Date: Tue, 30 Nov 2021 08:53:12 +0000
From: Arthur Chance <freebsd@qeng-ho.org>
To: Dewayne Geraghty <dewayne@heuristicsystems.com.au>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: sendmail without root privs cannot bind.
Message-ID: <2de7a896-60ac-3b96-4b1d-a9c276d19b74@qeng-ho.org>
In-Reply-To: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au>
References: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au>
On 30/11/2021 08:42, Dewayne Geraghty wrote:
> Today I decided that it was time to move sendmail from root to an
> unprivileged user.
>
> Unfortunately I was blocked by
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
> Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP
> socket
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0
> opendaemonsocket: daemon ExtSSL4:
> server SMTP socket wedged: exiting (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting
>
> which was disappointing. It almost appears as though the
> security.mac.portacl.rules isn't being processed, but it is because we
> also have named and apache running with unpriv'ed accounts.
>
> Does anyone have sendmail running without root? My magical
> rubber-chicken doesn't seem to be working...
>
> How did I get here...
> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
> 2. changed permissions on /etc/mail /var/spool/mqueue ... to the same user
> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to
> security.mac.portacl.rules
> 4. rebooted the box

It's probably me misunderstanding, but how did you ensure
security.mac.portacl.rules had those settings after the reboot?

> 5. The failed daemon port happens to be
> DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14,
> M=Eaps, DeliveryMode=q') is one of 4 ports that we use for email, and
> fails on other ports when it's commented out. Interestingly when port 25
> was first in the DAEMON_OPTIONS list, it doesn't fail, but I can't be
> sure it was successful either.
>
> I chose smmsp as the user simply because it had the uid 25.
>
> Sendmail has been running within a jailed environment as root for a few
> years. The host is FreeBSD 12.2Stable from June 2021.
>
> I'd welcome any suggestions.
> Regards, Dewayne.
>

-- 
Nothing teaches one not to try to stamp out burning thermite quite like
real-life experience. — James Davis Nicoll
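As an added example, not part of this thread and not FreeBSD's own tooling, the POSIX sh script below checks the mac_portacl side of the setup described above: that every rule in the list is well formed per the idtype:id:protocol:port syntax of mac_portacl(4), that uid 25 is granted each tcp port the DAEMON_OPTIONS entries listen on, and, following Arthur's question, that the same rule list is carried in /etc/sysctl.conf so it is re-applied after a reboot. It also checks that net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh are set to 0 in that file, which the FreeBSD Handbook's mac_portacl instructions call for, since the kernel's reserved-port check otherwise refuses a non-root bind below 1024 before the MAC policy is consulted. The rule string and the sysctl.conf content are constructed samples embedded in the script; on a real host you would substitute `sysctl -n security.mac.portacl.rules` and the actual file, and the port list assumes the four daemons use 25, 465 and 587 as in the quoted configuration.

```shell
#!/bin/sh
# Added example: validate a mac_portacl rule list and its persistence.
# Rule syntax per mac_portacl(4): idtype:id:protocol:port, comma-separated.

# Constructed rule list mirroring the one quoted in the thread.
RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587'

# Constructed /etc/sysctl.conf content for the persistence check.
SYSCTL_CONF='kern.ipc.somaxconn=1024
security.mac.portacl.rules=uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0'

# portacl_rule_ok RULE -> 0 if RULE is idtype:id:proto:port with numeric id/port
portacl_rule_ok() {
    _rule=$1
    case "$_rule" in *:*:*:*:*|'') return 1 ;; esac   # too many fields, or empty
    _old_ifs=$IFS; IFS=':'
    set -- $_rule                                     # split into the four fields
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    case "$1" in uid|gid) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    case "$3" in tcp|udp) ;; *) return 1 ;; esac
    case "$4" in ''|*[!0-9]*) return 1 ;; esac
    [ "$4" -le 65535 ] || return 1
    return 0
}

# portacl_allows RULES IDTYPE ID PROTO PORT -> 0 if an exact rule grants it
portacl_allows() {
    _want="$2:$3:$4:$5"
    _old_ifs=$IFS; IFS=','
    for _r in $1; do
        if [ "$_r" = "$_want" ]; then IFS=$_old_ifs; return 0; fi
    done
    IFS=$_old_ifs
    return 1
}

# portacl_missing_ports RULES IDTYPE ID PROTO PORT... -> prints the ports not
# granted (space separated), returns 1 if any are missing
portacl_missing_ports() {
    _rules=$1; _idtype=$2; _id=$3; _proto=$4; shift 4
    _missing=''
    for _p in "$@"; do
        portacl_allows "$_rules" "$_idtype" "$_id" "$_proto" "$_p" || _missing="$_missing $_p"
    done
    echo "${_missing# }"
    [ -z "$_missing" ]
}

# sysctl_conf_value CONTENT KEY -> prints the value of KEY= in CONTENT (last wins)
sysctl_conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# portacl_persisted CONF RUNNING_RULES -> 0 if CONF carries the same rule list
portacl_persisted() {
    _conf_rules=$(sysctl_conf_value "$1" 'security.mac.portacl.rules')
    [ "$_conf_rules" = "$2" ]
}

# reserved_range_disabled CONF -> 0 if reservedlow and reservedhigh are both 0
reserved_range_disabled() {
    [ "$(sysctl_conf_value "$1" 'net.inet.ip.portrange.reservedlow')" = 0 ] &&
    [ "$(sysctl_conf_value "$1" 'net.inet.ip.portrange.reservedhigh')" = 0 ]
}

# Walk the constructed inputs and report anything a reboot would break.
main() {
    for _r in $(printf '%s' "$RULES" | tr ',' ' '); do
        portacl_rule_ok "$_r" || echo "malformed rule: $_r"
    done
    _miss=$(portacl_missing_ports "$RULES" uid 25 tcp 25 465 587) ||
        echo "uid 25 is not granted tcp ports: $_miss"
    portacl_persisted "$SYSCTL_CONF" "$RULES" ||
        echo "security.mac.portacl.rules is not persisted in sysctl.conf"
    reserved_range_disabled "$SYSCTL_CONF" ||
        echo "reserved port range still blocks non-root binds below 1024"
    echo "portacl check finished"
}
main
```

The checks are deliberately string-level so they can run offline; wiring them to a live host means replacing RULES with the running sysctl value and SYSCTL_CONF with the file contents, after which any line printed before "portacl check finished" points at the setting that will not survive the next boot.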