From 608a1255fc3700611bdabdc9c8635940ac3390af Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Sat, 19 Feb 2022 00:55:03 -0500
Subject: [PATCH] harden exim

---
 mail-setup | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/mail-setup b/mail-setup
index 13f9947..28e02ce 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,9 +3,6 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-# todo: sandbox / harden exim:
-#  restrict its filesystem access from within systemd
-
 #  todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
 #  todo: consider hardening cups listening on 0.0.0.0
 #  todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
@@ -2355,6 +2352,19 @@ case $HOSTNAME in
 [Service]
 # see 56.2 Root privilege in exim spec
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+# https://www.redhat.com/sysadmin/mastering-systemd
+# things that seem good and reasonabl.e
+PrivateTmp=yes
+ProtectHome=yes
+# note, in t10 systemd, if one of these is an sshfs mountpoint,
+# this whole setting doesnt work. tried it with a newer systemd 250 though
+# an nspawn, and it worked there.
+InaccessiblePaths=d m media mnt nocow o p q
+NoNewPrivileges=yes
+ProtectSystem=yes
+
+# when we get newer systemd
+#ProtectDevices=yes
 EOF
     i /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
 # see 56.2 Root privilege in exim spec
-- 
2.30.2