authorGuilhem Moulin <guilhem@fripost.org>2020-05-20 15:46:27 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-21 03:40:53 +0200
commit6d1daa0424c168eae4bfa9f6772add3f77ec506f (patch)
treea45e83f4fefa0a3976c534078d26d3ff003e9935 /roles/MSA/files/etc/systemd/system
parent5118f8d3394579a245b355c863c69410fe92e26e (diff)
postfix-sender-login: Better hardening.
Run as a dedicated user, not ‘postfix’.
Diffstat (limited to 'roles/MSA/files/etc/systemd/system')
-rw-r--r--roles/MSA/files/etc/systemd/system/postfix-sender-login.service6
1 files changed, 2 insertions, 4 deletions
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index f5e6d89..d652f75 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -4,8 +4,7 @@ After=mail-transport-agent.target
Requires=postfix-sender-login.socket
[Service]
-User=postfix
-Group=postfix
+User=_postfix-sender-login
StandardInput=null
SyslogFacility=mail
ExecStart=/usr/local/bin/postfix-sender-login.pl
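Review bot: With `Group=` dropped, the service's group becomes the primary group from the passwd entry of `_postfix-sender-login`, and the unit fails to start (status 217/USER) on any host where that account does not exist when the unit is deployed. Nothing visible here shows where the account is provisioned, so I would add a comment above the new line, for example `# dedicated system account, must exist before start (created in <task file>)`. It is also worth confirming that anything the script opens at runtime is still readable now that it no longer runs as postfix; that is inferred, as the script is not part of this diff. The [Service] section continues outside this hunk.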
@@ -13,10 +12,9 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
+PrivateNetwork=yes
ProtectHome=yes
ProtectSystem=strict
-PrivateDevices=yes
-PrivateNetwork=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
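Review bot: `PrivateNetwork=yes` leaves the service in a loopback-only namespace, but it can still create sockets of any address family, and the visible hardening list sets no capability bound or private /tmp. Unless they appear further down outside the hunk, I would add `RestrictAddressFamilies=AF_UNIX`, `CapabilityBoundingSet=` and `PrivateTmp=yes`. The empty capability set is safe here because the unit already runs as an unprivileged user with `NoNewPrivileges=yes`. `RestrictAddressFamilies=` only filters new `socket()` calls, so the socket inherited from `postfix-sender-login.socket` keeps working; this assumes the script itself only talks over UNIX sockets, which should be checked against the script.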