From dd1b3b077af7250742b710d53f983e271bff0b5b Mon Sep 17 00:00:00 2001
From: Tom Fitzhenry
Date: Fri, 15 Sep 2023 15:06:20 +1000
Subject: nixos/postfix: add systemd hardening directives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Inspired by https://github.com/gentoo/gentoo/blob/a9ccc48242da316f37b8e6ddf99bae660fadef48/mail-mta/postfix/files/postfix.service
This decreases the systemd-analyze exposure level from UNSAFE to MEDIUM:
```
$ systemd-analyze security --offline=true postfix-hardened.service | grep Overall
→ Overall exposure level for postfix-hardened.service: 6.2 MEDIUM 😐
$ systemd-analyze security --offline=true postfix-original.service | grep Overall
→ Overall exposure level for postfix-original.service: 9.6 UNSAFE 😨
```
---
 nixos/modules/services/mail/postfix.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'nixos')
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 23c47aaca7e23..e8b5f832e66eb 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -779,6 +779,19 @@ in
 ExecStart = "${pkgs.postfix}/bin/postfix start";
 ExecStop = "${pkgs.postfix}/bin/postfix stop";
 ExecReload = "${pkgs.postfix}/bin/postfix reload";
+
+ # Hardening
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectSystem = "full";
+ CapabilityBoundingSet = [ "~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE" ];
+ MemoryDenyWriteExecute = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
 };
 };
-- 
cgit 1.4.1
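Review bot: `CapabilityBoundingSet = [ "~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE" ]` packs a `~`-prefixed deny list into a single list element, unlike `RestrictAddressFamilies` a few lines below, which uses one element per value; the single string is what makes it work, because NixOS renders each list element as its own `CapabilityBoundingSet=` line and systemd merges repeated lines, so a split `~CAP_NET_ADMIN` followed by a plain `CAP_SYS_ADMIN` would no longer express a deny list. A comment such as `# Keep as one string: splitting the "~" deny-list into separate elements renders as separate CapabilityBoundingSet= lines with different semantics.` would stop a later cleanup from silently widening the set. Denying four capabilities also leaves the rest of the root bounding set available to the master daemon and its children; an allow-list of what Postfix actually uses would be stronger but has to be validated against each daemon, so at minimum the reason for the deny-list should be recorded. Likewise `ProtectSystem = "full"` rather than `"strict"` plus `ReadWritePaths=` for the queue and spool directories, and the absence of `ProtectHome=`, `LockPersonality=`, `ProtectClock=` and `SystemCallArchitectures=`, presumably reflect local delivery into home directories and account for the 6.2 MEDIUM score quoted in the commit message; one `#` line per deliberate omission would make the "Hardening" block reviewable rather than a bare list. The enclosing `serviceConfig` attribute set begins before the hunk.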