Samuel Sieb quoted the postfix aliases file:

# For various security reasons, postfix WILL NOT deliver mail as root, so
# ensure that the root alias is aliased to a HUMAN user, as otherwise
# mail may get delivered to the $default_privs user (nobody).

Alexander Dalloz wrote:

> Ok Samuel, this default setup of Postfix is new to me. Thanks for
> pointing this out. I will have to read the Postfix documentation to
> understand the "various security reasons".

As I understand it...

Postfix is a "paranoid MTA", written in response to Sendmail security problems and Dan Bernstein's qmail (the package, the license, and the author have all been controversial).

Postfix is not a program as such: it's a flock of mutually-suspicious programs, none of which trust each other, flying in close formation.

The smtpd daemon that listens to port 25 (the SMTP port) is SUID root just long enough to open port 25, then drops root privileges before any connections are made. Everything else is done as the postfix user. And all the other programs just run as postfix, so a theoretical Postfix vulnerability would not give an attacker instant root (as a Sendmail vulnerability would).

The exception is the final delivery to the mailbox, which is done with the rights of the owner of that mailbox. If that owner is root, then obviously that *would* make the "local" program run as root. So that isn't allowed.

It's paranoid, and I'm happy to have it working for me.

James.
-- 
E-mail address: james | "We completely deny the allegations, and we're
@westexe.demon.co.uk  | trying to identify the alligators."
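
An added example, not part of the original message or of Postfix itself: a small check that parses an aliases(5)-style file, follows alias chains, and reports whether root's mail ends up at some recipient other than root, as the quoted comment asks. The sample file and the user name alice are constructed; quoted alias names containing ":" are not handled, and whether the final target is a human account is not verified.

```python
# Constructed sample in aliases(5) format; not taken from the message above.
SAMPLE_ALIASES = """\
# Basic system aliases
mailer-daemon: postmaster
postmaster:    root
bin:           root
# Person who should get root's mail (constructed user name)
root:          alice
"""

def parse_aliases(text):
    """Parse aliases(5) text into {name: [targets]}, joining continuation lines."""
    entries, logical = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0] in " \t" and logical:       # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        name, sep, rhs = line.partition(":")
        if sep:
            entries[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return entries

def resolve(name, aliases, seen=None):
    """Follow alias chains to their final targets; a loop ends at the repeated name."""
    seen = set() if seen is None else seen
    name = name.lower()
    if name in seen or name not in aliases:
        return {name}
    seen.add(name)
    out = set()
    for target in aliases[name]:
        # Pipes, files, :include: lists and remote addresses are final targets
        if target[0] in '|/"' or target.startswith(":include:") or "@" in target:
            out.add(target)
        else:
            out |= resolve(target, aliases, seen)
    return out

def root_mail_check(text):
    """Return (ok, targets); ok is True when root's mail never ends at root itself."""
    targets = resolve("root", parse_aliases(text))
    return bool(targets) and "root" not in targets, sorted(targets)

if __name__ == "__main__":
    print(root_mail_check(SAMPLE_ALIASES))
```

To check a live system, pass the contents of the aliases file named by `postconf alias_maps` to `root_mail_check`.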