We store our virtual_foo_maps in, /etc/posfix/maps/virtual_foo_maps.pgsql
and so the (read-only) database credentials are visible in that file. I'd like to tighten this up if possible, but I don't want to do anything stupid. If I'm not going about this all wrong, what can I do to prevent e.g. SSH users from reading the DB credentials? Ideally, I'd also like to prevent them from reading the rest of the maps, which contain lists of addresses, clients, etc.