Paul Menzel:
> Dear Postfix folks,
>
> In our infrastructure, we are building Postfix from source with an
> unprivileged user, and also try to run most services as an unprivileged
> user. Privileged ports are forwarded to unprivileged ports, used by the
> service, by configuring Linux' packet filter rules with *iptables*.

Unprivileged Postfix comes up about once a year in this mailing
list. Rather than hashing out the arguments here again, please use
a search engine, or visit mailing list archives.

Wietse

> Currently, Postfix checks file ownership at startup according to
> `postfix-files`, which lists several files to be owned by the user
> *root* [1], for example:
>
> $config_directory:d:root:-:755:u
>
> Postfix warns about mismatches at startup.
>
> The mail owner and setgid group are already configurable, for example:
>
> $queue_directory/maildrop:d:$mail_owner:$setgid_group:730:uc
> $queue_directory/public:d:$mail_owner:$setgid_group:710:uc
> […]
> $command_directory/postdrop:f:root:$setgid_group:2755:u
> $command_directory/postqueue:f:root:$setgid_group:2755:u
>
> Could the same be done for the “postfix owner”? Or are there downsides?
>
> Kind regards,
>
> Paul
>
> [1]:
> https://github.com/vdukhovni/postfix/blob/2595917e491dfe704390b9bf1100bcdd35b21ae8/postfix/conf/postfix-files#L48
>
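
The ownership check discussed in this thread, as an added example that is not part of either message and is not Postfix's own code: it parses the `postfix-files` records quoted above, expands the `$parameter` references, and reports where the files on disk differ from the expected owner, group or mode. The field names, the parameter values, the `builder` account and the reading of `-` as "not checked" are assumptions made for the illustration.

```python
# Added illustration, not Postfix code. Field names are labels chosen here.
from typing import NamedTuple
class Record(NamedTuple):
    path: str
    kind: str
    owner: str
    group: str
    mode: int
    flags: str

def expand(value, params):
    # Substitute $name parameters, longest names first.
    for name in sorted(params, key=len, reverse=True):
        value = value.replace("$" + name, params[name])
    return value

def parse(text, params):
    records = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Only the six-field records quoted in the thread are handled.
        if len(fields) != 6 or fields[0].startswith("#"):
            continue
        path, kind, owner, group, mode, flags = (expand(f, params) for f in fields)
        records.append(Record(path, kind, owner, group, int(mode, 8), flags))
    return records

def mismatches(records, observed):
    # observed maps path -> (owner, group, mode); "-" is treated as "not checked".
    out = []
    for r in records:
        if r.path not in observed:
            continue
        got_owner, got_group, got_mode = observed[r.path]
        for field, want, got in (("owner", r.owner, got_owner),
                                 ("group", r.group, got_group),
                                 ("mode", oct(r.mode), oct(got_mode))):
            if want not in ("-", got):
                out.append((r.path, field, want, got))
    return out
SAMPLE = """$config_directory:d:root:-:755:u
$queue_directory/maildrop:d:$mail_owner:$setgid_group:730:uc
$command_directory/postdrop:f:root:$setgid_group:2755:u"""
# Constructed values: parameter settings and an unprivileged build by "builder".
PARAMS = {"config_directory": "/etc/postfix", "queue_directory": "/var/spool/postfix",
          "command_directory": "/usr/sbin", "mail_owner": "postfix", "setgid_group": "postdrop"}
OBSERVED = {"/etc/postfix": ("builder", "builder", 0o755),
            "/var/spool/postfix/maildrop": ("postfix", "postdrop", 0o730),
            "/usr/sbin/postdrop": ("builder", "postdrop", 0o2755)}
```

With these constructed inputs, only the two records whose owner is the literal `root` are reported; the `$mail_owner` record follows the configured account.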