Re: Minimal permissions on /etc/postfix

2012-07-25 Thread DTNX Postmaster
On Jul 24, 2012, at 18:24, DTNX Postmaster wrote:

> This works for us;
> 
> $ ls -ald /etc/postfix 
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
> 
> The postfix user is a member of the 'postcfg' group. Any admin accounts 
> that need access to the contents can also be added if needs be.

To clarify, this is what we use on relay servers that do not have any 
local processes besides Postfix that need access. On servers where this 
is needed, such as for the use of 'sendmail', the '/etc/postfix' 
directory is kept world readable, as are the .cf files.

Everything that isn't part of the default config, such as map files, is 
kept inside a subdirectory inside '/etc/postfix', which has the limited 
permissions. That way the permissions on the files themselves are not 
as critical.

Cya,
Jona



Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Wietse Venema
Viktor Dukhovni:
> On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:
> 
> > the main config AFAIK needs 644
> 
> Correct, the main.cf and master.cf files should be world-readable.
> 
> > sensible files can be done with proxymap and so restricted
> > 
> > http://www.postfix.org/proxymap.8.html
> 
> Proxymap does not matter here, regardless of which postfix daemon
> reads the table, the table ".cf" files are read before the daemons
> drop privileges and (potentially) enter a chroot jail. Therefore,
> these tables are read as "root", and so can have permissions of
> "0600 root root" or "0400 root root" (if maintained indirectly
> and should not be directly edited by root).

Correct. However, if a table is searched through the proxymap daemon,
then its file will be opened after the proxymap daemon has dropped
root privileges, so "postfix" (group) permission would be needed.

Wietse

> > -rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
> > -rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf
> 
> Good.
> 
> 
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
> > -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
> > -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
> > -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
> > -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
> > -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
> > -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
> > -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
> > -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> > -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> > -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
> > -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf
> 
> The group can be "root" and the file permissions need not allow group
> read. The only exceptions are configurations for tables used with:
> 
>   $ postconf -d | grep '^authorized_' | grep static:
>   authorized_flush_users = static:anyone
>   authorized_mailq_users = static:anyone
>   authorized_submit_users = static:anyone
> 
> such tables should be world readable, or otherwise readable by the
> "setgid_group" group (default "postdrop" on many systems).
> 
> -- 
>   Viktor.
> 


Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Viktor Dukhovni
On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:

> the main config AFAIK needs 644

Correct, the main.cf and master.cf files should be world-readable.

> sensible files can be done with proxymap and so restricted
> 
> http://www.postfix.org/proxymap.8.html

Proxymap does not matter here, regardless of which postfix daemon
reads the table, the table ".cf" files are read before the daemons
drop privileges and (potentially) enter a chroot jail. Therefore,
these tables are read as "root", and so can have permissions of
"0600 root root" or "0400 root root" (if maintained indirectly
and should not be directly edited by root).

> -rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
> -rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf

Good.


> -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
> -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
> -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
> -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
> -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
> -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
> -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
> -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
> -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
> -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
> -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf

The group can be "root" and the file permissions need not allow group
read. The only exceptions are configurations for tables used with:

$ postconf -d | grep '^authorized_' | grep static:
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone

such tables should be world readable, or otherwise readable by the
"setgid_group" group (default "postdrop" on many systems).

-- 
Viktor.
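
Added example (not part of any post in this thread): a POSIX shell audit of the mode bits discussed in the messages above. It assumes credentials appear as a "password =" line, as in mysql/pgsql table configs; the function names and finding labels are made up for the example.

```sh
#!/bin/sh
# Added example: audit mode bits under a Postfix config directory against
# the rules stated in this thread. Ownership is not checked, so the script
# can be tried on a scratch copy without root.

# has_perm FILE MODE -> true if every bit of octal MODE is set on FILE
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# audit_postfix_dir DIR -> prints one finding per line on stdout
audit_postfix_dir() {
    dir=$1
    # main.cf and master.cf should stay world-readable; otherwise sendmail
    # run by ordinary users fails with "open main.cf: Permission denied".
    for f in main.cf master.cf; do
        [ -f "$dir/$f" ] || continue
        has_perm "$dir/$f" 004 || echo "NOT-WORLD-READABLE $f"
    done
    # Any other file with a "password =" setting (assumed marker for
    # database credentials) must not be readable by "other".
    find "$dir" -type f ! -name main.cf ! -name master.cf | sort |
    while IFS= read -r path; do
        grep -Eq '^[[:space:]]*password[[:space:]]*=' "$path" 2>/dev/null ||
            continue
        rel=${path#"$dir"/}
        if has_perm "$path" 004; then
            echo "CREDENTIALS-WORLD-READABLE $rel"
        elif ! has_perm "$path" 040; then
            # 0600/0400 is enough when the daemon reads the file as root;
            # a table searched through proxymap needs group read.
            echo "NO-GROUP-READ $rel (fine unless used via proxy:)"
        fi
    done
}

# Usage: audit_postfix_dir /etc/postfix
```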


Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Reindl Harald


On 24.07.2012 18:58, Michael Orlitzky wrote:

> Thanks, I actually tried this but ran into a problem:
> 
>   Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
>   /etc/postfix/main.cf: Permission denied
> 
> That alone is easy to fix (allow $authorized_submit_users read access to
> main.cf), but it suggested that I might run into more subtle problems if
> I started messing with /etc/postfix

the main config AFAIK needs 644
sensible files can be done with proxymap and so restricted

http://www.postfix.org/proxymap.8.html

-rw-r--r-- 1 root root  21K 2012-06-13 00:58 access
-rw-r--r-- 1 root root  12K 2012-06-13 00:58 canonical
-rw-r--r-- 1 root root 9,7K 2012-06-13 00:58 generic
-rw-r--r-- 1 root root  22K 2012-06-13 00:58 header_checks
-rw-r--r-- 1 root root 6,7K 2012-06-13 00:58 relocated
-rw-r--r-- 1 root root  13K 2012-06-13 00:58 transport
-rw-r--r-- 1 root root  13K 2012-06-13 00:58 virtual
-rw-r--r-- 1 root root 4,0K 2011-01-16 04:05 bounce.cf
-rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
-rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
-rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
-rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
-rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
-rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
-rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
-rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
-rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
-rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf





Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Michael Orlitzky
On 07/24/2012 07:33 PM, mouss wrote:
> 
> map_directory = /var/db/postmap
> cidr = cidr:${map_directory}/cidr
> db = ${db_type}:${map_directory}/${db_type}
> map_directory = /var/db/postmap
> regex = ${regex_type}:${map_directory}/${regex_type}
> sql = ${sql_type}:${map_directory}/${sql_type}
> ...
> 
> ls -l /var/db/
> ...
> drwxr-x---  9 root  postfix   512 Feb 10  2011 postmap/
> ...

Ok, thanks, I'll stick with this for a while and see what happens. It
seems sendmail needs to read main.cf, but not any of the map files (at
least, not the ones I'm using in the way I'm using them) or master.cf.

We've only got two boxes that have anything sensitive in the maps; on
the one with the mail store, I have just:

  /etc/postfix:
      cp -R etc/postfix /etc/
      chgrp -R postfix /etc/postfix
      find /etc/postfix -type d -print0 | xargs -0 chmod 755
      find /etc/postfix -type f -print0 | xargs -0 chmod 640
      chmod 644 /etc/postfix/main.cf

which is close to what you posted, modulo master.cf and 'rx' of the maps
directory.

On the MX, I also need to make one of the map files readable to the
amavis user, but there's nothing sensitive in that map, so 644 is fine
there.

I'll report if anything else breaks =)


Re: Minimal permissions on /etc/postfix

2012-07-24 Thread mouss
On 24/07/2012 18:09, Michael Orlitzky wrote:
> We store our virtual_foo_maps in,
> 
>   /etc/posfix/maps/virtual_foo_maps.pgsql
> 
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
> 
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.
> 


map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x---  9 root  postfix   512 Feb 10  2011 postmap/
...


note that I prefer
/somedir/pgsql/foo_map
over
/somedir/foo_map.pgsql
this is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Zhang Huangbin


On Wednesday, July 25, 2012 at 12:09 AM, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
> 
> /etc/posfix/maps/virtual_foo_maps.pgsql
> 
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
> 
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.


Works for me with owner 'root', group 'postfix', permission 0640.


Zhang Huangbin

iRedMail: Open Source Mail Server Solution for Red Hat Enterprise Linux,
CentOS, Scientific Linux, Debian, Ubuntu, Gentoo, openSUSE,
FreeBSD, OpenBSD: http://www.iredmail.org/





Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Michael Orlitzky
On 07/24/12 12:24, DTNX Postmaster wrote:
> On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:
> 
>> We store our virtual_foo_maps in,
>>
>>  /etc/posfix/maps/virtual_foo_maps.pgsql
>>
>> and so the (read-only) database credentials are visible in that file.
>> I'd like to tighten this up if possible, but I don't want to do anything
>> stupid.
>>
>> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
>> users from reading the DB credentials? Ideally, I'd also like to prevent
>> them from reading the rest of the maps, which contain lists of
>> addresses, clients, etc.
> 
> This works for us;
> 
> $ ls -ald /etc/postfix 
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
> 
> The postfix user is a member of the 'postcfg' group. Any admin accounts 
> that need access to the contents can also be added if needs be.
> 

Thanks, I actually tried this but ran into a problem:

  Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
  /etc/postfix/main.cf: Permission denied

That alone is easy to fix (allow $authorized_submit_users read access to
main.cf), but it suggested that I might run into more subtle problems if
I started messing with /etc/postfix.



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread DTNX Postmaster
On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
> 
>  /etc/posfix/maps/virtual_foo_maps.pgsql
> 
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
> 
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.

This works for us;

$ ls -ald /etc/postfix 
drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix

The postfix user is a member of the 'postcfg' group. Any admin accounts 
that need access to the contents can also be added if needs be.

Cya,
Jona



Minimal permissions on /etc/postfix

2012-07-24 Thread Michael Orlitzky
We store our virtual_foo_maps in,

  /etc/posfix/maps/virtual_foo_maps.pgsql

and so the (read-only) database credentials are visible in that file.
I'd like to tighten this up if possible, but I don't want to do anything
stupid.

If I'm not going about this all wrong, what can I do to prevent e.g. SSH
users from reading the DB credentials? Ideally, I'd also like to prevent
them from reading the rest of the maps, which contain lists of
addresses, clients, etc.