I have a two-Postfix setup.

The frontend
  - is open to the 'net only on port 25
  - receives email for my domains from the 'net
  - applies restrictions
  - forwards to the backend if PASS
  - serves as the outbound smarthost for the backend; accepts no direct submission
  - generates the log entries that feed fail2ban
  - does NOT deliver directly into the backend's IMAP store
The backend
  - is open to the 'net only on port 587
  - receives email for my domains only when forwarded from the frontend
  - delivers email to the local IMAP store
  - serves as the SMTP server for port 587 MUA submissions from end-user
    clients, for outbound delivery
It's all nicely 'bolted down'.
My next steps are to

(1) enable submission of system mail by non-Postfix services running on
    the frontend -- in this example, for delivery of fail2ban-generated admin
    messages;

(2) enable port 587 MUA submission on the frontend, ensuring concurrent
    delivery of submitted/sent mail to the sender account's backend IMAP
    store.
Questions:
(re: 1) What's the right, secure UID to use for the fail2ban-generated
injection into Postfix?
(re: 2) What mechanism can/should be used to copy
frontend-submitted-and-sent mail to the backend's IMAP store?
Re: 1, fail2ban is configured to inject/submit those messages using the Postfix
instance's sendmail:

    actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from
    `uname -n`
    ...
    " | /usr/local/sbin/sendmail -f <sender> <dest>
Currently fail2ban runs as root.
With a config edit,
/main.cf
- authorized_submit_users =
+ authorized_submit_users = root
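Review bot: the `-` line is an empty authorized_submit_users, which refuses sendmail(1)/postdrop(1) submission to every local user, root included; that is why nothing was delivered before this edit. The `+` line admits uid 0 only, so it works exactly as long as fail2ban keeps running as root. If fail2ban is later moved to its own UID (one of the options you list below), that user has to be added here as well, e.g. `authorized_submit_users = root, fail2ban`, or its notifications will be refused at submission time.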
messages are delivered as intended.
Is submission by the root user a security risk from Postfix's perspective?
Options, if needed, include running fail2ban 'rootless', as UID 'fail2ban'
(unique) or 'postfix' (shared), or leaving it running as root and simply
submitting as another UID.
What's the recommendation to NOT poke silly holes in my Postfix setup?
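An added example, not from the original post or from Postfix or fail2ban: a small POSIX sh audit that answers the uid question above against a main.cf/master.cf pair, i.e. which local users authorized_submit_users lets through the sendmail(1)/postdrop(1) path on each instance, and whether a "submission inet" listener exists there. The sample configs under $WORK are constructed inline for the example (the frontend after the edit shown above, a backend with the parameter left at its default, and a variant that adds a hypothetical dedicated "fail2ban" user); only "static:anyone", an empty value and inline user lists are understood, not lookup tables.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Postfix instance's
# main.cf/master.cf for the local-submission policy discussed above.
# Assumptions: sample configs are constructed below under $WORK; "fail2ban"
# is a hypothetical dedicated UID. Only "static:anyone", an empty value and
# inline user lists are understood for authorized_submit_users; lookup
# tables (hash:, pcre:, ...) are not.
set -eu

# Effective value of a main.cf parameter: the last assignment wins and
# indented continuation lines are joined, as Postfix reads the file.
# Usage: pf_param <main.cf> <name> <default-if-unset>
pf_param() {
  awk -v k="$2" -v d="$3" '
    /^[ \t]/ { if (inkey) v = v " " $0; next }   # continuation of current key
             { inkey = 0 }
    $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); v = $0; inkey = 1; seen = 1 }
    END {
      if (!seen) v = d
      gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
      print v
    }' "$1"
}

# Who may use sendmail(1)/postdrop(1) on this instance? The Postfix default is
# static:anyone; an empty value refuses everyone.
# Usage: may_submit <main.cf> <user>   -> prints yes|no
may_submit() {
  asu=$(pf_param "$1" authorized_submit_users static:anyone)
  case "$asu" in
    static:anyone) echo yes; return 0 ;;
    "")            echo no;  return 0 ;;
  esac
  for u in $(printf '%s' "$asu" | tr ',' ' '); do
    if [ "$u" = "$2" ]; then echo yes; return 0; fi
  done
  echo no
}

# Is there an active (uncommented) master.cf entry <name> <type>?
# Usage: has_service <master.cf> <name> <type>   -> prints yes|no
has_service() {
  if awk -v n="$2" -v t="$3" '$1 == n && $2 == t { f = 1 } END { exit !f }' "$1"; then
    echo yes
  else
    echo no
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample configs (not the poster's real files).
# Frontend after the edit above: only uid 0 may submit, no submission listener.
cat > "$WORK/frontend-main.cf" <<'EOF'
inet_interfaces = all
authorized_submit_users =
# later assignment wins:
authorized_submit_users = root
EOF
cat > "$WORK/frontend-master.cf" <<'EOF'
smtp        inet  n  -  y  -  -  smtpd
#submission inet  n  -  y  -  -  smtpd
EOF
# Backend: parameter unset (Postfix default), submission listener enabled.
cat > "$WORK/backend-main.cf" <<'EOF'
inet_interfaces = all
EOF
cat > "$WORK/backend-master.cf" <<'EOF'
submission  inet  n  -  y  -  -  smtpd
EOF
# Frontend variant with fail2ban dropped to a dedicated UID (hypothetical
# name), written with a continuation line to exercise the parser.
cat > "$WORK/proposed-main.cf" <<'EOF'
authorized_submit_users = root,
    fail2ban
EOF

# One-line report per instance.
# Usage: audit <label> <main.cf> <master.cf>
audit() {
  printf '%-9s authorized_submit_users=[%s] root=%s fail2ban=%s postfix=%s submission_inet=%s\n' \
    "$1" "$(pf_param "$2" authorized_submit_users static:anyone)" \
    "$(may_submit "$2" root)" "$(may_submit "$2" fail2ban)" \
    "$(may_submit "$2" postfix)" "$(has_service "$3" submission inet)"
}

audit frontend "$WORK/frontend-main.cf" "$WORK/frontend-master.cf"
audit backend  "$WORK/backend-main.cf"  "$WORK/backend-master.cf"
audit proposed "$WORK/proposed-main.cf" "$WORK/frontend-master.cf"
```

On a live system the same two answers come from `postconf authorized_submit_users` and `postconf -M submission/inet`; the point of the offline version is to see, side by side, that the edit above admits root and nothing else, so a fail2ban moved to its own UID submits only once that UID is listed, while the shared "postfix" UID would be admitted only by listing it too.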