Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Reindl Harald


On 24.07.2012 18:58, Michael Orlitzky wrote:

 Thanks, I actually tried this but ran into a problem:
 
   Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
   /etc/postfix/main.cf: Permission denied
 
 That alone is easy to fix (allow $authorized_submit_users read access to
 main.cf), but it suggested that I might run into more subtle problems if
 I started messing with /etc/postfix

the main config AFAIK needs 644
sensible files can be done with proxymap and so restricted

http://www.postfix.org/proxymap.8.html

-rw-r--r-- 1 root root     21K 2012-06-13 00:58 access
-rw-r--r-- 1 root root     12K 2012-06-13 00:58 canonical
-rw-r--r-- 1 root root    9,7K 2012-06-13 00:58 generic
-rw-r--r-- 1 root root     22K 2012-06-13 00:58 header_checks
-rw-r--r-- 1 root root    6,7K 2012-06-13 00:58 relocated
-rw-r--r-- 1 root root     13K 2012-06-13 00:58 transport
-rw-r--r-- 1 root root     13K 2012-06-13 00:58 virtual
-rw-r--r-- 1 root root    4,0K 2011-01-16 04:05 bounce.cf
-rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
-rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
-rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
-rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
-rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
-rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
-rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
-rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
-rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
-rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
-rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
-rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
-rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf





Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Viktor Dukhovni
On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:

 the main config AFAIK needs 644

Correct, the main.cf and master.cf files should be world-readable.

 sensible files can be done with proxymap and so restricted
 
 http://www.postfix.org/proxymap.8.html

Proxymap does not matter here, regardless of which postfix daemon
reads the table, the table .cf files are read before the daemons
drop privileges and (potentially) enter a chroot jail. Therefore,
these tables are read as root, and so can have permissions of
0600 root root or 0400 root root (if maintained indirectly
and should not be directly edited by root).

 -rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
 -rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf

Good.


 -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
 -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
 -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
 -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
 -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
 -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
 -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
 -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
 -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
 -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
 -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
 -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf

The group can be root and the file permissions need not allow group
read. The only exceptions are configurations for tables used with:

$ postconf -d | grep '^authorized_' | grep static:
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone

such tables should be world readable, or otherwise readable by the
setgid_group group (default postdrop on many systems).

-- 
Viktor.


Re: Minimal permissions on /etc/postfix

2012-07-25 Thread Wietse Venema
Viktor Dukhovni:
 On Wed, Jul 25, 2012 at 10:29:44AM +0200, Reindl Harald wrote:
 
  the main config AFAIK needs 644
 
 Correct, the main.cf and master.cf files should be world-readable.
 
  sensible files can be done with proxymap and so restricted
  
  http://www.postfix.org/proxymap.8.html
 
 Proxymap does not matter here, regardless of which postfix daemon
 reads the table, the table .cf files are read before the daemons
 drop privileges and (potentially) enter a chroot jail. Therefore,
 these tables are read as root, and so can have permissions of
 0600 root root or 0400 root root (if maintained indirectly
 and should not be directly edited by root).

Correct. However, if a table is searched through the proxymap daemon,
then its file will be opened after the proxymap daemon has dropped
root privileges, so postfix (group) permission would be needed.

Wietse

  -rw-r--r-- 1 root root    8,5K 2012-07-05 15:27 main.cf
  -rw-r--r-- 1 root root    3,1K 2012-02-29 18:44 master.cf
 
 Good.
 
 
  -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-aliases.cf
  -rw-r----- 1 root postfix  294 2011-05-28 19:06 mysql-forwarders.cf
  -rw-r----- 1 root postfix  201 2011-04-27 18:59 mysql-mydestination.cf
  -rw-r----- 1 root postfix  195 2011-04-27 18:59 mysql-mynetworks.cf
  -rw-r----- 1 root postfix  196 2011-04-27 18:59 mysql-recipients.cf
  -rw-r----- 1 root postfix  463 2011-04-27 18:59 mysql-rewritedomains.cf
  -rw-r----- 1 root postfix  203 2011-04-27 18:59 mysql-rewritesenders.cf
  -rw-r----- 1 root postfix  327 2011-04-27 18:59 mysql-senderaccess.cf
  -rw-r----- 1 root postfix  365 2011-05-12 23:32 mysql-sender_relay_hosts_auth.cf
  -rw-r----- 1 root postfix  202 2011-04-27 18:59 mysql-sender_relay_hosts.cf
  -rw-r----- 1 root postfix  198 2011-04-27 18:59 mysql-spamfilter.cf
  -rw-r----- 1 root postfix  262 2011-04-27 18:59 mysql-transport.cf
 
 The group can be root and the file permissions need not allow group
 read. The only exceptions are configurations for tables used with:
 
   $ postconf -d | grep '^authorized_' | grep static:
   authorized_flush_users = static:anyone
   authorized_mailq_users = static:anyone
   authorized_submit_users = static:anyone
 
 such tables should be world readable, or otherwise readable by the
 setgid_group group (default postdrop on many systems).
 
 -- 
   Viktor.
 


Re: Minimal permissions on /etc/postfix

2012-07-25 Thread DTNX Postmaster
On Jul 24, 2012, at 18:24, DTNX Postmaster wrote:

 This works for us;
 
 $ ls -ald /etc/postfix 
 drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
 
 The postfix user is a member of the 'postcfg' group. Any admin accounts 
 that need access to the contents can also be added if needs be.

To clarify, this is what we use on relay servers that do not have any 
local processes besides Postfix that need access. On servers where this 
is needed, such as for the use of 'sendmail', the '/etc/postfix' 
directory is kept world readable, as are the .cf files.

Everything that isn't part of the default config, such as map files, is 
kept inside a subdirectory inside '/etc/postfix', which has the limited 
permissions. That way the permissions on the files themselves are not 
as critical.

Cya,
Jona



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread DTNX Postmaster
On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:

 We store our virtual_foo_maps in,
 
  /etc/posfix/maps/virtual_foo_maps.pgsql
 
 and so the (read-only) database credentials are visible in that file.
 I'd like to tighten this up if possible, but I don't want to do anything
 stupid.
 
 If I'm not going about this all wrong, what can I do to prevent e.g. SSH
 users from reading the DB credentials? Ideally, I'd also like to prevent
 them from reading the rest of the maps, which contain lists of
 addresses, clients, etc.

This works for us;

$ ls -ald /etc/postfix 
drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix

The postfix user is a member of the 'postcfg' group. Any admin accounts 
that need access to the contents can also be added if needs be.

Cya,
Jona



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Michael Orlitzky
On 07/24/12 12:24, DTNX Postmaster wrote:
 On Jul 24, 2012, at 18:09, Michael Orlitzky wrote:
 
 We store our virtual_foo_maps in,

  /etc/posfix/maps/virtual_foo_maps.pgsql

 and so the (read-only) database credentials are visible in that file.
 I'd like to tighten this up if possible, but I don't want to do anything
 stupid.

 If I'm not going about this all wrong, what can I do to prevent e.g. SSH
 users from reading the DB credentials? Ideally, I'd also like to prevent
 them from reading the rest of the maps, which contain lists of
 addresses, clients, etc.
 
 This works for us;
 
 $ ls -ald /etc/postfix 
 drwxr-x--- 5 root postcfg 4096 Jul 24 18:05 /etc/postfix
 
 The postfix user is a member of the 'postcfg' group. Any admin accounts 
 that need access to the contents can also be added if needs be.
 

Thanks, I actually tried this but ran into a problem:

  Jul 24 01:45:50 localhost postfix/sendmail[26795]: fatal: open
  /etc/postfix/main.cf: Permission denied

That alone is easy to fix (allow $authorized_submit_users read access to
main.cf), but it suggested that I might run into more subtle problems if
I started messing with /etc/postfix.



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Zhang Huangbin


On Wednesday, July 25, 2012 at 12:09 AM, Michael Orlitzky wrote:

 We store our virtual_foo_maps in,
 
 /etc/posfix/maps/virtual_foo_maps.pgsql
 
 and so the (read-only) database credentials are visible in that file.
 I'd like to tighten this up if possible, but I don't want to do anything
 stupid.
 
 If I'm not going about this all wrong, what can I do to prevent e.g. SSH
 users from reading the DB credentials? Ideally, I'd also like to prevent
 them from reading the rest of the maps, which contain lists of
 addresses, clients, etc.


Works for me with owner 'root', group 'postfix', permission 0640.


Zhang Huangbin

iRedMail: Open Source Mail Server Solution for Red Hat Enterprise Linux,
CentOS, Scientific Linux, Debian, Ubuntu, Gentoo, openSUSE,
FreeBSD, OpenBSD: http://www.iredmail.org/





Re: Minimal permissions on /etc/postfix

2012-07-24 Thread mouss
On 24/07/2012 18:09, Michael Orlitzky wrote:
 We store our virtual_foo_maps in,
 
   /etc/posfix/maps/virtual_foo_maps.pgsql
 
 and so the (read-only) database credentials are visible in that file.
 I'd like to tighten this up if possible, but I don't want to do anything
 stupid.
 
 If I'm not going about this all wrong, what can I do to prevent e.g. SSH
 users from reading the DB credentials? Ideally, I'd also like to prevent
 them from reading the rest of the maps, which contain lists of
 addresses, clients, etc.
 


map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
map_directory = /var/db/postmap
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x---  9 root  postfix   512 Feb 10  2011 postmap/
...


note that I prefer
/somedir/pgsql/foo_map
over
/somedir/foo_map.pgsql
this is because I can do

db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map



Re: Minimal permissions on /etc/postfix

2012-07-24 Thread Michael Orlitzky
On 07/24/2012 07:33 PM, mouss wrote:
 
 map_directory = /var/db/postmap
 cidr = cidr:${map_directory}/cidr
 db = ${db_type}:${map_directory}/${db_type}
 map_directory = /var/db/postmap
 regex = ${regex_type}:${map_directory}/${regex_type}
 sql = ${sql_type}:${map_directory}/${sql_type}
 ...
 
 ls -l /var/db/
 ...
 drwxr-x---  9 root  postfix   512 Feb 10  2011 postmap/
 ...

Ok, thanks, I'll stick with this for a while and see what happens. It
seems sendmail needs to read main.cf, but not any of the map files (at
least, not the ones I'm using in the way I'm using them) or master.cf.

We've only got two boxes that have anything sensitive in the maps; on
the one with the mail store, I have just:

  /etc/postfix:
      cp -R etc/postfix /etc/
      chgrp -R postfix /etc/postfix
      find /etc/postfix -type d -print0 | xargs -0 chmod 755
      find /etc/postfix -type f -print0 | xargs -0 chmod 640
      chmod 644 /etc/postfix/main.cf

which is close to what you posted, modulo master.cf and 'rx' of the maps
directory.

On the MX, I also need to make one of the map files readable to the
amavis user, but there's nothing sensitive in that map, so 644 is fine
there.

I'll report if anything else breaks =)
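

An added example, not part of any message in this thread: a POSIX shell function that audits a Postfix configuration directory against the permission rules given in the replies from Viktor Dukhovni and Wietse Venema above. It assumes a host where local users submit mail with sendmail, checks mode bits only, and takes the list of proxymap-served table files from the caller; `audit_postfix_dir` and `perm_char` are names made up here.

```shell
#!/bin/sh
# Added example: checks mode bits only (not ownership) against the thread's rules.

# perm_char PATH N: print the Nth character of PATH's "ls -l" mode string.
perm_char() { ls -ld "$1" | cut -c"$2"; }

# audit_postfix_dir DIR [PROXIED_FILE...]
# PROXIED_FILE: table configs (relative to DIR) that the caller knows are
# searched through proxymap; this list is supplied by hand, not parsed
# out of main.cf. Prints one finding per line, returns 1 if any were found.
audit_postfix_dir() {
    dir=$1; shift
    rc=0
    # sendmail(1) runs as the submitting user and must reach main.cf.
    case $(perm_char "$dir" 10) in
        x|t) ;;
        *) echo "FAIL .: directory not searchable by others"; rc=1 ;;
    esac
    for f in main.cf master.cf; do
        if [ -e "$dir/$f" ] && [ "$(perm_char "$dir/$f" 8)" != r ]; then
            echo "FAIL $f: must be world-readable"; rc=1
        fi
    done
    # Table configs with a "password = ..." line must not be world-readable.
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        grep -Eq '^[[:space:]]*password[[:space:]]*=' "$p" || continue
        if [ "$(perm_char "$p" 8)" = r ]; then
            echo "FAIL ${p##*/}: credentials readable by every local user"; rc=1
        fi
    done
    # proxymap opens its tables after dropping root, so group read is needed.
    for f in "$@"; do
        if [ "$(perm_char "$dir/$f" 5)" != r ]; then
            echo "FAIL $f: searched via proxymap, needs group read"; rc=1
        fi
    done
    return "$rc"
}
```

Run it as root so that table files with mode 0600 can be opened for the password check.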