From owner-freebsd-jail@FreeBSD.ORG Sat Jul 28 13:32:13 2007 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C49C016A419; Sat, 28 Jul 2007 13:32:13 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id 69ACE13C457; Sat, 28 Jul 2007 13:32:13 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A5734B.dip.t-dialin.net [84.165.115.75]) by redbull.bpaserver.net (Postfix) with ESMTP id 20C012E173; Sat, 28 Jul 2007 15:32:06 +0200 (CEST) Received: from webmail.leidinger.net (webmail.Leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 1BE8A5B4D87; Sat, 28 Jul 2007 15:29:53 +0200 (CEST) Received: (from www@localhost) by webmail.leidinger.net (8.13.8/8.13.8/Submit) id l6SDTqlH059363; Sat, 28 Jul 2007 15:29:52 +0200 (CEST) (envelope-from Alexander@Leidinger.net) Received: from proxy.Leidinger.net (proxy.Leidinger.net [192.168.1.103]) by webmail.leidinger.net (Horde MIME library) with HTTP; Sat, 28 Jul 2007 15:29:52 +0200 Message-ID: <20070728152952.zb7455nq4kkwwg0w@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Sat, 28 Jul 2007 15:29:52 +0200 From: Alexander Leidinger To: Ernst de Haan References: <20070727081952.wessjbs9vk00wk80@webmail.leidinger.net> <7CCDD6B6-B1CC-4BEB-B12B-163F6FB761DC@FreeBSD.org> In-Reply-To: <7CCDD6B6-B1CC-4BEB-B12B-163F6FB761DC@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.1.4) / FreeBSD-7.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-14.3, required 8, BAYES_00 -15.00, DKIM_POLICY_SIGNSOME 0.00, J_CHICKENPOX_34 0.60, RDNS_DYNAMIC 0.10) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No Cc: freebsd-jail@FreeBSD.org Subject: Re: Mails from jails X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Jul 2007 13:32:13 -0000 Quoting Ernst de Haan (from Fri, 27 Jul 2007 =20 15:07:51 +0200): > Alexander, > > >> In my jails at home I configured sendmail with a smarthost =20 >> (respectively a msp for the submit.mc) and use >> sendmail_enable=3D"NO" >> sendmail_submit_enable=3D"YES" >> in rc.conf. > > But this means you are running sendmail in each and every jail, right? As a submission daemon (on port 5xx), but not as a MTA/MDA on port 25. > Isn't it better to keep the services per jail to a minimum, excluding > services that are not necessarily required? Now you have the > much-exploited sendmail daemon running in every jail. Are you concerned about local exploits, or remote exploits? Do you =20 need to connect to it via a (local) network connection, or is is ok to =20 deliver via piping data into the executable? If the later, you can do =20 sendmail_submit_enable=3D"NO" in all jails. I could disable several of =20 those locally, but 'm not concerned about this as I use the jails as =20 some kind of consolidation feature with the nice property of being =20 able to move a service which is hosted in a jail (one service per =20 jail) to a different server with a rsync. As some services want to =20 connect to a port instead of using a local sendmail, I have the submit =20 daemon enabled by default and was lazy so far to change this... > I haven't found a complete solution yet, but I would expect to be able > to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not > on the external interface), allowing only connections from 127.0.0.255. > However, I just noticed in the rc.sendmail(8) man page that it > indicates this will not work: > http://www.freebsd.org/cgi/man.cgi?query=3Drc.sendmail&sektion=3D8 I have postfix running as my central smarthost/mailhub, and use =20 sendmail just as a way to deliver mails to it. I don't need to install =20 anything mail related into a jail (except for sendmail.cf and =20 submit.cf, but they are in my template). You don't even have to have =20 sendmail running as described above. > Then all the other jails could just run sSMTP, connecting to the ESMTP > service on the mail-jail, without AUTH (SASL) and SSL, just plain old > SMTP. For me sendmail as a client which conencts to my local postfix is safe =20 enough in my environment, no need to install additional software. >> My smarthost is postfix in another jail and it delivers via =20 >> TLS+sasl to a box with an official and static IP which is =20 >> responsible for the final delivery. > > So does the postfix daemon listen to an internal network address > (127.0.0.x)? If so, this comes pretty close to what I'm looking for. I have everything in 192.168.x.y on the NIC interface. So there's the =20 possibility to connect to a jail from a different system on the same =20 net. But as sendmail doesn't accept connections from somewhere else, =20 only ssh and the service of this jail is accessible. I would be =20 surprised if postfix is not able to bind to 127.0.0.x. Bye, Alexander. --=20 Measure twice, cut once. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137