From: Dewayne Geraghty
To: freebsd-questions@freebsd.org
Subject: sendmail without root privs cannot bind.
Date: Tue, 30 Nov 2021 19:42:18 +1100
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Today I decided that it was time to move sendmail from root to an unprivileged user.
Unfortunately I was blocked by

Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0 opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP socket
Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0 opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting (hold)
Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting

which was disappointing.  It almost appears as though the security.mac.portacl.rules isn't being processed, but it is, because we also have named and apache running with unpriv'ed accounts.

Does anyone have sendmail running without root?  My magical rubber-chicken doesn't seem to be working...

How did I get here...

1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
2. Changed permissions on /etc/mail /var/spool/mqueue ... to the same user
3. Added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to security.mac.portacl.rules
4. Rebooted the box
5. The failed daemon port happens to be DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14, M=Eaps, DeliveryMode=q'), which is one of 4 ports that we use for email, and it fails on other ports when this one is commented out.  Interestingly, when port 25 was first in the DAEMON_OPTIONS list, it didn't fail, but I can't be sure it was successful either.

I chose smmsp as the user simply because it had the uid 25.

Sendmail has been running within a jailed environment as root for a few years.  The host is FreeBSD 12.2-STABLE from June 2021.

I'd welcome any suggestions.

Regards, Dewayne.
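An added example, not part of Dewayne's post and not code from sendmail or FreeBSD: a POSIX sh check that compares a mac_portacl(4) rule list, in the exact idtype:id:proto:port[,...] syntax the security.mac.portacl.rules sysctl takes, against the ports a daemon must bind, and reports which ports no uid or gid rule covers. The rule list and the port set (uid 25, tcp 25/465/587) are taken from the post; the function names, the extra port 2525 used in the checks, and the host-report helper are mine. The helper only reads live sysctls when the OID exists, so the rest runs offline anywhere. It also looks at net.inet.ip.portrange.reservedlow and reservedhigh, which mac_portacl(4) and the Handbook's portacl example set to 0 so that the ordinary reserved-port check does not pre-empt the policy on ports below port_high (1023 by default). Entries are compared literally, so stray whitespace in a rule shows up as an uncovered port rather than being silently accepted.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a mac_portacl(4)
# rule list covers every port a daemon must bind as an unprivileged user.
# Rule syntax is the one security.mac.portacl.rules takes:
#   idtype:id:proto:port[,idtype:id:proto:port...]     e.g. uid:25:tcp:465

# portacl_allows RULES IDTYPE ID PROTO PORT
# Exit 0 if RULES contains the exact entry IDTYPE:ID:PROTO:PORT, else 1.
# Entries are compared literally (no whitespace trimming): a malformed entry
# that the kernel would not match must not look covered here either.
portacl_allows() {
    _want="$2:$3:$4:$5"
    _rest="$1,"                      # trailing comma terminates the loop
    while [ -n "$_rest" ]; do
        _entry=${_rest%%,*}
        _rest=${_rest#*,}
        [ "$_entry" = "$_want" ] && return 0
    done
    return 1
}

# portacl_missing RULES UID GID PROTO PORT...
# Print (space separated) the ports that neither a uid rule nor a gid rule
# permits; exit 0 when every port is covered, 1 otherwise.
portacl_missing() {
    _r=$1 _u=$2 _g=$3 _p=$4
    shift 4
    _missing=
    for _port in "$@"; do
        portacl_allows "$_r" uid "$_u" "$_p" "$_port" && continue
        portacl_allows "$_r" gid "$_g" "$_p" "$_port" && continue
        _missing="$_missing${_missing:+ }$_port"
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# portacl_host_report UID GID PROTO PORT...
# On a FreeBSD host with mac_portacl loaded, read the live rule list and the
# two portrange sysctls and report problems. Silent (exit 0) when the OID is
# absent, e.g. mac_portacl.ko not loaded or not a FreeBSD host.
portacl_host_report() {
    _live=$(sysctl -n security.mac.portacl.rules 2>/dev/null) || return 0
    if ! _miss=$(portacl_missing "$_live" "$@"); then
        echo "uncovered ports in security.mac.portacl.rules: $_miss"
    fi
    # mac_portacl only decides ports up to security.mac.portacl.port_high
    # (1023 by default), and the classic reserved-port check still runs
    # unless both of these are 0 (as in the Handbook's portacl example).
    for _oid in net.inet.ip.portrange.reservedlow net.inet.ip.portrange.reservedhigh; do
        _v=$(sysctl -n "$_oid" 2>/dev/null) || continue
        [ "$_v" = 0 ] || echo "$_oid=$_v (must be 0 for portacl to govern low ports)"
    done
}

# Constructed from the post: the rules added for uid 25 (smmsp) and the
# three ports sendmail's DAEMON_OPTIONS lines bind.
POST_RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587'

if _demo=$(portacl_missing "$POST_RULES" 25 25 tcp 25 465 587); then
    echo "rules cover tcp 25/465/587 for uid 25"
else
    echo "uncovered ports: $_demo"
fi
portacl_host_report 25 25 tcp 25 465 587
```

Run it as root on the host (and from inside the jail, since the policy is enforced by the host kernel against the jailed process's uid) to compare the rules the kernel actually holds with the listeners sendmail is configured for; a port that comes back as uncovered is the one sendmail will log "cannot bind: Permission denied" for.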