-
-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question] Restrict access to user's home #1039
Comments
I suspect it's trying to read the .forward file. |
Yes, it is to read the user ~/.forward file |
I see, so failure to read |
It may actually be a bug. What if lmtp is a network socket and home directories are on a different host? |
This is no option to disable forward file lookup but that would be a good idea in my opinion.
I don't know as I'm not an LMTP user myself but to me we have to differentiate local and relay actions. In local actions, we are expecting a local account and user may use own MDA while in relay actions, we are expecting the mail to be relayed elsewhere. I don't know if the best option here is local LMTP with a new nodotforward option or a relay action, this should be put to discussion. |
any news on this discussion? |
no news as we're focusing on 6.7 release and no new features until tagged but I have it in my mind to submit a diff to introduce a no-forward action for local-only deliveries |
I'm experimenting with the hardened unit file, and I adopted ProtectHome=read-only. There also seems to be a capability missing for CentOS 8 system and I'm getting this:
Did you settle on these capabilities or did you have to add more? For now I adopted these to get rid of the error: CapabilityBoundingSet=~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE |
This is what I currently have in my unit file
I have settled on this set of capabilitites, and I don't think opensmtpd needs more. And I am not 100% sure that |
Thank you all for ideas on capabilities options set! To be honest, I barely use local deliveries, but think we definitely need some minimal caps set in Fedora and RHEL7,8. |
I can confirm that CAP_DAC_OVERRIDE and CAP_FOWNER are needed on CentOS 8 to get rid of a combination of errors:
CAP_FSETID didn't seem to have an effect. |
My full opensmtpd.service file that I'm running on CentOS 8 now:
|
A diff has been sent to OpenBSD for adding a forward-file option: https://marc.info/?l=openbsd-tech&m=160841747511126&w=2 If this gets committed, then by default there will be no touch of the user home directories unless the admin explicitly stated there may be .forward files in there. |
Hi @poolpOrg I saw the whole email thread and it looks like nothing was committed. Is there something to do about that check/error message? Besides "grep -v" :) |
If anyone interested: I have scheduled most of the suggestions above to the upcoming RHEL8 (EPEL8) and Fedora 34+ updates. |
Hi Gilles, I am using systemd to restrict smtpd process. In particular I hide user directories and mount the rest of the filesystem read-only (with exception of
/var/spool/smpd
)I often get warning in the log:
warn: smtpd: parent_forward_open: /home/ngor: No such file or directory
when accepting mail.Although I have setup smtpd to deliver through lmtp socket. So the question is why smptd trying to access user's directory?
My config:
More complete log excerpt of mail delivery:
Full systemd unit:
The text was updated successfully, but these errors were encountered: