Re: sendmail without root privs cannot bind.

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Tue, 30 Nov 2021 12:39:09 UTC

On 30/11/2021 7:53 pm, Arthur Chance wrote:
> On 30/11/2021 08:42, Dewayne Geraghty wrote:
>> Today I decided that it was time to move sendmail from root to an
>> unprivileged user.
>>
>> Unfortunately I was blocked by
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 451 4.0.0
>> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied (hold)
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
>> opendaemonsocket: daemon ExtSSL4: cannot bind: Permission denied
>> Nov 30 16:48:19 b3 sm-mta[91296]: daemon ExtSSL4: problem creating SMTP
>> socket
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: --- 421 4.0.0
>> opendaemonsocket: daemon ExtSSL4:
>> server SMTP socket wedged: exiting (hold)
>> Nov 30 16:48:19 b3 sm-mta[91296]: NOQUEUE: SYSERR(smmsp):
>> opendaemonsocket: daemon ExtSSL4: server SMTP socket wedged: exiting
>>
>> which was disappointing.  It almost appears as though the
>> security.mac.portacl.rules isn't being processed, but it is because we
>> also have named and apache running with unpriv'ed accounts.
>>
>> Does anyone have sendmail running without root?  My magical
>> rubber-chicken doesn't seem to be working...
>>
>> How did I get here...
>> 1. Added define(`confTRUSTED_USER', `smmsp')dnl to sendmail.mc
>> 2. changed permissions on /etc/mail /var/spool/mqueue ... to the same user
>> 3. added uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587 to 
>> security.mac.portacl.rules
>> 4. rebooted the box
> It's probably me misunderstanding, but how did you ensure
> security.mac.portacl.rules had those settings after the reboot?
>
Thanks Arthur.  I'm unsure, but I manually stopped sendmail and set
security.mac.portacl.rules, then restarted.  Though I did verify
security.mac.portacl.port_high which needed to be increased to catch
587.  The problem remains elusive and I'm out of ideas.  :(
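
An added example, not part of the original thread: an offline check of the rule string from step 3 against the three settings that decide a non-root bind. It assumes the rule grammar from mac_portacl(4) (`idtype:id:protocol:port`, comma-separated) and that manual page's requirement that protected ports lie outside the range set by net.inet.ip.portrange.reservedlow/reservedhigh. The function names and the gid value are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Rule grammar per mac_portacl(4): idtype:id:protocol:port[,...]
# with idtype uid|gid and protocol tcp|udp.

# portacl_allows RULES UID GID PROTO PORT: exit 0 if any rule matches exactly.
portacl_allows() {
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _rule=${_rest%%,*}      # first rule in the remaining list
        _rest=${_rest#*,}       # drop it and its comma
        case $_rule in
            "uid:$2:$4:$5" | "gid:$3:$4:$5") return 0 ;;
        esac
    done
    return 1
}

# bind_verdict RULES PORT_HIGH RESERVEDHIGH UID GID PROTO PORT
# Prints why a non-root bind would or would not be permitted.
# Assumes net.inet.ip.portrange.reservedlow is 0.
bind_verdict() {
    if [ "$7" -le "$3" ]; then
        # The stock reserved-port check still applies, whatever the rules say.
        echo "denied: port $7 within reserved range (reservedhigh=$3)"
    elif [ "$7" -gt "$2" ]; then
        # mac_portacl only enforces rules up to port_high.
        echo "unmanaged: port $7 above port_high=$2"
    elif portacl_allows "$1" "$4" "$5" "$6" "$7"; then
        echo "allowed: rule matches uid=$4 $6/$7"
    else
        echo "denied: no rule for uid=$4 gid=$5 $6/$7"
    fi
}

# Constructed inputs: the rule string from step 3 of the post, uid 25,
# and an assumed gid of 25. Compare reservedhigh=0 with reservedhigh=1023.
RULES='uid:25:tcp:25,uid:25:tcp:465,uid:25:tcp:587'
for port in 25 465 587; do
    bind_verdict "$RULES" 1023 0 25 25 tcp "$port"
    bind_verdict "$RULES" 1023 1023 25 25 tcp "$port"
done
```

On a live host the three inputs come from `sysctl security.mac.portacl.rules security.mac.portacl.port_high net.inet.ip.portrange.reservedhigh`.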