Compare Config Files Side-by-Side Diff

[Unit] Description=Postfix Mail Transport Agent (main/default instance) Documentation=man:postfix(1) After=network.target nss-lookup.target # network-online.target is a semi-working work-around for specific # network_interfaces, https://bugs.debian.org/854475#126 # Please add local override wanting network-online.target or # systemd-networkd-wait-online@INTERFACE:no-carrier.service #After=network-online.target #Wants=network-online.target ConditionPathExists=/etc/postfix/main.cf # pre-3.9.1-7 multi-instance setup: Conflicts=postfix@-.service [Service] Type=forking # Force operations on single default instance, do not run postmulti wrapper Environment=MAIL_CONFIG=/etc/postfix # perform 2-stage startup ExecStartPre=+postfix check ExecStart=postfix debian-systemd-start ExecStop=postfix stop ExecReload=postfix reload # Postfix consists of multiple processes run by a master(8) orchestrator, # each of them having different requirements. From the whole set, local(8) # (the Postfix local delivery agent) is the most demanding one, because it # runs things as user, and a user needs to be able to run suid/sgid programs # (if not only to be able to deliver mail to /var/spool/postfix/postdrop). # Individual Postfix daemons are started as root, optionally perform chroot # into the queue directory, and drop privileges voluntary # listen(2) on privileged ports (smtp) CapabilityBoundingSet=CAP_NET_BIND_SERVICE # chroot into queue dir CapabilityBoundingSet=CAP_SYS_CHROOT # drop root privs, run as user when delivering local mail CapabilityBoundingSet=CAP_SETGID CAP_SETUID # processes access protected files in non-root-owned dirs (acl root:rwx); CapabilityBoundingSet=CAP_DAC_OVERRIDE # https://bugs.debian.org/1099891 : CapabilityBoundingSet=CAP_DAC_READ_SEARCH # chown(2) is needed for procmal &Co to create /var/mail/$USER CapabilityBoundingSet=CAP_CHOWN # users might run suid/sgid programs from ~/.forward: RestrictSUIDSGID=no # for the same reason, NoNewPrivileges can not be set to yes NoNewPrivileges=no # if you don't use procmail for delivery to /var/mail/$USER, # CAP_CHOWN can be removed. # if you don't use local(8) at all, only doing local delivery over LMTP # or using virtual(8), you can also set #RestrictSUIDSGID=yes #NoNewPrivileges=yes # Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACL to # postfix-owned dis in spool: public, private; and whatever maps in protected # subdirs you use, relying on cap_dac_override LockPersonality=yes MemoryDenyWriteExecute=yes ProtectControlGroups=yes ProtectClock=yes PrivateDevices=yes ProtectHostname=yes ProtectKernelLogs=yes ProtectKernelModules=yes ProtectKernelTunables=yes # ProtectProc is not usable with User=root: #ProtectProc=noaccess ProcSubset=pid # ProtectSystem can be "yes" if rw maps are in /etc, or "full" # Alternative would be "strict" +ReadWritePaths=/var ProtectSystem=full # Need to write to ~/Maildir/ etc: ProtectHome=no RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictNamespaces=yes RestrictRealtime=yes SystemCallFilter=@system-service @setuid chroot [Install] WantedBy=multi-user.target