DevHeads.net

chroot setting in master.cf

I'm configuring master.cf to add amavisd-new. The amavisd-new documentation
(/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
master.cf file regarding the chroot setting for the cleanup (and
pre-cleanup) service. I presume that the amavisd-new documentation is in
error and that I should go with the chroot setting that's in the default
master.cf. But I don't know enough about the implications of one vs. the
other to be sure.

Specifically, I have three questions:

1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
with chroot=n. But the default master.cf has the cleanup service configured
with chroot=y. Should I use the same chroot=y setting for the pre-cleanup
service?

2) Section 4.2.2 of the above web page shows modifying the existing cleanup
service to add some "-o" options. But it shows the cleanup service with
chroot=n. Should I leave chroot=y for the cleanup service?

3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
services with chroot=n. But similar services in master.cf have chroot=y.
Should these two new services also use chroot=y?

Thanks in advance,
Michael

Comments

Re: chroot setting in master.cf

By Noel Jones at 08/10/2017 - 15:49

On 8/10/2017 2:46 PM, Michael Fox wrote:
The default master.cf as distributed by postfix has all services as
chroot "n", and that is the recommended setting.

-- Noel Jones

RE: chroot setting in master.cf

By Michael Fox at 08/11/2017 - 00:57

Thanks Noel.

Interesting. From http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup, the recommendation seems to be to use chroot wherever possible. In fact, it says: "The author's own porcupine.org mail server runs all daemons chrooted that can be chrooted." (Maybe this is left over from when the default for chroot was "y"?)

The Debian/Ubuntu package defaults seem to be following that advice. But evidently, the default distributed by postfix is going the other way.

That leaves a basic user like me unsure of what to do. So, let me ask my question this way: Given that the default master.cf file from Ubuntu (see below) has chroot="y" for the cleanup service, then presumably they've also done whatever needs to be done to make cleanup work inside the chroot jail. So, given all of that, does it make sense to continue using chroot=y for cleanup (and pre-cleanup)? Or should I switch to chroot=n anyway?

Thanks,
Michael

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
$ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}

Re: chroot setting in master.cf

By Wietse Venema at 08/11/2017 - 09:56

Michael Fox:
With Postfix 3, chroot is no longer the default. It remains an
available option for people who want to go through the effort.

Wietse
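An added illustration, not part of any post in this thread: because a "-" in the chroot column takes the built-in default, the same master.cf entry can mean chrooted on one Postfix release and not chrooted on another. The sketch below parses master.cf-style text and reports the effective setting per service; the sample entries are constructed, and the function names and the `default_chroot` parameter are this example's own.

```python
# Added example: effective chroot setting per service in master.cf syntax.

# Constructed sample (illustrative only, not a recommended configuration).
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
maildrop  unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""

def logical_lines(text):
    """Drop blank/comment lines and join indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def chroot_report(text, default_chroot="n"):
    """Map "service/type" -> (effective chroot, was it set explicitly).

    default_chroot is what "-" resolves to: "n" on Postfix 3.0 and later,
    "y" on older releases or when compatibility_level is below 1.
    """
    report = {}
    for line in logical_lines(text):
        fields = line.split(None, 7)  # 7 columns, then command + args
        if len(fields) < 8:
            raise ValueError(f"short master.cf entry: {line!r}")
        name, stype, chroot = fields[0], fields[1], fields[4]
        if chroot not in ("y", "n", "-"):
            raise ValueError(f"bad chroot field {chroot!r} for {name}")
        explicit = chroot != "-"
        report[f"{name}/{stype}"] = (chroot if explicit else default_chroot, explicit)
    return report

def version_dependent(text):
    """Services whose chroot state depends on the Postfix default."""
    return sorted(k for k, (_, explicit) in chroot_report(text).items() if not explicit)

if __name__ == "__main__":
    for svc, (state, explicit) in chroot_report(SAMPLE).items():
        print(f"{svc:16} chroot={state} ({'explicit' if explicit else 'default'})")
```

Feeding it the text of a real master.cf shows which services rely on the default and would change state across an upgrade or a compatibility_level change.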

RE: chroot setting in master.cf

By Michael Fox at 08/12/2017 - 00:52

Yes, but that wasn't my question. Again, my question was:

I'm configuring master.cf to add amavisd-new. The amavisd-new documentation
(/usr/share/doc/amavisd-new/README.postfix.html) differs from the default
master.cf file regarding the chroot setting for the cleanup (and
pre-cleanup) service. I presume that the amavisd-new documentation is in
error and that I should go with the chroot setting that's in the default
master.cf. But I don't know enough about the implications of one vs. the
other to be sure.

Specifically, I have three questions:

1) Section 4.2.1 of the above web page shows adding a pre-cleanup service
with chroot=n. But the default master.cf (from Ubuntu) has the cleanup
service configured with chroot=y. Should I use the same chroot=y setting
for the pre-cleanup service?

2) Section 4.2.2 of the above web page shows modifying the existing cleanup
service to add some "-o" options. But it shows the cleanup service with
chroot=n. Should I leave chroot=y for the cleanup service?

3) The above web page also shows the new "amavisfeed" and "127.0.0.1:10025"
services with chroot=n. But similar services in master.cf have chroot=y.
Should these two new services also use chroot=y?

Thanks in advance,
Michael

Re: chroot setting in master.cf

By Patrick Ben Koetter at 08/12/2017 - 03:00

* Michael Fox < ... at mefox dot org>:
I wrote README.postfix.html for amavisd-new many years ago and I don't recall
why master.cf was in the state it was by then. I wouldn't say the
documentation is in error - it has simply not seen any update in many years.

Personally I don't use content_filter and smtpd_proxy_filter anymore. I prefer
the MILTER interface over the other methods. If you are interested in this and
if you can read German (or are able to handle google translate ;) you may read
my blog https://sys4.de/de/blog/2015/07/31/amavisd-milter-howto/ for
instructions.

The general answer is: If you plan to run Postfix chrooted, chroot as much
as you can. It's a design question. Chrooting a service like Postfix comes at
the price of quite some management overhead. You can automate most of that,
but you need to take care of it.

Many years ago Wietse wrote chrooting Postfix only makes sense on a hardened
server. I agree with that. If the server isn't hardened, forget to chroot the
service as there are very likely much more easily exploitable "entry points"
to the server.

p@rick

RE: chroot setting in master.cf

By Michael Fox at 08/13/2017 - 08:59

Ah, OK. Thanks. That explains the differences.

OK. Thanks.

OK. That all makes sense and provides me a good recommendation.

Michael