postfix-sender-login: Better hardening.

Run as a dedicated user, not ‘postfix’.
author: Guilhem Moulin <guilhem@fripost.org> 2020-05-20 15:46:27 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2020-05-21 03:40:53 +0200
commit: 6d1daa0424c168eae4bfa9f6772add3f77ec506f (patch)
tree: a45e83f4fefa0a3976c534078d26d3ff003e9935 /roles/MSA/files/etc
parent: 5118f8d3394579a245b355c863c69410fe92e26e (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index f5e6d89..d652f75 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -4,8 +4,7 @@ After=mail-transport-agent.target
 Requires=postfix-sender-login.socket
 
 [Service]
-User=postfix
-Group=postfix
+User=_postfix-sender-login
 StandardInput=null
 SyslogFacility=mail
 ExecStart=/usr/local/bin/postfix-sender-login.pl
@@ -13,10 +12,9 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
+PrivateNetwork=yes
 ProtectHome=yes
 ProtectSystem=strict
-PrivateDevices=yes
-PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
author	Guilhem Moulin <guilhem@fripost.org>	2020-05-20 15:46:27 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2020-05-21 03:40:53 +0200
commit	6d1daa0424c168eae4bfa9f6772add3f77ec506f (patch)
tree	a45e83f4fefa0a3976c534078d26d3ff003e9935 /roles/MSA/files/etc
parent	5118f8d3394579a245b355c863c69410fe92e26e (diff)