2

I have FreeBSD 10.2 and I'm using several Jails, one of them has Postfix installed.

I want my other jails and my host system to use the local Postfix installation in the Jail. They should use sendmail to submit their mails to the Postfix Jail.

What would be the proper setup in the other Jails and the Host?

I already can send mails from within the Postfix jail and the host.

In the Host I have set in /etc/mail/mailertable:

```
xxx.yy  smtp:mail.xxx.yy
*.xxx.yy    smtp:mail.xxx.yy
```

I also have a /etc/mail/sendmail.mc (which I'm not sure if I will really need it and if it's correct though) in the host:

```
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
OSTYPE(freebsd6)dnl
DOMAIN(generic)dnl
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')dnl
FEATURE(blacklist_recipients)dnl
FEATURE(local_lmtp)dnl
FEATURE(mailertable, `hash -o /etc/mail/mailertable')dnl
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')dnl
define(`SMART_HOST', `[10.0.0.3]')dnl
define(`MAIL_HUB', `[10.0.0.3]')dnl
MASQUERADE_AS(`xxx.yy')dnl
FEATURE(`masquerade_envelope')dnl
GENERICS_DOMAIN(host.xxx.yy HOST)dnl
FEATURE(genericstable)dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl
DAEMON_OPTIONS(`Name=IPv4, Family=inet')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`confNO_RCPT_ACTION', `add-to-undisclosed')dnl
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl
define(`confDONT_PROBE_INTERFACES',`True')dnl
define(`confDEF_CHAR_SET',`ISO-8859-1')dnl
MAILER(local)dnl
MAILER(smtp)dnl
```

In the jails I have set sendmail_enable="NO" in rc.conf

However, when I try to send an email from a jail I get:

```
Jan  5 12:54:52 push sendmail[83676]: u05BsqB6083676: from=root, size=55, class=0, nrcpts=1, msgid=<201601051154.u05BsqB6083676@push.xxx.yy>, relay=root@localhost
Jan  5 12:54:52 push sm-mta[83677]: STARTTLS=server, relay=push [10.0.0.12], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan  5 12:54:52 push sendmail[83676]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan  5 12:54:52 push sm-mta[83677]: u05Bsq42083677: from=<root@push.xxx.yy>, size=404, class=0, nrcpts=1, msgid=<201601051154.u05BsqB6083676@push.xxx.yy>, proto=ESMTP, daemon=Daemon0, relay=push [10.0.0.12]
Jan  5 12:54:52 push sendmail[83676]: u05BsqB6083676: to=mail@xxx.yy, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30055, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (u05Bsq42083677 Message accepted for delivery)
Jan  5 12:54:52 push sm-mta[83679]: u05Bsq42083677: to=<mail@xxx.yy>, ctladdr=<root@push.xxx.yy> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30404, relay=mail.xxx.yy. [XX.XX.XX.XX], dsn=4.0.0, stat=Deferred: Connection refused by mail.xxx.yy.
```

In the Postfix jail I don't get any logs about this.

basbebe
  • change your mailertable entry from `*.xxx.yy smtp:mail.xxx.yy` to `.xxx.yy smtp:mail.xxx.yy` [It is a minor loosely related configuration bug] – AnFi Jan 05 '16 at 15:11

2 Answers

0

In your postfix jail, use sockstat to verify that postfix is listening where you expect it to be:

```
[root@postfix /]# sockstat | grep :25
root     master     1947  13 tcp4   172.16.15.58:25       *:*
```

In this case, you can see that postfix in this jail is listening on IP address 172.16.15.58, port 25. Now you just need to configure the host and other jails to forward their messages to postfix.

Sendmail is overkill for such a task; use ssmtp instead. Configuration is very easy:

```
# cat /usr/local/etc/ssmtp/ssmtp.conf | grep -v ^#
root=matt@example.com
mailhub=172.16.15.58
```

and then disable sendmail entirely:

```
sysrc sendmail_enable=NONE
```
Matt Simerson
  • sSMTP has been unmaintained since 2019: https://wiki.debian.org/sSMTP – basbebe Mar 28 '22 at 05:02
  • So it appears. The link you offer is to the debian port of ssmtp. The FreeBSD port which I referenced is still maintained and almost as importantly, it works well. – Matt Simerson Mar 28 '22 at 16:39
  • The Debian source is what is being referenced by the ports system: https://www.freshports.org/mail/ssmtp/ There is also the info that the port currently doesn’t have a maintainer. – basbebe Mar 28 '22 at 18:02
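
A check for the step in the answer above, as an added example that is not part of the original answer: given `sockstat` output from the Postfix jail and the `mailhub` address the clients use, it reports whether port 25 is bound on that address, on the wildcard, or only on some other address. The function names are illustrative, the sample input is the `sockstat` line and `ssmtp.conf` shown in the answer, and 10.0.0.3 is used as a hypothetical second client setting.

```sh
#!/bin/sh
# Added example. Sample input copied from the answer above.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     1947  13 tcp4   172.16.15.58:25       *:*
EOF
}
sample_ssmtp_conf() {
cat <<'EOF'
root=matt@example.com
mailhub=172.16.15.58
EOF
}

# Print the mailhub host from an ssmtp.conf read on stdin (any :port removed).
mailhub_of() {
    awk -F= '/^[ \t]*mailhub[ \t]*=/ {
        v = $2; gsub(/[ \t]/, "", v); sub(/:[0-9]+$/, "", v); print v; exit
    }'
}

# Read sockstat output on stdin and classify the SMTP listeners against $1:
#   exact     port 25 is bound on that address
#   wildcard  port 25 is bound on *
#   mismatch  port 25 is bound, but only on the other addresses listed
#   none      nothing is listening on port 25
smtp_bind_status() {
    awk -v want="$1" '
    $5 ~ /^tcp/ && $7 == "*:*" && $6 ~ /:25$/ {
        host = $6; sub(/:25$/, "", host)
        if (host == want) exact = 1
        else if (host == "*") wild = 1
        else others = others " " host
    }
    END {
        if (exact) print "exact"
        else if (wild) print "wildcard"
        else if (others != "") print "mismatch" others
        else print "none"
    }'
}

hub=$(sample_ssmtp_conf | mailhub_of)
echo "mailhub $hub: $(sample_sockstat | smtp_bind_status "$hub")"
# A client pointed at 10.0.0.3 (hypothetical) would find no listener there.
echo "10.0.0.3: $(sample_sockstat | smtp_bind_status 10.0.0.3)"
```

On a live system, feed it `sockstat -4 -l` run inside the Postfix jail instead of the sample.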
0

Fix your Postfix jail. Not having logs is an error in itself.

Also your log says Connection refused by mail.xxx.yy -- so your relay setup seems to be working but you cannot connect to Postfix. Maybe it does not bind to the right IP?

mschuett
  • I get logs by Postfix, just not about these mails from jails. What would I set / how do I check what IPs Postfix binds to? – basbebe Jan 05 '16 at 12:08
  • Postfix uses `inet_interfaces = all` by default, basically meaning bind to 0.0.0.0. -- This does not work in a FreeBSD jail, so use `inet_interfaces = 10.0.0.x` instead. – mschuett Jan 05 '16 at 12:25
  • I changed `inet_interfaces` to a specific IPv4 and IPv6 address but the situation hasn't changed… – basbebe Jan 05 '16 at 13:28
  • Also, could it be that sendmail in the jail tries to reach the postfix jail via its external IP address ([XX.XX.XX.XX])? Why so? Maybe then it could be a firewall problem. But I don't get why it wouldn't connect directly… – basbebe Jan 05 '16 at 13:42
  • You wrote in your mailertable `smtp:mail.xxx.yy`. -- I assume that resolves to an external address? For troubleshooting you could try to override DNS resolution via /etc/hosts, but for a clean setup I would advise to run postfix on both internal and external IPs (then you can also have different restrictions on internal and external mail). – mschuett Jan 05 '16 at 14:11
  • Yes, mail.xxx.yy should resolve to an external address. The `inet_interfaces` are now configured to one internal IPv4 address and one external IPv6 address. Without the mailertable in my host I had mx errors. – basbebe Jan 05 '16 at 16:14
  • So, does it work now? – mschuett Jan 06 '16 at 14:09
  • 1
    thanks for asking. I wasn't able to get it running. But I found out about SSMTP and decided to use that since it worked right away like a charm… – basbebe Jan 06 '16 at 14:49
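
The log reading that this answer and its comments rely on, as an added example that is not part of the original thread: it lists each delivery attempt in a sendmail log that did not get a 2.x.x DSN, together with the relay it was handed to and whether that relay is the one you expected. The function name and output format are illustrative, 10.0.0.3 is the `SMART_HOST` value from the question, and the sample lines are copied from the question's log.

```sh
#!/bin/sh
# Added example. Sample lines copied from the log in the question.
sample_log() {
cat <<'EOF'
Jan  5 12:54:52 push sm-mta[83677]: STARTTLS=server, relay=push [10.0.0.12], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256
Jan  5 12:54:52 push sendmail[83676]: u05BsqB6083676: to=mail@xxx.yy, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30055, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (u05Bsq42083677 Message accepted for delivery)
Jan  5 12:54:52 push sm-mta[83679]: u05Bsq42083677: to=<mail@xxx.yy>, ctladdr=<root@push.xxx.yy> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30404, relay=mail.xxx.yy. [XX.XX.XX.XX], dsn=4.0.0, stat=Deferred: Connection refused by mail.xxx.yy.
EOF
}

# Read maillog lines on stdin; $1 is the relay address you expect to be used.
# Output per failed hop: queue-id|mailer|relay|dsn|expected-relay or other-relay|stat
failed_hops() {
    awk -v want="$1" '
    # Return the value of ", key=value" from a sendmail log line.
    function field(line, key,    i, v) {
        i = index(line, ", " key "=")
        if (i == 0) return ""
        v = substr(line, i + length(key) + 3)
        sub(/,.*/, "", v)
        return v
    }
    {
        dsn = field($0, "dsn")
        if (dsn == "" || dsn ~ /^2\./) next   # not a delivery line, or delivered
        qid = $6; sub(/:$/, "", qid)
        relay = field($0, "relay")
        # stat= is the last field and may itself contain commas.
        stat = substr($0, index($0, ", stat=") + 7)
        hop = (index(relay, "[" want "]") > 0) ? "expected-relay" : "other-relay"
        printf "%s|%s|%s|%s|%s|%s\n", qid, field($0, "mailer"), relay, dsn, hop, stat
    }'
}

sample_log | failed_hops 10.0.0.3
```

For the question's log this prints only the `sm-mta` hop to `mail.xxx.yy.`, marked `other-relay`: the local submission to 127.0.0.1 succeeded, and the refused connection went to the mailertable target rather than to 10.0.0.3.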