chroot
Postfix provides multiple layers of security. One such layer is the option to permit most Postfix services to run within a chroot environment. The Unix chroot function allows a process to change its view of, and access to, its filesystem by changing its root directory to a new path other than the normal /.
The chroot feature is particularly beneficial for processes that must communicate with external, potentially hostile clients. If an attacker somehow manages to subvert the smtpd daemon, for example, the attacker gains only very limited access to the filesystem. Configuring for a chroot environment is an advanced Postfix feature that adds a layer of complexity that you or your administrators may not want to deal with. Generally, chroot is not needed, except for sites that use Postfix in a highly secure environment or on particularly exposed servers, such as dedicated firewall systems and bastion hosts.
All of the Postfix processes that use chroot change their root directory to the directory specified in the queue_directory parameter, which is normally /var/spool/postfix. When a process runs chrooted, the directory /var/spool/postfix/pid, for example, becomes /pid to that process, and the process cannot access any files other than those below its new root.
To chroot individual components, edit your master.cf file. Change the fifth column to y. The chroot option is possible with all components except the pipe, virtual, local, and proxymap services. In Example 4-1, chroot is ...
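An added example (not from the original text, and not its Example 4-1): a small Python audit of the fifth (chroot) column of master.cf that flags chroot=y on the pipe, virtual, local, and proxymap services named above. The sample master.cf content is constructed, and the function names are hypothetical.

```python
# Added example: audit the chroot (fifth) column of a Postfix master.cf.
NO_CHROOT = {"pipe", "virtual", "local", "proxymap"}  # services the text excludes

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
local     unix  -       n       n       -       -       local
proxymap  unix  -       -       y       -       -       proxymap
maildrop  unix  -       n       y       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""

def parse_master_cf(text):
    """Yield (service, type, chroot, command) for each logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # malformed entry, skipped in this example
        yield fields[0], fields[1], fields[4], fields[7].split()[0]

def audit(text):
    """Group services by chroot setting; 'invalid' = chroot=y where unsupported."""
    report = {"chrooted": [], "not_chrooted": [], "default": [], "invalid": []}
    for service, stype, chroot, command in parse_master_cf(text):
        name = f"{service}/{stype}"
        if chroot == "y" and command in NO_CHROOT:
            report["invalid"].append(name)
        elif chroot == "y":
            report["chrooted"].append(name)
        elif chroot == "-":
            report["default"].append(name)  # "-" leaves the built-in default in effect
        else:
            report["not_chrooted"].append(name)
    return report

if __name__ == "__main__":
    for key, names in audit(SAMPLE).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The check keys on the command in the last column rather than the service name, so a pipe-based delivery entry such as the constructed maildrop line is caught as well.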