Hi All, I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail. Config:- CentOS 6.3 x64 ISPConfig 3 Postfix 2.6.6 Roundcube Webmail client 0.7.3 Looking to install MailScanner and MailWatch on the server too. TIA Chris
On Sun, 30 Dec 2012, chris@chrisbailey.au.com wrote:
I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail.
In a default configuration Postfix uses a chroot for some of it's own processes. See field 4 in /etc/postfix/master.cf. Generally Postfix uses minimum privileges for it's processes and it has a really good security history (unlike Sendmail) so you probably don't need to do anything more. I use SE Linux on all the mail servers that matter to me. The SE Linux policy is written for non-chroot Postfix programs so you have to configure it to not use chroot. Giving the Postfix master process the ability to chroot would involve giving Postfix more access to the system not less. A Postfix process that's not chrooted on a SE Linux system is more restricted than a chrooted process on a non-SE system. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
Russell Coker <russell@coker.com.au> writes:
On Sun, 30 Dec 2012, chris@chrisbailey.au.com wrote:
I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail.
In a default configuration Postfix uses a chroot for some of it's own processes. See field 4 in /etc/postfix/master.cf.
Generally Postfix uses minimum privileges for it's processes and it has a really good security history (unlike Sendmail) so you probably don't need to do anything more.
+1. Security-wise, postfix is one of my least concerns. I run each service inside its own container (LXC). I give each container its own rootfs, but it's not exactly minimal -- they each run syslogd and sshd and have apt and suchlike. I presume that's not what you're talking about. Also, to avoid going completely insane, I am obliged to host postfix and dovecot in the same container. If I ran mailman, it would also have to go in the same container. I've also deployed zimbra (which contains postfix) in anger, but I'm pretty sure it was under KVM, not LXC.
On 30/12/2012, at 21:08, chris@chrisbailey.au.com wrote:
I've just moved to Postfix from SendMail on a new hosting server I have built, just wanting to hear of any issues anyone has had, if any, with putting postfix in a chroot jail.
Config:- CentOS 6.3 x64 ISPConfig 3 Postfix 2.6.6 Roundcube Webmail client 0.7.3
if you are concerned with security, I'd entirely avoid running roundcube.. I've had nothing but trouble with it
hannah commodore <hannah@tinfoilhat.net> writes:
Roundcube Webmail client 0.7.3 if you are concerned with security, I'd entirely avoid running roundcube.. I've had nothing but trouble with it
Ah, I didn't spot that part of the original post. I have a blanket ban on PHP for security reasons, so I never looked closely at roundcube or squirrelmail. I *did* find prayer. It's written in C, speaks HTTP/HTTPS to the front end (so no need for apache or fastcgi on the same host), and IMAP/IMAPS to the backend (so you *will* need dovecot). It's old-school enough that it works in proper browsers (like w3m) as well as fancy-pants bloaty ones. I can recommend it with the following caveats: - it has two themes. You want the newer, non-default one. - it's an OK fallback MUA, but you don't want to use it every day. - for some bizarre reason when I put it behind an apache reverse proxy (to do the LDAP auth layer), clicking on an attachment doesn't work. apache returns a 404 without even asking prayer for the attachment. The URLs look the same, so I'm completely stuck on that one.
On 2012-12-31 22:28, trentbuck@gmail.com wrote:
hannah commodore <hannah@tinfoilhat.net> writes:
Roundcube Webmail client 0.7.3 if you are concerned with security, I'd entirely avoid running roundcube.. I've had nothing but trouble with it
Ah, I didn't spot that part of the original post.
I have a blanket ban on PHP for security reasons, so I never looked closely at roundcube or squirrelmail. I *did* find prayer.
It's written in C, speaks HTTP/HTTPS to the front end (so no need for apache or fastcgi on the same host), and IMAP/IMAPS to the backend (so you *will* need dovecot). It's old-school enough that it works in proper browsers (like w3m) as well as fancy-pants bloaty ones.
I can recommend it with the following caveats:
- it has two themes. You want the newer, non-default one.
- it's an OK fallback MUA, but you don't want to use it every day.
- for some bizarre reason when I put it behind an apache reverse proxy (to do the LDAP auth layer), clicking on an attachment doesn't work. apache returns a 404 without even asking prayer for the attachment. The URLs look the same, so I'm completely stuck on that one.
Hi Trent, Thanks for the recommendation, but this is for hosting emails for corporate customers, so having issues with attachments would be an issue, most are using M$ Outlook as their main MUA, but I'm needing a nice web based one for when they are not in their offices. SquirrelMail, which is the recommended for ISPConfig is just UGLY and I've had issues with installing Horde in the past, hence Roundcube. Cheers, Chris
Quoting Christopher M. Bailey (chris@chrisbailey.au.com):
Thanks for the recommendation, but this is for hosting emails for corporate customers, so having issues with attachments would be an issue, most are using M$ Outlook as their main MUA, but I'm needing a nice web based one for when they are not in their offices.
Trent did say the problem arises only when he puts it behind an Apache reverse proxy. ('Hope that helps!) -- Cheers, Nothing's hotter than having a copyeditor correct your sex scenes. Rick Moen -- Max Barry rick@linuxmafia.com McQ! (4x80)
"Christopher M. Bailey" <chris@chrisbailey.au.com> writes:
this is for hosting emails for corporate customers [...] most are using M$ Outlook as their main MUA, but I'm needing a nice web based one for when they are not in their offices.
Then IMO you're screwed; there are no "nice" webmail MUAs -- at least not nice in the sense that chucklehead management types mean it. If they have smartphones, you could encourage them to use an IMAPS-backed MUA on them. I am also given to understand that outlook sucks at IMAP, which is why all the for-profit groupware suites charge for their MAPI servers or outlook connectors. Since all the groupware solutions suck, I would also be encouraging your management types to use tbird or similar. Another alternative is of course somethiny SaaS-y like "gmail for business" or whatever it's called.
participants (7)
-
chris@chrisbailey.au.com -
Christopher M. Bailey
-
hannah commodore -
Rick Moen -
Russell Coker -
trentbuck@gmail.com -
twb@cyber.com.au