Date: Tue, 30 Nov 2021 23:39:09 +1100
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: questions@freebsd.org
Subject: Re: sendmail without root privs cannot bind.
Message-ID: <fef4cc77-ffc2-e78a-06af-71a9dd57e73f@heuristicsystems.com.au>
In-Reply-To: <2de7a896-60ac-3b96-4b1d-a9c276d19b74@qeng-ho.org>
References: <ce474f25-25d9-5cc0-5225-b2d6e22124f9@heuristicsystems.com.au> <2de7a896-60ac-3b96-4b1d-a9c276d19b74@qeng-ho.org>
On 30/11/2021 7:53 pm, Arthur Chance wrote:
> On 30/11/2021 08:42, Dewayne Geraghty wrote:
>> Today I decided that it was time to move sendmail from root to an
>> unprivileged user.
>>
>> Unfortunately I was blocked by
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0 opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
>> Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP socket
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0 opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting (hold)
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp): opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting
>>
>> which was disappointing. It almost appears as though the
>> security.mac.portacl.rules isn't being processed, but it is because we
>> also have named and apache running with unpriv'ed accounts.
>>
>> Does anyone have sendmail running without root? My magical
>> rubber-chicken doesn't seem to be working...
>>
>> How did I get here...
>> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
>> 2. changed permissions on /etc/mail /var/spool/mqueue ... to the same user
>> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to
>> security.mac.portacl.rules
>> 4. rebooted the box
> It's probably me misunderstanding, but how did you ensure
> security.mac.portacl.rules had those settings after the reboot?
>
Thanks Arthur. I'm unsure, but I manually stopped sendmail and set
security.mac.portacl.rules, then restarted. Though I did verify
security.mac.portacl.port_high, which needed to be increased to catch 587.
The problem remains elusive and I'm out of ideas. :(
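A check for the configuration the thread describes, written as an added example rather than anything posted in the thread: it takes the values of security.mac.portacl.rules, security.mac.portacl.port_high and net.inet.ip.portrange.reservedhigh (constructed stand-ins below, where a live host would use `sysctl -n` on each name) and reports, per port, why a bind by the given uid would still be refused. Two documented points matter here: mac_portacl(4) only consults its rules for ports up to port_high, and the IP stack's own reserved-port check is independent of the policy, so net.inet.ip.portrange.reservedlow and reservedhigh must be lowered (the FreeBSD Handbook's mac_portacl example sets both to 0) before a non-root uid can bind port 25 at all. For the persistence question Arthur raises, these sysctls belong in /etc/sysctl.conf with mac_portacl_load="YES" in /boot/loader.conf. The function names and the uid 25 / port list are the example's own, chosen to match the thread.

```shell
#!/bin/sh
# Added example: audit a mac_portacl(4) setup for a daemon that must bind
# low ports as a non-root uid. Values are passed as arguments so the check
# runs anywhere; on the FreeBSD host they would come from
#   sysctl -n security.mac.portacl.rules
#   sysctl -n security.mac.portacl.port_high
#   sysctl -n net.inet.ip.portrange.reservedhigh

# portacl_covers RULES UID PROTO PORT
# Succeeds when RULES (comma-separated idtype:id:proto:port entries) holds a
# uid rule granting exactly this uid/proto/port. gid rules are not considered.
portacl_covers() {
    printf '%s' "$1" | grep -Eq "(^|,)uid:$2:$3:$4(,|\$)"
}

# portacl_audit RULES PORT_HIGH RESERVEDHIGH UID PORT...
# Prints one line per problem and returns the number of problems found
# (0 means every listed TCP port should be bindable by UID).
portacl_audit() {
    rules=$1
    port_high=$2
    reservedhigh=$3
    uid=$4
    shift 4
    problems=0
    for port in "$@"; do
        # mac_portacl only consults rules for ports <= port_high.
        if [ "$port" -gt "$port_high" ]; then
            echo "port $port is above security.mac.portacl.port_high=$port_high; its rule is ignored"
            problems=$((problems + 1))
        fi
        if ! portacl_covers "$rules" "$uid" tcp "$port"; then
            echo "no uid:$uid:tcp:$port entry in security.mac.portacl.rules"
            problems=$((problems + 1))
        fi
        # The stack's reserved-port check is separate from the policy:
        # ports up to reservedhigh still need root unless that range is lowered.
        if [ "$port" -le "$reservedhigh" ]; then
            echo "port $port is still inside net.inet.ip.portrange.reservedhigh=$reservedhigh"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed stand-ins for the thread's setup: uid 25, ports 25/465/587.
RULES="uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587"

# With port_high and reservedhigh both at their default of 1023 the rules
# are correct yet every bind is refused by the reserved-port check.
portacl_audit "$RULES" 1023 1023 25 25 465 587 || echo "problems: $?"

# Lowering reservedhigh to 0 lets the same rules take effect.
portacl_audit "$RULES" 1023 0 25 25 465 587 && echo "all ports grantable to uid 25"
```

The audit deliberately reports each independent cause, because a correct rules string, a too-low port_high and an untouched reserved range all produce the same `cannot bind: Permission denied` in the sendmail log.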