Skip to content

Commit

Permalink
Improve config file documenting comments
Browse files Browse the repository at this point in the history
  * Fix misleading `unprivileged-user` and `chroot-dir` documentation (leaving
    these values unset does not disable their respective features).
  * Document which files are read/created before chrooting and which are after.
  • Loading branch information
rhansen committed Aug 25, 2023
1 parent bb353b0 commit fea2ac4
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 25 deletions.
28 changes: 16 additions & 12 deletions data/postsrsd.conf.in
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ domains = {}
# Local domains (file storage)
# Instead of listing your local domains directly, you can also write them to a
# file and have PostSRSd read it. This is particularly useful if you have a
# large number of domains for which you need to act as mail forwarder.
# large number of domains for which you need to act as mail forwarder. PostSRSd
# reads this file before it chroots and drops root privileges.
#
# Example:
# domains-file = "@POSTSRSD_CONFIGDIR@/@PROJECT_NAME@.domains"
Expand All @@ -38,7 +39,8 @@ domains = {}
# Traditionally, PostSRSd interacts with Postfix through the canonicalization
# lookup tables of the cleanup daemon. If you use a unix socket, be aware that
# most Postfix instances will jail their cleanup daemon in a /var/spool/postfix
# chroot, so no other path will be visible to them.
# chroot, so no other path will be visible to them. Unix sockets are created
# before PostSRSd chroots and drops root privileges.
#
# Examples:
# socketmap = unix:/var/spool/postfix/srs
Expand All @@ -58,7 +60,8 @@ keep-alive = 30

# Milter endpoint for MTA integration.
# PostSRSd can act as a milter to rewrite envelope addresses if it has been
# built with milter support.
# built with milter support. Unix sockets are created before PostSRSd chroots
# and drops root privileges.
#
# Examples:
# milter = unix:/var/spool/postfix/srs_milter
Expand Down Expand Up @@ -90,8 +93,8 @@ original-envelope = embedded
# used. The option is ignored if original-envelope is set to "embedded". Also
# note that PostSRSd needs to be built with SQLite or Redis support for this.
#
# Also note that you need to put the SQLite database into the chroot directory
# if you jail PostSRSd; otherwise, the database file will not be accessible.
# PostSRSd reads this database after it chroots and drops root privileges, so
# the actual filename is the chroot directory joined with this filename.
#
# Examples:
# envelope-database = "sqlite:@CHROOTABLE_DATADIR@/senders.db"
Expand All @@ -107,7 +110,8 @@ original-envelope = embedded
# signatures will always be generated with the first configured secret.
#
# For security reasons, you should also make sure that the file is owned and
# only accessible by root (chmod 600).
# only accessible by root (chmod 600). PostSRSd reads this file before it
# chroots and drops root privileges.
#
# Example:
# secrets-file = "@POSTSRSD_CONFIGDIR@/@PROJECT_NAME@.secret"
Expand Down Expand Up @@ -152,19 +156,19 @@ hash-minimum = 4
always-rewrite = off

# Execute PostSRSd as unprivileged user
# If you set this highly recommended option, PostSRSd will drop root
# privileges and switch to the configured user before it enters the main loop
# to handle untrusted input.
# Drop root privileges and run as this user before entering the main loop and
# handling untrusted input. To prevent PostSRSd from changing users, set this to
# the empty string.
#
# Example:
# unprivileged-user = "nobody"
#
unprivileged-user = "@POSTSRSD_USER@"

# Execute PostSRSd in chroot jail
# If you set this highly recommended option, PostSRSd will jail itself
# in the given directory, which adds an additional layer of protection
# against the exploitation of security bugs in PostSRSd.
# PostSRSd will jail itself in the given directory, which adds an additional
# layer of protection against the exploitation of security bugs in PostSRSd. To
# prevent PostSRSd from chrooting, set this to the empty string.
#
# Example:
# chroot-dir = "@CMAKE_INSTALL_FULL_LOCALSTATEDIR@/lib/@PROJECT_NAME@"
Expand Down
30 changes: 17 additions & 13 deletions doc/postsrsd.conf
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# PostSRSd example configuration file
# Copyright 2022 Timo Röhling
# Copyright 2022-2023 Timo Röhling
# SPDX-License-Identifier: FSFUL
#
# The copyright holder gives unlimited permission to copy, distribute and modify
Expand All @@ -16,7 +16,8 @@ domains = {}
# Local domains (file storage)
# Instead of listing your local domains directly, you can also write them to a
# file and have PostSRSd read it. This is particularly useful if you have a
# large number of domains for which you need to act as mail forwarder.
# large number of domains for which you need to act as mail forwarder. PostSRSd
# reads this file before it chroots and drops root privileges.
#
# Example:
# domains-file = "/usr/local/etc/postsrsd.domains"
Expand All @@ -38,7 +39,8 @@ domains = {}
# Traditionally, PostSRSd interacts with Postfix through the canonicalization
# lookup tables of the cleanup daemon. If you use a unix socket, be aware that
# most Postfix instances will jail their cleanup daemon in a /var/spool/postfix
# chroot, so no other path will be visible to them.
# chroot, so no other path will be visible to them. Unix sockets are created
# before PostSRSd chroots and drops root privileges.
#
# Examples:
# socketmap = unix:/var/spool/postfix/srs
Expand All @@ -58,7 +60,8 @@ keep-alive = 30

# Milter endpoint for MTA integration.
# PostSRSd can act as a milter to rewrite envelope addresses if it has been
# built with milter support.
# built with milter support. Unix sockets are created before PostSRSd chroots
# and drops root privileges.
#
# Examples:
# milter = unix:/var/spool/postfix/srs_milter
Expand Down Expand Up @@ -90,8 +93,8 @@ original-envelope = embedded
# used. The option is ignored if original-envelope is set to "embedded". Also
# note that PostSRSd needs to be built with SQLite or Redis support for this.
#
# Also note that you need to put the SQLite database into the chroot directory
# if you jail PostSRSd; otherwise, the database file will not be accessible.
# PostSRSd reads this database after it chroots and drops root privileges, so
# the actual filename is the chroot directory joined with this filename.
#
# Examples:
# envelope-database = "sqlite:./senders.db"
Expand All @@ -107,7 +110,8 @@ original-envelope = embedded
# signatures will always be generated with the first configured secret.
#
# For security reasons, you should also make sure that the file is owned and
# only accessible by root (chmod 600).
# only accessible by root (chmod 600). PostSRSd reads this file before it
# chroots and drops root privileges.
#
# Example:
# secrets-file = "/usr/local/etc/postsrsd.secret"
Expand Down Expand Up @@ -152,19 +156,19 @@ hash-minimum = 4
always-rewrite = off

# Execute PostSRSd as unprivileged user
# If you set this highly recommended option, PostSRSd will drop root
# privileges and switch to the configured user before it enters the main loop
# to handle untrusted input.
# Drop root privileges and run as this user before entering the main loop and
# handling untrusted input. To prevent PostSRSd from changing users, set this to
# the empty string.
#
# Example:
# unprivileged-user = "nobody"
#
unprivileged-user = "nobody"

# Execute PostSRSd in chroot jail
# If you set this highly recommended option, PostSRSd will jail itself
# in the given directory, which adds an additional layer of protection
# against the exploitation of security bugs in PostSRSd.
# PostSRSd will jail itself in the given directory, which adds an additional
# layer of protection against the exploitation of security bugs in PostSRSd. To
# prevent PostSRSd from chrooting, set this to the empty string.
#
# Example:
# chroot-dir = "/usr/local/var/lib/postsrsd"
Expand Down

0 comments on commit fea2ac4

Please sign in to comment.