

How to patch and secure postfix?

Posted on 2003-03-27
Medium Priority
Last Modified: 2010-04-20
I downloaded the patch for postfix but how do I apply it? I tried patch < name of patch but it asks me for file to patch.

Is there a guide on how to run postfix in chroot? Or do I just need to edit the master.cf and change the chroot of every daemon except for local and pipe to y, then reload postfix?

Question by:evenq
LVL 14

Expert Comment

ID: 8221122
What kind of distribution are you using? Redhat?
The patch you downloaded is for source code, and I guess you have never compiled anything on Linux.
So the best way for you to patch postfix is to update your postfix package, and then it depends on your distro.
IMHO running postfix in a chroot is useless, since it has been designed with security as a primary goal by a very experienced developer.

Author Comment

ID: 8221237
I'm actually using Trustix 1.5. I have compiled and know how to compile source code on Linux boxes. What I found so far is to use the patch command to patch postfix. I guess I could download the latest package and re-compile it but it's easy to just patch it. As for running postfix in a chroot jail, it is highly recommended even if postfix is secure. It's really not that hard to do if you know how to. I just need to find out which files I need to copy to run postfix correctly in a chroot jail. If someone tries to break in they will be trapped in that directory only.

Expert Comment

ID: 8222767
Here are some notes I wrote for chrooting Postfix in the past. The notes were written for 1.1, but it's probably the same for 2.x.

Running Postfix in a chroot environment
- As an extra security measure, Postfix can run in a restricted area on the mail server.  This ensures that even if Postfix is compromised, the attacker will not be able to access files in the mail server system directories.  
- the Unix chroot program forces a command to treat the specified directory as the filesystem root directory.
- to run the Postfix core programs in a chroot environment, you must indicate which programs are going to be run chrooted in the master.cf file and you must modify the /var/spool/postfix directory to accommodate being used as the root directory
- with the exception of the Postfix local delivery and `pipe' daemons, every Postfix daemon can run chrooted.  Sites with high security requirements should consider to chroot all daemons that talk to the network:  the smtp and smtpd processes, and perhaps also the lmtp client.
- Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail,  most UNIX systems require you to bring in some files or device nodes.  The examples/chroot-setup directory has a collection of scripts that help you set up chroot environments for Postfix systems.
- to activate the chroot environment for a service, place a y character in the chroot field (fifth field) of the master.cf file.  Next, run the appropriate script in the Postfix source directory under examples/chroot-setup to move the appropriate files to the jail
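
An added example, not part of the original post or of the Postfix distribution: a shell function that reads the chroot field (fifth column) of master.cf as described in the notes above, flagging `local` and `pipe` services marked `y` and network-facing `smtp`, `smtpd` and `lmtp` services marked `n`. The sample master.cf, the `cyrus` service and the `/path/to/deliver` argument are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the chroot column (5th field) of a Postfix master.cf.

# Constructed sample input, not taken from any real system.
sample_master_cf() {
cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
smtp      unix  -       -       y       -       -       smtp
local     unix  -       n       y       -       -       local
cyrus     unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/path/to/deliver -m ${user}
EOF
}

# Reads master.cf from the named file(s) or stdin and prints one line per
# service: "<service>/<daemon> chroot=<value> <verdict>".
audit_master_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/ { next }                   # continuation lines (command args)
        NF >= 8 {
            svc = $1; jail = $5; daemon = $8
            verdict = "ok"
            if ((daemon == "local" || daemon == "pipe") && jail == "y")
                verdict = "ERROR: this daemon cannot run chrooted"
            else if ((daemon == "smtpd" || daemon == "smtp" || daemon == "lmtp") && jail == "n")
                verdict = "WARN: talks to the network, not chrooted"
            else if (jail == "-")
                verdict = "NOTE: compiled-in default applies"
            printf "%s/%s chroot=%s %s\n", svc, daemon, jail, verdict
        }
    ' "$@"
}

sample_master_cf | audit_master_cf
```

On a real system, pass the path to the live master.cf as the argument and re-run the audit after every edit, before reloading Postfix.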



Author Comment

ID: 8222804
I have the same notes actually but I can't find the examples/chroot-setup directory.  Trustix came with postfix already so I did not personally install the package.  I'll keep digging around.

Accepted Solution

fluid11 earned 150 total points
ID: 8222898
The examples/chroot-setup directory is part of the Postfix source code.  Download the source from www.postfix.org and extract it to /usr/local/src/.  You'll find the script in /usr/local/src/postfix-x.x.x/examples/chroot-setup.


Expert Comment

ID: 9087596
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.


Question has a verified solution.
