Rootless postfix? #195
Comments
Postfix drops privileges right after startup. OpenDKIM runs under its own account. Going completely rootless would be great, as you could run the image with higher security and with a specific user. However, it does bring its own set of problems. OpenDKIM and Postfix would both need to run under the same account, for one. Not really sure how I feel about it, but as you mentioned, let's keep the ticket open and see if anybody comes up with any bright ideas.
I have the same problem with permissions. After restarting the pod it's not readable.
@maxclax unless you're trying to run this with specific
repository: https://bokysan.github.io/docker-postfix/ By default only the dkim folder is persisted. Everything works well from scratch, but after restarting the pod it cannot read the dkim data because of Permission denied.
This has nothing to do with this ticket. Please raise another ticket and delete the comment from here. Thank you.
@bokysan I did some research on running postfix without root privileges: it wouldn't be impossible, but it isn't really a scenario the maintainers would want to support. I think this thread sums it up: https://www.mail-archive.com/[email protected]/msg90253.html I don't think that pre-loading is a desirable solution to achieve rootless postfix, so I would suggest closing this issue, at least for the foreseeable future 🤷 (sorry for the late reply, I had misplaced the above link and only just came across it again)
@thielj Appreciate the update. In this case I will close the ticket, as we need to wait for upstream and I want to ensure no unnecessary comments pop up here.
Continuing from the other issue... The best solution to the chroot jail would probably be running "rootless" postfix. There's no local delivery, and binding ports < 1024 shouldn't need root privileges in a container (and if so, can always be mapped to 2525 or something like that).
That seems to be true from about docker version 20.10, see moby/moby#41030
Similar for Kubernetes and containerd
I'm leaving this here to maybe collect some pointers and see if it's feasible and desirable.
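A startup check for the port question raised above, written as an added example (not code from the docker-postfix project): it reads the Linux knob that Docker 20.10+ sets to 0 inside containers (net.ipv4.ip_unprivileged_port_start, the change behind moby/moby#41030) and then actually attempts the bind, falling back to a high port such as 2525 when the runtime does not allow an unprivileged process to take port 25. The /proc path is the standard kernel interface; the function names and the fallback value are my choices.

```python
import os
import socket
from pathlib import Path
from typing import Optional

# Kernel knob: first TCP/UDP port an unprivileged process may bind.
# Bare hosts default to 1024; Docker 20.10+ sets it to 0 in containers,
# which is why a rootless smtpd can usually bind 25 there.
UNPRIV_PORT_START = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")


def unprivileged_port_start() -> Optional[int]:
    """Return the sysctl value, or None if it is not exposed
    (non-Linux host, or /proc hidden from the container)."""
    try:
        return int(UNPRIV_PORT_START.read_text().strip())
    except (OSError, ValueError):
        return None


def can_bind(port: int, host: str = "127.0.0.1") -> bool:
    """Authoritative check: try the bind. CAP_NET_BIND_SERVICE or the
    sysctl may permit it even when the process is not root, so do not
    infer the answer from the uid alone."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except PermissionError:
            return False          # privileged port, no capability/sysctl
        except OSError:
            return False          # in use or otherwise unavailable right now
        return True


def choose_smtp_port(preferred: int = 25, fallback: int = 2525) -> int:
    """Port for a rootless smtpd: the preferred one if this process may
    bind it, else a high port that a runtime port mapping can front."""
    return preferred if can_bind(preferred) else fallback


if __name__ == "__main__":
    print(f"uid={os.getuid()} ip_unprivileged_port_start={unprivileged_port_start()}")
    print(f"listen on port {choose_smtp_port()}")
```

Run it as the container's service user; if it reports 2525, publish the container port with a mapping such as host 25 to container 2525 rather than granting the process more privilege.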