From: Ernst de Haan
Date: Thu, 26 Jul 2007 23:15:20 +0200
To: freebsd-jail@freebsd.org
Subject: Mails from jails
List-Id: "Discussion about FreeBSD jail\(8\)"

I want to restrict my jail sandboxes to sending mail only. Could anyone
give me some advice? This is for a web-/applicationserver that needs to
be able to send mail, but should never be running any mail service on
external network interfaces.

My preference is a minimalistic approach; I was thinking of creating
one specialized sandbox that only provides mail sending functionality
for the other sandboxes:
- make it listen for SMTP connections on the loopback device
  (e.g. 127.0.0.5), only allowing incoming connections from
  the other sandboxes (127.0.0.255);
- forward the mail to a 'real' SMTP server using mail/ssmtp,
  via a secure (SSL) connection, with authentication;

Does anyone have experience with such an approach? If so, what would
you use for the SMTP forwarding? Any advice?

Cheers,

Ernst

From: Alexander Leidinger
Date: Fri, 27 Jul 2007 08:19:52 +0200
To: Ernst de Haan
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Mails from jails

Quoting Ernst de Haan (from Thu, 26 Jul 2007 23:15:20 +0200):

> I want to restrict my jail sandboxes to sending mail only. Could anyone
> give me some advice? This is for a web-/applicationserver that needs to
> be able to send mail, but should never be running any mail service on
> external network interfaces.
>
> My preference is a minimalistic approach; I was thinking of creating
> one specialized sandbox that only provides mail sending functionality
> for the other sandboxes:
> - make it listen for SMTP connections on the loopback device
>   (e.g. 127.0.0.5), only allowing incoming connections from
>   the other sandboxes (127.0.0.255);
> - forward the mail to a 'real' SMTP server using mail/ssmtp,
>   via a secure (SSL) connection, with authentication;
>
> Does anyone have experience with such an approach? If so, what would
> you use for the SMTP forwarding? Any advice?

In my jails at home I configured sendmail with a smarthost
(respectively a msp for the submit.mc) and use
  sendmail_enable="NO"
  sendmail_submit_enable="YES"
in rc.conf.

My smarthost is postfix in another jail and it delivers via TLS+sasl
to a box with an official and static IP which is responsible for the
final delivery.

Bye,
Alexander.

-- 
Fact is solidified opinion.
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137

From: Ernst de Haan
Date: Fri, 27 Jul 2007 15:07:51 +0200
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Mails from jails

Alexander,

> In my jails at home I configured sendmail with a smarthost
> (respectively a msp for the submit.mc) and use
>   sendmail_enable="NO"
>   sendmail_submit_enable="YES"
> in rc.conf.

But this means you are running sendmail in each and every jail, right?
Isn't it better to keep the services per jail to a minimum, excluding
services that are not necessarily required? Now you have the
much-exploited sendmail daemon running in every jail.

I haven't found a complete solution yet, but I would expect to be able
to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not
on the external interface), allowing only connections from 127.0.0.255.
However, I just noticed in the rc.sendmail(8) man page that it
indicates this will not work:

  http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8

Then all the other jails could just run sSMTP, connecting to the ESMTP
service on the mail-jail, without AUTH (SASL) and SSL, just plain old
SMTP.

> My smarthost is postfix in another jail and it delivers via TLS+sasl
> to a box with an official and static IP which is responsible
> for the final delivery.

So does the postfix daemon listen to an internal network address
(127.0.0.x)? If so, this comes pretty close to what I'm looking for.

Cheers,

Ernst

From: Alexander Leidinger
Date: Sat, 28 Jul 2007 15:29:52 +0200
To: Ernst de Haan
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Mails from jails

Quoting Ernst de Haan (from Fri, 27 Jul 2007 15:07:51 +0200):

> Alexander,
>
>> In my jails at home I configured sendmail with a smarthost
>> (respectively a msp for the submit.mc) and use
>>   sendmail_enable="NO"
>>   sendmail_submit_enable="YES"
>> in rc.conf.
>
> But this means you are running sendmail in each and every jail, right?

As a submission daemon (on port 5xx), but not as a MTA/MDA on port 25.

> Isn't it better to keep the services per jail to a minimum, excluding
> services that are not necessarily required? Now you have the
> much-exploited sendmail daemon running in every jail.

Are you concerned about local exploits, or remote exploits? Do you
need to connect to it via a (local) network connection, or is it ok to
deliver via piping data into the executable? If the latter, you can do
sendmail_submit_enable="NO" in all jails. I could disable several of
those locally, but I'm not concerned about this as I use the jails as
some kind of consolidation feature with the nice property of being
able to move a service which is hosted in a jail (one service per
jail) to a different server with a rsync. As some services want to
connect to a port instead of using a local sendmail, I have the submit
daemon enabled by default and was lazy so far to change this...

> I haven't found a complete solution yet, but I would expect to be able
> to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not
> on the external interface), allowing only connections from 127.0.0.255.
> However, I just noticed in the rc.sendmail(8) man page that it
> indicates this will not work:
>   http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8

I have postfix running as my central smarthost/mailhub, and use
sendmail just as a way to deliver mails to it. I don't need to install
anything mail related into a jail (except for sendmail.cf and
submit.cf, but they are in my template). You don't even have to have
sendmail running as described above.

> Then all the other jails could just run sSMTP, connecting to the ESMTP
> service on the mail-jail, without AUTH (SASL) and SSL, just plain old
> SMTP.

For me sendmail as a client which connects to my local postfix is safe
enough in my environment, no need to install additional software.

>> My smarthost is postfix in another jail and it delivers via
>> TLS+sasl to a box with an official and static IP which is
>> responsible for the final delivery.
>
> So does the postfix daemon listen to an internal network address
> (127.0.0.x)? If so, this comes pretty close to what I'm looking for.

I have everything in 192.168.x.y on the NIC interface. So there's the
possibility to connect to a jail from a different system on the same
net. But as sendmail doesn't accept connections from somewhere else,
only ssh and the service of this jail is accessible. I would be
surprised if postfix is not able to bind to 127.0.0.x.

Bye,
Alexander.

-- 
Measure twice, cut once.

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137

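The loopback-only listener this thread asks about can be checked mechanically once the relay jail is configured. The script below is an added example and not part of any message in the thread; it assumes the relay runs Postfix and reads the inet_interfaces parameter from main.cf, and the file names, hostnames and sample values in it are constructed.

```shell
# Added example; file names, hostnames and sample values are constructed.
# Print the effective value of a main.cf parameter. Postfix joins lines that
# start with whitespace onto the previous one, and the last assignment wins.
effective_value() {  # $1 = parameter name, $2 = path to main.cf
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        /^[ \t]/ { if (cur) val = val " " $0; next }  # continuation line
        {
            cur = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == key) { cur = 1; val = substr($0, eq + 1) }
        }
        END {
            gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }
    ' "$2"
}

# Succeed only if every listen address is a loopback address. An unset
# inet_interfaces means the Postfix default "all", so it fails the check.
# "localhost" is accepted on the assumption that it resolves to loopback.
listens_loopback_only() {  # $1 = path to main.cf
    ifaces=$(effective_value inet_interfaces "$1")
    [ -n "$ifaces" ] || ifaces=all
    set -f      # no globbing, so "[::1]" stays a literal word
    rc=0
    for addr in $ifaces; do
        case $addr in
            loopback-only|localhost|127.[0-9]*|::1|"[::1]") ;;
            *) echo "non-loopback listener: $addr" >&2; rc=1 ;;
        esac
    done
    set +f
    return $rc
}

# Constructed samples: a listener on every interface, and the relay jail.
tmp=$(mktemp -d)
printf '%s\n' 'myhostname = web.jail.example' 'inet_interfaces = all' > "$tmp/weak.cf"
cat > "$tmp/relay.cf" <<'EOF'
# a stale earlier setting, overridden by the continued one below
inet_interfaces = all
inet_interfaces = 127.0.0.5,
    localhost
myhostname = mail.jail.example
EOF

for f in "$tmp/weak.cf" "$tmp/relay.cf"; do
    listens_loopback_only "$f" && echo "$f: loopback only" || echo "$f: NOT loopback only"
done
```
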
From: albinootje
Date: Sat, 28 Jul 2007 18:55:56 +0200
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org, Ernst de Haan
Subject: Re: Mails from jails

Alexander Leidinger wrote:

> I have everything in 192.168.x.y on the NIC interface. So there's the
> possibility to connect to a jail from a different system on the same
> net. But as sendmail doesn't accept connections from somewhere else,
> only ssh and the service of this jail is accessible. I would be
> surprised if postfix is not able to bind to 127.0.0.x.

personally i remove sendmail (and exim) wherever i can and replace it
with postfix, i really like syntax and simplicity of a postfix install
and configuration

you can bind postfix to a certain ip-address (or "localhost" for that
matter) with the option (in main.cf)

inet_interfaces =