Quoting Ernst de Haan <[EMAIL PROTECTED]> (from Fri, 27 Jul 2007
15:07:51 +0200):
> Alexander,
>
>> In my jails at home I configured sendmail with a smarthost
>> (respectively an MSP for the submit.mc) and use
>> sendmail_enable="NO"
>> sendmail_submit_enable="YES"
>> in rc.conf.
>
> But this means you are running sendmail in each and every jail, right?
> As a submission daemon (on port 5xx), but not as an MTA/MDA on port 25.
> Isn't it better to keep the services per jail to a minimum, excluding
> services that are not necessarily required? Now you have the
> much-exploited sendmail daemon running in every jail.
Are you concerned about local exploits, or remote exploits? Do you
need to connect to it via a (local) network connection, or is it OK to
deliver via piping data into the executable? If the latter, you can do
sendmail_submit_enable="NO" in all jails. I could disable several of
those locally, but I'm not concerned about this as I use the jails as
some kind of consolidation feature with the nice property of being
able to move a service which is hosted in a jail (one service per
jail) to a different server with an rsync. As some services want to
connect to a port instead of using a local sendmail, I have the submit
daemon enabled by default and was lazy so far to change this...
> I haven't found a complete solution yet, but I would expect to be able
> to run an (E)SMTP daemon in one jail, listening only to 127.0.0.x (not
> on the external interface), allowing only connections from 127.0.0.255.
> However, I just noticed in the rc.sendmail(8) man page that it
> indicates this will not work:
> http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8
I have postfix running as my central smarthost/mailhub, and use
sendmail just as a way to deliver mails to it. I don't need to install
anything mail-related into a jail (except for sendmail.cf and
submit.cf, but they are in my template). You don't even have to have
sendmail running, as described above.
> Then all the other jails could just run sSMTP, connecting to the ESMTP
> service on the mail-jail, without AUTH (SASL) and SSL, just plain old
> SMTP.
For me sendmail as a client which connects to my local postfix is safe
enough in my environment, no need to install additional software.
>> My smarthost is postfix in another jail and it delivers via
>> TLS+sasl to a box with an official and static IP which is
>> responsible for the final delivery.
>
> So does the postfix daemon listen to an internal network address
> (127.0.0.x)? If so, this comes pretty close to what I'm looking for.
I have everything in 192.168.x.y on the NIC interface. So there's the
possibility to connect to a jail from a different system on the same
net. But as sendmail doesn't accept connections from somewhere else,
only ssh and the service of this jail are accessible. I would be
surprised if postfix is not able to bind to 127.0.0.x.
Bye,
Alexander.
--
Measure twice, cut once.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
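The thread turns on which of the sendmail_* knobs in a jail's rc.conf actually leave a listening sendmail behind. The following script is an added example, not code from either poster or from FreeBSD: it sources an rc.conf, applies the defaults I recall from /etc/defaults/rc.conf of that era (sendmail_enable="NO", the other three "YES"; check your own copy), and reports which sendmail processes rc.sendmail(8) would start, using the evaluation order I understand that script to use (inbound daemon wins, else submit daemon, else outbound queue runner; the MSP queue runner is independent). The two rc.conf files it writes are constructed samples mirroring the two setups discussed above.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit the
# sendmail_* knobs in a jail's rc.conf and report which sendmail processes
# rc.sendmail(8) would start. The defaults assumed below are the ones I
# recall from /etc/defaults/rc.conf of FreeBSD 6.x/7.x; check your own copy.

# is_yes VALUE: rc.subr(8)-style boolean test (yes/true/on/1, case-insensitive).
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# sendmail_audit RCCONF: print the sendmail processes the knobs would start,
# one per line, in the order rc.sendmail(8) evaluates them:
#   inbound    full MTA, port 25 on every address         (sendmail_enable)
#   submit     localhost-only MTA on port 25              (sendmail_submit_enable)
#   outbound   queue runner, no listening socket          (sendmail_outbound_enable)
#   msp-queue  clientmqueue runner, no listening socket   (sendmail_msp_queue_enable)
sendmail_audit() {
    # Source the file in a subshell so nothing in it leaks into our shell.
    (
        sendmail_enable="NO"
        sendmail_submit_enable="YES"
        sendmail_outbound_enable="YES"
        sendmail_msp_queue_enable="YES"
        . "$1"
        if is_yes "$sendmail_enable"; then
            echo inbound
        elif is_yes "$sendmail_submit_enable"; then
            echo submit
        elif is_yes "$sendmail_outbound_enable"; then
            echo outbound
        fi
        is_yes "$sendmail_msp_queue_enable" && echo msp-queue
        :
    )
}

# sendmail_listens RCCONF: succeed (0) only if a started process opens a socket.
sendmail_listens() {
    sendmail_audit "$1" | grep -q -e '^inbound$' -e '^submit$'
}

# write_samples: create two constructed rc.conf files in a temp dir and print
# the directory. Not real jail configs, just the two setups from the thread.
write_samples() {
    dir=$(mktemp -d) || return 1
    # Jail with the localhost-only submit daemon (the template default above).
    cat > "$dir/rc.conf.submit" <<'EOF'
sendmail_enable="NO"
sendmail_submit_enable="YES"
EOF
    # Jail where mail is only ever handed to sendmail on its stdin.
    cat > "$dir/rc.conf.pipe" <<'EOF'
sendmail_enable="NO"
sendmail_submit_enable="NO"
EOF
    echo "$dir"
}

# Usage: sh audit.sh /path/to/jail/etc/rc.conf [...]
if [ "${1:-}" ]; then
    for f in "$@"; do
        echo "== $f"
        sendmail_audit "$f"
        sendmail_listens "$f" && echo "(opens a listening socket)"
    done
fi
```

Point the script at each jail's rc.conf (absolute paths, since `.` may search PATH for a bare filename). A jail with both sendmail_enable and sendmail_submit_enable set to "NO" still gets an outbound queue runner and an MSP queue runner, neither of which opens a socket, which is exactly what delivery by piping into the sendmail binary needs.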
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[EMAIL PROTECTED]"