[FreeBSD] Need solutions for a chrooted Postfix & Cron - BeNe - 03-22-2010 11:17 PM
I have some headaches today because of these problems
1.) Postfix & chroot
I described the problem here in this Post --> http://www.isp-control.net/forum/thread-10039-post-77495.html#pid77495
Per default the master.cf for Postfix in FreeBSD isn't chrooted.
But with our ispCP master.cf we do a chroot for the smtp services, which produces this error:
Code:
Mar 16 14:31:39 root postfix/smtpd[74300]: connect from unknown[192.168.1.31]
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication failure: Password verification failed
So there are two ways now - disable chroot OR do all the steps needed to get Postfix running in a chroot environment.
The problems in my test for a chrooted Postfix are:
-> Symlinks don't work:
Code:
warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links
-> Hardlinks don't work:
Code:
ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link
Because hardlinks don't work across partitions:
Code:
root# df
Filesystem   1K-blocks    Used    Avail Capacity  Mounted on
/dev/da0s1a     507630  272384   194636    58%    /
devfs                1       1        0   100%    /dev
/dev/da0s1e     507630      26   466994     0%    /tmp
/dev/da0s1f   73169582 2594798 64721218     4%    /usr
/dev/da0s1d    3026574  196064  2588386     7%    /var
linprocfs            4       4        0   100%    /usr/compat/linux/proc
I found this script inside the Postfix sources for a chroot-setup under FreeBSD:
Code:
umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
But copying the sasldb2 and the files listed in the script above into the chroot manually every time makes no sense.
So, for the first time, I disabled the chroot so that all mail services work on a FreeBSD machine. We should try to get Postfix back into the chroot in the future, of course.
Can you / we live with that fact? Security problems?
The patch is appended at this Post.
2.) Cron
The cron that comes with ispCP doesn't work per default under FreeBSD!
During the make and setup we create a "cron.d" folder that has no effect under FreeBSD. *BSD uses /etc/periodic/ for daily/monthly/... or the cron under /var/cron/tabs/$USER$
Code:
root# pwd && ls -l
/etc/periodic
total 8
drwxr-xr-x  2 root  wheel  1024 Nov 21 15:31 daily
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 monthly
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 security
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 weekly
FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to change the name for the Cron-File from "ispcp" to "root" and copy them under /var/cron/tabs/root.
Here is my working Version:
Code:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
# Note: FreeBSD's /bin/sh does not know bash's "&>" redirection (it would
# background the command and create an empty file), so ">file 2>&1" is used.
# Quota
@daily /usr/local/www/ispcp/engine/quota/ispcp-dsk-quota >/var/log/ispcp/ispcp-dsk-quota.log 2>&1
# Traffic
0,30 * * * * /usr/local/www/ispcp/engine/traffic/ispcp-srv-traff >/var/log/ispcp/ispcp-srv-traff.log 2>&1
0,30 * * * * /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff >/var/log/ispcp/ispcp-vrl-traff.log 2>&1
15,45 * * * * /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff-correction >/var/log/ispcp/ispcp-vrl-traff-correction.log 2>&1
# customer logs
@daily /usr/local/www/ispcp/engine/tools/ispcp-httpd-logs-mngr >/var/log/ispcp/ispcp-httpd-logs-mngr.log 2>&1
# Backup
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-all yes >/var/log/ispcp/ispcp-backup-all-mngr.log 2>&1
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-ispcp noreport >/var/log/ispcp/ispcp-backup-ispcp-mngr.log 2>&1
# Remove config backups older than seven days
@daily find /usr/local/etc/ispcp/*/backup/* -maxdepth 0 -type f -mtime +7 -print | egrep '.*\.[0-9]+$' | xargs -r /bin/rm
# Remove Daemon Logs older than 14 days (except .gz files)
@daily find /var/log/ispcp/* -maxdepth 1 -type f -mtime +14 -print | egrep '.*\.gz$' | xargs -r /bin/rm
# AWStats
15 */6 * * * /usr/local/www/ispcp/engine/awstats/awstats_updateall.pl now -awstatsprog=/usr/local/www/awstats/cgi-bin/awstats.pl > /dev/null 2>&1
# Rootkit Hunter
0 */12 * * * /usr/local/bin/rkhunter --cronjob --createlogfile /var/log/rkhunter.log.root --display-logfile 1>/var/log/rkhunter.log 2>/dev/null
# Chkrootkit
0 */12 * * * /usr/local/sbin/chkrootkit >/var/log/chkrootkit.log 2>&1
# Look for and purge old sessions every 30 minutes
0,30 * * * * /usr/local/bin/bash /usr/local/www/ispcp/engine/tools/ispcpphptemp.sh >/dev/null 2>&1
Comments ?
Can we do it this way ?
Greez BeNe
RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - rbtux - 03-22-2010 11:53 PM
(03-22-2010 11:17 PM)BeNe Wrote: -> Symlinks don't work:
Code:
warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links
-> Hardlinks don't work:
Code:
ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link
Because hardlinks don't work across partitions:
Try
mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - kilburn - 03-23-2010 12:13 AM
Quote: Try
mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
+1 Should work (reason: you can not go from inside the chroot to the outside through a symlink, but you *can* access the chrooted files from the outside).
Quote:FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to change the name for the Cron-File from "ispcp" to "root" and copy them under /var/cron/tabs/root.
Directly copying files to /var/cron/tabs is not recommended. Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed). Therefore, it would be better to use /etc/crontab (which is available in FreeBSD too). Now, what I don't know is if there's any command in there by default, so that if we replace the file something would be lost...
RE: [FreeBSD] Need solutions for a chrooted Postfix & Cron - BeNe - 03-23-2010 12:46 AM
Quote: Try
mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
Of course! I understand - we go the other way
I will try it.
Quote: Directly copying files to /var/cron/tabs is not recommended.
Correct! I did this on my test machine to see if this way *could* work.
In the Install-HowTo I used "crontab -e" and copy & paste.
Quote: Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed).
I know about it, but the funny thing is that we only use "root" in the crons this time.
Yes - there is a /etc/crontab:
Code:
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.33.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour mday month wday who command
#
*/5 * * * * root /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11 * * * * operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0 * * * * root newsyslog
#
# Perform daily/weekly/monthly maintenance.
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time. See adjkerntz(8) for details.
1,31 0-5 * * * root adjkerntz -a
So we should add our crons here ?
Greez BeNe
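The difference kilburn points out above is a sixth "who" field: /var/cron/tabs/root is a per-user crontab (five time fields or an @shortcut, then the command), while /etc/crontab expects the user name before the command. As an added example (not from the thread or from ispCP), this sh function rewrites the per-user crontab posted above into /etc/crontab format; `to_system_crontab` and its argument are assumed names.

```sh
#!/bin/sh
# Added example, not part of the thread. Converts a per-user crontab read on
# stdin into the /etc/crontab "system" format by inserting the "who" field
# (default: root) before the command. Comment lines, blank lines and
# VAR=value lines pass through unchanged.
#   usage: to_system_crontab root < /var/cron/tabs/root
to_system_crontab() {
    who=${1:-root}
    awk -v who="$who" '
        # comments, blank lines and environment assignments: copy as-is
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ { print; next }
        # @daily, @hourly, ...: the "who" field goes right after the shortcut
        /^[ \t]*@/ {
            sub(/^[ \t]*@[A-Za-z]+[ \t]+/, "&" who " ")
            print
            next
        }
        # five time fields, then "who", then the untouched command text
        {
            cmd = $0
            for (i = 1; i <= 5; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
            print $1, $2, $3, $4, $5, who, cmd
        }'
}
```

Lines that already carry a user field (an existing /etc/crontab) must not be passed through it a second time, so run it only on the per-user file.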
Ok, it works
The trick is - you have to create two "/etc" folders!
/var/spool/postfix/etc for the system files
Code:
umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
/var/spool/postfix/usr/local/etc/ for the sasldb2
Code:
# mkdir -p /var/spool/postfix/usr/local/etc/
# mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
# ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2
If I have only one of the two etc folders, the sasldb2 isn't found OR I get "domain not found" because of the missing resolv.conf.
I'm a little bit confused now - but it works this way!
ispCP also updates the sasldb2 fine inside the chroot from outside.
But could that be with those etc folders?
If so - we can create, copy and link this during the make install ?
Greez BeNe
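The two-folder setup from the last post and kilburn's reasoning (a symlink can only be followed from outside the chroot into it, never the other way round), as an added example that is not part of the thread or of ispCP: `setup_postfix_chroot` builds both etc trees and moves sasldb2 inside, and `sasldb_link_ok` checks that the symlink points into the chroot. Function names and the path parameters are assumptions so the script can be exercised in a scratch directory; on a real box it would be called as `setup_postfix_chroot /var/spool/postfix /etc /usr/local/etc`.

```sh
#!/bin/sh
# Added example, not from the thread. All paths are parameters so the
# functions can be tried in a scratch directory instead of the live system.

# 1) $chroot_dir/etc gets copies of the resolver/service files smtpd needs;
# 2) sasldb2 is moved INTO the chroot and a symlink is left at the old place
#    pointing at it. A link in the other direction (inside -> outside) cannot
#    be resolved by the chrooted process ("Too many levels of symbolic links").
setup_postfix_chroot() {
    chroot_dir=$1; sys_etc=$2; local_etc=$3
    umask 022
    mkdir -p "$chroot_dir/etc" "$chroot_dir/usr/local/etc"
    chmod 755 "$chroot_dir/etc"
    for f in host.conf localtime services resolv.conf; do
        if [ -e "$sys_etc/$f" ]; then
            cp "$sys_etc/$f" "$chroot_dir/etc/$f"
        fi
    done
    # only move a real file; a second run must not chase the symlink
    if [ -f "$local_etc/sasldb2" ] && [ ! -L "$local_etc/sasldb2" ]; then
        mv "$local_etc/sasldb2" "$chroot_dir/usr/local/etc/sasldb2"
        ln -s "$chroot_dir/usr/local/etc/sasldb2" "$local_etc/sasldb2"
    fi
}

# Returns 0 when the symlink $2 points to a regular file inside $1, i.e. the
# chrooted smtpd sees it at the same path relative to the chroot; 1 otherwise.
sasldb_link_ok() {
    chroot_dir=$1; link=$2
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    case "$target" in
        "$chroot_dir"/*)
            rel=${target#"$chroot_dir"}      # path as seen from inside
            [ -f "$chroot_dir$rel" ] ;;
        *) return 1 ;;
    esac
}
```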