sasl_password.db is not encrypted, and can be read e.g. using the
command string sasl_password.db. Change its permission mode to 0600, so
it can only be read by the file's owner, root.
Implemented by creating the file using postmap, without the -p flag, so
it will inherit the desired permissions from the input file
sasl_password. Previously -p was used, to set the default mode 0644
(readable by all users).
This was tested on Debian 10, and accords with the postfix docs.
Keep the SASL client password file in /etc/postfix, and make the file
read+write only for root to protect the username/password combinations
against other users. The Postfix SMTP client will still be able to read
the SASL client passwords. It opens the file as user root before it drops
privileges, and before entering an optional chroot jail.
Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.
Partial revert of commit e5e3f55bf3bd7 / #90
"Fix sasl_passwd.db permissions and enable sender canonical maps to be
regexp"
I don't know the reason that mode 0644 was believed to be necessary.
sasl_password.dbis not encrypted, and can be read e.g. using the commandstring sasl_password.db. Change its permission mode to 0600, so it can only be read by the file's owner,root.Implemented by creating the file using
postmap, without the-pflag, so it will inherit the desired permissions from the input filesasl_password. Previously-pwas used, to set the default mode 0644 (readable by all users).This was tested on Debian 10, and accords with the postfix docs.
Partial revert of commit e5e3f55bf3bd7 / #90 "Fix sasl_passwd.db permissions and enable sender canonical maps to be regexp"
I don't know the reason that mode 0644 was believed to be necessary.
Fixes #114
CC @kgizdov