Date: Mon, 26 Jul 2004 17:10:20 -0400
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: Alex Melkomukov <amelkomukov@flexpop.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: chrooting Postfix+SASL+TLS
Message-ID: <4105733C.1080305@vineyard.net>
In-Reply-To: <Pine.BSI.4.10.10407261114580.26960-100000@pdx-s02.navi.net>
References: <Pine.BSI.4.10.10407261114580.26960-100000@pdx-s02.navi.net>

You can chroot most of the processes as usual; but if you chroot the smtpd
component you have to make sure that all the SASL components are readable
in the chroot'ed tree.

I have not tried it; but that certainly includes the saslauthd socket
(normally: /var/state/saslauthd/mux); and probably the SASL config for
postfix (normally: /usr/local/lib/sasl2/smtpd.conf).

I don't remember whether the sasl library is statically linked or not. If
it isn't, you will have to compile smtpd with a link-path that it will be
able to reach when chroot'ed.

Alex Melkomukov wrote:
> Hello all,
>
> I tried posting to the FreeBSD Questions list with no luck. I figured I
> would try this list to see if anyone has an answer/pointers for me to work
> with.
>
> posted message:
>
> Hi all,
>
> Has anyone successfully set up Postfix to run chrooted with saslauthd?
> I've been trying to get this to work for several days now and have run
> out of ideas.
>
> Everything works fine non-chrooted, but as soon as I run
> postfix/smtpd chrooted, I get the following messages in maillog:
>
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from
> yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from
> yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication
> failure: cannot connect to saslauthd server: No such file or directory
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]:
> SASL LOGIN authentication failed
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in
> network_biopair_interop with errno=0: num_read=0, want_read=5
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from
> yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from
> yyy[999.999.999.999]
>
> Here is what I have installed:
>
> OS:
>
> FreeBSD 4.9-RELEASE
>
> ports installed:
>
> openssl-0.9.7d
> cyrus-sasl-2.1.18
> cyrus-sasl-saslauthd-2.1.18_1
>
> postfix installed from source with TLS patch applied:
>
> postfix-2.1.3
> pfixtls-0.8.18-2.1.3-0.9.7d
>
> postfix chroot directory:
>
> /var/spool/postfix
>
> saslauthd startup options:
>
> /usr/local/sbin/saslauthd -a getpwent -m
> /var/spool/postfix/var/state/saslauthd
>
> tls/sasl options in /etc/postfix/main.cf:
>
> # sasl config
> #
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
>
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
>
> # tls config
> #
> smtp_use_tls = yes
> smtpd_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> I have tried all kinds of tips from my archive searches and still no luck.
>
> Can anyone give me any pointers/instructions on how to run postfix
> chrooted with saslauthd using FreeBSD 4.9?
>
> any advice will be appreciated.
>
> thanks in advance,
>
> Alex M.
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
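
The requirement in the reply above, that every SASL path smtpd opens must exist relative to the chroot root, can be checked mechanically. The script below is an added example, not part of the original thread: it resolves each path the way a chrooted process would (absolute symlink targets and ".." are re-rooted at the chroot) and reports what is missing. The script name and function names are hypothetical, and readlink(1) is assumed to be available.

```sh
#!/bin/sh
# Added example: can a process chrooted to ROOT open these paths?
# e.g. sh chroot_check.sh /var/spool/postfix /var/state/saslauthd/mux \
#          /usr/local/lib/sasl2/smtpd.conf
# (chroot_check.sh and both function names are hypothetical; assumes readlink(1))

# resolve_in_chroot ROOT PATH
# Walk PATH one component at a time as the chrooted process would: absolute
# symlink targets restart at ROOT and ".." stops at ROOT. Prints the host-side
# path PATH lands on; returns 1 if a component is missing or links loop.
resolve_in_chroot() {
    root=${1%/}; rest=${2#/}; cur=""; hops=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        case $comp in
            ""|.) continue ;;
            ..)   cur=${cur%/*}; continue ;;
        esac
        if [ -L "$root$cur/$comp" ]; then
            hops=$((hops + 1)); [ "$hops" -le 16 ] || return 1
            target=$(readlink "$root$cur/$comp")
            case $target in /*) cur="" ;; esac
            rest="${target#/}${rest:+/$rest}"
            continue
        fi
        cur="$cur/$comp"
        [ -e "$root$cur" ] || return 1
    done
    printf '%s\n' "$root$cur"
}

# check_chroot ROOT PATH...
# One report line per PATH; exit status is the number of unreachable paths.
check_chroot() {
    jail=$1; shift; missing=0
    for p in "$@"; do
        if host=$(resolve_in_chroot "$jail" "$p"); then
            echo "ok      $p -> $host"
        else
            echo "MISSING $p (not reachable under $jail)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

if [ "$#" -gt 0 ]; then check_chroot "$@"; fi
```

This checks existence only; whether the postfix user can read each path, and whether the shared libraries mentioned in the reply are reachable, still has to be verified separately.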