From: Mike Meyer
To: Dirk Engling
Cc: hackers@freebsd.org
Date: Sun, 27 Aug 2006 00:46:50 -0400
Subject: Re: jails, cron and sendmail

In <20060827052733.F16322@erdgeist.org>, Dirk Engling typed:
> On Sat, 26 Aug 2006, Mike Meyer wrote:
> > Except some of the things run from cron want to send mail all on their
> > own, so fixing cron won't solve your problem.
> > Why are you running cron inside the jails at all? Are you letting your
> > users run it? If not, can you disable it, and instead run scripts from
> > your real crontab that do the appropriate things in each jail?
> It's not me, it's the OS running cron to do its periodic checks, per
> default.

That's just a default. You can change it by adding cron_enable="NO" to
/etc/rc.conf in each jail. So maybe the question should be "Why
haven't you turned off cron in the jails?"

> Daniel Gerzo already pointed out, how to solve that.

By checking periodic.conf? That doesn't prevent cron from sending
mail; that just turns off the periodic scripts that cron launches,
some of which also send mail.

> Still: FreeBSD's /etc/ assumes and provides a working mail subsystem in
> its default configuration. That exposes sendmail to the publicly visible
> IP address. Shutting the mail sub system off causes trouble.

In order: right, wrong and right. The default configuration doesn't
expose sendmail to the publicly visible IP address. The daemon it runs
only listens for connections to the localhost address.

> I hope, that describes my motivation to bring up the topic.

Well, it's a bit ambiguous. If your concern is that the default
configuration exposes sendmail on a public IP address, you're
wrong. If your concern is that default sendmail is exposed in jails,
then you need to fix that when you set up the jail. There are tools
around for setting up jails for a variety of uses, but I don't think
any are bundled with the system.

If your concern is that shutting off a subsystem can break things -
I'd say that's a *good* thing. One of the things that make Unix
powerful is that it assumes the user knows what they are doing. If
you've installed another mail package (there are a number of them in
the ports tree), then you want to turn off sendmail. If the system
assumed that you then no longer had a working mail system and shut
down everything that tried to send mail, it would be wrong.
Given the choice between a system that does exactly what I tell it to,
and one that second guesses me, makes changes behind my back, and
makes setting things up the way I want a PITA, I know which one I
want.

http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
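
An added example, not part of the message above or of FreeBSD itself: a host-side check that reports, for each jail root, whether cron and a sendmail listener are still enabled in that jail's rc.conf. The jail root paths are hypothetical; the sendmail knobs and the defaults used (cron_enable YES, sendmail_enable NO, sendmail_submit_enable YES) are assumed from the stock /etc/defaults/rc.conf and are not stated in the message.

```shell
#!/bin/sh
# Added example: audit jail roots for cron and sendmail rc.conf settings.
# The files are parsed with sed, never sourced: root inside a jail can
# write its own rc.conf, and sourcing it would run that text on the host.

# rc_knob ROOT KNOB DEFAULT -> effective value, upper-cased.
# The last assignment wins and rc.conf.local is read after rc.conf.
rc_knob() {
    _root=$1 _knob=$2 _val=$3
    for _f in "$_root/etc/rc.conf" "$_root/etc/rc.conf.local"; do
        [ -f "$_f" ] || continue
        # Commented-out lines do not match because of the ^ anchor.
        _hit=$(sed -n "s/^[[:space:]]*${_knob}=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$_f" | tail -n 1)
        [ -n "$_hit" ] && _val=$_hit
    done
    printf '%s\n' "$_val" | tr '[:lower:]' '[:upper:]'
}

# audit_jail ROOT -> "cron=<on|off> sendmail_listener=<on|off>"
audit_jail() {
    _cron=off _mta=off
    # Assumed default: cron runs unless cron_enable="NO" is set.
    [ "$(rc_knob "$1" cron_enable YES)" = YES ] && _cron=on
    # Assumed defaults: sendmail_enable=NO, sendmail_submit_enable=YES
    # (the localhost-only daemon); sendmail_enable=NONE disables all of it.
    _sm=$(rc_knob "$1" sendmail_enable NO)
    _sub=$(rc_knob "$1" sendmail_submit_enable YES)
    if [ "$_sm" = YES ]; then
        _mta=on
    elif [ "$_sm" != NONE ] && [ "$_sub" = YES ]; then
        _mta=on
    fi
    echo "cron=$_cron sendmail_listener=$_mta"
}

# Usage: sh audit.sh /usr/jails/www /usr/jails/db   (hypothetical paths)
for _jail in "$@"; do
    printf '%s: %s\n' "$_jail" "$(audit_jail "$_jail")"
done
```

A jail with no overrides in its rc.conf reports both as on, which is the state the thread is arguing about.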