Solved How to send an email from inside a jail?

Situation:
FreeBSD 14.1, small server, no desktop.
On the host I use a sendmail server (MTA) for email. I also send emails that go to root to my private email address, like the "daily security run output" messages.
There is a jail with a web server. Inside the jail only dma (DragonFly Mail Agent) from FreeBSD is installed. The jail communicates with the host via NAT rules and the IPFW firewall: ping and ports 80 and 443 work.
Problem:
I cannot send email from the jail to the outside. I do not want to receive emails inside the jail, but I also want to send messages to my private email address. Or at least get the messages for root and webmaster inside the jail out to the host and then have them sent automatically to my private email address, so I know what's going on inside the jail and not only on the host.
I have tried to configure dma with the settings from the Handbook and port 25. Sending a test email starts, but then I get curious errors in maillog. I remember port 25 is used on the host, and the same port for host and jail can not be used at the same time.
Question:
How to send an email from inside a jail when an email service is also used on the host?
Is there any concept or instruction to configure that?
How does a sysadmin get information from, maybe, a lot of jails without connecting to every one of them and looking inside?

Thanks for your advice!
 
I get curious errors in maillog
Is there some national security issue, or why did you not share them with us? Not only are your errors curious, we are too. Also, reading and understanding error messages is the usual way to resolve problems, after all other methods fail.
same port for host and jail can not be used at the same time
Depends on configuration, but your dma as client would use some random free port to connect to your sendmail on port 25 where it is listening.

You may find the following somewhat tangentially useful: http://www.catb.org/~esr/faqs/smart-questions.html
 
Sorry for my bad English: another word for "curious" is curiously or strange. It is not "longing to know". I would say: the error message does not make sense. It says the server would be blacklisted, but that is not the case: "505 5.7.1 == Message Not Delivered: message sender blocked by receiving server". I have tested it.
The questions still are:
How to send an email from inside a jail on port 25 when an email service is also used on the host, on SMTP port 25?
Is there any concept or instruction to configure that?
How does a sysadmin get information from, maybe, a lot of jails without connecting to every one of them and looking inside?
 
cat /etc/mail/mailer.conf
Code:
# $FreeBSD$
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
# If dma(8) is installed, an example mailer.conf that uses dma(8) instead can
# can be found in /usr/share/examples/dma.
#
sendmail    /usr/libexec/sendmail/sendmail
mailq        /usr/libexec/sendmail/sendmail
newaliases    /usr/libexec/sendmail/sendmail
hoststat    /usr/libexec/sendmail/sendmail
purgestat    /usr/libexec/sendmail/sendmail
 
Sorry for my bad English: another word for "curious" is curiously or strange. It is not "longing to know". I would say: the error message does not make sense. It says the server would be blacklisted, but that is not the case: "505 5.7.1 == Message Not Delivered: message sender blocked by receiving server". I have tested it.
The questions still are:
How to send an email from inside a jail on port 25 when an email service is also used on the host, on SMTP port 25?
Is there any concept or instruction to configure that?
How does a sysadmin get information from, maybe, a lot of jails without connecting to every one of them and looking inside?
Please just copy and paste your configuration and log files here, it will be easier.

We need:
- dma conf from jail
- sendmail conf from host
- maillog log files from both

Also, ifconfig and sockstat -4l output from both could be useful.
 
Thanks for trying to help me. First some info
Jail /etc/mail/mailer.conf
sendmail /usr/libexec/dma
mailq /usr/libexec/dma
newaliases /usr/libexec/dma
rmail /usr/libexec/dma
#
hoststat /usr/libexec/dma
purgestat /usr/libexec/dma
One of the errors in maillog inside the jail was:
using smarthost (smtp.alice.de:25)
trying remote delivery to smtp.alice.de [91.136.8.184] pref 0
remote delivery deferred: SSL handshake failed fatally: error:0A00010B:SSL routines::wrong version number
But now I think I solved it. I have asked Google AI Gemini :) "How to send an email from inside a freebsd jail with DragonFly Mail Agent and sendmail running on the host?" The answer in short:
To send an email from a FreeBSD jail using DragonFly Mail Agent (DMA) with sendmail running on the host, you'll need to configure DMA to use the host's sendmail as its SMTP server. Here are the steps involved:
If DMA is not already installed, you can install it using the package manager:
$ pkg install dma
Create a DMA configuration file. For example, you can create a file named dma.rc in your jail's home directory.
In the dma.rc file, add the following lines:
smtpserver = "localhost"
smtpport = 25 error
This tells DMA to use the localhost (i.e., the host's sendmail) as the SMTP server on port 25.
Configure sendmail on the host:
If necessary, configure sendmail on the host to allow connections from the jail. This typically involves adding the jail's IP address or network to the accept_clients list in sendmail's configuration file (sendmail.cf).
Test DMA:
To test if DMA is configured correctly, you can send a test email from the jail using the DMA command:
$ dma -s "Test Email" -r your_email@example.com -t recipient_email@example.com -m "This is a test email sent from a FreeBSD jail using DMA."
The answer is wrong, but gives the right idea: Rather than dma.rc, the configuration file for dma is /etc/dma.conf. And there are no variables smtpserver or smtpport. But I have set inside /etc/dma.conf
SMARTHOST 127.0.0.1
PORT 25
and test it:
echo this is a test | mail -v -s testing-email root@"hostdomain.tld"
Then I get the test email line to root on the host and also from there at home.

I don't know if the alias for dma is working.
I wrote in /etc/mail/aliases
root: root@"hostdomain.tld"
but I don't get the "daily run output" from inside the jail. I don't know how the "daily run output" is created and by whom?
 
Rather than dma.rc, the configuration file for dma is /etc/dma.conf.
No, for systemwide configuration it is /etc/dma/dma.conf. You can see it mentioned here: https://docs.freebsd.org/en/books/handbook/mail/#configuring-dragonfly-mail-agent

I'm surprised it works.

About this part:
using smarthost (smtp.alice.de:25)
trying remote delivery to smtp.alice.de [91.136.8.184] pref 0
remote delivery deferred: SSL handshake failed fatally: error:0A00010B:SSL routines::wrong version number
Could you please confirm: Is smtp.alice.de your host?
The SSL error makes me think dma is trying to connect with SSL to a service that does not support it.

Actually from my understanding port 25 is used for plaintext connection + STARTTLS in the SMTP transaction. This is called explicit TLS.

Implicit TLS is the encapsulation of the whole connection in an encrypted tunnel (like HTTPS). This is usually on port 465 (SMTPS), as you can see in the corresponding example from the handbook: https://docs.freebsd.org/en/books/handbook/mail/#configuring-fastmail-dma

So you are probably missing the STARTTLS directive in your dma.conf file.

I don't know how the "daily run output" is created and by whom?
It is created by the periodic process, configured in /etc/periodic/, started by the cron process. You can find the corresponding commands in the system crontab: /etc/crontab.
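
The port/TLS mismatch suspected in the post above, as an added example that is not part of the original thread: a small check that classifies what a dma.conf requests and flags an implicit-TLS handshake aimed at a STARTTLS port, which is the usual cause of a "wrong version number" failure. The function names, verdict strings and the host smtp.example.net are assumptions made for this example; it relies on dma treating STARTTLS as effective only together with SECURETRANSFER, and it also covers port 587, which the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): classify the TLS mode a dma.conf
# requests and flag combinations that cannot match the smarthost port.

# Print the value of directive $2 in file $1 ("yes" for a bare flag).
dma_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # drop comments
        $1 == key { v = (NF > 1) ? $2 : "yes" }   # last occurrence wins
        END { print v }' "$1"
}

# Print one verdict for the dma.conf given as $1.
dma_tls_verdict() {
    host=$(dma_get "$1" SMARTHOST)
    port=$(dma_get "$1" PORT); port=${port:-25}   # dma defaults to port 25
    secure=$(dma_get "$1" SECURETRANSFER)
    starttls=$(dma_get "$1" STARTTLS)
    case "${secure:-no}/${starttls:-no}/$port" in
        no/yes/*)  echo "starttls-ignored" ;;     # needs SECURETRANSFER too
        no/no/*)   case "$host" in
                       127.*|localhost|::1) echo "plaintext-loopback" ;;
                       *)                   echo "plaintext-remote" ;;
                   esac ;;
        yes/no/25|yes/no/587) echo "implicit-tls-on-starttls-port" ;;
        yes/yes/465)          echo "starttls-on-implicit-tls-port" ;;
        *)                    echo "ok" ;;
    esac
}

# Constructed samples; smtp.example.net is a placeholder host.
demo=$(mktemp -d)
printf 'SMARTHOST smtp.example.net\nPORT 25\nSECURETRANSFER\n'           > "$demo/a.conf"
printf 'SMARTHOST smtp.example.net\nPORT 25\nSECURETRANSFER\nSTARTTLS\n' > "$demo/b.conf"
printf 'SMARTHOST 127.0.0.1\nPORT 25\n'                                  > "$demo/c.conf"
for f in "$demo"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(dma_tls_verdict "$f")"
done
rm -rf "$demo"
```

On a real system, call dma_tls_verdict with the path to the jail's /etc/dma/dma.conf.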
 
No, for systemwide configuration it is /etc/dma/dma.conf.
That means ~/dma.rc is also possible for the user?
smtp.alice.de is the SMTP address from my internet provider, not my host.
IMAP imap.alice.de port 993 SSL/TLS
SMTP smtp.alice.de port 25 STARTTLS
The solution for the test mail was: sending the email from the jail to the host via the localhost IP (the jail has another localhost IP). And on the host the sendmail aliases are configured to send the root email to my email address at the provider (Telefónica telecommunications provider) with my email from them.
That works. I have also found the periodic script: /etc/periodic/daily/450.status-security. Running this script by hand inside the jail (./450.status-security), I get the status email after some time at my email client at home.

But it doesn't work automatically. Why?
I have restarted the cron job (service cron restart) and configured in /etc/periodic.conf:
...
# 450.status-security
daily_status_security_enable="YES" # Security check
# See also "Security options" below for more options
daily_status_security_inline="NO" # Run inline ?
#daily_status_security_output="root" # user or /file
daily_status_security_output="root@<hostdomain.tld>" # send it to host
<..> not shown for security reasons.
Inside the jail, the /etc/crontab file contains:
...

# Perform daily/weekly/monthly maintenance.
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
#
Does maintenance not work inside a jail?
 
Periodic jobs work the same way on the host and in jails.

Jails are just like another host really.

So your aliases, dma.conf and so on should be the same in the host and in the jails if you are not running your own relay server.
 
Situation:
FreeBSD 14.1, small server, no desktop.
On the host I use a sendmail server (MTA) for email. I also send emails that go to root to my private email address, like the "daily security run output" messages.
There is a jail with a web server. Inside the jail only dma (DragonFly Mail Agent) from FreeBSD is installed. The jail communicates with the host via NAT rules and the IPFW firewall: ping and ports 80 and 443 work.
[ snip ]
My setup is a bit different: I have several physical servers with various services running in jails. The base jail is minimal and I have a mail server running in its own jail. The problem, however, was the same: getting periodic mail into a common place. Logically, mails should be delivered into some mailbox, with some easy-to-understand way to distinguish the source.

My changes to installed config files are minor, thus (I believe) easy to replicate. In any jail but the one running mail server, the host itself as well, root mails are forwarded to my real mail address. In /etc/mail/aliases, I changed one line
# root: me@my.domain

to

root: me@realdomain.tld

This way, all periodic mails are forwarded to my real mailbox. As I am requiring authentication for locally hosted domains, my periodic mails should not originate from some address in realdomain.tld. Additionally, jail names are like jail.realdomain.tld, while there is no record for jail.realdomain.tld in DNS, which is not useful when the jail IP is a private one (192.168.x.y and similar). But I have mail.realdomain.tld defined in DNS; this points to my mailserver jail, and this name is neither a locally hosted mail domain nor virtually hosted. So, I settled on using a simple masquerade in the /etc/dma/dma.conf file, with one line added near the end of the file:

MASQUERADE jailname@mail.realdomain.tld

That's it. With these two small changes to two config files in all hosts and all but the mail jail, I now have all periodic mails from all hosts and all jails delivered into one location, one mailbox, where I can review them with my standard mail client. Far more convenient than going into all the jails and using 'mail' to see them :)
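
A way to check the two settings from the post above across many jails, as an added example that is not part of the original thread: given a jail's root directory, it reports whether root's alias forwards to a full address and whether dma.conf sets MASQUERADE. The function name, the output format and the sample tree are assumptions made for this example; the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): for each jail root directory, report
# whether root's mail is forwarded off the jail and whether dma masquerades
# the sender so reports from different jails can be told apart.

# Print "<jail> forward=<address|local> masquerade=<value|none>" for root dir $1.
jail_mail_status() {
    root=$1
    # First uncommented "root:" alias, e.g. "root: me@realdomain.tld".
    fwd=$(awk -F'[: \t]+' '/^root:/ { print $2; exit }' \
        "$root/etc/mail/aliases" 2>/dev/null || true)
    # MASQUERADE directive from the system-wide dma configuration.
    masq=$(awk '$1 == "MASQUERADE" { print $2; exit }' \
        "$root/etc/dma/dma.conf" 2>/dev/null || true)
    case "$fwd" in
        *@*) ;;              # full address: the mail leaves the jail
        *)   fwd=local ;;    # unset, commented out, or a local user
    esac
    echo "${root##*/} forward=$fwd masquerade=${masq:-none}"
}

# Constructed sample tree standing in for two jail roots.
demo=$(mktemp -d)
mkdir -p "$demo/web/etc/mail" "$demo/web/etc/dma" "$demo/db/etc/mail" "$demo/db/etc/dma"
printf 'root: me@realdomain.tld\n' > "$demo/web/etc/mail/aliases"
printf 'MASQUERADE web@mail.realdomain.tld\n' > "$demo/web/etc/dma/dma.conf"
printf '# root: me@my.domain\n' > "$demo/db/etc/mail/aliases"
printf '#MASQUERADE\n' > "$demo/db/etc/dma/dma.conf"

for j in "$demo"/*; do
    jail_mail_status "$j"
done
rm -rf "$demo"
```

A jail reported as forward=local keeps its periodic security reports in a local mailbox that nobody reads unless they log in to that jail.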
 