Re: chrooting Postfix+SASL+TLS

From: Alex Melkomukov (amelkomukov_at_flexpop.net)
Date: 07/27/04

  • Next message: Pat Lashley: "Re: Question about virus/spam filtering for customers with mail servers"
    Date: Mon, 26 Jul 2004 16:27:25 -0700 (PDT)
    To: "Eric W. Bates" <ericx_lists@vineyard.net>

    Hi Eric,

    I think I finally have it working! Thanks a bunch for the clues. I've
    been at this for a bit, but I think I finally have all the right
    pieces in place.

    I had tried running saslauthd with the "-m
    /var/spool/postfix/var/state/saslauthd" option before, with no luck. I
    even did the chown cyrus/chgrp mail commands on the
    /var/spool/postfix/var/state/saslauthd directory for permissions, and was
    still getting errors.

    I even tried copying the needed SASL files into
    the chrooted directory, but apparently it was not in the right location.
    I ended up copying the liblogin*, libplain*, and smtpd.conf files (the
    only ones I need) from the /usr/local/lib/sasl2 directory to the
    /var/spool/postfix/usr/local/lib/sasl2 directory, and everything started
    working.

    To be complete, I also created the /var/spool/postfix/etc directory and
    copied the 'aliases.db', 'hosts', 'localtime', 'resolv.conf', and
    'services' files from the /etc directory. There may be a couple of other
    things I had to do to make it all work in chroot, but these were the 'major'
    steps I needed to take to make it all work.

    Again, thanks a bunch for the tips Eric.

    Alex M.

    On Mon, 26 Jul 2004, Eric W. Bates wrote:

    > You can chroot most of the processes as usual; but if you chroot the
    > smtpd component you have to make sure that all the SASL components are
    > readable in the chroot'ed tree.
    >
    > I have not tried it; but that certainly includes the saslauthd socket
    > (normally: /var/state/saslauthd/mux); and probably the SASL config for
    > postfix (normally: /usr/local/lib/sasl2/smtpd.conf). I don't remember
    > whether the sasl library is statically linked or not. If it isn't, you
    > will have to compile smtpd with a link-path that it will be able to
    > reach when chroot'ed.
    >
    > Alex Melkomukov wrote:
    > > Hello all,
    > >
    > > I tried posting to the FreeBSD Questions list with no luck. I figured I
    > > would try this list to see if anyone has an answer/pointers for me to work
    > > with.
    > >
    > > posted message:
    > >
    > > Hi all,
    > >
    > > Has anyone successfully set up Postfix to run chrooted with saslauthd?
    > > I've been trying to get this to work for several days now and have run
    > > out of ideas.
    > >
    > > Everything works fine non-chrooted, but as soon as I run
    > > postfix/smtpd chrooted, I get the following messages in maillog:
    > >
    > >
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: connect from yyy[999.999.999.999]
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: setting up TLS connection from
    > > yyy[999.999.999.999]
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: TLS connection established from
    > > yyy[999.999.999.99]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: SASL authentication
    > > failure: cannot connect to saslauthd server: No such file or directory
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: yyy[999.999.999.999]:
    > > SASL LOGIN authentication failed
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: warning: Read failed in
    > > network_biopair_interop with errno=0: num_read=0, want_read=5
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: lost connection after AUTH from
    > > yyy[999.999.999.999]
    > > Jul 23 09:46:30 xxx postfix/smtpd[2472]: disconnect from
    > > yyy[999.999.999.999]
    > >
    > >
    > > Here is what I have installed:
    > >
    > > OS:
    > >
    > > FreeBSD 4.9-RELEASE
    > >
    > >
    > >
    > > ports installed:
    > >
    > > openssl-0.9.7d
    > > cyrus-sasl-2.1.18
    > > cyrus-sasl-saslauthd-2.1.18_1
    > >
    > >
    > > postfix installed from source with TLS patch applied:
    > >
    > > postfix-2.1.3
    > > pfixtls-0.8.18-2.1.3-0.9.7d
    > >
    > >
    > > postfix chroot directory:
    > >
    > > /var/spool/postfix
    > >
    > >
    > > saslauthd startup options:
    > >
    > > /usr/local/sbin/saslauthd -a getpwent -m
    > > /var/spool/postfix/var/state/saslauthd
    > >
    > >
    > > tls/sasl options in /etc/postfix/main.cf:
    > >
    > > # sasl config
    > > #
    > > broken_sasl_auth_clients = yes
    > > smtpd_sasl_auth_enable = yes
    > > smtpd_sasl_local_domain =
    > >
    > > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
    > > smtpd_recipient_restrictions = permit_sasl_authenticated,
    > > permit_mynetworks, reject_unauth_destination
    > >
    > > # tls config
    > > #
    > > smtp_use_tls = yes
    > > smtpd_use_tls = yes
    > > smtp_tls_note_starttls_offer = yes
    > > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
    > > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
    > > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
    > > smtpd_tls_loglevel = 1
    > > smtpd_tls_received_header = yes
    > > smtpd_tls_session_cache_timeout = 3600s
    > > tls_random_source = dev:/dev/urandom
    > >
    > >
    > > I have tried all kinds of tips from my archive searches and still no luck.
    > >
    > > Can anyone give me any pointers/instructions on how to run postfix
    > > chrooted with saslauthd using FreeBSD 4.9?
    > >
    > > any advice will be appreciated.
    > >
    > > thanks in advance,
    > >
    > > Alex M.
    > >
    > >
    > > _______________________________________________
    > > freebsd-isp@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    >

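The steps Alex lists (SASL plugins and smtpd.conf mirrored under the chroot, a handful of /etc files copied in, and a socket directory for saslauthd's -m option) as one script, added here as an example and not code from the thread. It is parameterised so it can be exercised against a scratch tree; the default paths (/var/spool/postfix, /usr/local/lib/sasl2, /etc) follow the FreeBSD layout in the thread and are assumptions to adjust for your build. The key point it encodes is that the path inside the chroot must equal the path smtpd was built to open, so the library directory is recreated at the same relative location under the chroot root. Ownership of the socket directory (Alex's chown/chgrp step) is left to the operator because it needs root and the right uid for your saslauthd.

```shell
#!/bin/sh
# Added example (not from the thread): populate a Postfix chroot with the
# pieces a chrooted smtpd needs for SASL auth, then verify they are present.
# All paths are assumptions taken from the thread's FreeBSD 4.x layout.

# populate_postfix_chroot CHROOT SASL_LIBDIR ETC_SRC
#   CHROOT      root of the Postfix chroot (e.g. /var/spool/postfix)
#   SASL_LIBDIR where the SASL plugins live outside the chroot
#   ETC_SRC     the real /etc to copy resolver/services data from
populate_postfix_chroot() {
    chroot_dir=$1
    sasl_src=$2
    etc_src=$3

    # smtpd resolves SASL_LIBDIR relative to the chroot root, so the same
    # path is recreated underneath it. Only LOGIN and PLAIN are copied,
    # matching the mechanisms the thread needed.
    mkdir -p "$chroot_dir$sasl_src" || return 1
    for f in "$sasl_src"/liblogin* "$sasl_src"/libplain* "$sasl_src"/smtpd.conf; do
        [ -e "$f" ] || continue
        cp -p "$f" "$chroot_dir$sasl_src/" || return 1
    done

    # Name resolution, service lookup, timezone and local aliases.
    mkdir -p "$chroot_dir/etc" || return 1
    for f in aliases.db hosts localtime resolv.conf services; do
        [ -e "$etc_src/$f" ] || continue
        cp -p "$etc_src/$f" "$chroot_dir/etc/" || return 1
    done

    # saslauthd must be started with -m pointing at this directory so that
    # its mux socket appears at /var/state/saslauthd/mux inside the chroot.
    mkdir -p "$chroot_dir/var/state/saslauthd" || return 1
}

# check_postfix_chroot CHROOT SASL_LIBDIR
#   Returns 0 when every expected file is present; otherwise lists what is
#   missing on stderr and returns 1. Run this before restarting postfix.
check_postfix_chroot() {
    chroot_dir=$1
    sasl_src=$2
    rc=0
    for f in "$chroot_dir$sasl_src/smtpd.conf" \
             "$chroot_dir/etc/aliases.db" "$chroot_dir/etc/hosts" \
             "$chroot_dir/etc/localtime" "$chroot_dir/etc/resolv.conf" \
             "$chroot_dir/etc/services"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            rc=1
        fi
    done
    if [ ! -d "$chroot_dir/var/state/saslauthd" ]; then
        echo "missing: $chroot_dir/var/state/saslauthd (saslauthd -m target)" >&2
        rc=1
    fi
    return $rc
}

# Real-system usage (requires root). Guarded so sourcing the file is harmless:
#   sh populate_chroot.sh --run
if [ "$1" = "--run" ]; then
    populate_postfix_chroot /var/spool/postfix /usr/local/lib/sasl2 /etc \
        && check_postfix_chroot /var/spool/postfix /usr/local/lib/sasl2
fi
```

After populating, start saslauthd with `-m /var/spool/postfix/var/state/saslauthd` as in the thread and re-run the check; the "cannot connect to saslauthd server: No such file or directory" warning in the original maillog is exactly what the missing socket directory produces.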