File: postfix.service

package info (click to toggle)
postfix 3.10.6-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 27,968 kB
  • sloc: ansic: 134,721; makefile: 17,984; sh: 6,966; perl: 2,796; python: 1,448; awk: 158
file content (85 lines) | stat: -rw-r--r-- 3,133 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
[Unit]
Description=Postfix Mail Transport Agent (main/default instance)
Documentation=man:postfix(1)
After=network.target nss-lookup.target
# network-online.target is a semi-working work-around for specific
# network_interfaces, https://bugs.debian.org/854475#126
# Please add local override wanting network-online.target or
# systemd-networkd-wait-online@INTERFACE:no-carrier.service
#After=network-online.target
#Wants=network-online.target
ConditionPathExists=/etc/postfix/main.cf
# pre-3.9.1-7 multi-instance setup:
Conflicts=postfix@-.service

[Service]
Type=forking
# Force operations on single default instance, do not run postmulti wrapper
Environment=MAIL_CONFIG=/etc/postfix
# perform 2-stage startup
ExecStartPre=+postfix check
ExecStart=postfix debian-systemd-start
ExecStop=postfix stop
ExecReload=postfix reload

# Postfix consists of multiple processes run by a master(8) orchestrator,
# each of them having different requirements.  From the whole set, local(8)
# (the Postfix local delivery agent) is the most demanding one, because it
# runs things as user, and a user needs to be able to run suid/sgid programs
# (if not only to be able to deliver mail to /var/spool/postfix/postdrop).
# Individual Postfix daemons are started as root, optionally perform chroot
# into the queue directory, and drop privileges voluntarily.

# listen(2) on privileged ports (smtp)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# chroot into queue dir
CapabilityBoundingSet=CAP_SYS_CHROOT
# drop root privs, run as user when delivering local mail
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# processes access protected files in non-root-owned dirs (acl root:rwx);
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# https://bugs.debian.org/1099891 :
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# chown(2) is needed for procmail &Co to create /var/mail/$USER
CapabilityBoundingSet=CAP_CHOWN

# users might run suid/sgid programs from ~/.forward:
RestrictSUIDSGID=no
# for the same reason, NoNewPrivileges can not be set to yes
NoNewPrivileges=no

# if you don't use procmail for delivery to /var/mail/$USER,
# CAP_CHOWN can be removed.
# if you don't use local(8) at all, only doing local delivery over LMTP
# or using virtual(8), you can also set
#RestrictSUIDSGID=yes
#NoNewPrivileges=yes
# Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACLs of
# postfix-owned dirs in spool: public, private; and whatever maps in protected
# subdirs you use, relying on cap_dac_override

LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectControlGroups=yes
ProtectClock=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# ProtectProc is not usable with User=root:
#ProtectProc=noaccess
ProcSubset=pid
# ProtectSystem can be "yes" if rw maps are in /etc, or "full"
# Alternative would be "strict" +ReadWritePaths=/var
ProtectSystem=full
# Need to write to ~/Maildir/ etc:
ProtectHome=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

SystemCallFilter=@system-service @setuid chroot

[Install]
WantedBy=multi-user.target