Created
July 22, 2017 17:57
systemd sandbox for Postfix on Debian Stretch
[Service]
# change user for worker processes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID
# bind to ports 25 and 587
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# explore /var/spool/postfix subdirectories as root (owned by postfix:root, not accessible to group)
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# chroot to /var/spool/postfix
CapabilityBoundingSet=CAP_SYS_CHROOT
# (several CapabilityBoundingSet= lines without a leading ~ are merged by OR, so all four sets above apply)
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
# makes /home and /root inaccessible, so delivery into home directories (home_mailbox, ~/.forward) would fail;
# fine here because mail is delivered to /var/mail/vmail (see below)
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
MountFlags=slave
NoNewPrivileges=yes
# note: @mount is needed by the pickup service, so it is deliberately not in this deny list
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
SystemCallArchitectures=native
# note: AF_NETLINK is needed for getifaddrs(3)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
# partially undo ProtectSystem=strict
ReadWritePaths=/var/spool/postfix
ReadWritePaths=/var/lib/postfix
# to deliver mail, Postfix spawns a dovecot-lda process without talking to the dovecot service, so this needs to be writable
ReadWritePaths=/var/mail/vmail
# partially mitigate CAP_DAC_OVERRIDE
InaccessiblePaths=/etc/ssh /etc/opendkim /etc/shadow /etc/gshadow /var/lib/sudo /var/lib/tor
Based on the Dovecot sandbox, with the same caveats of possibly different configuration, and the same sad note about mounting.

Usage: drop it in /etc/systemd/system/postfix@.service.d/ (notice the @ – it’s an instanced service), systemctl daemon-reload, systemctl restart postfix@*. Then check systemctl status postfix@* for errors.
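The deployment steps above, as an added shell example that is not part of the gist. Beyond the install/reload/restart sequence it adds the two checks a hardened unit usually needs: a lint pass that catches a misspelled directive before deployment (systemd logs an unrecognised key as "Unknown lvalue" and then silently ignores it, so the sandbox is weaker than it looks), and a look at the journal for workers killed by the syscall filter. The drop-in file name sandbox.conf and the instance name postfix@- (Debian's default instance) are assumptions.

```shell
#!/bin/sh
# Added example, not the gist author's code. Installs the drop-in, reloads and
# restarts the Postfix instances, and surfaces the usual failure modes of a
# hardened unit. File name sandbox.conf and instance postfix@- are assumptions.
set -e

DROPIN_DIR=/etc/systemd/system/postfix@.service.d
DROPIN="$DROPIN_DIR/sandbox.conf"

# Directive names the drop-in is allowed to use, spelled as systemd.exec(5)
# accepts them. A typo (e.g. the singular "SystemCallArchitecture") is not an
# error for systemd: it is logged once and ignored, so lint before deploying.
KNOWN_KEYS='CapabilityBoundingSet PrivateTmp PrivateDevices ProtectSystem
ProtectHome ProtectKernelTunables ProtectControlGroups MountFlags
NoNewPrivileges SystemCallFilter SystemCallArchitectures
RestrictAddressFamilies RestrictNamespaces ProtectKernelModules
MemoryDenyWriteExecute RestrictRealtime ReadWritePaths InaccessiblePaths'
known=" $(printf '%s' "$KNOWN_KEYS" | tr '\n' ' ') "

# lint_dropin FILE: print every "Key=value" line whose Key is not in
# KNOWN_KEYS; return 1 if there was at least one, 0 otherwise.
lint_dropin() {
    nbad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|'['*) continue ;;   # blank line, comment, section header
        esac
        key=${line%%=*}
        case $known in
            *" $key "*) ;;
            *) echo "unknown key: $key"; nbad=1 ;;
        esac
    done < "$1"
    return $nbad
}

# effective_caps INSTANCE: the bounding set systemd actually applied. Several
# CapabilityBoundingSet= lines without a leading ~ are merged by OR, so all
# four sets from the drop-in should be reflected here.
effective_caps() {
    systemctl show "postfix@$1" -p CapabilityBoundingSet
}

# deploy FILE: lint, install, reload, restart, then look for rejected
# directives and for workers killed by the seccomp filter.
deploy() {
    lint_dropin "$1"
    install -d -m 0755 "$DROPIN_DIR"
    install -m 0644 "$1" "$DROPIN"
    systemctl daemon-reload
    systemctl restart 'postfix@*'
    systemctl status 'postfix@*' --no-pager
    # directives systemd did not understand
    journalctl -b --no-pager | grep -iE 'unknown (lvalue|key name)' || true
    effective_caps -
    # a worker that hits a filtered syscall dies with SIGSYS; a missing
    # capability or path shows up as EPERM. Send yourself a test mail first.
    journalctl -b -u 'postfix@-' --no-pager \
        | grep -E 'SIGSYS|Operation not permitted' || true
}

# Constructed sample (not from the gist): one misspelled key among valid ones,
# the kind of slip lint_dropin catches before systemd would silently drop it.
sample=$(mktemp)
printf '%s\n' '[Service]' 'CapabilityBoundingSet=CAP_SETUID CAP_SETGID' \
    'SystemCallArchitecture=native' > "$sample"
lint_dropin "$sample" || echo "fix the key(s) above, then run: deploy sandbox.conf"
rm -f "$sample"
```

Run `deploy sandbox.conf` as root on the mail host after the lint passes; the journal greps are deliberately loose, since the exact wording of the "unknown key" message has changed between systemd releases.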