Postfix daemon processes can be configured (via the master.cf
file) to run in a chroot jail. The processes run at a fixed low
privilege and with file system access limited to the Postfix queue
directories (/var/spool/postfix). This provides a significant
barrier against intrusion. The barrier is not impenetrable (chroot
limits file system access only), but every little bit helps.
With the exception of Postfix daemons that deliver mail locally
and/or that execute non-Postfix commands, every Postfix daemon can
run chrooted.
Sites with high security requirements should consider chrooting
all daemons that talk to the network: the smtp(8) and smtpd(8)
processes, and perhaps also the lmtp(8) client. The author's own
porcupine.org mail server runs all daemons chrooted that can be
chrooted.
The default /etc/postfix/master.cf file specifies that no Postfix
daemon runs chrooted. In order to enable chroot operation, edit
the file /etc/postfix/master.cf, and follow instructions in the
file. When you're finished, execute "postfix reload" to make the
change effective.
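As an added example (not part of the Postfix distribution), the following shell script audits a master.cf for entries whose chroot column is not "y", and separately lists the network-facing daemons (smtpd, smtp, lmtp) that are still not chrooted. The master.cf excerpt embedded in it is constructed for the demonstration; local(8) and pipe(8) are skipped because, as described above, daemons that deliver locally or run non-Postfix commands cannot be chrooted.

```shell
#!/bin/sh
# Added example: audit master.cf chroot settings. Not Postfix code.
#
# master.cf columns: service type private unpriv chroot wakeup maxproc
# command+args. Lines starting with "#" are comments; lines starting
# with whitespace continue the previous entry ("-o name=value").

# Constructed master.cf excerpt for demonstration; not a real site's file.
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       -       -       -       smtp
lmtp      unix  -       -       y       -       -       lmtp
local     unix  -       n       n       -       -       local
pipe      unix  -       n       n       -       -       pipe'

# Read master.cf on stdin; print "service/type command" for every entry
# whose chroot column is not "y". A "-" in that column means "use the
# Postfix default", which depends on the Postfix version, so it is
# reported too. local(8) and pipe(8) are skipped: they cannot be chrooted.
list_not_chrooted() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank
        /^[[:space:]]/                        { next }   # continuation line
        NF >= 8 && $5 != "y" && $8 != "local" && $8 != "pipe" {
            print $1 "/" $2 " " $8
        }'
}

# Same, restricted to the daemons that talk to the network (smtpd, smtp,
# lmtp), which the text above recommends chrooting first.
list_network_not_chrooted() {
    list_not_chrooted | awk '$2 == "smtpd" || $2 == "smtp" || $2 == "lmtp"'
}

# Demo on the constructed sample. To audit a real file, run:
#   list_network_not_chrooted < /etc/postfix/master.cf
printf '%s\n' "$SAMPLE_MASTER_CF" | list_network_not_chrooted
```

After changing master.cf, "postfix reload" is still required for the new chroot settings to take effect.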
Note that a chrooted daemon resolves all filenames relative to
the Postfix queue directory (/var/spool/postfix). For successful
use of a chroot jail, most UNIX systems require you to bring in
some files or device nodes. The examples/chroot-setup directory in
the source code distribution has a collection of scripts that help
you set up Postfix chroot environments on different operating
systems.
Additionally, you almost certainly need to configure syslogd
so that it listens on a socket inside the Postfix queue directory.
Examples of syslogd command line options that achieve this for
specific systems:
FreeBSD: syslogd -l /var/spool/postfix/var/run/log
Linux, OpenBSD: syslogd -a /var/spool/postfix/dev/log