
On Sun, 30 Dec 2012, chris@chrisbailey.au.com wrote:
> I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail.

In a default configuration Postfix uses a chroot for some of its own processes. See field 4 in /etc/postfix/master.cf. Generally Postfix uses minimum privileges for its processes and it has a really good security history (unlike Sendmail) so you probably don't need to do anything more.

I use SE Linux on all the mail servers that matter to me. The SE Linux policy is written for non-chroot Postfix programs so you have to configure it to not use chroot. Giving the Postfix master process the ability to chroot would involve giving Postfix more access to the system not less. A Postfix process that's not chrooted on an SE Linux system is more restricted than a chrooted process on a non-SE system.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
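
Added example (not part of the original message and not Postfix's own code): a small Python check that lists which master.cf services have chroot enabled, for confirming that a configuration is non-chroot as the SE Linux policy mentioned above expects. The sample master.cf text is constructed, and `default_chroot`, which says how a `-` in the chroot column is read, is an assumption supplied by the caller.

```python
# Added example: report the chroot setting of each service in a Postfix master.cf.
# Column order: service type private unpriv chroot wakeup maxproc command
COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")

# Constructed sample input, not taken from any real server.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
  # comment inside a continued entry
local     unix  -       n       n       -       -       local
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the preceding entry."""
    entry = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if raw[0].isspace() and entry is not None:
            entry += " " + raw.strip()
        else:
            if entry is not None:
                yield entry
            entry = raw.strip()
    if entry is not None:
        yield entry

def chroot_report(text, default_chroot="n"):
    """Return [(service, type, chrooted)]; "-" is read as default_chroot."""
    report = []
    for line in logical_lines(text):
        fields = line.split(None, len(COLUMNS))
        if len(fields) <= len(COLUMNS):  # the command field is mandatory
            raise ValueError(f"malformed master.cf entry: {line!r}")
        entry = dict(zip(COLUMNS, fields))
        value = entry["chroot"] if entry["chroot"] != "-" else default_chroot
        report.append((entry["service"], entry["type"], value == "y"))
    return report

def chrooted_services(text, default_chroot="n"):
    return [f"{s}/{t}" for s, t, c in chroot_report(text, default_chroot) if c]

if __name__ == "__main__":
    for name in chrooted_services(SAMPLE_MASTER_CF):
        print("chroot enabled:", name)
```

Pass `default_chroot="y"` when checking a Postfix release older than 3.0, where a `-` in the chroot column means the service is chrooted.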