From 09cd9f998780fb7179b7fc23c593c305a12b050a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 6 Dec 2018 21:06:38 +0100
Subject: MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.

Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f),
the postscreen(8) server can run chrooted, so we can also chroot the
smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
---
 roles/common/templates/etc/postfix/master.cf.j2 | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)


diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 10fc303..4356363 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -13,17 +13,15 @@
 {% if inst is not defined %}
 [127.0.0.1]:16132 inet n -      y       -       -       smtpd
 {% elif inst == 'MX' %}
-smtpd     pass  -       -       n       -       -       smtpd
-  -o cleanup_service_name=cleanup_nochroot
-smtp      inet  n       -       n       -       1       postscreen
-tlsproxy  unix  -       -       n       -       0       tlsproxy
-dnsblog   unix  -       -       n       -       0       dnsblog
-cleanup_nochroot unix n -       n       -       0       cleanup
+smtpd     pass  -       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       1       postscreen
+tlsproxy  unix  -       -       y       -       0       tlsproxy
+dnsblog   unix  -       -       y       -       0       dnsblog
 {% elif inst == 'MSA' %}
 submission inet n       -       y       -       -       smtpd
   -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 {% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
-[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       -       -       -       smtpd
+[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n       -       y       -       -       smtpd
   -o broken_sasl_auth_clients=no
   -o smtpd_tls_security_level=none
   -o smtpd_sasl_security_options=noanonymous
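Review bot: The daemons switched to chroot `y` here (smtpd, postscreen, tlsproxy, dnsblog and the SASL-enabled MSA listener at the `[{{ postfix_instance.MSA.addr }}]` line) now resolve runtime paths relative to the instance's queue directory, yet nothing in this template populates that jail. dnsblog and postscreen need resolver configuration (`etc/resolv.conf`, `etc/services`) inside the jail, and the MSA listener's authentication socket must be reachable there, so `smtpd_sasl_path` in main.cf has to be a path relative to `$queue_directory` rather than an absolute one — main.cf is outside this file, so this needs confirming. On Debian the postfix init script copies those files into the chroot at start, but whether it does so for the non-default `MX` instance's queue directory should be verified rather than assumed. Dropping `-o cleanup_service_name=cleanup_nochroot` also relies on a default `cleanup` service defined outside this hunk; a comment above the `smtpd pass` entry, `# all MX daemons run chrooted: the jail under $queue_directory must hold etc/resolv.conf, etc/services and any auth socket`, would record both dependencies.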
@@ -31,7 +29,7 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 {% elif inst in ['IMAP', 'out', 'lists'] %}
-[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       -       -       -       smtpd
+[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n       -       y       -       -       smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
 {% endif %}
 pickup    unix  n       -       y       60      1       pickup
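Review bot: Making the chroot column explicit at the `[{{ postfix_instance[inst].addr }}]` line is a real behaviour change, not a cosmetic one: master(5) documents the `-` default as `y` only for Postfix before 3.0 and `n` from 3.0 on, so on current Debian releases these IMAP/out/lists listeners were most likely running unchrooted until now. The commit message only talks about the MX daemons; the description should say that the non-MX instances' listeners are affected as well. As far as the Postfix documentation describes it, lookup tables are opened before the jail is entered, but anything referenced by path at runtime (for instance `smtpd_tls_CApath`, if the instance sets it) must exist under the queue directory — confirm against each instance's main.cf, which is outside this file.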