Re: sendmail without root privs cannot bind.
Date: Wed, 01 Dec 2021 03:38:57 UTC
On 1/12/2021 1:17 pm, Olivier Nicole wrote:
> Dewayne,
>
>>> Thanks Arthur. I'm unsure, but I manually stopped sendmail and set
>>> security.mac.portacl.rules, then restarted. Though I did verify
>>> security.mac.portacl.port_high which needed to be increased to catch
>>> 587. The problem remains elusive and I'm out of ideas. :(
>>
>> Maybe it would help if you could provide the running configuration for
>> all the security.mac.portal.
>>
>> Also, you should not need a reboot, restarting sendmail should be enough.
> Sorry, I should have posted to FreeBSD list, not to you.
>
> And also, I think that Apache and named start as root and only change
> user after they bound to their respective ports.
>
> And I think that security.mac.portacl.port_high should be 1023, so I
> don't see a need to "increase it to 587".
>
> Best regards,
>
> Olivier

Hi Olivier.

It's been too long since I started to set up machines without privs that I
don't recall which applications drop privs. My setups have been stable for
a few years, apart from updates :)

To your questions - I'd previously set security.mac.portacl.port_high to
446, so in my case I did need to increase. ;)

# sysctl security.mac.portacl
security.mac.portacl.rules: uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443
security.mac.portacl.port_high: 588
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

Sendmail's RELEASE_NOTES suggest that running as non-root is possible,
though perhaps only as a relay, over port 25?

Kind regards, Dewayne
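
Added example, not part of the original message: an sh function that evaluates a bind request against the sysctl values posted above, using the mac_portacl(4) rule format idtype:id:protocol:port. It models only rules, port_high and suser_exempt; autoport_exempt and the kernel's separate reserved-port check are not modelled, and the function name and verdict words are made up for this illustration.

```shell
#!/bin/sh
# Values copied from the sysctl output in the message above.
RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443'
PORT_HIGH=588
SUSER_EXEMPT=1

# portacl_verdict UID GID PROTO PORT  (hypothetical helper)
# Prints: allowed | denied | root-exempt | not-enforced
# The body runs in a subshell so the IFS change does not leak to the caller.
portacl_verdict() (
    uid=$1 gid=$2 proto=$3 port=$4
    if [ "$port" -gt "$PORT_HIGH" ]; then
        # Above port_high the module makes no decision; the system's
        # other bind checks still apply to the request.
        echo not-enforced
    elif [ "$uid" -eq 0 ] && [ "$SUSER_EXEMPT" -eq 1 ]; then
        # suser_exempt=1: the superuser is not subject to the rules.
        echo root-exempt
    else
        verdict=denied
        IFS=,
        for rule in $RULES; do
            # Split one rule into its four colon-separated fields.
            IFS=: read -r idtype id rproto rport <<EOF
$rule
EOF
            if [ "$rproto" = "$proto" ] && [ "$rport" = "$port" ]; then
                if [ "$idtype" = uid ] && [ "$id" = "$uid" ]; then verdict=allowed; fi
                if [ "$idtype" = gid ] && [ "$id" = "$gid" ]; then verdict=allowed; fi
            fi
        done
        echo "$verdict"
    fi
)

# Constructed requests: uid 25 on the three mail ports, then two that
# no rule covers, then a high port outside the enforced range.
for req in "25 25 tcp 25" "25 25 tcp 465" "25 25 tcp 587" \
           "25 25 tcp 80" "80 80 udp 53" "1001 1001 tcp 8080"; do
    # shellcheck disable=SC2086  # intentional word splitting of $req
    printf '%-20s -> %s\n' "$req" "$(portacl_verdict $req)"
done
```

Setting PORT_HIGH=446 before calling the function shows the earlier configuration mentioned in the message: tcp 465 and 587 then fall outside the range the rules are evaluated for.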