Re: Minimal permissions on /etc/postfix
On Jul 24, 2012, at 18:24, DTNX Postmaster wrote:

> This works for us;
>
> $ ls -ald /etc/postfix
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
>
> The postfix user is a member of the 'postcfg' group. Any admin accounts
> that need access to the contents can also be added if needs be.

To clarify, this is what we use on relay servers that do not have any
local processes besides Postfix that need access.

On servers where this is needed, such as for the use of 'sendmail', the
'/etc/postfix' directory is kept world readable, as are the .cf files.
Everything that isn't part of the default config, such as map files, is
kept inside a subdirectory inside '/etc/postfix', which has the limited
permissions. That way the permissions on the files themselves are not as
critical.

Cya,
Jona

Re: Minimal permissions on /etc/postfix
Viktor Dukhovni:
> On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:
>
> > the main config AFAIK needs 644
>
> Correct, the main.cf and master.cf files should be world-readable.
>
> > sensible files can be done with proxymap and so restricted
> >
> > http://www.postfix.org/proxymap.8.html
>
> Proxymap does not matter here, regardless of which postfix daemon
> reads the table, the table ".cf" files are read before the daemons
> drop privileges and (potentially) enter a chroot jail. Therefore,
> these tables are read as "root", and so can have permissions of
> "0600 root root" or "0400 root root" (if maintained indirectly
> and should not be directly edited by root).

Correct. However, if a table is searched through the proxymap
daemon, then its file will be opened after the proxymap daemon has
dropped root privileges, so "postfix" (group) permission would be
needed.

Wietse

> > -rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
> > -rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf
>
> Good.
>
> > -rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-aliases.cf
> > -rw-r- 1 root postfix 294 2011-05-28 19:06 mysql-forwarders.cf
> > -rw-r- 1 root postfix 201 2011-04-27 18:59 mysql-mydestination.cf
> > -rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-mynetworks.cf
> > -rw-r- 1 root postfix 196 2011-04-27 18:59 mysql-recipients.cf
> > -rw-r- 1 root postfix 463 2011-04-27 18:59 mysql-rewritedomains.cf
> > -rw-r- 1 root postfix 203 2011-04-27 18:59 mysql-rewritesenders.cf
> > -rw-r- 1 root postfix 327 2011-04-27 18:59 mysql-senderaccess.cf
> > -rw-r- 1 root postfix 365 2011-05-12 23:32
> > mysql-sender_relay_hosts_auth.cf
> > -rw-r- 1 root postfix 202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> > -rw-r- 1 root postfix 198 2011-04-27 18:59 mysql-spamfilter.cf
> > -rw-r- 1 root postfix 262 2011-04-27 18:59 mysql-transport.cf
>
> The group can be "root" and the file permissions need not allow group
> read. The only exceptions are configurations for tables used with:
>
> $ postconf -d | grep '^authorized_' | grep static:
> authorized_flush_users = static:anyone
> authorized_mailq_users = static:anyone
> authorized_submit_users = static:anyone
>
> such tables should be world readable, or otherwise readable by the
> "setgid_group" group (default "postdrop" on many systems).
>
> --
> Viktor.
>

Re: Minimal permissions on /etc/postfix
On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:

> the main config AFAIK needs 644

Correct, the main.cf and master.cf files should be world-readable.

> sensible files can be done with proxymap and so restricted
>
> http://www.postfix.org/proxymap.8.html

Proxymap does not matter here, regardless of which postfix daemon
reads the table, the table ".cf" files are read before the daemons
drop privileges and (potentially) enter a chroot jail. Therefore,
these tables are read as "root", and so can have permissions of
"0600 root root" or "0400 root root" (if maintained indirectly
and should not be directly edited by root).

> -rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
> -rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf

Good.

> -rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-aliases.cf
> -rw-r- 1 root postfix 294 2011-05-28 19:06 mysql-forwarders.cf
> -rw-r- 1 root postfix 201 2011-04-27 18:59 mysql-mydestination.cf
> -rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-mynetworks.cf
> -rw-r- 1 root postfix 196 2011-04-27 18:59 mysql-recipients.cf
> -rw-r- 1 root postfix 463 2011-04-27 18:59 mysql-rewritedomains.cf
> -rw-r- 1 root postfix 203 2011-04-27 18:59 mysql-rewritesenders.cf
> -rw-r- 1 root postfix 327 2011-04-27 18:59 mysql-senderaccess.cf
> -rw-r- 1 root postfix 365 2011-05-12 23:32
> mysql-sender_relay_hosts_auth.cf
> -rw-r- 1 root postfix 202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
> -rw-r- 1 root postfix 198 2011-04-27 18:59 mysql-spamfilter.cf
> -rw-r- 1 root postfix 262 2011-04-27 18:59 mysql-transport.cf

The group can be "root" and the file permissions need not allow group
read. The only exceptions are configurations for tables used with:

    $ postconf -d | grep '^authorized_' | grep static:
    authorized_flush_users = static:anyone
    authorized_mailq_users = static:anyone
    authorized_submit_users = static:anyone

such tables should be world readable, or otherwise readable by the
"setgid_group" group (default "postdrop" on many systems).

--
Viktor.

Re: Minimal permissions on /etc/postfix
On 24.07.2012 18:58, Michael Orlitzky wrote:

> Thanks, I actually tried this but ran into a problem:
>
> Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
> /etc/postfix/main.cf: Permission denied
>
> That alone is easy to fix (allow $authorized_submit_users read access to
> main.cf), but it suggested that I might run into more subtle problems if
> I started messing with /etc/postfix

the main config AFAIK needs 644

sensible files can be done with proxymap and so restricted

http://www.postfix.org/proxymap.8.html

-rw-r--r-- 1 root root 21K 2012-06-13 00:58 access
-rw-r--r-- 1 root root 12K 2012-06-13 00:58 canonical
-rw-r--r-- 1 root root 9,7K 2012-06-13 00:58 generic
-rw-r--r-- 1 root root 22K 2012-06-13 00:58 header_checks
-rw-r--r-- 1 root root 6,7K 2012-06-13 00:58 relocated
-rw-r--r-- 1 root root 13K 2012-06-13 00:58 transport
-rw-r--r-- 1 root root 13K 2012-06-13 00:58 virtual
-rw-r--r-- 1 root root 4,0K 2011-01-16 04:05 bounce.cf
-rw-r--r-- 1 root root 8,5K 2012-07-05 15:27 main.cf
-rw-r--r-- 1 root root 3,1K 2012-02-29 18:44 master.cf
-rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-aliases.cf
-rw-r- 1 root postfix 294 2011-05-28 19:06 mysql-forwarders.cf
-rw-r- 1 root postfix 201 2011-04-27 18:59 mysql-mydestination.cf
-rw-r- 1 root postfix 195 2011-04-27 18:59 mysql-mynetworks.cf
-rw-r- 1 root postfix 196 2011-04-27 18:59 mysql-recipients.cf
-rw-r- 1 root postfix 463 2011-04-27 18:59 mysql-rewritedomains.cf
-rw-r- 1 root postfix 203 2011-04-27 18:59 mysql-rewritesenders.cf
-rw-r- 1 root postfix 327 2011-04-27 18:59 mysql-senderaccess.cf
-rw-r- 1 root postfix 365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
-rw-r- 1 root postfix 202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
-rw-r- 1 root postfix 198 2011-04-27 18:59 mysql-spamfilter.cf
-rw-r- 1 root postfix 262 2011-04-27 18:59 mysql-transport.cf

Re: Minimal permissions on /etc/postfix
On 07/24/2012 07:33 PM, mouss wrote:
>
> map_directory = /var/db/postmap
> cidr = cidr:${map_directory}/cidr
> db = ${db_type}:${map_directory}/${db_type}
> map_directory = /var/db/postmap
> regex = ${regex_type}:${map_directory}/${regex_type}
> sql = ${sql_type}:${map_directory}/${sql_type}
> ...
>
> ls -l /var/db/
> ...
> drwxr-x--- 9 root postfix 512 Feb 10 2011 postmap/
> ...

Ok, thanks, I'll stick with this for a while and see what happens. It
seems sendmail needs to read main.cf, but not any of the map files (at
least, not the ones I'm using in the way I'm using them) or master.cf.

We've only got two boxes that have anything sensitive in the maps; on
the one with the mail store, I have just:

  /etc/postfix:
          cp -R etc/postfix /etc/
          chgrp -R postfix /etc/postfix
          find /etc/postfix -type d -print0 | xargs -0 chmod 755
          find /etc/postfix -type f -print0 | xargs -0 chmod 640
          chmod 644 /etc/postfix/main.cf

which is close to what you posted, modulo master.cf and 'rx' of the maps
directory.

On the MX, I also need to make one of the map files readable to the
amavis user, but there's nothing sensitive in that map, so 644 is fine
there.

I'll report if anything else breaks =)

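[Added example, not part of any message in this thread and not Postfix project code.] A shell check for the two failure modes discussed above: a config directory or main.cf that the sendmail command cannot read, and world-readable files that carry a "password =" line. The function names and the password pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Postfix config directory against the rules in this thread.
# Prints one finding per line; returns 0 when clean, 1 when anything was flagged.

# Succeeds if "other" holds permission bit $2 (4 = read, 1 = search) on path $1.
other_has() {
    [ -n "$(find "$1" -prune -perm -00"$2" 2>/dev/null)" ]
}

# Hypothetical helper name; pass the config directory as $1.
audit_postfix_dir() {
    dir=$1
    rc=0

    # sendmail(1) runs as the submitting user: it must be able to enter the
    # directory and read main.cf, or it dies with "Permission denied".
    if ! other_has "$dir" 1; then
        echo "WARN: $dir is not searchable by others; sendmail cannot open main.cf"
        rc=1
    elif [ -f "$dir/main.cf" ] && ! other_has "$dir/main.cf" 4; then
        echo "WARN: $dir/main.cf is not world-readable"
        rc=1
    fi

    # Credentials: flag world-readable files that carry a "password =" line.
    # Directories without o+x are pruned, since nothing below them is reachable
    # by other users whatever the modes of the files inside are.
    exposed=$(find "$dir" -type d ! -perm -001 -prune -o \
        -type f -perm -004 \
        -exec grep -lE '^[[:space:]]*password[[:space:]]*=' {} + \
        2>/dev/null) || true
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/FAIL: world-readable credentials in /'
        rc=1
    fi
    return "$rc"
}

# Usage: audit_postfix_dir /etc/postfix
```

A clean result says nothing about tables searched through proxymap, which still need to be readable by the "postfix" group as noted elsewhere in the thread.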
Re: Minimal permissions on /etc/postfix
On 24/07/2012 18:09, Michael Orlitzky wrote:
> We store our virtual_foo_maps in,
>
> /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.
>

map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x--- 9 root postfix 512 Feb 10 2011 postmap/
...

note that I prefer
    /somedir/pgsql/foo_map
over
    /somedir/foo_map.pgsql

this is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map

Re: Minimal permissions on /etc/postfix
On Wednesday, July 25, 2012 at 12:09 AM, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
>
> /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.

Works for me with owner 'root', group 'postfix', permission 0640.

Zhang Huangbin

iRedMail: Open Source Mail Server Solution for Red Hat Enterprise Linux,
CentOS, Scientific Linux, Debian, Ubuntu, Gentoo, openSUSE, FreeBSD,
OpenBSD: http://www.iredmail.org/

Re: Minimal permissions on /etc/postfix
On 07/24/12 12:24, DTNX Postmaster wrote:
> On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:
>
>> We store our virtual_foo_maps in,
>>
>> /etc/posfix/maps/virtual_foo_maps.pgsql
>>
>> and so the (read-only) database credentials are visible in that file.
>> I'd like to tighten this up if possible, but I don't want to do anything
>> stupid.
>>
>> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
>> users from reading the DB credentials? Ideally, I'd also like to prevent
>> them from reading the rest of the maps, which contain lists of
>> addresses, clients, etc.
>
> This works for us;
>
> $ ls -ald /etc/postfix
> drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
>
> The postfix user is a member of the 'postcfg' group. Any admin accounts
> that need access to the contents can also be added if needs be.
>

Thanks, I actually tried this but ran into a problem:

  Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open /etc/postfix/main.cf: Permission denied

That alone is easy to fix (allow $authorized_submit_users read access to
main.cf), but it suggested that I might run into more subtle problems if
I started messing with /etc/postfix.

Re: Minimal permissions on /etc/postfix
On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:

> We store our virtual_foo_maps in,
>
> /etc/posfix/maps/virtual_foo_maps.pgsql
>
> and so the (read-only) database credentials are visible in that file.
> I'd like to tighten this up if possible, but I don't want to do anything
> stupid.
>
> If I'm not going about this all wrong, what can I do to prevent e.g. SSH
> users from reading the DB credentials? Ideally, I'd also like to prevent
> them from reading the rest of the maps, which contain lists of
> addresses, clients, etc.

This works for us;

$ ls -ald /etc/postfix
drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix

The postfix user is a member of the 'postcfg' group. Any admin accounts
that need access to the contents can also be added if needs be.

Cya,
Jona