Sendmail and Jails

David Robillard david.robillard at gmail.com
Mon Mar 27 15:44:31 UTC 2006


On Saturday 25 March 2006 18:42, Jack Stone wrote:
> I have been setting up jails on various production servers on
> FBSD-6.0 & 4.11.
>
> I was wondering how/where to configure & avoid the port conflicts
> for sendmail as follows:
>
> - main host - all sendmail services in & out (or at least out)
> - jail - just outgoing services
>
> I gather I will need to configure one or the other on a non-std
> port as both will try to grab the same ports: 25 & 587
>
> Any tips appreciated.

Hi Jack,

Since all jails and the main host have their own IP address, it is
quite easy to do the setup you ask for. The idea here is to tell
sendmail(8) which IP it should bind to. No need to fuss around with
ports or anything like that :o)

For the sake of example, let's say we have this:

main.host.com: 192.168.1.1
jail.host.com: 192.168.1.2

On the main host, make sure you have

sendmail_enable="YES"

in /etc/rc.conf. This will tell sendmail to run and listen for outside requests.
Next, edit the /etc/mail/`uname -n`.mc file (make sure the uname(1)
command is enclosed in back-ticks).

sudo vi /etc/mail/`uname -n`.mc

Include whatever sendmail(8) MC macro configuration you need and make
sure you have this line which tells sendmail(8) to listen on
192.168.1.1 on TCP port 25.

DAEMON_OPTIONS(`Port=25, Addr=192.168.1.1, Name=MTA, Family=inet')dnl

Save the `uname -n`.mc file and restart sendmail:

cd /etc/mail
sudo make install restart

Make sure you check /var/log/maillog for any errors.

Now for the jails, you only have to configure sendmail in whatever way
you need and have this

sendmail_enable="NO"

in /etc/rc.conf. This tells sendmail to process mail only if it is
originating from the localhost. I would recommend configuring each
jail as a sendmail null client to your main host. For example:

OSTYPE(`freebsd6')dnl
FEATURE(`nullclient', `main.host.com')dnl

Which will cause all jails to "punt" their mail directly to your
main.host.com machine.

If you're not sure about which ports are opened by sendmail in the
main host or the jails, run the sockstat(1) command.

Also, sendmail relies on DNS for everything, so make sure your DNS
system is on par with the various hostnames you use. Otherwise,
you'll end up with long boot times and a whole bunch of broken mail
problems.

Finally, make sure you upgrade sendmail to version 8.13.6 because
previous versions contain a vulnerability. Install port mail/sendmail.
(this is my sendmail configuration in make.conf)

sudo vi /etc/make.conf

NO_SENDMAIL= true

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf

# Build options applied only when building the mail/sendmail port.
.if ${.CURDIR:M*/mail/sendmail}
SENDMAIL_WITHOUT_IPV6=yes
SENDMAIL_WITHOUT_NIS=yes
SENDMAIL_WITH_TLS=yes
SENDMAIL_WITH_SMTPS=yes
SENDMAIL_WITH_SASL=yes
SENDMAIL_WITH_SASL2=yes
SENDMAIL_WITH_LDAP=yes
SENDMAIL_WITH_BERKELEYDB_VER=42
SENDMAIL_WITH_SOCKETMAP=yes
# SENDMAIL_WITH_CYRUSLOOKUP=no
SENDMAIL_WITH_PICKY_HELO_CHECK=yes
SENDMAIL_WITH_SHARED_MILTER=yes
.endif

cd /usr/ports/mail/sendmail
sudo make install
sudo make mailer.conf
sudo make clean

Check if you're using the right one:

sendmail -bt -d0.1 < /dev/null

Let me know if you need more assistance. Of course, YMMV.

Cheers,

David


--
David Robillard
UNIX systems admin, CISSP
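
The sockstat(1) check suggested in the message above can be scripted. This is an added example, not part of the original message: it reads `sockstat -4l` output and flags any sendmail listener not bound to the expected address. The function name and both sample outputs are constructed for illustration, using the 192.168.1.1 example address from the message.

```sh
#!/bin/sh
# Added example (not from the original message).
# Reads `sockstat -4l` output on stdin and reports every sendmail TCP
# listener whose local address is not the expected one, e.g. a wildcard
# "*:25" that would also answer on the jails' addresses.
check_sendmail_binds() {
    expected_ip="$1"
    awk -v ip="$expected_ip" '
        $2 == "sendmail" && $5 ~ /^tcp/ {
            n = split($6, parts, ":")          # LOCAL ADDRESS is addr:port
            port = parts[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (addr != ip) {
                printf "UNEXPECTED sendmail pid %s on %s (want %s:%s)\n", $3, $6, ip, port
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: main host where every listener follows DAEMON_OPTIONS.
sample_bound() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   4  tcp4   192.168.1.1:25        *:*
root     sshd       540   3  tcp4   *:22                  *:*
EOF
}

# Constructed sample: port 25 is bound, but a listener on 587 is still wildcard.
sample_wildcard() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   4  tcp4   192.168.1.1:25        *:*
root     sendmail   612   5  tcp4   *:587                 *:*
EOF
}

# Demo on constructed data; on a real host: sockstat -4l | check_sendmail_binds 192.168.1.1
sample_wildcard | check_sendmail_binds 192.168.1.1 || echo "fix Addr= in DAEMON_OPTIONS"
```

The function exits non-zero when it finds a mismatch, so it can gate a post-restart check after `make install restart`.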

