[FreeBSD] Need solutions for a chrooted Postfix & Cron

[BeNe]

I have some headaches today because of these problems

1.) Postfix & chroot
I described the problem here in this Post --> http://www.isp-control.net/forum/thread-...l#pid77495

Per default the master.cf for Postfix in FreeBSD isn´t chrooted.
But with our ispCP master.cf we do a chroot for the smtp services and create this Error:

Code:

Mar 16 14:31:39 root postfix/smtpd[74300]: connect from unknown[192.168.1.31]
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication failure: Password verification failed

So there are two ways now - disable chroot OR create all needed steps to get postfix running in a chroot enviroment.

The problem in my test for a chrooted Postfix are:
-> Symlinks doesn´t work:

Code:

warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links

-> Hardlink doesn´t work:

Code:

ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link

Becaus Hardlinks doesn´t work over a Partition

Code:

root# df
Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
/dev/da0s1a    507630  272384   194636    58%    /
devfs               1       1        0   100%    /dev
/dev/da0s1e    507630      26   466994     0%    /tmp
/dev/da0s1f  73169582 2594798 64721218     4%    /usr
/dev/da0s1d   3026574  196064  2588386     7%    /var
linprocfs           4       4        0   100%    /usr/compat/linux/proc

I found this script inside the Postfix sources for a chroot-setup under FreeBSD:

Code:

umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc

But copy the sasldb2 and the needed files listed in the script above every time manually into the chroot make no sense.

So i disabled the chroot the first time that all Mailservices works on a FreeBSD Machine. We should try to get Postfix back in chroot in the future, of course.

Can you / we life with that fact ? Security problems ?
The patch is appended at this Post.

2.) Cron
The Cron that comes with ispCP doesn´t work per default under FreeBSD!
During the make and setup we create a "cron.d" folder that has no effect under FreeBSD. *BSD uses /etc/periodics/ for daily/montly/... or the cron under /var/cron/tabs/$USER$

Code:

root# pwd && ls -l
/etc/periodic
total 8
drwxr-xr-x  2 root  wheel  1024 Nov 21 15:31 daily
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 monthly
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 security
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 weekly

FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to change the name for the Cron-File from "ispcp" to "root" and copy them under /var/cron/tabs/root.

Here is my working Version:

Code:

HELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log

# Quota
@daily /usr/local/www/ispcp/engine/quota/ispcp-dsk-quota &>/var/log/ispcp/ispcp-dsk-quota.log

# Traffic
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-srv-traff &>/var/log/ispcp/ispcp-srv-traff.log
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff &>/var/log/ispcp/ispcp-vrl-traff.log
15,45    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff-correction &>/var/log/ispcp/ispcp-vrl-traff-correction.log

# customer logs
@daily /usr/local/www/ispcp/engine/tools/ispcp-httpd-logs-mngr &>/var/log/ispcp/ispcp-httpd-logs-mngr.log

# Backup
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-all yes &>/var/log/ispcp/ispcp-backup-all-mngr.log
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-ispcp noreport &>/var/log/ispcp/ispcp-backup-ispcp-mngr.log

# Remove config backups older than seven days
@daily find /usr/local/etc/ispcp/*/backup/* -maxdepth 0 -type f -mtime +7 -print | egrep .*\.[0-9]+$' | xargs -r /bin/rm

# Remove Daemon Logs older than 14 days (except .gz files)
@daily find /var/log/ispcp/* -maxdepth 1 -type f -mtime +14 -print | egrep '.*\.gz$' | xargs -r /bin/rm

# AWStats
15      */6     *       *       *       /usr/local/www/ispcp/engine/awstats/awstats_updateall.pl now -awstatsprog=/usr/local/www/awstats/cgi-bin/awstats.pl > /dev/null 2>&1

# Rootkit Hunter
0       */12    *       *       *       /usr/local/bin/rkhunter --cronjob --createlogfile /var/log/rkhunter.log.root --display-logfile 1>/var/log/rkhunter.log 2>/dev/null

# Chkrootkit
0       */12    *       *       *       /usr/local/sbin/chkrootkit &> /var/log/chkrootkit.log

# Look for and purge old sessions every 30 minutes
0,30    *       *       *       *       /usr/local/bin/bash /usr/local/www/ispcp/engine/tools/ispcpphptemp.sh >/dev/null 2>&1

Comments ?
Can we do it this way ?

Greez BeNe

[rbtux]

(03-22-2010 11:17 PM)BeNe Wrote:  -> Symlinks doesn´t work:

Code:

warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links

-> Hardlink doesn´t work:

Code:

ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link

Becaus Hardlinks doesn´t work over a Partition

Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2

[kilburn]

Quote:Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2

+1 Should work (reason: you can not go from inside the chroot to the outside through a symlink, but you *can* access the chrooted files from the outside).

Quote:FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to change the name for the Cron-File from "ispcp" to "root" and copy them under /var/cron/tabs/root.

Directly copying files to /var/cron/tabs is not recommended. Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed). Therefore, it would be better to use /etc/crontab (which is available in FreeBSD too). Now, what I don't know is if there's any command in there by default, so that if we replace the file something would be lost...

[BeNe]

Quote:Try

mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2

Of course! I understand - we go the other way
I will try it.

Quote:Directly copying files to /var/cron/tabs is not recommended.

Correct! I did this on my Testmachine to see if this way *could* work.
In the Install-HowTo i used "crontab -e" and copy & paste.

Quote:Additionally, /var/cron/tabs/root follows the "user crontab" format (you can not specify the user as which the command will be executed).

I know about it, but the funny thing is that we only use "root" in the crons this time.
Yes - there is a /etc/crontab:

Code:

# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.33.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour    mday    month   wday    who     command
#
*/5     *       *       *       *       root    /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11    *       *       *       *       operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0       *       *       *       *       root    newsyslog
#
# Perform daily/weekly/monthly maintenance.
1       3       *       *       *       root    periodic daily
15      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
1,31    0-5     *       *       *       root    adjkerntz -a

So we should add our crons here ?

Greez BeNe

---

Ok, it works

The trick is - you have to create two "/etc" folders!
/var/spool/postfix/etc for the system files

Code:

umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc

/var/spool/postfix/usr/local/etc/ for the sasldb2

Code:

# mkdir -p /var/spool/postfix/usr/local/etc/
# mv /usr/local/etc/sasldb2 /var/spool/postfix/usr/local/etc/sasldb2
# ln -s /var/spool/postfix/usr/local/etc/sasldb2 /usr/local/etc/sasldb2

If i have only one of both etc-folder the sasldb2 isn´t found OR i get domain not found because of the missing resolv.conf

I´m a littebit confused now - but it works this way!
ispCP also updates the sasldb2 fine inside the chroot from extern.
But could that be with that etc-Folders ?

If so - we can create, copy and link this during the make install ?

Greez BeNe