Why did the postfix default change to non-chroot processes?

With compatibility_level=2 in recent postfix versions, the default for the postfix daemons changed from chroot to non-chroot. While the page describes that it changed and what you can do to continue using chroot or stop using it, there are no reasons given.

Why did they change the default value? Is there any advantage in running it without chroot?


If you download the Postfix source code and examine the HISTORY file, you can see that this change was made on 1 October 2014 (snapshot 20141001):

New defaults for master.cf chroot (n), append_dot_mydomain (no) and smtputf8_enable (yes).

The corresponding git commit shows all the changes that were made to the source code and documentation at this time. Unfortunately, there’s little explanation of the reasons for changing this default setting.

As you’ve already noted, the Postfix Backwards-Compatibility Safety Net states that

The new default avoids the need for copies of system files under the Postfix queue directory.

And the Postfix Basic Configuration document says:

If your machine has unusual security requirements you may want to run Postfix daemon processes inside a chroot environment.


Some Internet searching turned up a few clues to the rationale behind this change:

In a 2008 discussion on the use of chroot, Wietse said

I think it is inappropriate to chroot Postfix by default. Chroot makes sense on dedicated firewalls. General-purpose desktops run web browsers and have a much bigger attack surface than Postfix will ever have.

Later, in 2011:

Chroot support makes sense for sites that have very restricted access policies.


I also read the following in the SASL_README from Postfix 2.6:

To run software chrooted with SASL support is an interesting exercise. It is not worth the trouble.

The text of this file has changed in more recent releases, but this indicates that there were issues being caused by running the mail server in a chroot jail. Scanning through the archives of the postfix-users mailing list shows that this was causing problems for some users.

I personally run Postfix in a chroot jail and, while I don’t use saslauthd, I did have to take a few extra steps configuring milters so that they could communicate with chrooted Postfix daemons via Unix sockets.
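The practical side of the default change is the "-" value in the chroot column of master.cf: it means "use the default", and that default is "y" below compatibility_level 2 and "n" from level 2 onwards, so an entry left at "-" silently leaves the jail when the level is raised. The script below is an added example (mine, not from the answer above and not Postfix code) that parses a constructed master.cf fragment, resolves each service's effective chroot setting for a given compatibility_level, and lists the entries that would change behaviour. It assumes the numeric compatibility_level values described in COMPATIBILITY_README and emits the `postconf -F 'service/type/chroot=...'` form that README uses for pinning a value explicitly.

```python
"""Resolve the master.cf chroot column against compatibility_level.

Added example, not from the original post or from the Postfix project.
Assumes the documented semantics: in master.cf the 5th field is "chroot",
"-" means "default", and the default is "y" for compatibility_level < 2
and "n" for compatibility_level >= 2.
"""

# Constructed sample in the layout of a stock master.cf (not a real file).
SAMPLE_MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
smtp      unix  -       -       y       -       -       smtp
local     unix  -       n       n       -       -       local
"""


def parse_master_cf(text):
    """Return one dict per service entry; indented lines continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line (e.g. "-o name=value")
            if entries:
                entries[-1]["args"].append(raw.strip())
            continue
        fields = raw.split(None, 7)
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        name, typ, private, unpriv, chroot, wakeup, maxproc, command = fields
        entries.append({
            "name": name, "type": typ, "private": private, "unpriv": unpriv,
            "chroot": chroot, "wakeup": wakeup, "maxproc": maxproc,
            "command": command, "args": [],
        })
    return entries


def chroot_default(compatibility_level):
    """Default for a "-" chroot field. Accepts 1, 2, "2", "3.6" and the like."""
    major = int(str(compatibility_level).split(".")[0])
    return "y" if major < 2 else "n"


def effective_chroot(entry, compatibility_level):
    """The value Postfix would actually use for this entry."""
    value = entry["chroot"]
    return chroot_default(compatibility_level) if value == "-" else value


def chrooted_services(text, compatibility_level):
    """service/type names that run inside the queue-directory chroot at this level."""
    return ["%s/%s" % (e["name"], e["type"])
            for e in parse_master_cf(text)
            if effective_chroot(e, compatibility_level) == "y"]


def unpinned_services(text):
    """Entries whose chroot column is "-": these flip when the level reaches 2."""
    return ["%s/%s" % (e["name"], e["type"])
            for e in parse_master_cf(text) if e["chroot"] == "-"]


def pin_commands(text, current_level):
    """postconf -F commands that freeze today's effective value before raising the level."""
    default = chroot_default(current_level)
    return ["postconf -F '%s/%s/chroot=%s'" % (e["name"], e["type"], default)
            for e in parse_master_cf(text) if e["chroot"] == "-"]


if __name__ == "__main__":
    for level in (1, 2):
        print("compatibility_level=%d chrooted: %s"
              % (level, ", ".join(chrooted_services(SAMPLE_MASTER_CF, level))))
    print("unpinned:", ", ".join(unpinned_services(SAMPLE_MASTER_CF)))
    for cmd in pin_commands(SAMPLE_MASTER_CF, 1):
        print(cmd)
```

On a live system the same question is answered by `postconf -F '*/*/chroot'`, which prints the raw column (including "-") rather than the resolved value; the point of resolving it yourself is to see which services will move out of the jail before `compatibility_level=2` is set, and to pin them with an explicit "y" or "n" if that matters to you.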