10.12.2024 02:02, Wietse Venema via Postfix-users wrote:
Michael Tokarev via Postfix-users:
10.12.2024 00:46, Wietse Venema via Postfix-users wrote:
The prob here is that it isn't trivial at all to set up the
chroot environment, despite all the efforts to solve this so
far. Many things can be simplified greatly by using proxy
maps for example, and that probably will be the way I'll
recommend to use instead of copying all sorts of random stuff
into chroot, regardless of whether it's needed there or not, or even
whether it helps there or not.
You could mount read-only, no-execute the dependencies under
/var/spool/postfix. Oh wait, systemd builds a symlink web of hell;
/etc/resolv.conf is no longer a file but a symlink into the void.
Good luck with duplicating that.
It's lovely you mention this. Very interesting.
2 points.
1. The deps which are required within chroot - they're just too
numerous. All sorts of various stuff from /etc and /lib.
SSL certs for STARTTLS. All cyrus and openssl stuff. Various
libnss modules, /etc/services /etc/host.conf etc (some are
for glibc). A *lot* of stuff. The prob with that is that
each basically needs its own mount.
And mounts won't actually help, since individual files get
created anew and renamed into place, leaving the mount pointing
back to the old file.
I was assuming that the idea is to import *directories* (i.e.
collections of files) instead of individual files.
Some are dirs indeed. But most aren't. I just looked into my
/var/spool/postfix/usr/lib/ -- it has mozilla and firefox subdirs
with libnss.so files in there! :) It looks like they took all
possible libnss.so modules they were able to find :)
Linux allows mounting individual files from one dir to another.
BTW My resolv.conf points to a local resolver, which is always on
the same IP address, and thus, resolv.conf is essentially static.
So is mine. Either it's a server with static IP configuration which
works without any additional setup, or on a laptop, I run local
resolver, - so resolv.conf is static too.
Things become interesting when people rely on an external resolver
provided by DHCP, with no local resolver running, -- this is where
most problems happen. Admittedly this is sort of not smart, but
that's what we have.
I notice that path was taken by systemd as well.
It is not really true. Yes, systemd-networkd (a separate optional
component of systemd which acts as a local caching stub resolver)
can optionally symlink /etc/resolv.conf into /run/systemd/resolved/..
So it does not take this path, but it *optionally* redirects it.
The only reason for this is because the system *might* be configured
to accept DNS configuration over DHCP *including* local domain name
and domain search order. This is what changes in resolv.conf when
you move from one network to another. The "nameserver" line is never
changed.
The fact that it does not change the "nameserver" line, when I see DNS is
managed by systemd-resolved, allows me to copy just this line into the
postfix chroot once and be done with it. And arguably this is even
more correct (in some situations), in my view, than propagating the
domain search path too, - because hopefully postfix is not configured
to use bare names in various relayhosts etc., which change meaning
when the domain search path changes.
When things aren't managed by systemd-resolved, I know I have to
propagate it entirely since I've no idea what's being changed.
Thanks,
/mjt
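The "copy just the nameserver line into the chroot" approach from the message above, written out as an added example (not code from the thread or from Postfix itself). It keeps only the `nameserver` entries of a resolv.conf and places the result in the chroot with a temp-file-plus-rename, so it sidesteps the stale-bind-mount problem the thread mentions (resolv.conf being recreated and renamed into place) and never leaves a half-written file for chrooted processes to read. The sample resolv.conf content, the chroot path used in the demo and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Postfix.
# Goal: install a resolv.conf into the Postfix chroot that carries only the
# "nameserver" lines, dropping DHCP-provided "search"/"domain" entries.

# extract_nameservers FILE
# Prints "nameserver ADDR" for each nameserver entry in FILE, ignoring
# comments (# or ;), blank lines and every other keyword.
extract_nameservers() {
    sed -e 's/[#;].*$//' "$1" \
        | awk '$1 == "nameserver" && NF >= 2 { print "nameserver", $2 }'
}

# install_chroot_resolv SRC CHROOT
# Writes the filtered SRC to CHROOT/etc/resolv.conf through a temp file and
# an atomic rename (readers see either the old or the new file, never a
# partial one). Exit status: 0 = written, 1 = already up to date, 2 = error.
install_chroot_resolv() {
    src=$1
    chroot_dir=$2
    dest="$chroot_dir/etc/resolv.conf"
    mkdir -p "$chroot_dir/etc" || return 2
    tmp="$dest.tmp.$$"
    extract_nameservers "$src" > "$tmp" || { rm -f "$tmp"; return 2; }
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"          # nothing changed: keep the existing file
        return 1
    fi
    chmod 0644 "$tmp"         # chrooted, unprivileged daemons must read it
    mv -f "$tmp" "$dest"
    return 0
}

# make_sample_resolv DIR
# Writes a constructed resolv.conf (addresses are documentation ranges) to
# DIR/resolv.conf so the example can run without touching the real system.
make_sample_resolv() {
    cat > "$1/resolv.conf" <<'EOF'
# constructed sample, not a real system file
search corp.example.net example.net
domain corp.example.net
nameserver 192.0.2.53   # primary
; nameserver 198.51.100.1 is commented out
nameserver 2001:db8::53
options edns0 trust-ad
EOF
}

# Stand-alone demo: filter the constructed sample into a throwaway chroot.
# In production the first argument would be /etc/resolv.conf and the second
# /var/spool/postfix (assumed default queue directory), run after DHCP updates.
demo_dir=$(mktemp -d)
make_sample_resolv "$demo_dir"
install_chroot_resolv "$demo_dir/resolv.conf" "$demo_dir/chroot" \
    && echo "written:" && cat "$demo_dir/chroot/etc/resolv.conf"
rm -rf "$demo_dir"
```

Because only the `nameserver` lines survive, name lookups inside the chroot no longer follow the host's search list; that is exactly the trade-off described above, and it is only safe when `relayhost`, transport maps and similar settings use fully qualified names.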
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]