Date: Thu, 23 Dec 2021 09:56:39 +0000 From: Francesco Toscan <f.toscan@hotmail.it> To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: Re: sendmail without root privs cannot bind. Message-ID: <PA4PR01MB7248C59AE5EAA53CEE0442FFFF7E9@PA4PR01MB7248.eurprd01.prod.exchangelabs.com> In-Reply-To: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au> References: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au>
Dewayne Geraghty <dewayne@heuristicsystems.com.au> wrote:

> Today I decided that it was time to move sendmail from root to an
> unprivileged user.

...

> Does anyone have sendmail running without root? My magical
> rubber-chicken doesn't seem to be working...

...

> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc

Last time I had a "working" non-root sendmail setup (well... kinda
working) I relied on RunAsUser.
Since there are many moving parts, I had to relax permissions
on queue directories, drop .forward files, forget about :include .

It was very tricky and I didn't really like it. The Sendmail textbook
discourages this practice. If I recall correctly, RunAsUser can't
make sendmail run as $user in daemon mode. You have to
run it that way by hand.
Btw, on FreeBSD sendmail is compiled with support for setreuid(2) and
the program drops privileges as soon as it can: mucking with
franken-sendmail I felt I was actually lowering the overall security.

> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to
> security.mac.portacl.rules

That should allow binding, but raise the debug level, at least -d2.9, and
investigate opened file descriptors.
Maybe some sendmail guru may chime in?

> Sendmail has been running within a jailed environment as root for a few
> years. The host is FreeBSD 12.2Stable from June 2021.

That's how I ended up. I used to run several "specialized" sendmail
instances in different jails, exposing the minimum set of features
needed for the task (i.e.: receive mail; content filtering; local delivery; send
mail outside).


Good luck,
f
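An added check, not part of the original message and not code from sendmail or FreeBSD: a POSIX sh script that parses a security.mac.portacl.rules string in the idtype:id:protocol:port format used in the thread and reports which of the ports a given uid needs are not yet covered. The sample rule string is the one quoted in the mail; the function names (portacl_allows, portacl_missing, live_report) and the port list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not sendmail/FreeBSD code): check whether a
# mac_portacl(4) rule string grants a uid the right to bind given tcp/udp ports.
# Rule format, as in the mail:  idtype:id:protocol:port[,idtype:id:protocol:port...]
# with idtype "uid" or "gid" and protocol "tcp" or "udp".

# Constructed sample: the rule string Dewayne added, verbatim.
SAMPLE_RULES="uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587"

# portacl_allows RULES IDTYPE ID PROTO PORT
# Returns 0 when one rule matches all four fields exactly, 1 otherwise.
portacl_allows() {
    pa_rest=$1 pa_idtype=$2 pa_id=$3 pa_proto=$4 pa_port=$5
    while [ -n "$pa_rest" ]; do
        # Peel one comma-separated rule off the front of the string.
        case $pa_rest in
            *,*) pa_rule=${pa_rest%%,*}; pa_rest=${pa_rest#*,} ;;
            *)   pa_rule=$pa_rest;       pa_rest= ;;
        esac
        # Split the rule on ':' into its four fields.
        r_idtype=${pa_rule%%:*}; pa_r=${pa_rule#*:}
        r_id=${pa_r%%:*};        pa_r=${pa_r#*:}
        r_proto=${pa_r%%:*};     r_port=${pa_r#*:}
        if [ "$r_idtype" = "$pa_idtype" ] && [ "$r_id" = "$pa_id" ] \
           && [ "$r_proto" = "$pa_proto" ] && [ "$r_port" = "$pa_port" ]; then
            return 0
        fi
    done
    return 1
}

# portacl_missing RULES IDTYPE ID PROTO PORT...
# Prints one line per port the rules do not cover; returns 0 only when all are covered.
portacl_missing() {
    pm_rules=$1 pm_idtype=$2 pm_id=$3 pm_proto=$4
    shift 4
    pm_missing=0
    for pm_port in "$@"; do
        if ! portacl_allows "$pm_rules" "$pm_idtype" "$pm_id" "$pm_proto" "$pm_port"; then
            echo "$pm_proto/$pm_port not permitted for $pm_idtype $pm_id"
            pm_missing=1
        fi
    done
    return $pm_missing
}

# live_report IDTYPE ID PORT...
# On FreeBSD only: read the active rule string with sysctl and show who owns the
# listening sockets (assumed port list). Elsewhere it does nothing.
live_report() {
    [ "$(uname)" = "FreeBSD" ] || return 0
    lr_idtype=$1 lr_id=$2
    shift 2
    lr_live=$(sysctl -n security.mac.portacl.rules)
    echo "active rules: $lr_live"
    portacl_missing "$lr_live" "$lr_idtype" "$lr_id" tcp "$@" || echo "rules incomplete"
    lr_ports=$(echo "$@" | tr ' ' ',')
    sockstat -4 -l -P tcp -p "$lr_ports"
}

# Demo against the constructed sample: the three submission ports are covered,
# so the first call is silent; the second reports the uncovered port.
if portacl_missing "$SAMPLE_RULES" uid 25 tcp 25 465 587; then
    echo "sample rules cover tcp 25, 465 and 587 for uid 25"
fi
portacl_missing "$SAMPLE_RULES" uid 25 tcp 2525 || echo "sample rules incomplete for tcp 2525"
live_report uid 25 25 465 587
```

The live part only runs when uname reports FreeBSD: it reads the rule string that is actually in force with sysctl -n security.mac.portacl.rules and lists the listening tcp sockets with sockstat so the owning user of each bound port can be compared with the uid the rule names.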