From: Arthur Chance <freebsd@qeng-ho.org>
To: Dewayne Geraghty, freebsd-questions@freebsd.org
Date: Tue, 30 Nov 2021 08:53:12 +0000
Subject: Re: sendmail without root privs cannot bind.
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 30/11/2021 08:42, Dewayne Geraghty wrote:
> Today I decided that it was time to move sendmail from root to an
> unprivileged user.
>
> Unfortunately I was blocked by
>
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
> Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP
> socket
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0
> opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting
>
> which was disappointing.  It almost appears as though the
> security.mac.portacl.rules isn't being processed, but it is because we
> also have named and apache running with unpriv'ed accounts.
>
> Does anyone have sendmail running without root?  My magical
> rubber-chicken doesn't seem to be working...
>
> How did I get here...
> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
> 2. changed permissions on /etc/mail /var/spool/mqueue ... to the same user
> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to
> security.mac.portacl.rules
> 4. rebooted the box

It's probably me misunderstanding, but how did you ensure
security.mac.portacl.rules had those settings after the reboot?

> 5. The failed daemon port happens to be
> DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14,
> M=Eaps, DeliveryMode=q') is one of 4 ports that we use for email, and
> fails on other ports when it's commented out.  Interestingly when port 25
> was first in the DAEMON_OPTIONS list, it doesn't fail, but I can't be
> sure it was successful either.
>
> I chose smmsp as the user simply because it had the uid 25.
>
> Sendmail has been running within a jailed environment as root for a few
> years.  The host is FreeBSD 12.2-STABLE from June 2021.
>
> I'd welcome any suggestions.
> Regards, Dewayne.
> --
> Nothing teaches one not to try to stamp out burning thermite quite like
> real-life experience. — James Davis Nicoll
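Added example, not written by either poster: a small sh script that turns the reboot question above into a check. It reads a sysctl.conf-style file for the mac_portacl(4) entries an unprivileged sendmail needs (security.mac.portacl.enabled=1 and one uid:<uid>:<tcp|udp>:<port> rule per listening port, comma separated in security.mac.portacl.rules) and, when run on a FreeBSD host, compares the same ports against the live sysctl. The rule syntax and the two sysctl names are from mac_portacl(4); the sample sysctl.conf contents, the uid 53 and uid 80 entries standing in for named and apache, and the deliberately missing 587 rule are constructed for the demonstration. It assumes the module itself is loaded at boot (mac_portacl_load="YES" in /boot/loader.conf) and does not check that.

```shell
#!/bin/sh
# Added example (not from the thread): verify the mac_portacl(4) settings an
# unprivileged sendmail needs, both as persisted in a sysctl.conf-style file
# and, on a FreeBSD box, in the running kernel.
#
# Rule syntax per mac_portacl(4), comma separated:
#   uid:<uid>:<tcp|udp>:<port>   or   gid:<gid>:<tcp|udp>:<port>

# portacl_allows RULES UID PROTO PORT
# Return 0 if RULES carries a uid entry letting UID bind PROTO/PORT, else 1.
portacl_allows() {
    pa_rules=$1 pa_uid=$2 pa_proto=$3 pa_port=$4
    pa_oldifs=$IFS
    IFS=','
    set -- $pa_rules            # split the rule string on commas only
    IFS=$pa_oldifs
    for pa_rule in "$@"; do
        case $pa_rule in
            uid:"$pa_uid":"$pa_proto":"$pa_port") return 0 ;;
        esac
    done
    return 1
}

# portacl_missing RULES UID PROTO PORT...
# Print every PROTO/PORT from the list that RULES does not allow UID to bind.
# Return 0 when nothing is missing, 1 otherwise.
portacl_missing() {
    pm_rules=$1 pm_uid=$2 pm_proto=$3
    shift 3
    pm_rc=0
    for pm_port in "$@"; do
        if ! portacl_allows "$pm_rules" "$pm_uid" "$pm_proto" "$pm_port"; then
            echo "missing rule: uid:$pm_uid:$pm_proto:$pm_port"
            pm_rc=1
        fi
    done
    return $pm_rc
}

# sysctl_conf_value FILE KEY
# Print the value persisted for KEY in FILE (last assignment wins, as
# sysctl(8) applies the file top to bottom); print nothing if absent.
sysctl_conf_value() {
    scv_key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*$scv_key=//p" "$1" | tail -n 1
}

# persisted_ok CONF UID PROTO PORT...
# Return 0 if CONF enables mac_portacl and has a rule for every listed port.
persisted_ok() {
    po_conf=$1
    shift
    if [ "$(sysctl_conf_value "$po_conf" security.mac.portacl.enabled)" != 1 ]; then
        echo "security.mac.portacl.enabled is not set to 1 in $po_conf"
        return 1
    fi
    portacl_missing "$(sysctl_conf_value "$po_conf" security.mac.portacl.rules)" "$@"
}

# Constructed sample of an /etc/sysctl.conf for a box running named (uid 53),
# apache (uid 80) and sendmail (uid 25); the 587 rule is left out on purpose.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# mac_portacl module is loaded from /boot/loader.conf (mac_portacl_load="YES")
security.mac.portacl.enabled=1
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53,uid:80:tcp:80,uid:25:tcp:25,uid:25:tcp:465
EOF

# 1. What will survive a reboot: the persisted file.
persisted_ok "$SAMPLE_CONF" 25 tcp 25 465 587 \
    || echo "fix $SAMPLE_CONF before rebooting"

# 2. What is in force right now: the live kernel (only on a FreeBSD host with
#    the module loaded; silently skipped elsewhere).
if sysctl -n security.mac.portacl.rules >/dev/null 2>&1; then
    portacl_missing "$(sysctl -n security.mac.portacl.rules)" 25 tcp 25 465 587 \
        || echo "running kernel lacks rules that sendmail needs"
fi
```

Run as-is it exercises the constructed sample and reports the missing 587 rule. On the box, persisted_ok /etc/sysctl.conf 25 tcp 25 465 587 before rebooting catches a rule that was only ever set with sysctl(8) by hand, and the live comparison at the end catches the opposite case: the file is right but the rules did not make it into the running kernel, which is exactly the situation that produces the "cannot bind: Permission denied" lines quoted above.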