From 608a1255fc3700611bdabdc9c8635940ac3390af Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sat, 19 Feb 2022 00:55:03 -0500
Subject: [PATCH] harden exim

---
 mail-setup | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/mail-setup b/mail-setup
index 13f9947..28e02ce 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,9 +3,6 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-# todo: sandbox / harden exim:
-# restrict its filesystem access from within systemd
-
 # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
 # todo: consider hardening cups listening on 0.0.0.0
 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
@@ -2355,6 +2352,19 @@ case $HOSTNAME in
 [Service]
 # see 56.2 Root privilege in exim spec
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+# https://www.redhat.com/sysadmin/mastering-systemd
+# things that seem good and reasonabl.e
+PrivateTmp=yes
+ProtectHome=yes
+# note, in t10 systemd, if one of these is an sshfs mountpoint,
+# this whole setting doesnt work. tried it with a newer systemd 250 though
+# an nspawn, and it worked there.
+InaccessiblePaths=d m media mnt nocow o p q
+NoNewPrivileges=yes
+ProtectSystem=yes
+
+# when we get newer systemd
+#ProtectDevices=yes
 EOF
 i /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
 # see 56.2 Root privilege in exim spec
-- 
2.30.2
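Review bot: `InaccessiblePaths=d m media mnt nocow o p q` in the second hunk lists relative names, and as far as I recall the systemd namespace path settings only accept absolute paths and drop other entries with a "Not an absolute path, ignoring" warning in the journal, so this line may be providing no restriction at all; `InaccessiblePaths=/d /m /media /mnt /nocow /o /p /q` is the form that is honoured, and `systemctl show exim4 -p InaccessiblePaths` on the running unit confirms what was actually applied. The placeholder `#ProtectDevices=yes` names a directive that does not exist in systemd.exec; the option that gives the service a minimal private /dev is `PrivateDevices=yes`, so the line would be rejected as an unknown key once uncommented. `ProtectSystem=yes` only mounts /usr and /boot read-only and leaves /etc, including /etc/exim4, writable to the service, whereas `ProtectSystem=full` also covers /etc and should fit a daemon whose writable state lives under /var. Since `AmbientCapabilities=` does not narrow the bounding set, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` would keep the process from regaining any other capability. The heredoc these lines sit in and the enclosing `case $HOSTNAME in` both start outside the hunk.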