Postfix daemon processes can be configured (via master.cf) to run in
a chroot jail. The processes run at a fixed low privilege and with
access only to the Postfix queue directories (/var/spool/postfix).
This provides a significant barrier against intrusion. The barrier is
not impenetrable, but every little bit helps.

With the exception of Postfix daemons that deliver mail locally and/or
that execute non-Postfix commands, every Postfix daemon can run
chrooted.

Sites with high security requirements should consider chrooting all
daemons that talk to the network: the smtp(8) and smtpd(8) processes,
and perhaps also the lmtp(8) client. The author's own porcupine.org
mail server runs all daemons chrooted that can be chrooted.

The default /etc/postfix/master.cf file specifies that no Postfix
daemon runs chrooted. In order to enable chroot operation, edit the
file /etc/postfix/master.cf. Instructions are in the file.

Note that a chrooted daemon resolves all filenames relative to the
Postfix queue directory (/var/spool/postfix). For successful use of a
chroot jail, most UNIX systems require you to bring in some files or
device nodes. The examples/chroot-setup directory in the source code
distribution has a collection of scripts that help you set up Postfix
chroot environments on different operating systems.

Additionally, you almost certainly need to configure syslogd so that
it listens on a socket inside the Postfix queue directory.

Examples for specific systems:

FreeBSD:

    # mkdir -p /var/spool/postfix/var/run
    # syslogd -l /var/spool/postfix/var/run/log

Linux, OpenBSD:

    # mkdir -p /var/spool/postfix/dev
    # syslogd -a /var/spool/postfix/dev/log
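The master.cf edit and the syslogd socket check described above, as an added shell example that is not part of the Postfix distribution; it works on a constructed master.cf fragment written to the assumed path MASTER_CF, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not Postfix's own code: flip the chroot column of the
# network-facing services and verify the chroot prerequisites.

# Assumed path; the constructed fragment below mirrors the layout of
# the stock master.cf, where every chroot column (field 5) is "n".
MASTER_CF="${MASTER_CF:-./master.cf.example}"
cat > "$MASTER_CF" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       n       -       -       smtp
lmtp      unix  -       -       n       -       -       lmtp
local     unix  -       n       n       -       -       local
pipe      unix  -       n       n       -       -       pipe
EOF

# enable_chroot FILE NAME TYPE: set field 5 (chroot) to "y" on the one
# service line whose name and type match; all other lines are untouched.
enable_chroot() {
    awk -v name="$2" -v type="$3" '
        $1 == name && $2 == type { $5 = "y" }
        { print }
    ' OFS='\t' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# chrooted_services FILE: print "name/type" for every service line whose
# chroot column is an explicit "y". Comment lines and "-o" continuation
# lines (fewer than 8 fields) are skipped. A "-" in the column means the
# built-in default: "n" since Postfix 3.0, "y" in older releases.
chrooted_services() {
    awk '!/^#/ && NF >= 8 && $5 == "y" { print $1 "/" $2 }' "$1"
}

# log_socket_ready QUEUE_DIR: succeed only if syslogd already listens on
# a socket inside the queue directory (dev/log on Linux and OpenBSD,
# var/run/log on FreeBSD); without it a chrooted daemon cannot log.
log_socket_ready() {
    [ -S "$1/dev/log" ] || [ -S "$1/var/run/log" ]
}

# Chroot only the daemons that talk to the network; local and pipe stay
# outside the jail because they deliver locally or run other commands.
enable_chroot "$MASTER_CF" smtp inet
enable_chroot "$MASTER_CF" smtp unix
chrooted_services "$MASTER_CF"
log_socket_ready /var/spool/postfix || echo "syslogd socket missing in queue dir"
```

After the real edit, run "postfix reload" and confirm the chrooted daemons still log, which is the usual first symptom of a missing socket.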