3 files changed, 77 insertions, 1 deletions
diff --git a/README.md b/README.md
index a8b2f5c02..39ce41e22 100644
--- a/README.md
+++ b/README.md
@@ -336,7 +336,7 @@ Stats:
 ### New profiles:
 onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
-cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, 
+cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 858a0c9f6..b52bcaa11 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1181,6 +1181,7 @@ blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
 blacklist ${RUNUSER}/akonadi
 blacklist ${RUNUSER}/psd/*firefox*
+blacklist /etc/ssmtp
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
 blacklist /var/games/nethack
diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile
new file mode 100644
index 000000000..1a224e7b0
--- /dev/null
+++ b/etc/profile-m-z/ssmtp.profile
@@ -0,0 +1,75 @@
+# Firejail profile for ssmtp
+# Description: Extremely simple MTA to get mail off the system to a mailhub
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssmtp.local
+# Persistent global definitions
+include globals.local
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+noblacklist /etc/logcheck
+noblacklist /etc/ssmtp
+noblacklist /sbin
+noblacklist /usr/sbin
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include disable-X11.inc
+mkfile ${HOME}/dead.letter
+whitelist ${HOME}/dead.letter
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+#nogroups breaks app
+noinput
+nonewprivs
+noprinters
+#noroot breaks app
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+# private works but then we lose ${HOME}/dead.letter
+# which is useful to get notified on mail issues
+#private
+private-bin mailq,newaliases,sendmail,ssmtp
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/dead.letter

diff --git a/README.md b/README.md index a8b2f5c02..39ce41e22 100644 --- a/README.md +++ b/README.md
@@ -336,7 +336,7 @@ Stats:
336	### New profiles:	336	### New profiles:
337		337
338	onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,	338	onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
339	cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5,	339	cinelerra-gg, tesseract, avidemux3_cli, avidemux3_jobs_qt5, avidemux3_qt5, ssmtp
340		340
341		341
342		342


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 858a0c9f6..b52bcaa11 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -1181,6 +1181,7 @@ blacklist ${HOME}/yt-dlp.conf.txt
1181	blacklist ${RUNUSER}/firefox	1181	blacklist ${RUNUSER}/firefox
1182	blacklist ${RUNUSER}/akonadi	1182	blacklist ${RUNUSER}/akonadi
1183	blacklist ${RUNUSER}/psd/firefox	1183	blacklist ${RUNUSER}/psd/firefox
		1184	blacklist /etc/ssmtp
1184	blacklist /tmp/.wine-*	1185	blacklist /tmp/.wine-*
1185	blacklist /tmp/akonadi-*	1186	blacklist /tmp/akonadi-*
1186	blacklist /var/games/nethack	1187	blacklist /var/games/nethack


diff --git a/etc/profile-m-z/ssmtp.profile b/etc/profile-m-z/ssmtp.profile new file mode 100644 index 000000000..1a224e7b0 --- /dev/null +++ b/etc/profile-m-z/ssmtp.profile
@@ -0,0 +1,75 @@
		1	# Firejail profile for ssmtp
		2	# Description: Extremely simple MTA to get mail off the system to a mailhub
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include ssmtp.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	blacklist ${RUNUSER}
		11	blacklist /usr/libexec
		12
		13	noblacklist /etc/logcheck
		14	noblacklist /etc/ssmtp
		15	noblacklist /sbin
		16	noblacklist /usr/sbin
		17
		18	noblacklist ${DOCUMENTS}
		19	include disable-common.inc
		20	include disable-devel.inc
		21	include disable-exec.inc
		22	include disable-interpreters.inc
		23	include disable-proc.inc
		24	include disable-programs.inc
		25	include disable-shell.inc
		26	include disable-xdg.inc
		27	include disable-X11.inc
		28
		29	mkfile ${HOME}/dead.letter
		30	whitelist ${HOME}/dead.letter
		31	whitelist ${DOCUMENTS}
		32	whitelist ${DOWNLOADS}
		33	include whitelist-common.inc
		34	include whitelist-run-common.inc
		35	include whitelist-runuser-common.inc
		36	include whitelist-usr-share-common.inc
		37	include whitelist-var-common.inc
		38
		39	apparmor
		40	caps.drop all
		41	ipc-namespace
		42	machine-id
		43	netfilter
		44	no3d
		45	nodvd
		46	#nogroups breaks app
		47	noinput
		48	nonewprivs
		49	noprinters
		50	#noroot breaks app
		51	nosound
		52	notv
		53	nou2f
		54	novideo
		55	protocol unix,inet,inet6
		56	seccomp
		57	seccomp.block-secondary
		58	tracelog
		59
		60	disable-mnt
		61	# private works but then we lose ${HOME}/dead.letter
		62	# which is useful to get notified on mail issues
		63	#private
		64	private-bin mailq,newaliases,sendmail,ssmtp
		65	private-cache
		66	private-dev
		67	private-tmp
		68
		69	dbus-user none
		70	dbus-system none
		71
		72	memory-deny-write-execute
		73	restrict-namespaces
		74	read-only ${HOME}
		75	read-write ${HOME}/dead.letter