Date: Fri, 27 Jul 2007 08:19:52 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Ernst de Haan <znerd@FreeBSD.org>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Mails from jails
Message-ID: <20070727081952.wessjbs9vk00wk80@webmail.leidinger.net>
In-Reply-To: <F3EEF171-8B44-47CC-AF0B-8012D8D3D362@FreeBSD.org>
References: <F3EEF171-8B44-47CC-AF0B-8012D8D3D362@FreeBSD.org>
Quoting Ernst de Haan <znerd@FreeBSD.org> (from Thu, 26 Jul 2007 23:15:20 +0200):

> I want to restrict my jail sandboxes to sending mail only. Could anyone
> give me some advice? This is for a web-/applicationserver that needs to
> be able to send mail, but should never be running any mail service on
> external network interfaces.
>
> My preference is a minimalistic approach; I was thinking of creating
> one specialized sandbox that only provides mail sending functionality
> for the other sandboxes:
> - make it listen for SMTP connections on the loopback device
>   (e.g. 127.0.0.5), only allowing incoming connections from
>   the other sandboxes (127.0.0.255);
> - forward the mail to a 'real' SMTP server using mail/ssmtp,
>   via a secure (SSL) connection, with authentication;
>
> Does anyone have experience with such an approach? If so, what would
> you use for the SMTP forwarding? Any advice?

In my jails at home I configured sendmail with a smarthost
(respectively a msp for the submit.mc) and use

  sendmail_enable="NO"
  sendmail_submit_enable="YES"

in rc.conf.

My smarthost is postfix in another jail and it delivers via TLS+sasl
to a box with an official and static IP which is responsible for the
final delivery.

Bye,
Alexander.

-- 
Fact is solidified opinion.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
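
An added example, not part of the original message: a POSIX sh check that a jail's rc.conf carries the two settings quoted in the reply, honouring rc.conf's last-assignment-wins rule and ignoring commented-out lines. The function names are hypothetical, and treating an unset variable as a failure (rather than consulting /etc/defaults/rc.conf) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original message): audit a jail's rc.conf for
# the send-only sendmail settings quoted in the reply.

# rc_value FILE VAR: print the effective (last) value assigned to VAR,
# lowercased and with quotes stripped. Prints nothing if VAR is not set
# in FILE. Commented-out assignments do not match.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# audit_send_only FILE: return 0 when sendmail_enable is NO and
# sendmail_submit_enable is YES; otherwise print the reason and return 1.
# Assumption: both settings must be explicit in FILE; defaults are not read.
audit_send_only() {
    daemon=$(rc_value "$1" sendmail_enable)
    submit=$(rc_value "$1" sendmail_submit_enable)
    if [ "$daemon" != "no" ]; then
        echo "FAIL: sendmail_enable is '${daemon:-unset}', expected NO"
        return 1
    fi
    if [ "$submit" != "yes" ]; then
        echo "FAIL: sendmail_submit_enable is '${submit:-unset}', expected YES"
        return 1
    fi
    echo "OK: send-only sendmail configuration"
}

# Constructed sample: an older line later overridden by the quoted settings.
sample=$(mktemp)
printf '%s\n' 'sendmail_enable="YES"' \
    'sendmail_enable="NO"   # inbound daemon off' \
    'sendmail_submit_enable="YES"' > "$sample"
audit_send_only "$sample"
rm -f "$sample"
```
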