From: Hunter Lewis (no email)
Date: Wed Jun 01 2005 - 08:27:03 EDT
/dev/rob0 wrote:
> Hunter Lewis wrote:
>
>> Wietse Venema wrote:
>> > Hunter Lewis:
>> >
>> >>Is there a good FAQ on postfix + chroot?
>> >>
>> >> From what I've picked up, it was to prevent some security issues in old
>> >>versions? Is that right? Just curious.
>> >
>> > Such as?
>>
>> I'm not sure. I was just hoping someone might know of a doc somewhere
>
>
> I obviously cannot speak for Wietse, but that question came across as an
> insinuation that older Postfices had security issues if not chrooted.
> TTBOMK there have been no major security issues with Postfix. Someone
> will probably correct me if wrong.
>
>> that explained the pros and cons of running postfix chrooted beyond
>> what's in the Basic Config Readme.
>
>
> It's simply a best security practice, to try to minimise the damage in
> the event of compromise. Security being like layers of an onion, chroot
> is one more layer.
>
>> It seems that chroot was the standard pre 2.0, but now it's less liked.
>>
>> Did something change?
>
>
> Probably the preferences of your packagers.
>
>> I've always chosen to run postfix chrooted for the added security, but
>> I don't know what the down side is to my choice.
>
>
> More work in configuring things, potentially more difficulty in
> troubleshooting your mistakes. That's why the standard advice is (and
> probably always was) to get things working without chroot, then try to
> chroot later.
>
>> I'm sorry I'm not being very clear.
>
>
> Does this answer your questions?
Yes.
For some reason I had it in my mind there was some mysterious piece to
this I was missing.
Thanks for the help.
--Hunter