chrooting Postfix+SASL+TLS
Eric W. Bates
ericx_lists at vineyard.net
Mon Jul 26 14:10:23 PDT 2004
You can chroot most of the processes as usual; but if you chroot the
smtpd component you have to make sure that all the SASL components are
readable in the chroot'ed tree.
I have not tried it; but that certainly includes the saslauthd socket
(normally: /var/state/saslauthd/mux); and probably the SASL config for
postfix (normally: /usr/local/lib/sasl2/smtpd.conf). I don't remember
whether the sasl library is statically linked or not. If it isn't, you
will have to compile smtpd with a link-path that it will be able to
reach when chroot'ed.
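A pre-flight check for the three things the reply lists (saslauthd socket, SASL config, shared libraries reachable inside the chroot), as an added example written for this thread rather than taken from it. It assumes POSIX sh, the default paths named above, and that ldd prints "lib => /path" lines; the ldd check skips the dynamic linker entry, which has no "=>".

```shell
#!/bin/sh
# Checks a Postfix chroot for the pieces a chrooted smtpd needs to talk to
# saslauthd. Added example; paths are the defaults from the reply and can
# be overridden by arguments.

# check_chroot_sasl CHROOT [MUX_RELPATH] [CONF_RELPATH]
# Returns 0 when both the saslauthd socket and smtpd.conf are reachable
# below CHROOT, 1 otherwise; prints one line per finding.
check_chroot_sasl() {
    chroot_dir=$1
    mux_rel=${2:-var/state/saslauthd/mux}
    conf_rel=${3:-usr/local/lib/sasl2/smtpd.conf}
    rc=0
    # saslauthd must be started with -m pointing INSIDE the chroot, so the
    # mux socket is found at /var/state/saslauthd/mux after chroot(2).
    if [ -S "$chroot_dir/$mux_rel" ]; then
        echo "ok: saslauthd socket at $chroot_dir/$mux_rel"
    else
        echo "MISSING: socket $chroot_dir/$mux_rel (start saslauthd with -m $chroot_dir/$(dirname "$mux_rel"))"
        rc=1
    fi
    # libsasl opens smtpd.conf relative to the chroot root, so a copy of the
    # config has to live inside the tree and be readable by the postfix user.
    if [ -r "$chroot_dir/$conf_rel" ]; then
        echo "ok: SASL config at $chroot_dir/$conf_rel"
    else
        echo "MISSING: SASL config $chroot_dir/$conf_rel"
        rc=1
    fi
    return $rc
}

# count_missing CHROOT: number of MISSING findings from check_chroot_sasl.
count_missing() {
    check_chroot_sasl "$1" | grep -c MISSING
}

# check_chroot_libs CHROOT BINARY: every shared library that BINARY (e.g. the
# smtpd daemon) links against must exist at the same path under CHROOT,
# unless smtpd was linked statically. Returns 2 if ldd is unavailable.
check_chroot_libs() {
    chroot_dir=$1; bin=$2; rc=0
    command -v ldd >/dev/null 2>&1 || { echo "skip: ldd not available"; return 2; }
    for lib in $(ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'); do
        if [ -e "$chroot_dir$lib" ]; then
            echo "ok: $lib present in chroot"
        else
            echo "MISSING: $lib not under $chroot_dir (copy it or link statically)"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_chroot_sasl /var/spool/postfix && check_chroot_libs /var/spool/postfix /usr/libexec/postfix/smtpd` before switching smtpd to chroot in master.cf; "cannot connect to saslauthd server: No such file or directory" in maillog corresponds to the first MISSING line.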
Alex Melkomukov wrote:
> Hello all,
>
> I tried posting to the FreeBSD Questions list with no luck. I figured I
> would try this list to see if anyone has an answer/pointers for me to work
> with.
>
> posted message:
>
> Hi all,
>
> Has anyone successfully set up Postfix to run chrooted with saslauthd?
> I've been trying to get this to work for several days now and have run
> out of ideas.
>
> Everything works fine non-chrooted, but as soon as I run
> postfix/smtpd chrooted, I get the following messages in maillog:
>
>
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from
> yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from
> yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication
> failure: cannot connect to saslauthd server: No such file or directory
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]:
> SASL LOGIN authentication failed
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in
> network_biopair_interop with errno=0: num_read=0, want_read=5
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from
> yyy[999.999.999.999]
> Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from
> yyy[999.999.999.999]
>
>
> Here is what I have installed:
>
> OS:
>
> FreeBSD 4.9-RELEASE
>
>
>
> ports installed:
>
> openssl-0.9.7d
> cyrus-sasl-2.1.18
> cyrus-sasl-saslauthd-2.1.18_1
>
>
> postfix installed from source with TLS patch applied:
>
> postfix-2.1.3
> pfixtls-0.8.18-2.1.3-0.9.7d
>
>
> postfix chroot directory:
>
> /var/spool/postfix
>
>
> saslauthd startup options:
>
> /usr/local/sbin/saslauthd -a getpwent -m
> /var/spool/postfix/var/state/saslauthd
>
>
> tls/sasl options in /etc/postfix/main.cf:
>
> # sasl config
> #
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
>
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
>
> # tls config
> #
> smtp_use_tls = yes
> smtpd_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
>
> I have tried all kinds of tips from my archive searches and still no luck.
>
> Can anyone give me any pointers/instructions on how to run postfix
> chrooted with saslauthd using FreeBSD 4.9?
>
> any advice will be appreciated.
>
> thanks in advance,
>
> Alex M.
>
>