Rootless postfix?

[thielj]

Continuing from the other issue... The best solution to the chroot jail would probably be running "rootless" postfix. There's no local delivery, and binding ports < 1024 shouldn't need root privileges in a container (and if so, can always be mapped to 2525 or something like that).

/app $ sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0
/app $ id
uid=1000 gid=1000 groups=1000
/app $

That seems to be true from about docker version 20.10, see https://github.com/moby/moby/pull/41030

Similar for Kubernetes and containerd

I'm leaving this here to maybe collect some pointers and see if it's feasible and desirable.

[bokysan]

Postfix drops privileges right after startup. OpenDKIM runs under its own account. Going completely rootless would be great, as you could run the image with higher security and with specific user. However, it does bring its own set of problem. OpenDKIM and Postfix both would need to run under the same account, for one.

Not really sure how I feel about it, but as you mentioned, let's keep the ticket open and see if anybody comes up with any bright ideas.

[maxclax]

I have same problem with permission. After restart pod it's not readable

‣ INFO  DKIM_AUTOGENERATE set -- will try to auto-generate keys for ***.com.
‣ INFO  Key for domain ***.com already exists in /etc/opendkim/keys/***.com.private. Will not overwrite.
‣ NOTE  Configuring OpenDKIM.
        ...using socket inet:localhost:8891
        ...for domain ***.com (selector: mail)
        ...trying to reown /etc/opendkim/keys/***.com.private as it's not readable by OpenDKIM...
chown: changing ownership of '/etc/opendkim/keys/***.com.private': Permission denied`

[bokysan]

@maxclax unless you're trying to run this with specific securityContext (like in #199), this is most likely not the same issue. And since you have not given me any context (e.g. version of the image, is it Docker or Kubernetes, docker-compose.yaml file or helm values.yaml...) I cannot either comment on help with your problem.

[maxclax]

@maxclax unless you're trying to run this with specific securityContext (like in #199), this is most likely not the same issue. And since you have not given me any context (e.g. version of the image, is it Docker or Kubernetes, docker-compose.yaml file or helm values.yaml...) I cannot either comment on help with your problem.

mail:
  enabled: true
  replicaCount: 1
  service:
    type: ClusterIP
    port: 587
    labels: { }
    annotations: { }
  extraVolumeMounts:
    - name: mail
      mountPath: /etc/opendkim/keys
      subPath: dkim
  config:
    general:
      ALLOWED_SENDER_DOMAINS: "app.com"
      ALLOW_EMPTY_SENDER_DOMAINS: 'true'
      ANONYMIZE_EMAILS: 'smart'
      DKIM_AUTOGENERATE: 'true'
    postfix: { }
    opendkim: { }
  persistence:
    enabled: true
    size: 1Gi
    storageClass: local-path
  nodeSelector: { }
  tolerations: [ ]
  affinity: { }

repository: https://bokysan.github.io/docker-postfix/ version: v4.2.1

All by default only dkim folder in persistence. Everything from zero works well but after restart pod that can not read dkim data because Permission denied.

[bokysan]

This has nothing to do with this ticket. Please raise another ticket and delete the comment from here. Thank you.

[thielj]

@bokysan I did some research on running postfix without root privileges: it wouldn't be impossible, but it isn't really a scenario the maintainers would want to support. I think this thread sums it up:

https://www.mail-archive.com/postfix-users@postfix.org/msg90253.html

I don't think that pre-loading is a desirable solution to achieve rootless postfix, so I would suggest closing this issue, at least for the foreseeable future 🤷

---

(sorry for the late reply, I had misplaced the above link and only just came across it again)

[bokysan]

@thielj Appreciate the update. In this case I will close the ticket, as we need to wait for upstream and I want to ensure no unnecessary comments pop up here.