Date: Sat, 28 Jul 2007 15:29:52 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Ernst de Haan <znerd@FreeBSD.org>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Mails from jails
Message-ID: <20070728152952.zb7455nq4kkwwg0w@webmail.leidinger.net>
In-Reply-To: <7CCDD6B6-B1CC-4BEB-B12B-163F6FB761DC@FreeBSD.org>
References: <F3EEF171-8B44-47CC-AF0B-8012D8D3D362@FreeBSD.org> <20070727081952.wessjbs9vk00wk80@webmail.leidinger.net> <7CCDD6B6-B1CC-4BEB-B12B-163F6FB761DC@FreeBSD.org>

Quoting Ernst de Haan <znerd@FreeBSD.org> (from Fri, 27 Jul 2007 15:07:51 +0200):

> Alexander,
>
>> In my jails at home I configured sendmail with a smarthost
>> (respectively a msp for the submit.mc) and use
>> sendmail_enable="NO"
>> sendmail_submit_enable="YES"
>> in rc.conf.
>
> But this means you are running sendmail in each and every jail, right?

As a submission daemon (on port 5xx), but not as a MTA/MDA on port 25.

> Isn't it better to keep the services per jail to a minimum, excluding
> services that are not necessarily required? Now you have the
> much-exploited sendmail daemon running in every jail.

Are you concerned about local exploits, or remote exploits? Do you need to connect to it via a (local) network connection, or is it ok to deliver via piping data into the executable? If the latter, you can do sendmail_submit_enable="NO" in all jails. I could disable several of those locally, but I'm not concerned about this as I use the jails as some kind of consolidation feature with the nice property of being able to move a service which is hosted in a jail (one service per jail) to a different server with a rsync. As some services want to connect to a port instead of using a local sendmail, I have the submit daemon enabled by default and was lazy so far to change this...

> I haven't found a complete solution yet, but I would expect to be able
> to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not
> on the external interface), allowing only connections from 127.0.0.255.
> However, I just noticed in the rc.sendmail(8) man page that it
> indicates this will not work:
> http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8

I have postfix running as my central smarthost/mailhub, and use sendmail just as a way to deliver mails to it. I don't need to install anything mail related into a jail (except for sendmail.cf and submit.cf, but they are in my template). You don't even have to have sendmail running as described above.

> Then all the other jails could just run sSMTP, connecting to the ESMTP
> service on the mail-jail, without AUTH (SASL) and SSL, just plain old
> SMTP.

For me sendmail as a client which connects to my local postfix is safe enough in my environment, no need to install additional software.

>> My smarthost is postfix in another jail and it delivers via
>> TLS+sasl to a box with an official and static IP which is
>> responsible for the final delivery.
>
> So does the postfix daemon listen to an internal network address
> (127.0.0.x)? If so, this comes pretty close to what I'm looking for.

I have everything in 192.168.x.y on the NIC interface. So there's the possibility to connect to a jail from a different system on the same net. But as sendmail doesn't accept connections from somewhere else, only ssh and the service of this jail is accessible. I would be surprised if postfix is not able to bind to 127.0.0.x.

Bye,
Alexander.

-- 
Measure twice, cut once.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
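The exchange above turns on two checks a jail administrator would want to script: which sendmail mode a jail's rc.conf actually selects (full MTA, submit-only daemon, or none), and whether any SMTP listener is bound to a network address rather than loopback. The following POSIX shell is an added example written for this page, not code from either poster or from FreeBSD; the rc.conf text and the sockstat(1)-style listing it reads are constructed sample input, and the function names (`rc_knob`, `mail_mode`, `exposed_smtp`) are this example's own. It assumes the /etc/defaults/rc.conf defaults of `sendmail_enable="NO"` and `sendmail_submit_enable="YES"`, which is why a jail that never mentions sendmail still ends up running the submit daemon, as Alexander notes.

```shell
#!/bin/sh
# Added example: audit a jail's sendmail rc.conf knobs and check that no
# SMTP listener is reachable beyond loopback. Sample input is constructed.

# Constructed rc.conf of one jail (only the knobs that matter here).
SAMPLE_RC_CONF='hostname="www.example.org"
sendmail_enable="NO"
sendmail_submit_enable="YES"
sshd_enable="YES"'

# Constructed host-side "sockstat -4l" style output, one line per listener:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='root     sendmail   1234 4  tcp4   127.0.0.1:25     *:*
root     sshd       1111 3  tcp4   192.168.1.10:22  *:*
postfix  master     2222 12 tcp4   192.168.1.20:25  *:*'

# rc_knob VAR DEFAULT TEXT: value of VAR in rc.conf-style TEXT (last assignment
# wins, quotes stripped), or DEFAULT when the knob is not set at all.
rc_knob() {
    _val=$(printf '%s\n' "$3" \
        | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*$/\1/p" | tail -n 1)
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$2"; fi
}

# mail_mode TEXT: "mta" (sendmail_enable=YES), "submit-only" (only the
# localhost submission daemon), or "none". Defaults follow /etc/defaults/rc.conf
# (assumed here): sendmail_enable=NO, sendmail_submit_enable=YES.
mail_mode() {
    case "$(rc_knob sendmail_enable NO "$1")" in
        [Yy][Ee][Ss]) printf 'mta\n'; return ;;
    esac
    case "$(rc_knob sendmail_submit_enable YES "$1")" in
        [Yy][Ee][Ss]) printf 'submit-only\n' ;;
        *) printf 'none\n' ;;
    esac
}

# exposed_smtp TEXT: print "COMMAND ADDR:PORT" for every IPv4 TCP listener on
# port 25 or 587 whose address is not 127.x.x.x; prints nothing when clean.
# Only tcp4 rows are examined, so IPv6 listeners would need a separate check.
exposed_smtp() {
    printf '%s\n' "$1" | awk '$5 == "tcp4" {
        n = split($6, a, ":"); addr = a[1]; port = a[n];
        if ((port == 25 || port == 587) && addr !~ /^127\./) print $2, $6
    }'
}

main() {
    printf 'sendmail mode from rc.conf: %s\n' "$(mail_mode "$SAMPLE_RC_CONF")"
    exposed=$(exposed_smtp "$SAMPLE_SOCKSTAT")
    if [ -n "$exposed" ]; then
        printf 'SMTP listener bound to a network address:\n%s\n' "$exposed"
    else
        printf 'no SMTP listener exposed beyond loopback\n'
    fi
}
main
```

On the sample input the rc.conf yields "submit-only" and the listing flags only the postfix master on 192.168.1.20:25, which is exactly the case discussed in the thread: the loopback-bound sendmail submission daemon is not reachable from the net, while a smarthost bound to the NIC address is, and would need either a 127.0.0.x binding or firewall rules in front of it. On a real host, replace the two constants with `cat /etc/rc.conf` of the jail and the output of `sockstat -4l`.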