Re: sendmail without root privs cannot bind.

From: Arthur Chance <freebsd_at_qeng-ho.org>
Date: Tue, 30 Nov 2021 08:53:12 UTC
On 30/11/2021 08:42, Dewayne Geraghty wrote:
> Today I decided that it was time to move sendmail from root to an
> unprivileged user.
> 
> Unfortunately I was blocked by
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
> Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP
> socket
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0
> opendaemonsocket: daemon ExtSSL4:
> server SMTP socket wedged: exiting (hold)
> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
> opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting
> 
> which was disappointing.  It almost appears as though the
> security.mac.portacl.rules isn't being processed, but it is because we
> also have named and apache running with unpriv'ed accounts.
> 
> Does anyone have sendmail running without root?  My magical
> rubber-chicken doesn't seem to be working...
> 
> How did I get here...
> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
> 2. changed permissions on /etc/mail /var/spool/mqueue ... to the same user
> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to 
> security.mac.portacl.rules
> 4. rebooted the box

It's probably me misunderstanding, but how did you ensure
security.mac.portacl.rules had those settings after the reboot?

> 5. The failed daemon port happens to be
> DAEMON_OPTIONS(`Name=ExtSSL4,Addr=10.0.7.91, Port=465, children=14,
> M=Eaps, DeliveryMode=q') is one of 4 ports that we use for email, and
> fails on other ports when it's commented out.  Interestingly when port 25
> was first in the DAEMON_OPTIONS list, it doesn't fail, but I can't be
> sure it was successful either.
> 
> I chose smmsp as the user simply because it had the uid 25.
> 
> Sendmail has been running within a jailed environment as root for a few
> years.  The host is FreeBSD 12.2Stable from June 2021.
> 
> I'd welcome any suggestions.
> Regards, Dewayne.
> 


-- 
Nothing teaches one not to try to stamp out burning thermite quite
like real-life experience.
			— James Davis Nicoll
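One way to check the rule set and its companion sysctls before (and after) a reboot, as an added example that is not from this thread: it assumes the idtype:id:protocol:port rule syntax and the net.inet.ip.portrange.reservedlow/reservedhigh, port_high and enabled settings described in mac_portacl(4) and the FreeBSD Handbook, which persist only when put in /etc/sysctl.conf (with mac_portacl_load="YES" in /boot/loader.conf).

```shell
#!/bin/sh
# Added example, not from the thread. Checks a mac_portacl rule string
# (the value of security.mac.portacl.rules) against the TCP ports a uid
# must bind, plus the companion sysctls mac_portacl(4) documents.
# Assumed rule syntax: idtype:id:protocol:port, comma-separated.

# portacl_missing RULES UID PORT... -> prints ports lacking a uid:UID:tcp:PORT rule
portacl_missing() {
    rules=$1; uid=$2; shift 2
    missing=""
    for port in "$@"; do
        found=0
        oldifs=$IFS; IFS=,
        for r in $rules; do
            [ "$r" = "uid:$uid:tcp:$port" ] && found=1
        done
        IFS=$oldifs
        [ "$found" -eq 0 ] && missing="$missing $port"
    done
    printf '%s' "${missing# }"
}

# portacl_sysctls_ok RESERVEDLOW RESERVEDHIGH PORT_HIGH ENABLED -> 0 when the
# kernel's own reserved-port check is off (both 0), the module covers ports
# up to at least 1023, and it is enabled; otherwise the rules never get a say.
portacl_sysctls_ok() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -ge 1023 ] && [ "$4" -eq 1 ]
}

# live_check UID PORT... -> reads the running values (FreeBSD only)
live_check() {
    uid=$1; shift
    portacl_sysctls_ok "$(sysctl -n net.inet.ip.portrange.reservedlow)" \
        "$(sysctl -n net.inet.ip.portrange.reservedhigh)" \
        "$(sysctl -n security.mac.portacl.port_high)" \
        "$(sysctl -n security.mac.portacl.enabled)" \
        || echo "companion sysctls not set: portacl cannot decide ports below 1024"
    m=$(portacl_missing "$(sysctl -n security.mac.portacl.rules)" "$uid" "$@")
    [ -z "$m" ] || echo "no portacl rule for uid $uid on tcp port(s): $m"
}

# Constructed sample mirroring the thread's rule set, with port 465 left out
SAMPLE='uid:25:tcp:25,uid:25:tcp:587'
portacl_missing "$SAMPLE" 25 25 465 587   # prints: 465
echo
```

Run `live_check 25 25 465 587` on the jail host to compare the running sysctls with the three DAEMON_OPTIONS ports after a reboot.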