postfwd2 - chroot setup


If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared. 

How to create a minimal chroot environment for postfwd2
=======================================================

Tested with SLES 11 x86_64, customize this to suit your specific system.
For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
and glibc version 2.4 instead of 2.11.1.

cd $CHROOTDIR
for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
  usr/lib/perl5/site_perl \
  usr/lib/perl5/site_perl/5.10.0 \
  usr/lib/perl5/site_perl/5.10.0/Net \
  usr/lib/perl5/site_perl/5.10.0/Net/Server \
  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
    mkdir $dir
    chmod --reference /$dir $dir
    chown --reference /$dir $dir
done
for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
  lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
    cp -p /$file $file
done
grep nobody /etc/passwd > etc/passwd
grep nobody /etc/group > etc/group
echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf

=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
    echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
      >> /etc/sysconfig/syslog
    /etc/init.d/syslog restart

=> Place your postfwd configuration in $CHROOTDIR:
    cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf

=> Start postfwd2:
    /usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR


List of directories
===================

tmp
lib64
dev
var
var/tmp
etc
usr
usr/lib
usr/lib/perl5
usr/lib/perl5/site_perl
usr/lib/perl5/site_perl/5.10.0
usr/lib/perl5/site_perl/5.10.0/Net
usr/lib/perl5/site_perl/5.10.0/Net/Server
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto


List of files
=============

lib64/libnss_files.so.2
lib64/libnss_files-2.11.1.so
dev/null
dev/log
etc/localtime
etc/protocols
etc/postfwd.conf
etc/nsswitch.conf
etc/passwd
etc/resolv.conf
etc/group
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm

Thanks to Lukas Wunner for providing this howto and the patch for postfwd2!