
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 9: Securing Internet Email
Running Postfix in a chroot Jail
One of the niftier things you can do to secure Postfix is to run selected parts of it
chrooted (see Chapter 6 for more information on the chroot technique). This usually
requires you to create copies of things needed by the chrooted process. For example,
if the process looks for /etc/mydaemon.conf on startup but is chrooted to /var/mydaemon,
the process will actually look for mydaemon.conf in /var/mydaemon/etc/mydaemon.conf.
Happily, the preparations required to chroot Postfix are explained for a variety of
architectures, including Linux, in the examples/chroot-setup subdirectory of the Postfix
source code. If you install Postfix from a binary package, the package may have
an installation script to make these preparations for you automatically after installing
Postfix. In SUSE, for example, the Postfix RPM package runs a script that creates
a complete directory tree for chrooted Postfix processes to use (etc, usr, lib, and so
forth). This directory tree then resides in /var/spool/postfix (the default Postfix home
directory and therefore the logical place to chroot its processes to), with the appropriate
ownerships and permissions preset.
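The path mapping and jail tree described above, as an added example that is not from the book or the Postfix distribution: a small shell audit that maps each host path to the file a chrooted process would really open, and flags copies that are missing or out of date. The function names, the HOST_ROOT parameter and the sample file list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit the private copies in a chroot jail.

# jail_path JAIL PATH: print the file a process chrooted to JAIL really
# opens when it asks for the absolute path PATH.
jail_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# audit_jail HOST_ROOT JAIL PATH...
# Prints "OK|STALE|MISSING path" per file; returns non-zero on any problem.
# HOST_ROOT is "/" on a live system (a parameter only so the demo can fake it).
audit_jail() {
    host_root=${1%/}; jail=$2; shift 2
    problems=0
    for p in "$@"; do
        inside=$(jail_path "$jail" "$p")
        if [ ! -e "$inside" ]; then
            echo "MISSING $p"; problems=$((problems + 1))
        elif [ -f "$host_root$p" ] && ! cmp -s "$host_root$p" "$inside"; then
            echo "STALE $p"; problems=$((problems + 1))
        else
            echo "OK $p"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample tree: one stale copy, one good copy, one never copied.
demo_constructed_jail() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/host/etc" "$t/jail/etc"
    echo "nameserver 192.0.2.53" > "$t/host/etc/resolv.conf"
    echo "nameserver 192.0.2.1"  > "$t/jail/etc/resolv.conf"
    echo "smtp 25/tcp" > "$t/host/etc/services"
    cp "$t/host/etc/services" "$t/jail/etc/services"
    echo "127.0.0.1 localhost" > "$t/host/etc/hosts"
    rc=0
    audit_jail "$t/host" "$t/jail" /etc/resolv.conf /etc/services /etc/hosts || rc=$?
    rm -rf "$t"
    return "$rc"
}

# Live use (file list is an assumption; adjust to what your daemon reads):
#   audit_jail / /var/spool/postfix /etc/resolv.conf /etc/services /etc/hosts
if [ "${1:-}" = "--demo" ]; then demo_constructed_jail || true; fi
```

A STALE result matters because the jailed process keeps using its own copy after the host file changes, for example an old resolv.conf after a resolver change.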
If your binary distribution doesn’t do this for you, simply download