Mails from jails
Alexander at Leidinger.net
Sat Jul 28 13:32:13 UTC 2007
Quoting Ernst de Haan <znerd at FreeBSD.org> (from Fri, 27 Jul 2007
>> In my jails at home I configured sendmail with a smarthost
>> (respectively a msp for the submit.mc) and use
>> in rc.conf.
> But this means you are running sendmail in each and every jail, right?
As a submission daemon (on port 5xx), but not as a MTA/MDA on port 25.
> Isn't it better to keep the services per jail to a minimum, excluding
> services that are not necessarily required? Now you have the
> much-exploited sendmail daemon running in every jail.
Are you concerned about local exploits, or remote exploits? Do you
need to connect to it via a (local) network connection, or is is ok to
deliver via piping data into the executable? If the later, you can do
sendmail_submit_enable="NO" in all jails. I could disable several of
those locally, but 'm not concerned about this as I use the jails as
some kind of consolidation feature with the nice property of being
able to move a service which is hosted in a jail (one service per
jail) to a different server with a rsync. As some services want to
connect to a port instead of using a local sendmail, I have the submit
daemon enabled by default and was lazy so far to change this...
> I haven't found a complete solution yet, but I would expect to be able
> to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not
> on the external interface), allowing only connections from 127.0.0.255.
> However, I just noticed in the rc.sendmail(8) man page that it
> indicates this will not work:
I have postfix running as my central smarthost/mailhub, and use
sendmail just as a way to deliver mails to it. I don't need to install
anything mail related into a jail (except for sendmail.cf and
submit.cf, but they are in my template). You don't even have to have
sendmail running as described above.
> Then all the other jails could just run sSMTP, connecting to the ESMTP
> service on the mail-jail, without AUTH (SASL) and SSL, just plain old
For me sendmail as a client which conencts to my local postfix is safe
enough in my environment, no need to install additional software.
>> My smarthost is postfix in another jail and it delivers via
>> TLS+sasl to a box with an official and static IP which is
>> responsible for the final delivery.
> So does the postfix daemon listen to an internal network address
> (127.0.0.x)? If so, this comes pretty close to what I'm looking for.
I have everything in 192.168.x.y on the NIC interface. So there's the
possibility to connect to a jail from a different system on the same
net. But as sendmail doesn't accept connections from somewhere else,
only ssh and the service of this jail is accessible. I would be
surprised if postfix is not able to bind to 127.0.0.x.
Measure twice, cut once.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
More information about the freebsd-jail