Date: Tue, 30 Nov 2021 19:42:18 +1100
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: sendmail without root privs cannot bind.
Message-ID: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au>
Today I decided that it was time to move sendmail from root to an unprivileged user. Unfortunately I was blocked by

    Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0 opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
    Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
    Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP socket
    Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0 opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting (hold)
    Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting

which was disappointing. It almost appears as though the security.mac.portacl.rules isn't being processed, but it is, because we also have named and apache running with unpriv'ed accounts.

Does anyone have sendmail running without root? My magical rubber-chicken doesn't seem to be working...

How did I get here...

1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
2. Changed permissions on /etc/mail /var/spool/mqueue ... to the same user
3. Added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to security.mac.portacl.rules
4. Rebooted the box
5. The failed daemon port, DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14, M=Eaps, DeliveryMode=q'), is one of 4 ports that we use for email, and it fails on other ports when it's commented out. Interestingly, when port 25 was first in the DAEMON_OPTIONS list it doesn't fail, but I can't be sure it was successful either.

I chose smmsp as the user simply because it had the uid 25. Sendmail has been running within a jailed environment as root for a few years. The host is FreeBSD 12.2Stable from June 2021.

I'd welcome any suggestions.

Regards, Dewayne.
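An added example, not from the post or the FreeBSD project, that cross-checks the two settings the post relies on: it pulls every active Port= out of the DAEMON_OPTIONS lines of a sendmail.mc and reports which of them lack a matching uid:UID:tcp:PORT entry in a security.mac.portacl.rules string. The sendmail.mc content below is constructed; the rule syntax is the one used in the post, and the reserved-range check assumes the net.inet.ip.portrange.reservedlow/reservedhigh sysctls that mac_portacl(4) says must be 0 for the policy to govern low ports.

```shell
#!/bin/sh
# Constructed sample sendmail.mc fragment (one daemon commented out with dnl).
sample_mc() {
cat <<'EOF'
DAEMON_OPTIONS(`Name=MTA4,Addr=10.0.7.91, Port=25, M=E, DeliveryMode=q')dnl
DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14, M=Eaps, DeliveryMode=q')dnl
DAEMON_OPTIONS(`Name=MSA4,Addr=10.0.7.91, Port=587, M=Ea, DeliveryMode=q')dnl
dnl DAEMON_OPTIONS(`Name=Old4,Addr=10.0.7.91, Port=2525, M=E')dnl
EOF
}

# daemon_ports < sendmail.mc : print the Port= value of every active DAEMON_OPTIONS line,
# skipping lines that m4 treats as comments (leading dnl).
daemon_ports() {
  grep -v '^[[:space:]]*dnl' | grep 'DAEMON_OPTIONS' \
    | sed -n 's/.*Port=\([0-9][0-9]*\).*/\1/p'
}

# rule_allows RULES UID PROTO PORT : succeed only if RULES (comma separated, as in
# security.mac.portacl.rules) contains the exact entry uid:UID:PROTO:PORT.
rule_allows() {
  echo "$1" | tr ',' '\n' | grep -qx "uid:$2:$3:$4"
}

# uncovered_ports RULES UID < sendmail.mc : print every daemon port with no tcp rule for UID.
uncovered_ports() {
  rules=$1; uid=$2
  daemon_ports | while read -r port; do
    rule_allows "$rules" "$uid" tcp "$port" || echo "$port"
  done
}

# port_in_reserved_range PORT LOW HIGH : succeed if the IP stack's reserved range
# (net.inet.ip.portrange.reservedlow..reservedhigh; assumption: both should be 0 so that
# mac_portacl alone decides who may bind) still covers PORT and would need privilege.
port_in_reserved_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Report for the rule set from the post against the constructed sendmail.mc.
RULES="uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587"
for p in $(sample_mc | uncovered_ports "$RULES" 25); do
  echo "no portacl rule for uid 25 on tcp/$p"
done
for p in $(sample_mc | daemon_ports); do
  port_in_reserved_range "$p" 0 1023 && echo "tcp/$p is inside the default reserved range"
done
```

Run against the real file with `uncovered_ports "$(sysctl -n security.mac.portacl.rules)" 25 < /etc/mail/sendmail.mc` and compare the reserved-range check with `sysctl net.inet.ip.portrange.reservedlow net.inet.ip.portrange.reservedhigh`.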