ispCP - Board - Support
[FreeBSD] Need solutions for a chrooted Postfix & Cron


[FreeBSD] Need solutions for a chrooted Postfix & Cron - BeNe - 03-22-2010 11:17 PM

I have some headaches today because of these problems Big Grin

1.) Postfix & chroot
I described the problem in this post --> http://www.isp-control.net/forum/thread-10039-post-77495.html#pid77495

By default the master.cf for Postfix in FreeBSD isn't chrooted.
But with our ispCP master.cf we do a chroot for the smtp services and get this error:
Code:
Mar 16 14:31:39 root postfix/smtpd[74300]: connect from unknown[192.168.1.31]
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication failure: Password verification failed

So there are two ways now - disable the chroot OR do all the steps needed to get Postfix running in a chroot environment.

The problems in my test of a chrooted Postfix are:
-> Symlinks don't work:
Code:
warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links
-> Hardlinks don't work:
Code:
ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link
Because hardlinks don't work across partitions:
Code:
root# df
Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
/dev/da0s1a    507630  272384   194636    58%    /
devfs               1       1        0   100%    /dev
/dev/da0s1e    507630      26   466994     0%    /tmp
/dev/da0s1f  73169582 2594798 64721218     4%    /usr
/dev/da0s1d   3026574  196064  2588386     7%    /var
linprocfs           4       4        0   100%    /usr/compat/linux/proc

I found this script inside the Postfix sources for a chroot setup under FreeBSD:
Code:
umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
But copying the sasldb2 and the files listed in the script above into the chroot by hand every time makes no sense.

So for now I disabled the chroot so that all mail services work on a FreeBSD machine. We should try to get Postfix back into the chroot in the future, of course.

Can you / we live with that fact? Security problems?
The patch is attached to this post.

2.) Cron
The cron setup that comes with ispCP doesn't work by default under FreeBSD!
During the make and setup we create a "cron.d" folder that has no effect under FreeBSD. *BSD uses /etc/periodic/ for daily/monthly/... or the crontab under /var/cron/tabs/$USER
Code:
root# pwd && ls -l
/etc/periodic
total 8
drwxr-xr-x  2 root  wheel  1024 Nov 21 15:31 daily
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 monthly
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 security
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 weekly
FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to rename the cron file from "ispcp" to "root" and copy it to /var/cron/tabs/root.

Here is my working version:
Code:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
# SHELL is /bin/sh, so redirect with POSIX ">file 2>&1"; bash's "&>" is not understood by sh

# Quota
@daily /usr/local/www/ispcp/engine/quota/ispcp-dsk-quota >/var/log/ispcp/ispcp-dsk-quota.log 2>&1

# Traffic
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-srv-traff >/var/log/ispcp/ispcp-srv-traff.log 2>&1
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff >/var/log/ispcp/ispcp-vrl-traff.log 2>&1
15,45   *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff-correction >/var/log/ispcp/ispcp-vrl-traff-correction.log 2>&1

# customer logs
@daily /usr/local/www/ispcp/engine/tools/ispcp-httpd-logs-mngr >/var/log/ispcp/ispcp-httpd-logs-mngr.log 2>&1

# Backup
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-all yes >/var/log/ispcp/ispcp-backup-all-mngr.log 2>&1
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-ispcp noreport >/var/log/ispcp/ispcp-backup-ispcp-mngr.log 2>&1

# Remove config backups older than seven days
@daily find /usr/local/etc/ispcp/*/backup/* -maxdepth 0 -type f -mtime +7 -print | egrep '.*\.[0-9]+$' | xargs -r /bin/rm

# Remove Daemon Logs older than 14 days (except .gz files)
@daily find /var/log/ispcp/* -maxdepth 1 -type f -mtime +14 -print | egrep '.*\.gz$' | xargs -r /bin/rm

# AWStats
15      */6     *       *       *       /usr/local/www/ispcp/engine/awstats/awstats_updateall.pl now -awstatsprog=/usr/local/www/awstats/cgi-bin/awstats.pl > /dev/null 2>&1

# Rootkit Hunter
0       */12    *       *       *       /usr/local/bin/rkhunter --cronjob --createlogfile /var/log/rkhunter.log.root --display-logfile 1>/var/log/rkhunter.log 2>/dev/null

# Chkrootkit
0       */12    *       *       *       /usr/local/sbin/chkrootkit >/var/log/chkrootkit.log 2>&1

# Look for and purge old sessions every 30 minutes
0,30    *       *       *       *       /usr/local/bin/bash /usr/local/www/ispcp/engine/tools/ispcpphptemp.sh >/dev/null 2>&1

Comments?
Can we do it this way?

Greez BeNe


RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - rbtux - 03-22-2010 11:53 PM

(03-22-2010 11:17 PM)BeNe Wrote:
-> Symlinks don't work:
Code:
warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links
-> Hardlinks don't work:
Code:
ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link
Because hardlinks don't work across partitions

Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2


RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - kilburn - 03-23-2010 12:13 AM

Quote: Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2

+1 Should work (reason: you can not go from inside the chroot to the outside through a symlink, but you *can* access the chrooted files from the outside).

Quote: FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to rename the cron file from "ispcp" to "root" and copy it to /var/cron/tabs/root.

Directly copying files to /var/cron/tabs is not recommended. Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed). Therefore, it would be better to use /etc/crontab (which is available in FreeBSD too). Now, what I don't know is if there's any command in there by default, so that if we replace the file something would be lost...


RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - BeNe - 03-23-2010 12:46 AM

Quote: Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
Of course! I understand - we go the other way Smile
I will try it.
Quote: Directly copying files to /var/cron/tabs is not recommended.
Correct! I did this on my test machine to see if this way *could* work.
In the Install-HowTo I used "crontab -e" and copy & paste.
Quote: Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed).
I know about it, but the funny thing is that we only use "root" in the crons this time.
Yes - there is a /etc/crontab:
Code:
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.33.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour    mday    month   wday    who     command
#
*/5     *       *       *       *       root    /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11    *       *       *       *       operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0       *       *       *       *       root    newsyslog
#
# Perform daily/weekly/monthly maintenance.
1       3       *       *       *       root    periodic daily
15      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
1,31    0-5     *       *       *       root    adjkerntz -a
So we should add our crons here?

Greez BeNe
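A mechanical way to do that conversion, as an added example that is not from the thread or from ispCP: it reads a user-format cron file (like the one in the first post) on stdin and emits /etc/crontab lines with the given user in the "who" column. Because /etc/crontab runs jobs with SHELL=/bin/sh, it also rewrites bash-only "&>file" redirections, which sh does not understand; the function name and the awk approach are the editor's own.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite a "user crontab" (5 time fields
# or an @shortcut, then the command) into FreeBSD /etc/crontab form, which
# carries a "who" column between the schedule and the command.  Because
# /etc/crontab sets SHELL=/bin/sh, bash-only "&>file" redirections are also
# rewritten as ">file 2>&1"; under sh, "cmd &>file" would background cmd and
# log nothing.  Comments, blank lines and VAR=value lines pass through as-is.
#
# usage: to_system_crontab root < ispcp.user-crontab > ispcp.system-crontab
to_system_crontab() {
    awk -v who="$1" '
    function fix_redirect(c,    f) {
        while (match(c, /&>[ \t]*[^ \t]+/)) {
            f = substr(c, RSTART + 2, RLENGTH - 2); sub(/^[ \t]+/, "", f)
            c = substr(c, 1, RSTART - 1) ">" f " 2>&1" substr(c, RSTART + RLENGTH)
        }
        return c
    }
    # comments, blank lines and environment settings: copy verbatim
    /^[ \t]*(#|$)/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { print; next }
    # @daily, @hourly, ...: one schedule field, then the command
    /^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)[ \t]/ {
        cmd = $0; sub(/^[^ \t]+[ \t]+/, "", cmd)
        print $1, who, fix_redirect(cmd); next
    }
    # minute hour mday month wday command...: insert who as the sixth column
    NF >= 6 {
        cmd = $0; sub(/^[ \t]+/, "", cmd)
        for (i = 0; i < 5; i++) sub(/^[^ \t]+[ \t]+/, "", cmd)
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, who, fix_redirect(cmd)
        next
    }
    { print }   # anything else (e.g. a malformed line) is left for the reader
    '
}
```

Review the output before appending it to /etc/crontab; the default FreeBSD entries shown above (atrun, save-entropy, newsyslog, periodic, adjkerntz) must stay in place.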


Ok, it works Smile

The trick is - you have to create two "/etc" folders!
/var/spool/postfix/etc for the system files
Code:
umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
/var/spool/postfix/usr/local/etc/ for the sasldb2
Code:
# mkdir -p /var/spool/postfix/usr/local/etc/
# mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
# ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
If I have only one of the two etc folders, the sasldb2 isn't found OR I get "domain not found" because of the missing resolv.conf

I'm a little bit confused now - but it works this way!
ispCP also updates the sasldb2 fine inside the chroot from outside.
But could that be because of those etc folders?

If so - can we create, copy and link this during the make install?

Greez BeNe