the existing cleanup
service to add some "-o" options.  But it shows the cleanup service with
chroot=n.  Should I leave chroot=y for the cleanup service?

3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
services with chroot=n.  But similar services in master.cf have chroot=y.
Should these two new services also use chroot=y?

Thanks in advance,
Michael


Re: chroot setting in master.cf

Patrick Ben Koetter-2
* Michael Fox <[hidden email]>:

> > With Postfix 3, chroot is no longer the default. It remains an
> > available option for people who want to go through the effort.
> >
> > Wietse
>
> Yes, but that wasn't my question.  Again, my question was:
>
> I'm configuring master.cf to add amavisd-new.  The amavisd-new documentation
> (/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
> master.cf file regarding the chroot setting for the cleanup (and
> pre-cleanup) service.  I presume that the amavisd-new documentation is in
> error and that I should go with the chroot setting that's in the default
> master.cf.  But I don't know enough about the implications of one vs. the
> other to be sure.

I wrote README.postfix.html for amavisd-new many years ago and I don't recall
why master.cf was in the state it was by then. I wouldn't say the
documentation is in error - it has simply not seen any update in many years.

Personally I don't use content_filter and smtpd_proxy_filter anymore. I prefer
the MILTER interface over the other methods. If you are interested in this and
if you can read German (or are able to handle google translate ;) you may read
my blog https://sys4.de/de/blog/2015/07/31/amavisd-milter-howto/ for
instructions.


> Specifically, I have three questions:
>
> 1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
> with chroot=n.  But the default master.cf (from Ubuntu) has the cleanup
> service configured
> with chroot=y.  Should I use the same chroot=y setting for the pre-cleanup
> service?  
>
> 2) Section 4.2.2 of the above web page shows modifying the existing cleanup
> service to add some "-o" options.  But it shows the cleanup service with
> chroot=n.  Should I leave chroot=y for the cleanup service?
>
> 3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
> services with chroot=n.  But similar services in master.cf have chroot=y.
> Should these two new services also use chroot=y?

The general answer is: If you plan to run Postfix chrooted, chroot as much
as you can. It's a design question. Chrooting a service like Postfix comes at
the price of quite some management overhead. You can automate most of that,
but you need to take care of it.

Many years ago Wietse wrote that chrooting Postfix only makes sense on a hardened
server. I agree with that. If the server isn't hardened, forget about chrooting
the service, as there are very likely much more easily exploitable "entry points"
to the server.

p@rick

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
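Patrick's answer above (chroot everything or nothing, and automate the upkeep of the jail) and Noel's earlier point that the stock master.cf ships every service with chroot "n" both come down to the chroot column of master.cf. What follows is an added example, not code from this thread, from the amavisd-new README or from the Postfix project: a POSIX sh script that lists which services are chrooted and which are not, prints the postconf -F commands that would put every service back to the Postfix default, and checks a jail directory for the files a chrooted daemon needs. It assumes the 8-column `postconf -Mf` output layout shown earlier in the thread (folded continuation lines are indented), that `postconf -F name/type/field=value` edits master.cf fields (Postfix 2.11 and later), and a JAIL_FILES list that approximates what Postfix's examples/chroot-setup scripts copy into the jail; the embedded SAMPLE_MASTER is constructed from the Ubuntu dump in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, the amavisd-new README or the
# Postfix project. Audits the chroot column of master.cf and checks that the
# chroot jail holds the files a chrooted daemon needs.
# Assumptions: `postconf -Mf` prints the 8-column layout shown in the thread,
# `postconf -F name/type/field=value` edits master.cf (Postfix 2.11+), and
# JAIL_FILES approximates what examples/chroot-setup/* copies into the jail.

# Constructed sample in `postconf -Mf` format, cut down from the Ubuntu dump
# in the thread. Only the chroot column (field 5) matters here.
SAMPLE_MASTER='smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  -       -       n       300     1       qmgr
smtp       unix  -       -       y       -       -       smtp
local      unix  -       n       n       -       -       local
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}'

# Print "name/type" for each service with chroot=y. A "-" in that column
# inherits the default, which the header comment in the thread gives as
# "(no)" for Postfix 3, so only an explicit "y" counts. Indented
# continuation lines and comments are skipped.
chrooted_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]/ || /^#/ || NF < 8 { next }
        $5 == "y" { print $1 "/" $2 }
    '
}

# Same for services explicitly set to chroot=n. Output from both functions
# at once is the mixed state the thread is about.
unchrooted_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]/ || /^#/ || NF < 8 { next }
        $5 == "n" { print $1 "/" $2 }
    '
}

# Emit (do not run) the postconf commands that switch every chrooted
# service to chroot=n, the setting Noel describes as the Postfix default.
unchroot_commands() {
    chrooted_services "$1" | while IFS= read -r svc; do
        printf "postconf -F '%s/chroot=n'\n" "$svc"
    done
}

# Files chrooted daemons commonly need below $queue_directory (assumption;
# compare with the chroot-setup script for your platform).
JAIL_FILES="etc/resolv.conf etc/hosts etc/services etc/nsswitch.conf etc/localtime etc/host.conf"

# Print every required file missing from jail directory $1; return 1 if any
# is missing, 0 if the jail is complete. Run this before turning chroot on.
jail_missing() {
    jail=$1; rc=0
    for f in $JAIL_FILES; do
        if [ ! -e "$jail/$f" ]; then
            printf '%s\n' "$jail/$f"
            rc=1
        fi
    done
    return $rc
}

# Use the live configuration when postconf is installed, else the sample.
if command -v postconf >/dev/null 2>&1; then
    MASTER=$(postconf -Mf)
    JAIL=$(postconf -h queue_directory)
else
    MASTER=$SAMPLE_MASTER
    JAIL=/var/spool/postfix
fi

echo "chrooted services:";    chrooted_services "$MASTER"
echo "not chrooted:";         unchrooted_services "$MASTER"
echo "to make all chroot=n:"; unchroot_commands "$MASTER"
if jail_missing "$JAIL" >/dev/null 2>&1; then
    echo "jail $JAIL has all of: $JAIL_FILES"
else
    echo "jail $JAIL is missing:"; jail_missing "$JAIL"
fi
```

Run it on the mail host; with postconf installed it reads the live master.cf and queue_directory instead of the sample. The jail check is the practical side of the "management overhead" Patrick mentions: a chrooted smtp or smtpd daemon that cannot find etc/resolv.conf or etc/services inside the jail may no longer resolve names or look up service ports, and the copies in the jail go stale whenever the real /etc files change, so the check belongs in the same automation that refreshes them. Whichever way you decide, the point of the two listing functions is that the amavisd-new services (pre-cleanup, cleanup, amavisfeed, 127.0.0.1:10025) should end up in the same column as the rest, not split between the two.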
 

RE: chroot setting in master.cf

Michael Fox
> I wrote README.postfix.html for amavisd-new many years ago and I don't
> recall why master.cf was in the state it was by then. I wouldn't say the
> documentation is in error - it has simply not seen any update in many years.

Ah, OK.  Thanks.  That explains the differences.


> Personally I don't use content_filter and smtpd_proxy_filter anymore. I
> prefer the MILTER interface over the other methods. If you are interested
> in this and if you can read German (or are able to handle google translate ;)
> you may read my blog https://sys4.de/de/blog/2015/07/31/amavisd-milter-howto/
> for instructions.

OK. Thanks.


> The general answer is: If you plan to run Postfix chrooted, chroot as much
> as you can. It's a design question. Chrooting a service like Postfix comes
> at the price of quite some management overhead. You can automate most of
> that, but you need to take care of it.
>
> Many years ago Wietse wrote that chrooting Postfix only makes sense on a
> hardened server. I agree with that. If the server isn't hardened, forget
> about chrooting the service, as there are very likely much more easily
> exploitable "entry points" to the server.

OK.  That all makes sense and provides me a good recommendation.  

Michael