pop3/imap server - possibly stupid question

James Wilkinson james at westexe.demon.co.uk
Mon Aug 16 16:37:59 UTC 2004


Samuel Sieb quoted the postfix aliases file:

# For various security reasons, postfix WILL NOT deliver mail as root, so
# ensure that the root alias is aliased to a HUMAN user, as otherwise
# mail may get delivered to the $default_privs user (nobody).

Alexander Dalloz wrote:
> Ok Samuel, this default setup of Postfix is new to me. Thanks for
> pointing this out. I will have to read the Postfix documentation to
> understand the "various security reasons".

As I understand it...

Postfix is a "paranoid MTA", written in response to Sendmail security
problems and Dan Bernstein's qmail (the package, the license, and the
author have all been controversial).

Postfix is not a program as such: it's a flock of mutually-suspicious
programs, none of which trust each other, flying in close formation.
The smtpd daemon that listens to port 25 (the SMTP port) is SUID root
just long enough to open port 25, then drops root privileges before any
connections are made.  Everything else is done as the postfix user. And
all the other programs just run as postfix, so a theoretical Postfix
vulnerability would not give an attacker instant root (as a Sendmail
vulnerability would).

The exception is the final delivery to the mailbox, which is done with
the rights of the owner of that mailbox. If that owner is root, then
obviously that *would* make the "local" program run as root.

So that isn't allowed. It's paranoid, and I'm happy to have it working
for me.

James.

-- 
E-mail address: james | "We completely deny the allegations, and we're
@westexe.demon.co.uk  | trying to identify the alligators."
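
The requirement in the quoted aliases comment can be checked mechanically. As an added example (not part of the original message and not Postfix code), this Python script parses aliases(5)-style text and confirms that root expands to a recipient other than root. The sample file, the function names and the simplified parsing (no quoted names, no :include: expansion) are assumptions, and it cannot tell whether the final recipient is a human.

```python
import re

# Constructed sample in aliases(5) syntax; not taken from a real host.
SAMPLE_ALIASES = """\
# Basic system aliases
postmaster: root
mailer-daemon: postmaster
root:       admins
admins:     alice,
            bob@example.com
"""

def parse_aliases(text):
    """Return {alias: [targets]}, joining indented continuation lines."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        name, _, rhs = entry.partition(":")
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table

def final_recipients(table, name, path=frozenset()):
    """Expand an alias recursively; stop at non-aliases and at loops."""
    key = name.lower()
    if key in path or key not in table:
        return {name}
    out = set()
    for target in table[key]:
        out |= final_recipients(table, target, path | {key})
    return out

def check_root_alias(text):
    """Return (ok, reason): does root mail reach a recipient other than root?"""
    table = parse_aliases(text)
    if "root" not in table:
        return False, "no root alias defined"
    finals = final_recipients(table, "root")
    if any(f.lower() == "root" for f in finals):
        return False, "root alias resolves back to root"
    if not any(re.fullmatch(r"[\w.-]+(@[\w.-]+)?", f) for f in finals):
        return False, "root alias has no user or address target"
    return True, "root mail goes to: " + ", ".join(sorted(finals))
```

Calling `check_root_alias()` on the text of a host's aliases file returns a pass/fail flag and a reason string suitable for a configuration audit.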




