Excellent post Scott, showing best practice. I think we need more like this

On Mon, 23 Mar 2020, 13:46 Scott McCarty, <smccarty@redhat.com> wrote:
It's possible, but it would require running the container in a privileged mode. It would essentially mitigate any security benefit you get from running the MTA in containers.

I would recommend copying all of these files into a directory in /srv dedicated to the service (in this case the MTA). For example, I would create a directory structure something like:

/srv/mail.example.com/etc/passwd
/srv/mail.example.com/etc/shadow
/srv/mail.example.com/etc/etc/group
/srv/mail.example.com/etc/etc/gshadow
/srv/mail.example.com/etc/home/user/Maildir

Then, I would bind mount each of these in. This is what I do for Mediawiki, MySQL, and Wordpress. Sadly, I don't think I've created a GitHub repo to show people how to do it.

Personally, I also run systemd in the container (because I hate reverse engineering startup scripts) and I run the whole thing read-only. IMHO, this gives me a balance of security and convenience.

If you don't run systemd, you could even run rootless.

Best Regards
Scott M


On Sun, Mar 22, 2020, 9:18 PM Philip Rhoades <phil@pricom.com.au> wrote:
People,

I want to have a MTA running from a container but is it possible for the
containerised MTA:

1. to deliver mails to users on the host's file system dir (eg
/home/user/Maildir)?

2. to have access to the host's:

    /etc/passwd
    /etc/shadow
    /etc/group
    /etc/gshadow

files for users who are logging in to the host to look at their mails?

Thanks,

Phil.
--
Philip Rhoades

PO Box 896
Cowra  NSW  2794
Australia
E-mail:  phil@pricom.com.au
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io
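The /srv layout and read-only bind mounts Scott describes above, as an added example (not code from the thread or from Podman itself): the service root, the mail user, the image name and the tmpfs paths are assumptions chosen for illustration, and :Z assumes an SELinux host.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the per-service tree under
# /srv that Scott describes and the matching podman run arguments. The service
# root, the mail user and the image name are assumptions for illustration.

# Step 1: copy the four account files from SRC_ETC (normally /etc) into the
# service tree. Copying, rather than bind mounting the host's /etc itself,
# means the container can see exactly these files and nothing else.
copy_account_files() {
  src="$1"; root="$2"
  mkdir -p "$root/etc" "$root/home"
  for f in passwd group shadow gshadow; do
    cp "$src/$f" "$root/etc/$f"
  done
  chmod 0644 "$root/etc/passwd" "$root/etc/group"
  chmod 0600 "$root/etc/shadow" "$root/etc/gshadow"   # never world-readable
}

# Step 2: the Maildir the MTA writes into (cur/new/tmp is the maildir layout).
# On the real host, chown it to the uid/gid that user has in the copied passwd.
init_maildir() {
  root="$1"; user="$2"
  mkdir -p "$root/home/$user/Maildir/cur" "$root/home/$user/Maildir/new" \
           "$root/home/$user/Maildir/tmp"
}

# Step 3: bind-mount flags. Account files go in read-only, so even a
# compromised MTA cannot add or change accounts; only the Maildir is writable.
# :Z relabels for SELinux (harmless where SELinux is absent).
mount_args() {
  root="$1"; user="$2"
  for f in passwd group shadow gshadow; do
    printf ' -v %s/etc/%s:/etc/%s:ro,Z' "$root" "$f" "$f"
  done
  printf ' -v %s/home/%s/Maildir:/home/%s/Maildir:Z' "$root" "$user" "$user"
}

# Step 4: the full command. --read-only makes the image filesystem immutable,
# as in Scott's setup; --tmpfs gives the MTA writable scratch areas. Run it
# with rootless podman and --userns=keep-id if the host uids must match.
run_command() {
  root="$1"; user="$2"; image="$3"
  printf 'podman run -d --name mta --read-only --tmpfs /run --tmpfs /var/spool%s %s\n' \
    "$(mount_args "$root" "$user")" "$image"
}

# Usage on the host (as root for the shadow copies):
#   copy_account_files /etc /srv/mail.example.com
#   init_maildir /srv/mail.example.com user
#   eval "$(run_command /srv/mail.example.com user localhost/mta:latest)"
```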