On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
> 
>  /etc/posfix/maps/virtual_foo_maps.pgsql
> 
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
> 
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.

This works for us:

$ ls -ald /etc/postfix 
drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix

The postfix user is a member of the 'postcfg' group. Any admin accounts 
that need access to the contents can also be added if needs be.

Cya,
Jona
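
An added example, not part of the thread or of Postfix: a small audit showing why closing the top-level directory to "other" is enough to protect map files that are themselves mode 0644. The function names and the demo tree are hypothetical, and `in_dir_group` checks the group membership the reply relies on.

```shell
#!/bin/sh
# Added example: audit a Postfix-style config tree for exposure to "other".

# other_perms PATH: print the three "other" permission characters, e.g. "r-x".
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# exposed_files DIR: print regular files under DIR that "other" can read by path.
# If DIR denies "other" search (x) permission, nothing below it is reachable,
# so files that are themselves 0644 are still protected.
exposed_files() {
    case "$(other_perms "$1")" in
        ??[xt]) find "$1" -type f -perm -004 ;;  # conservative: ignores closed subdirs
        *) : ;;
    esac
}

# audit_cfg_dir DIR: print findings; return 0 if nothing is exposed, else 1.
audit_cfg_dir() {
    found=$(exposed_files "$1")
    if [ -z "$found" ]; then
        echo "OK: $1 (other=$(other_perms "$1")) exposes no files"
        return 0
    fi
    echo "EXPOSED under $1:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# in_dir_group DIR [USER]: succeed if USER (default: the caller) is in DIR's
# group, e.g. in_dir_group /etc/postfix postfix
in_dir_group() {
    gid=$(ls -ldn -- "$1" | awk '{print $4}')
    id -G ${2:+"$2"} | tr ' ' '\n' | grep -qx "$gid"
}

# Constructed demo tree standing in for /etc/postfix (paths are made up).
demo=$(mktemp -d)
mkdir "$demo/maps"
echo "password = CONSTRUCTED" > "$demo/maps/virtual_foo_maps.pgsql"
chmod 755 "$demo" "$demo/maps"; chmod 644 "$demo/maps/virtual_foo_maps.pgsql"
audit_cfg_dir "$demo" || true      # world-searchable top: file is reported
chmod 750 "$demo"
audit_cfg_dir "$demo"              # closed at the top: nothing exposed
rm -rf "$demo"
```

The audit reads mode bits only, so it gives the same answer when run as root; it does not account for ACLs or for copies of the credentials kept outside the directory.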
