Martin Vegter:
> > On 08/26/2014 12:56 AM, Viktor Dukhovni wrote:
> >> Are there any reasons against using chrooted smtp ?
> >
> > Chroot jails require an expert administrator, able to trouble-shoot
> > problems with plugins or system libraries that depend on resources
> > that may not exist in the jail.
> >
> > Debian made the mistake of enabling chroot on machines operated by
> > relatively inexperienced users, and failing to fully automate all
> > the requisite chroot-jail care and feeding.
>
> I have found the problem:
>
> I had /var mounted with nosuid,nodev,noexec options. When I remount it
> with nosuid,dev,exec then the hostname resolving works (even when chrooted)
>
> May I ask list members an opinion?
> Now when chroot works, is it recommended to use it? Does it provide an
> extra layer of security?

That depends on what else is running in your system. Besides a small unprivileged Postfix network daemon inside a chroot jail, do you have other network daemons running that are large, that have full access to the file system, and that run with high privilege level?

Wietse
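
An added example, not part of the original thread: a check that finds which mounted filesystem holds a chroot directory and reports whether it carries the `nodev` or `noexec` options that the first message describes on `/var`. The path `/var/spool/postfix` (Postfix's default queue directory), the function names and the sample mount table are assumptions; the sample is constructed.

```python
import os

# Options the first message reports changing on /var (nodev -> dev, noexec -> exec).
SUSPECT = ("nodev", "noexec")

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return [(mount_point, [options])] from text in /proc/mounts format."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((unescape(parts[1]), parts[3].split(",")))
    return mounts

def covering_mount(path, mounts):
    """Mount holding `path`: longest mount-point prefix, later entries win ties."""
    path = os.path.normpath(path)
    best = None
    for point, opts in mounts:
        point = os.path.normpath(point)
        # Compare whole path components so /variable does not match /var.
        inside = point == "/" or path == point or path.startswith(point + "/")
        if inside and (best is None or len(point) >= len(best[0])):
            best = (point, opts)
    return best

def chroot_mount_warnings(path, mounts_text):
    """Return (mount_point, [suspect options present]) for the chroot path."""
    found = covering_mount(path, parse_mounts(mounts_text))
    if found is None:
        return None, []
    point, opts = found
    return point, [o for o in SUSPECT if o in opts]

# Constructed sample mount table (not taken from the thread).
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /variable ext4 rw,nodev 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
"""
```

On a live Linux host, pass the contents of `/proc/mounts` as `mounts_text` instead of `SAMPLE`.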