Re: sendmail without root privs cannot bind.

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Wed, 01 Dec 2021 03:38:57 UTC
On 1/12/2021 1:17 pm, Olivier Nicole wrote:
> Dewayne,
>
>>> Thanks Arthur.  I'm unsure, but I manually stopped sendmail and set
>>> security.mac.portacl.rules, then restarted.  Though I did verify
>>> security.mac.portacl.port_high which needed to be increased to catch
>>> 587.  The problem remains elusive and I'm out of ideas.  :(
>>
>> Maybe it would help if you could provide the running configuration for
>> all the security.mac.portal.
>>
>> Also, you should not need a reboot, restarting sendmail should be enough.
> Sorry, I should have posted to FreeBSD list, not to you.
>
> And also, I think that Apache and named start as root and only change
> user after they bound to their respective ports.
>
> And I think that security.mac.portacl.port_high should be 1023, so I
> don't see a need to "increase it to 587".
>
> Best regards,
>
> Olivier
Hi Olivier.  It's been too long since I started to set up machines without
privs that I don't recall which applications drop privs.   My setups have
been stable for a few years, apart from updates :)

To your questions - I'd previously set security.mac.portacl.port_high to
446, so in my case I did need to increase it.   ;)

# sysctl security.mac.portacl
security.mac.portacl.rules:
uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443
security.mac.portacl.port_high: 588
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

Sendmail's RELEASE_NOTES suggest that running as non-root is possible,
though perhaps only as a relay, over port 25?
Kind regards, Dewayne
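The port_high detail in this exchange is easy to get wrong: mac_portacl(4) only enforces its rules on ports up to security.mac.portacl.port_high, so a rule for a port above that value is silently out of scope and the bind falls back to the ordinary root-only check for ports below 1024. The script below is an added example (not from the thread or from FreeBSD) that audits a rules string against a port_high value and answers "would this uid be allowed to bind here?" for a given uid/protocol/port. The rules string is copied from Dewayne's sysctl output above; the function names are my own. It only models uid: rules (mac_portacl also accepts gid: rules) and does not model the separate net.inet.ip.portrange.reservedlow/reservedhigh settings that mac_portacl(4) says must be zeroed for low-port binding to work.

```shell
#!/bin/sh
# Added example: sanity-check mac_portacl rules against port_high.
# RULES is copied from the sysctl output in the thread (constructed input
# for this script; nothing here reads the live kernel state).
RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587,uid:53:udp:53,uid:53:tcp:53,uid:53:tcp:153,uid:80:tcp:80,uid:80:tcp:443'

# portacl_uncovered RULES PORT_HIGH
# Prints every rule whose port is above PORT_HIGH; such rules are never
# consulted by mac_portacl, so the bind is governed by the usual
# "ports < 1024 need root" check instead. Returns 0 when all rules are
# within scope, 1 when at least one is not.
portacl_uncovered() {
    rules=$1; high=$2; rc=0
    oifs=$IFS; IFS=','
    for r in $rules; do
        port=${r##*:}                      # last field of uid:ID:proto:port
        if [ "$port" -gt "$high" ]; then
            echo "$r (port $port > port_high $high, rule not enforced)"
            rc=1
        fi
    done
    IFS=$oifs
    return $rc
}

# portacl_allows RULES PORT_HIGH UID PROTO PORT
# Returns 0 if mac_portacl would let UID bind PROTO/PORT under these rules,
# 1 otherwise. Only uid: rules are modelled (assumption: gid: rules unused).
portacl_allows() {
    rules=$1; high=$2; id=$3; proto=$4; port=$5
    if [ "$port" -gt "$high" ]; then
        return 1                           # outside mac_portacl's scope
    fi
    oifs=$IFS; IFS=','
    for r in $rules; do
        if [ "$r" = "uid:$id:$proto:$port" ]; then
            IFS=$oifs
            return 0
        fi
    done
    IFS=$oifs
    return 1
}

# Usage: the thread's original setting (446) versus the corrected one (588).
echo "with port_high=446:"
portacl_uncovered "$RULES" 446 || true
echo "with port_high=588:"
portacl_uncovered "$RULES" 588 && echo "all rules within port_high"
```

Run it as-is to see that with port_high at 446 the uid 25 rules for 465 and 587 are reported as unenforced, which is exactly the symptom of sendmail failing to bind 587 as a non-root user, while 588 brings every rule back into scope.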