How to patch and secure postfix?

Posted on 2003-03-27
Medium Priority
Last Modified: 2010-04-20
I downloaded the patch for postfix but how do I apply it?  I tried patch < name of patch but it askes me for file to patch.

Is there a guide on how to run postfix in chroot? or do I just need to edit the master.cf and change the chroot of every daemon except for local and pipe to y than reload postfix?

Question by:evenq
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 14

Expert Comment

ID: 8221122
what kind of distribution are you using ? Redhat ?
the patch you downloaded is for source code, and i guess you have never compiled anything on linux.
So the best way for you to patch postfix is to update your postfix package, and then it's depending on your distro.
IMHO running postfix in a chroot is useless, since it has been designed with security as a primary goal by a very experienced developper.

Author Comment

ID: 8221237
I'm actually using Trustix 1.5.  I have and know how to compile source code on linux boxes.  What I found so far is to use the patch command to patch postfix.  I guess I could download the latest package and re-compile it but it's easy to just patch it.  As for running postfix in chroot jail is highly recommended even if postfix is secure.  It's really not that hard to do if you know how to.  I just need to find out which files do I copy to run postfix correctly in chroot jail.  If someone tries to break in they will be trapped in that directory only.

Expert Comment

ID: 8222767
Here are some notes I wrote for chrooting Postfix in the past.  The notes were written for 1.1, but its probably the same for 2.x.  

Running Postfix in a chroot environment
- As an extra security measure, Postfix can run in a restricted area on the mail server.  This ensures that even if Postfix is compromised, the attacker will not be able to access files in the mail server system directories.  
- the Unix chroot program forces a command to treat the specified directory as the filesystem root directory.
- to run the Postfix core programs in a chroot environment, you must indicate which programs are going to be run chrooted in the master.cf file and you must modify the /var/spool/postfix directory to accommodate being used as the root directory
- with the exception of the Postfix local delivery and `pipe' daemons, every Postfix daemon can run chrooted.  Sites with high security requirements should consider to chroot all daemons that talk to the network:  the smtp and smtpd processes, and perhaps also the lmtp client.
- Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail,  most UNIX systems require you to bring in some files or device nodes.  The examples/chroot-setup directory has a collection of scripts that help you set up chroot environments for Postfix systems.
- to activate the chroot environment for a service, place a y character in the chroot field (fifth field) of the master.cf file.  Next, run the appropriate script in the Postfix source directory under examples/chroot-setup to move the appropriate files to the jail

How To Reduce Deployment Times With Pre-Baked AMIs

Even if we can't include all the files in the base image, we can sometimes include some of the larger files that we would otherwise have to download, and we can also sometimes remove the most time-consuming steps. This can help a lot with reducing deployment times.


Author Comment

ID: 8222804
I have the same notes actually but I can't find the examples/chroot-setup directory.  Trustix came with postfix already so I did not personally install the package.  I'll keep digging around.

Accepted Solution

fluid11 earned 150 total points
ID: 8222898
The examples/chroot-setup directory is part of the Postfix source code.  Download the source from www.postfix.org and extract it to /usr/local/src/.  You'll find the script in /usr/local/src/postfix-x.x.x/examples/chroot-setup.


Expert Comment

ID: 9087596
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.

Featured Post

Use Filtering Commands to Process Files in Linux

Learn how to manipulate data with the help of various filtering commands such as `cat`, `fmt`, `pr`, and others in Linux.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to demonstrate how we can use conditional statements using Python.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question