Date: Wed, 1 Dec 2021 14:38:57 +1100
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: "questions@FreeBSD.org" <questions@freebsd.org>
Subject: Re: sendmail without root privs cannot bind.
Message-ID: <e8aec8ba-c787-82db-166f-6206dfb665d8@heuristicsystems.com.au>
In-Reply-To: <CA%2Bg%2BBvhBR3OHK92BNN_jcNA5ofXDBDq65=O=aTgXB25hHsG4AA@mail.gmail.com>
References: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au> <2de7a896-60ac-3b96-4b1d-a9c276d19b74@qeng-ho.org> <fef4cc77-ffc2-e78a-06af-71a9dd57e73f@heuristicsystems.com.au> <CA%2Bg%2BBvh%2BdzEszgriRQ0mcQoko%2Bkt3GO8CMiVyvxQT0sabzH8tA@mail.gmail.com> <CA%2Bg%2BBvhBR3OHK92BNN_jcNA5ofXDBDq65=O=aTgXB25hHsG4AA@mail.gmail.com>

On 1/12/2021 1:17 pm, Olivier Nicole wrote:
> Dewayne,
>
>>> Thanks Arthur. I'm unsure, but I manually stopped sendmail and set
>>> security.mac.portacl.rules, then restarted. Though I did verify
>>> security.mac.portacl.port_high which needed to be increased to catch
>>> 587. The problem remains elusive and I'm out of ideas. :(
>>
>> Maybe it would help if you could provide the running configuration for
>> all the security.mac.portal.
>>
>> Also, you should not need a reboot, restarting sendmail should be enough.
> Sorry, I should have posted to FreeBSD list, not to you.
>
> And also, I think that Apache and named start as root and only change
> user after they bound to their respective ports.
>
> And I think that security.mac.portacl.port_high should be 1023, so I
> don't see a need to "increase it to 587".
>
> Best regards,
>
> Olivier

Hi Olivier. It's been too long since I started to set up machines without
privs that I don't recall which applications drop privs. My setups have
been stable for a few years, apart from updates :)

To your questions - I'd previously set security.mac.portacl.port_high to
446, so in my case I did need to increase. ;)

# sysctl security.mac.portacl
security.mac.portacl.rules: uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443
security.mac.portacl.port_high: 588
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

Sendmail's RELEASE_NOTES suggest that running as non-root is possible,
though perhaps only as a relay, over port 25?

Kind regards, Dewayne
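
An added example, not part of the original message: a POSIX sh model of how the security.mac.portacl settings quoted above decide a bind request, including the port_high cut-off discussed in the thread. The function name portacl_check is hypothetical, the superuser is approximated as uid 0, and only mac_portacl's own decision is modelled, not any other kernel check.

```shell
#!/bin/sh
# Added example: models the mac_portacl settings quoted in the message.
# The values below are copied from that sysctl output.
RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443'
PORT_HIGH=588
AUTOPORT_EXEMPT=1
SUSER_EXEMPT=1

# portacl_check UID GID PROTO PORT   (hypothetical helper name)
# Prints "exempt: <why>", "allow: <rule>" or "deny: <why>"; returns 1 on deny.
# Assumptions: superuser is modelled as uid 0, and gid rules are compared
# against the single GID passed in (no supplementary groups).
portacl_check() {
    p_uid=$1 p_gid=$2 p_proto=$3 p_port=$4
    if [ "$p_port" -eq 0 ] && [ "$AUTOPORT_EXEMPT" -ne 0 ]; then
        echo "exempt: automatic port selection"; return 0
    fi
    # Rules are only enforced for ports up to and including port_high.
    if [ "$p_port" -gt "$PORT_HIGH" ]; then
        echo "exempt: port above port_high=$PORT_HIGH"; return 0
    fi
    old_ifs=$IFS
    IFS=,
    for rule in $RULES; do
        IFS=:
        set -- $rule                      # idtype id protocol port
        IFS=,
        [ "$#" -eq 4 ] || continue        # skip malformed entries
        [ "$3" = "$p_proto" ] || continue
        [ "$4" -eq "$p_port" ] || continue
        case $1 in
            uid) [ "$2" -eq "$p_uid" ] || continue ;;
            gid) [ "$2" -eq "$p_gid" ] || continue ;;
            *)   continue ;;
        esac
        IFS=$old_ifs
        echo "allow: $rule"; return 0
    done
    IFS=$old_ifs
    if [ "$p_uid" -eq 0 ] && [ "$SUSER_EXEMPT" -ne 0 ]; then
        echo "exempt: superuser"; return 0
    fi
    echo "deny: no rule for $p_proto/$p_port as uid $p_uid"; return 1
}

portacl_check 25 25 tcp 587 || true                 # submission port, uid 25
portacl_check 25 25 tcp 143 || true                 # no rule for this port
(PORT_HIGH=446; portacl_check 25 25 tcp 587) || true  # earlier port_high value
```

With port_high at 446, the rule for port 587 is never consulted because the port lies outside the range the policy enforces.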