Date: Mon, 26 Jul 2004 16:27:25 -0700 (PDT)
From: Alex Melkomukov <amelkomukov@flexpop.net>
To: "Eric W. Bates" <ericx_lists@vineyard.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: chrooting Postfix+SASL+TLS
Message-ID: <Pine.BSI.4.10.10407261606500.11014-100000@pdx-s02.navi.net>
In-Reply-To: <4105733C.1080305@vineyard.net>
Hi Eric,

I think I finally have it working! Thanks a bunch for the clues. I've been at
this for a bit, but I think I finally have all the right pieces in place.

I had tried running saslauthd with the "-m /var/spool/postfix/var/state/saslauthd"
option before, with no luck. I even did the chown cyrus/chgrp mail commands on the
/var/spool/postfix/var/state/saslauthd directory for permissions, and was still
getting errors.

I even tried copying the needed SASL files into the chrooted directory, but
apparently it was not in the right location. I ended up copying the liblogin*,
libplain*, and smtpd.conf files (the only ones I need) from the
/usr/local/lib/sasl2 directory to the /var/spool/postfix/usr/local/lib/sasl2
directory, and everything started working.

To be complete, I also created the /var/spool/postfix/etc directory and copied the
'aliases.db', 'hosts', 'localtime', 'resolv.conf', and 'services' files from the
/etc directory.

There may be a couple of other things I had to do to make it all work in chroot,
but these were the 'major' steps I needed to take to make it all work.

Again, thanks a bunch for the tips Eric.

Alex M.

On Mon, 26 Jul 2004, Eric W. Bates wrote:

> You can chroot most of the processes as usual; but if you chroot the
> smtpd component you have to make sure that all the SASL components are
> readable in the chroot'ed tree.
>
> I have not tried it; but that certainly includes the saslauthd socket
> (normally: /var/state/saslauthd/mux); and probably the SASL config for
> postfix (normally: /usr/local/lib/sasl2/smtpd.conf). I don't remember
> whether the sasl library is statically linked or not. If it isn't, you
> will have to compile smtpd with a link-path that it will be able to
> reach when chroot'ed.
>
> Alex Melkomukov wrote:
> > Hello all,
> >
> > I tried posting to the FreeBSD Questions list with no luck. I figured I
> > would try this list to see if anyone has an answer/pointers for me to work
> > with.
> >
> > posted message:
> >
> > Hi all,
> >
> > Has anyone successfully set up Postfix to run chrooted with saslauthd?
> > I've been trying to get this to work for several days now and have run
> > out of ideas.
> >
> > Everything works fine non-chrooted, but as soon as I run
> > postfix/smtpd chrooted, I get the following messages in maillog:
> >
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from
> > yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from
> > yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication
> > failure: cannot connect to saslauthd server: No such file or directory
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]:
> > SASL LOGIN authentication failed
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in
> > network_biopair_interop with errno=0: num_read=0, want_read=5
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from
> > yyy[999.999.999.999]
> > Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from
> > yyy[999.999.999.999]
> >
> > Here is what I have installed:
> >
> > OS:
> >
> > FreeBSD 4.9-RELEASE
> >
> > ports installed:
> >
> > openssl-0.9.7d
> > cyrus-sasl-2.1.18
> > cyrus-sasl-saslauthd-2.1.18_1
> >
> > postfix installed from source with TLS patch applied:
> >
> > postfix-2.1.3
> > pfixtls-0.8.18-2.1.3-0.9.7d
> >
> > postfix chroot directory:
> >
> > /var/spool/postfix
> >
> > saslauthd startup options:
> >
> > /usr/local/sbin/saslauthd -a getpwent -m
> > /var/spool/postfix/var/state/saslauthd
> >
> > tls/sasl options in /etc/postfix/main.cf:
> >
> > # sasl config
> > #
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_local_domain =
> >
> > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, reject_unauth_destination
> >
> > # tls config
> > #
> > smtp_use_tls = yes
> > smtpd_use_tls = yes
> > smtp_tls_note_starttls_offer = yes
> > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> >
> > I have tried all kinds of tips from my archive searches and still no luck.
> >
> > Can anyone give me any pointers/instructions on how to run postfix
> > chrooted with saslauthd using FreeBSD 4.9?
> >
> > any advice will be appreciated.
> >
> > thanks in advance,
> >
> > Alex M.
> >
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
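The checklist Alex arrived at (PLAIN/LOGIN plugins and smtpd.conf under the chroot, the copied /etc files, and a saslauthd socket directory inside the chroot that saslauthd is pointed at with -m) as a small POSIX sh audit script. This is an added example, not code from the thread, and it assumes the FreeBSD paths used above (/usr/local/lib/sasl2, var/state/saslauthd relative to the chroot).

```shell
#!/bin/sh
# Added example (not from the thread): audit and populate a Postfix chroot for the
# pieces the thread found necessary for SASL auth in a chroot'ed smtpd. Assumes the
# FreeBSD paths from the thread: plugins in /usr/local/lib/sasl2, socket dir
# var/state/saslauthd under the chroot root.
# Files that must exist relative to the chroot root (names taken from the thread).
CHROOT_REQUIRED="etc/aliases.db etc/hosts etc/localtime etc/resolv.conf etc/services usr/local/lib/sasl2/smtpd.conf"

# Report every required piece missing from chroot $1; return 1 if any is missing.
check_postfix_chroot() {
    root=$1
    missing=0
    for rel in $CHROOT_REQUIRED; do
        if [ -L "$root/$rel" ]; then
            # A symlink to an absolute host path cannot be resolved inside the chroot.
            echo "symlink (unreachable once chroot'ed): $root/$rel"; missing=1
        elif [ ! -e "$root/$rel" ]; then
            echo "missing: $root/$rel"; missing=1
        fi
    done
    # At least one mechanism plugin (libplain*/liblogin*) must be inside the chroot.
    have_plugin=0
    for f in "$root"/usr/local/lib/sasl2/libplain* "$root"/usr/local/lib/sasl2/liblogin*; do
        if [ -e "$f" ]; then have_plugin=1; fi
    done
    if [ "$have_plugin" -eq 0 ]; then
        echo "missing: PLAIN/LOGIN plugin libraries in $root/usr/local/lib/sasl2"; missing=1
    fi
    # smtpd looks for the saslauthd mux socket relative to its chroot, so saslauthd
    # must be started with -m $root/var/state/saslauthd and that directory must exist.
    if [ ! -d "$root/var/state/saslauthd" ]; then
        echo "missing: $root/var/state/saslauthd (run saslauthd -m $root/var/state/saslauthd)"; missing=1
    elif [ ! -S "$root/var/state/saslauthd/mux" ]; then
        echo "note: no mux socket in $root/var/state/saslauthd (saslauthd not running?)"
    fi
    return $missing
}

# Create the skeleton and copy (never symlink) the host files that exist.
populate_postfix_chroot() {
    root=$1
    mkdir -p "$root/etc" "$root/usr/local/lib/sasl2" "$root/var/state/saslauthd"
    for rel in $CHROOT_REQUIRED; do
        if [ -f "/$rel" ]; then cp -p "/$rel" "$root/$rel"; fi
    done
    for f in /usr/local/lib/sasl2/libplain* /usr/local/lib/sasl2/liblogin*; do
        if [ -e "$f" ]; then cp -p "$f" "$root/usr/local/lib/sasl2/"; fi
    done
}
```

Run `check_postfix_chroot /var/spool/postfix` after populating; the ownership of the saslauthd directory (chown cyrus, chgrp mail in the thread) still has to be set by hand so the postfix user can traverse it.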