Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Jun 2018 09:48:52 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        freebsd-questions@freebsd.org
Subject:   Re: Posfix and Amavisd-new in FreeBSD jail
Message-ID:  <944fff0f-6064-ccbb-a36b-f11752aaf2f7@kicp.uchicago.edu>
In-Reply-To: <4c9d4c7bcb994b1e086ae55ebd0f64b3.squirrel@webmail.harte-lyne.ca>
References:  <4c9d4c7bcb994b1e086ae55ebd0f64b3.squirrel@webmail.harte-lyne.ca>

next in thread | previous in thread | raw e-mail | index | archive | help


On 06/28/18 08:35, James B. Byrne via freebsd-questions wrote:
> Dose anyone on the list run Postfix with amavisd inside a FreeBSD
> jail? 

On larger servers I switched to maia (to the contrary to what I said 
earlier, one can configure and run it, not not only the way port 
maintainer has it, Thanks to port maintainer !!). One of the servers 
fully running in jail may at some point get passed to the project owner 
to [co]-administer it, for this reason it has 
postfix+clamav+spamassassin+amavisd

> I am running into this problem:
> 
> /usr/local/sbin/amavisd[42231]: (!)DENIED ACCESS from IP 127.0.32.1,
> policy bank ''

In my case jail has localhost IP 127.0.0.1, but I set jails "by the 
book", I do not use any scripts like ezjail... jail doesn't need to talk 
to localhos of host system. You may want to go though

/usr/local/etc/amavisd.conf
/usr/local/etc/postfix/master.cf
( and maybe /usr/local/etc/postfix/main.cf, depending on how you have 
amavis harnessed in postfix)

and change localhost's IP referenced in their configurations to 127.0.32.1

(like in master.cf:

smtp      inet  n       -       n       -       -       smtpd
         -o content_filter=smtp-amavis:[127.0.32.1]:10024
)

check that that IP is covered in amavis access control list in 
/usr/local/etc/amavisd.conf:

@inet_acl = qw( 127.0.0.0/8 [::1] ... )

and you can test them one at a time from shell in that jail by

telnet 127.0.32.1 10024

and do all SMTP commands, see where you are thrown out.

I hope, this helps.

Valeri

> 
> The cloned lo interface used by the jail is assigned address 127.0.32.1:
> 
> lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> 	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
> 	inet 127.0.32.1 netmask 0xffffffff
> 	inet6 ::32 prefixlen 128
> 	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> 	groups: lo
> 
> The postfix and amavisd configuration files refer only to 127.0.0.1
> 
> The hosts file contains this:
> 
> ::1               localhost localhost.harte-lyne.ca
> 127.0.0.1         localhost localhost.harte-lyne.ca
> 
> Does anyone have this working properly inside a jail.  What do I need
> to do to get it to work?
> 
> 
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?944fff0f-6064-ccbb-a36b-f11752aaf2f7>