Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Jul 2004 16:27:25 -0700 (PDT)
From:      Alex Melkomukov <amelkomukov@flexpop.net>
To:        "Eric W. Bates" <ericx_lists@vineyard.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: chrooting Postfix+SASL+TLS
Message-ID:  <Pine.BSI.4.10.10407261606500.11014-100000@pdx-s02.navi.net>
In-Reply-To: <4105733C.1080305@vineyard.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi Eric,

I think I finally have it working!  Thanks a bunch for the clues.  I've
been at this for a bit, but I think I finally have the all the right
pieces in place.

I had tried running saslauthd with the "-m
/var/spool/postfix/var/state/saslauthd" option before, with no luck.  I
even did the chown cyrus/chgrp mail commands on the
/var/spool/postfix/var/state/saslauthd directory for permissions, and was
still getting errors.  

I even tried copying the needed SASL files into
the chrooted directory, but apparently it was not in the right location.
I ended up copying the liblogin*, libplain*, and smtpd.conf files (the
only ones I need) from the /usr/local/lib/sasl2 directory to the
/var/spool/postfix/usr/local/lib/sasl2 directory, and everything started
working.

To be complete, I also created the /var/spool/postfix/etc directory and
copied the 'aliases.db', 'hosts', 'localtime', 'resolv.conf', and
'services' files from the /etc directory.  There may be a couple of other
things I had to do make it all work in chroot, but these were the 'major'
steps I needed to take to make it all work.

Again, thanks a bunch for the tips Eric.

Alex M.

On Mon, 26 Jul 2004, Eric W. Bates wrote:

> You can chroot most of the processes as usual; but if you chroot the 
> smtpd component you have to make sure that all the SASL components are 
> readable in the chroot'ed tree.
> 
> I have not tried it; but that certainly includes the saslauthd socket 
> (normally: /var/state/saslauthd/mux); and probably the SASL config for 
> postfix (normally: /usr/local/lib/sasl2/smtpd.conf.  I don't remember 
> whether the sasl library is statically linked or not.  If it isn't, you 
> will have to compile smtpd with a link-path that it will be able to 
> reach when chroot'ed.
> 
> Alex Melkomukov wrote:
> > Hello all,
> > 
> > I tried posting to the FreeBSD Questions list with no luck.  I figured I
> > would try this list to see if anyone has an answer/pointers for me to work
> > with.
> > 
> > posted message:
> > 
> > Hi all,
> > 
> > Has anyone successfully set up Postfix to run chrooted with saslauthd?
> > I've been trying to get this to work for several days now and have run
> > out of ideas.
> > 
> > Everything works fine non-chrooted, but as soon as I run
> > postfix/smtpd chrooted, I get the following messages in maillog:
> > 
> > 
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from
> > yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from
> > yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication
> > failure: cannot connect to saslauthd server: No such file or directory
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]:
> > SASL LOGIN authentication failed
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in
> > network_biopair_interop with errno=0: num_read=0, want_read=5
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from
> > yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from
> > yyy[999.999.999.999]
> > 
> > 
> > Here is what I have installed:
> > 
> > OS:
> > 
> > FreeBSD 4.9-RELEASE
> > 
> > 
> > 
> > ports installed:
> > 
> > openssl-0.9.7d
> > cyrus-sasl-2.1.18
> > cyrus-sasl-saslauthd-2.1.18_1
> > 
> > 
> > postfix installed from source with TLS patch applied:
> > 
> > postfix-2.1.3
> > pfixtls-0.8.18-2.1.3-0.9.7d
> > 
> > 
> > postfix chroot directory:
> > 
> > /var/spool/postfix
> > 
> > 
> > saslauthd startup options:
> > 
> > /usr/local/sbin/saslauthd -a getpwent -m
> > /var/spool/postfix/var/state/saslauthd
> > 
> > 
> > tls/sasl options in /etc/postfix/main.cf:
> > 
> > # sasl config
> > #
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_local_domain =
> > 
> > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, reject_unauth_destination
> > 
> > # tls config
> > #
> > smtp_use_tls = yes
> > smtpd_use_tls = yes
> > smtp_tls_note_starttls_offer = yes
> > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> > 
> > 
> > I have tried all kinds of tips from my archive searches and still no luck.
> > 
> > Can anyone give me any pointers/instructions on how to run postfix
> > chrooted with saslauthd using FreeBSD 4.9?
> > 
> > any advice will be appreciated.
> > 
> > thanks in advance,
> > 
> > Alex M.
> > 
> > 
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.4.10.10407261606500.11014-100000>