Michael Tokarev via Postfix-users:
> > If this can't be automated, then no-one will use it.
>
> It's a very good point. Actually I thought about this too.
>
> So how do you think, is it good idea to let user to enable chroot
> "easily" in a distribution like debian, when this user might be
> absolutely unable to deal with the consequences - where the
> consequences are having non-working chroot environment as we've
> seen over the last 2.5 decades?

Probably not. Support only one configuration and stick with it.
Only the motivated should consider using chroot, and they can maintain
their own Postfix build without complicating things for everyone else.

I run FreeBSD and that needs very little chroot setup
(/var/spool/postfix/var/run/log, /var/spool/postfix/etc/resolv.conf).
But then, my Postfix does not require PKI certificate verification.

> Implementing this switch/button requires quite some efforts too,
> already.
>
> The prob here is that it isn't trivial at all to set up the
> chroot environment, despite all the efforts to solve this so
> far. Many things can be simplified greatly by using proxy
> maps for example, and that probably will be the way I'll
> recommend to use instead of copying all sorts of random stuff
> into chroot, regardless if it's needed there or not, or even
> if it helps there or not.

You could mount read-only,no-execute the dependencies under
/var/spool/postfix. Oh wait, systemd builds a symlink web of hell;
/etc/resolv.conf is no longer a file but a symlink into the void.
Good luck with duplicating that.

        Wietse
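
Added example, not part of the original thread and not Postfix's own tooling: a shell check for the failure mode discussed above, where files copied into the chroot go missing or stale, or the host path is a symlink with no target. The function name `audit_chroot` and its `HOST_ROOT` parameter are assumptions made for illustration; on a live system `HOST_ROOT` is the empty string and the jail is `/var/spool/postfix`.

```shell
#!/bin/sh
# Added example: audit the files copied into a Postfix chroot against the
# host's originals. HOST_ROOT exists only so the check can be exercised on a
# constructed tree; on a live system pass "" (empty) for it, e.g.
#   audit_chroot "" /var/spool/postfix /etc/resolv.conf

# audit_chroot HOST_ROOT CHROOT_DIR PATH...
# Prints one "STATE PATH" line per file; returns 1 if any state is not "ok".
audit_chroot() {
    host_root=$1; jail=$2; shift 2
    rc=0
    for f in "$@"; do
        src="$host_root$f"
        copy="$jail$f"
        if [ ! -e "$src" ]; then
            # Host file absent, or a symlink whose target does not exist.
            state=no-source
        elif [ -L "$copy" ]; then
            # An absolute symlink target is looked up under the jail's root
            # once the daemon has chrooted, so a copied link rarely resolves.
            state=symlink-in-jail
        elif [ ! -f "$copy" ]; then
            state=missing
        elif ! cmp -s "$src" "$copy"; then
            # cmp follows the host-side symlink, so real content is compared.
            state=stale
        else
            state=ok
        fi
        [ "$state" = ok ] || rc=1
        printf '%s %s\n' "$state" "$f"
    done
    return $rc
}
```

Run from cron or a package trigger, a non-zero exit is the signal to refresh the jail before the chrooted daemons start failing lookups.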