Mails from jails
Ernst de Haan
znerd at FreeBSD.org
Fri Jul 27 13:08:07 UTC 2007
Alexander,
> In my jails at home I configured sendmail with a smarthost
> (respectively a msp for the submit.mc) and use
> sendmail_enable="NO"
> sendmail_submit_enable="YES"
> in rc.conf.
But this means you are running sendmail in each and every jail, right?
Isn't it better to keep the services per jail to a minimum, excluding
services that are not necessarily required? Now you have the
much-exploited sendmail daemon running in every jail.
I haven't found a complete solution yet, but I would expect to be
able to run an (E)SMTP daemon in one jail, listening only to
127.0.0.x (not on the external interface), allowing only connections
from 127.0.0.255. However, I just noticed in the rc.sendmail(8) man
page that it indicates this will not work:
http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8
Then all the other jails could just run sSMTP, connecting to the
ESMTP service on the mail-jail, without AUTH (SASL) and SSL, just
plain old SMTP.
> My smarthost is postfix in another jail and it delivers via
> TLS+sasl to a box with an official and static IP which is responsible
> for the final delivery.
So does the postfix daemon listen to an internal network address
(127.0.0.x)? If so, this comes pretty close to what I'm looking for.
Cheers,
Ernst