opensmtpd chroot success ;)


opensmtpd chroot success ;)

ramrunner
Hey list!
a) opensmtpd kicks ass! Thanks!
b) I managed to chroot it (didn't find that on any list though), so here is a short description.
   I have the following setup:
   a chrooted sshd running on a high port that auths some jailed users.
   I wanted to make the smtpd that runs outside the chroot deliver mails inside, but
   got stuck in a procmailrc hell. So I figured, why not chroot the whole smtpd?
c) Files you need in the chroot: /etc/hosts, /etc/resolv.conf, /etc/mail/, /etc/mail.rc (for the mail command),
   and binaries: procmail, smtpd, smtpctl, sendmail (and mutt for me),
   also in libexec: libexec/smtpd/, libexec/lockspool, libexec/mail.local.

What do you think of the setup idea?
Also, if you want a how-to along with some scripts that keep binaries up-to-date in the chroot, I will be happy to post.
Thanks :)
DsP
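The post lists the files and binaries the chroot needs and mentions scripts that keep the chroot's copies current. Below is an added example of such a script (it is not the poster's script and not part of OpenSMTPD): it copies each listed file into the chroot at the same path, pulls in the shared libraries ldd reports for each binary, and refreshes only the copies that are missing or differ from the host. The chroot location /var/chroot/smtpd and the absolute paths of the binaries are assumptions; adjust them to your installation.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenSMTPD.
# Populate a chroot with the files the post lists and keep them in sync.
set -e

# Files the post says the chroot needs (paths are assumptions; adjust them).
CHROOT_FILES="/etc/hosts /etc/resolv.conf /etc/mail /etc/mail.rc
/usr/sbin/smtpd /usr/sbin/smtpctl /usr/sbin/sendmail
/usr/local/bin/procmail /usr/libexec/lockspool /usr/libexec/mail.local"

# Copy one host file or directory into the chroot at the same path,
# preserving mode and timestamps and creating parent directories.
install_into_chroot() {
    chroot="$1"; src="$2"
    mkdir -p "$chroot$(dirname "$src")"
    if [ -d "$src" ]; then
        mkdir -p "$chroot$src"
        cp -Rp "$src/." "$chroot$src"
    else
        cp -p "$src" "$chroot$src"
    fi
}

# Shared libraries a dynamically linked binary needs.  ldd's output format
# differs between systems, so only absolute paths are picked out; a
# statically linked binary (or a non-binary) yields nothing.
shared_libs() {
    ldd "$1" 2>/dev/null | grep -o '/[^[:space:]]*' | sort -u || true
}

# Print the host paths whose chroot copy is missing or differs from the
# host copy.  This is the "is the chroot up to date?" check.
stale_files() {
    chroot="$1"; shift
    for f in "$@"; do
        if [ ! -e "$chroot$f" ] || ! diff -rq "$f" "$chroot$f" >/dev/null 2>&1; then
            echo "$f"
        fi
    done
}

# Reinstall every stale listed file together with its shared libraries.
# Paths are split on whitespace, so they must not contain spaces.
sync_chroot() {
    chroot="$1"; shift
    for f in $(stale_files "$chroot" "$@"); do
        install_into_chroot "$chroot" "$f"
        for lib in $(shared_libs "$f"); do
            if [ -n "$(stale_files "$chroot" "$lib")" ]; then
                install_into_chroot "$chroot" "$lib"
            fi
        done
    done
}

# Usage: ./sync-chroot.sh --sync [/path/to/chroot]   (run as root, e.g. from cron)
if [ "${1:-}" = "--sync" ]; then
    sync_chroot "${2:-/var/chroot/smtpd}" $CHROOT_FILES
fi
```

Run it from cron after package upgrades so the chroot's smtpd, procmail and the libraries they link against never lag behind the host copies; a stale libc inside the chroot is exactly the kind of thing that quietly undoes the security you were after.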


Re: opensmtpd chroot success ;)

Gilles Chehade-7
On 10/9/2010 9:11 PM, ramrunner wrote:
> Hey list!
> a) opensmtpd kicks ass! Thanks!
> b) I managed to chroot it (didn't find that on any list though), so here is a short description.
>    I have the following setup:
>    a chrooted sshd running on a high port that auths some jailed users.
>    I wanted to make the smtpd that runs outside the chroot deliver mails inside, but
>    got stuck in a procmailrc hell. So I figured, why not chroot the whole smtpd?
Just for the record, there's not a lot of benefit from chrooting the whole smtpd, as all processes that are exposed to user input are chrooted. The only processes that are not chrooted are those that open mailboxes/maildirs/external MDAs or that do lookups.

> c) Files you need in the chroot: /etc/hosts, /etc/resolv.conf, /etc/mail/, /etc/mail.rc (for the mail command),
>    and binaries: procmail, smtpd, smtpctl, sendmail (and mutt for me),
>    also in libexec: libexec/smtpd/, libexec/lockspool, libexec/mail.local.
>
> What do you think of the setup idea?
Not much, outside of the fun and educational factor ;-)

Gilles