Re: Name service error for name=yahoo.com

From: /dev/rob0 (no email)
Date: Wed Jun 01 2005 - 08:10:35 EDT

  • Next message: Kottmann Norbert: "Re: Dot in alias before @ bounces"

    Hunter Lewis wrote:
    > Wietse Venema wrote:
    > > Hunter Lewis:
    > >
    > >>Is there a good FAQ on postfix + chroot?
    > >>
    > >> From what I've picked up was to prevent some security issues in old
    > >>versions? is that right? just curious.
    > >
    > > Such as?
    >
    > I'm not sure. I was just hoping someone might know of a doc somewhere

    I obviously cannot speak for Wietse, but that question came across as an
    insinuation that older Postfices had security issues if not chrooted.
    TTBOMK there have been no major security issues with Postfix. Someone
    will probably correct me if wrong.

    > that explained the pros and cons of running postfix chrooted beyond
    > what's in the Basic Config Readme.

    It's simply a best security practice, to try to minimise the damage in
    the event of compromise. Security being like layers of an onion, chroot
    is one more layer.

    > It seems that chroot was the standard pre 2.0, but now it's less liked.
    >
    > Did something change?

    Probably the preferences of your packagers.

    > I've always chosen to run postfix chrooted for the added security, but I
    > don't know what the down side is to my choice.

    More work in configuring things, potentially more difficulty in
    troubleshooting your mistakes. That's why the standard advice is (and
    probably always was) to get things working without chroot, then try to
    chroot later.

    > I'm sorry I'm not being very clear.

    Does this answer your questions?

    -- 
         mail to this address is discarded unless "/dev/rob0"
         or "not-spam" is in Subject: header
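
The reply above names extra configuration and harder troubleshooting as the cost of chroot. As an added example (not part of the original message or of Postfix itself), this sketch lists which master.cf services run chrooted and checks whether resolver-related files inside the jail are missing or differ from the host copies, a common reason chrooted services fail name lookups. The sample master.cf, the file list in `JAIL_FILES`, and the queue directory `/var/spool/postfix` are assumptions.

```python
from pathlib import Path

# Constructed sample master.cf, not taken from the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
smtp      unix  -       -       y       -       -       smtp
local     unix  -       n       n       -       -       local
"""

# Assumed list of files a chrooted daemon needs for name lookups.
JAIL_FILES = ("etc/resolv.conf", "etc/services", "etc/hosts")

def chrooted_services(master_cf_text, default_chroot=True):
    """Return (service, type, command) for each entry that runs chrooted.
    "-" means the built-in default: "y" before Postfix 3.0, "n" from 3.0 on."""
    found = []
    for line in master_cf_text.splitlines():
        # Skip blanks, continuation lines (leading whitespace) and comments.
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        fields = line.split()
        chroot = fields[4] if len(fields) >= 8 else "n"
        if chroot == "y" or (chroot == "-" and default_chroot):
            found.append((fields[0], fields[1], fields[7]))
    return found

def jail_file_problems(queue_dir, host_root="/", files=JAIL_FILES):
    """Compare host files with their copies under the chroot (queue_dir)."""
    problems = []
    for rel in files:
        host, jail = Path(host_root) / rel, Path(queue_dir) / rel
        if not host.is_file():
            continue  # nothing on the host to copy into the jail
        if not jail.is_file():
            problems.append((rel, "missing"))
        elif jail.read_bytes() != host.read_bytes():
            problems.append((rel, "differs"))
    return problems

if __name__ == "__main__":
    print(chrooted_services(SAMPLE_MASTER_CF))
    print(jail_file_problems("/var/spool/postfix"))
```

Pass `default_chroot=False` when auditing Postfix 3.0 or later, where an unset chroot column means the service is not chrooted.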
    
