
Russell Coker <russell@coker.com.au> writes:
On Sun, 30 Dec 2012, chris@chrisbailey.au.com wrote:
I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail.
In a default configuration Postfix uses a chroot for some of its own processes. See field 4 in /etc/postfix/master.cf.
Generally Postfix uses minimum privileges for its processes and it has a really good security history (unlike Sendmail) so you probably don't need to do anything more.
+1. Security-wise, postfix is one of my least concerns. I run each service inside its own container (LXC). I give each container its own rootfs, but it's not exactly minimal -- they each run syslogd and sshd and have apt and suchlike. I presume that's not what you're talking about. Also, to avoid going completely insane, I am obliged to host postfix and dovecot in the same container. If I ran mailman, it would also have to go in the same container. I've also deployed zimbra (which contains postfix) in anger, but I'm pretty sure it was under KVM, not LXC.
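
As an added example (not part of the original thread): a small Python parser that reports which services in master.cf run chrooted, which is the setting the reply above points to. The sample file is constructed, and what `-` means in the chroot column is a parameter, because the built-in default is `y` before Postfix 3.0 and `n` from 3.0 on.

```python
import sys

# Constructed sample, not taken from a real host. Column order in master.cf:
# service  type  private  unpriv  chroot  wakeup  maxproc  command + args
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
# a line starting with whitespace continues the previous logical line
submission inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
local      unix  -       n       n       -       -       local
"""


def parse_master_cf(text):
    """Return one dict per service entry, joining continuation lines."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)
    entries = []
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # not a complete service entry
        name, kind, _private, _unpriv, chroot, _wakeup, _maxproc, command = fields
        entries.append({"service": f"{name}/{kind}", "chroot": chroot, "command": command})
    return entries


def chrooted_services(text, dash_means="y"):
    """List services that run chrooted; dash_means is what '-' resolves to."""
    result = []
    for entry in parse_master_cf(text):
        flag = dash_means if entry["chroot"] == "-" else entry["chroot"]
        if flag == "y":
            result.append(entry["service"])
    return result


if __name__ == "__main__":
    # Pass a path such as /etc/postfix/master.cf, or no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_CF
    for svc in chrooted_services(text):
        print(svc)
```
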