Re: chrooting Postfix+SASL+TLS

From: Eric W. Bates (ericx_lists_at_vineyard.net)
Date: 07/26/04

    Date: Mon, 26 Jul 2004 17:10:20 -0400
    To: Alex Melkomukov <amelkomukov@flexpop.net>

    You can chroot most of the processes as usual, but if you chroot the
    smtpd component you have to make sure that all the SASL components are
    readable in the chroot'ed tree.

    I have not tried it, but that certainly includes the saslauthd socket
    (normally: /var/state/saslauthd/mux) and probably the SASL config for
    postfix (normally: /usr/local/lib/sasl2/smtpd.conf). I don't remember
    whether the sasl library is statically linked or not. If it isn't, you
    will have to compile smtpd with a link-path that it will be able to
    reach when chroot'ed.

    Alex Melkomukov wrote:
    > Hello all,
    >
    > I tried posting to the FreeBSD Questions list with no luck. I figured I
    > would try this list to see if anyone has an answer/pointers for me to work
    > with.
    >
    > posted message:
    >
    > Hi all,
    >
    > Has anyone successfully set up Postfix to run chrooted with saslauthd?
    > I've been trying to get this to work for several days now and have run
    > out of ideas.
    >
    > Everything works fine non-chrooted, but as soon as I run
    > postfix/smtpd chrooted, I get the following messages in maillog:
    >
    >
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from yyy[999.999.999.999]
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]: SASL LOGIN authentication failed
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=5
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from yyy[999.999.999.999]
    > Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from yyy[999.999.999.999]
    >
    >
    > Here is what I have installed:
    >
    > OS:
    >
    > FreeBSD 4.9-RELEASE
    >
    >
    >
    > ports installed:
    >
    > openssl-0.9.7d
    > cyrus-sasl-2.1.18
    > cyrus-sasl-saslauthd-2.1.18_1
    >
    >
    > postfix installed from source with TLS patch applied:
    >
    > postfix-2.1.3
    > pfixtls-0.8.18-2.1.3-0.9.7d
    >
    >
    > postfix chroot directory:
    >
    > /var/spool/postfix
    >
    >
    > saslauthd startup options:
    >
    > /usr/local/sbin/saslauthd -a getpwent -m /var/spool/postfix/var/state/saslauthd
    >
    >
    > tls/sasl options in /etc/postfix/main.cf:
    >
    > # sasl config
    > #
    > broken_sasl_auth_clients = yes
    > smtpd_sasl_auth_enable = yes
    > smtpd_sasl_local_domain =
    >
    > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
    > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    >
    > # tls config
    > #
    > smtp_use_tls = yes
    > smtpd_use_tls = yes
    > smtp_tls_note_starttls_offer = yes
    > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
    > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
    > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
    > smtpd_tls_loglevel = 1
    > smtpd_tls_received_header = yes
    > smtpd_tls_session_cache_timeout = 3600s
    > tls_random_source = dev:/dev/urandom
    >
    >
    > I have tried all kinds of tips from my archive searches and still no luck.
    >
    > Can anyone give me any pointers/instructions on how to run postfix
    > chrooted with saslauthd using FreeBSD 4.9?
    >
    > any advice will be appreciated.
    >
    > thanks in advance,
    >
    > Alex M.
    >
    >
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
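The checks Eric lists (saslauthd socket, SASL application config and, for a dynamically linked smtpd, its shared libraries all reachable under the chroot) can be scripted rather than discovered one "No such file or directory" at a time. The script below is an added example, not from the thread or from Postfix or Cyrus SASL. It uses the paths the thread names (chroot /var/spool/postfix, socket directory /var/state/saslauthd, config /usr/local/lib/sasl2/smtpd.conf); the library name libsasl2.so.2 and the smtpd binary path /usr/libexec/postfix/smtpd in the comments are assumptions, and the demo stands a plain file in for the socket.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Postfix chroot for the pieces a
# chrooted smtpd needs in order to talk to saslauthd.

# chroot_missing CHROOT PATH...
# Each PATH is given as the chrooted smtpd will open it, i.e. relative to
# CHROOT. Prints every one that does not exist under CHROOT and returns 1 if
# any is missing, 0 otherwise.
chroot_missing() {
    root=$1; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$root$p" ]; then
            echo "missing in chroot: $root$p"
            rc=1
        fi
    done
    return $rc
}

# mux_path_inside CHROOT MUXDIR
# "saslauthd -m MUXDIR" creates MUXDIR/mux on the real filesystem. After the
# chroot, smtpd's SASL library resolves the socket path relative to CHROOT, so
# MUXDIR has to lie under CHROOT. Prints the socket path as smtpd sees it, or
# fails when saslauthd was started with a directory outside the chroot.
mux_path_inside() {
    root=$1; muxdir=$2
    case $muxdir in
        "$root"/*) echo "${muxdir#"$root"}/mux" ;;
        *) echo "saslauthd -m $muxdir is outside chroot $root" >&2; return 1 ;;
    esac
}

# libs_for BINARY
# Shared objects a dynamically linked smtpd loads, taken from ldd(1); each of
# them must also exist under the chroot. Host-dependent, so the self-check
# below does not call it.
libs_for() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# audit_chroot CHROOT MUXDIR SASLCONF [LIB...]
# Returns 0 when the socket, the SASL config and every LIB are reachable inside
# CHROOT, 1 otherwise (the missing paths are printed).
audit_chroot() {
    root=$1; muxdir=$2; conf=$3; shift 3
    sock=$(mux_path_inside "$root" "$muxdir") || return 1
    chroot_missing "$root" "$sock" "$conf" "$@"
}

# Demonstration on a constructed temporary tree that mirrors the thread's
# layout. The library name is an assumption; a plain file stands in for the
# socket. Run against a real box as, for example (paths assumed):
#   audit_chroot /var/spool/postfix /var/spool/postfix/var/state/saslauthd \
#       /usr/local/lib/sasl2/smtpd.conf $(libs_for /usr/libexec/postfix/smtpd)
demo() {
    tmp=$(mktemp -d)
    root=$tmp/var/spool/postfix
    mkdir -p "$root/var/state/saslauthd" "$root/usr/local/lib/sasl2"
    : > "$root/var/state/saslauthd/mux"
    : > "$root/usr/local/lib/sasl2/smtpd.conf"
    : > "$root/usr/local/lib/libsasl2.so.2"

    echo "== saslauthd -m $tmp/var/state/saslauthd (default location, outside the chroot)"
    audit_chroot "$root" "$tmp/var/state/saslauthd" /usr/local/lib/sasl2/smtpd.conf \
        /usr/local/lib/libsasl2.so.2 || echo "=> chrooted smtpd cannot reach saslauthd"

    echo "== saslauthd -m $root/var/state/saslauthd (inside the chroot)"
    audit_chroot "$root" "$root/var/state/saslauthd" /usr/local/lib/sasl2/smtpd.conf \
        /usr/local/lib/libsasl2.so.2 && echo "=> socket, config and library all reachable"

    rm -rf "$tmp"
}

demo
```

On a live system replace the `-e` test with `-S` for the socket entry, and remember that existence is not enough: the user smtpd runs as must be able to search the socket directory and connect to the socket, otherwise the same "cannot connect to saslauthd server" warning appears with a permission error instead of ENOENT.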