Sendmail (and friends) Jail setup..

Hi all..

I'm slowly trudging my way through with getting FreeBSD up and running on my server with lots of help from you all..

Anyway, I've got Sendmail running and checking for spam/virus care of one of the pages I ran across.. All is working well (except mail delivery which is going to mbox files instead of imap-- still working that one). Anyway, I want to put Sendmail (and friends) + Dovecot inside a jail. Honk suggested fetching the base image files from the FreeBSD ftp server instead of building the world as suggested in the handbook.. So, below are the steps I *think* I need to do in order to get Sendmail and friends working inside a jail:

  1. mkdir /usr/jails/sendmail
  2. download base package from here
  3. setenv DESTDIR /usr/jails/sendmail
  4. issue "sh install.sh" to install the base package from above
  5. update host system's /etc/rc.conf to enable the jail -- add the following:
    Code:
    jail_www_hostname="smtp.example.org"
    jail_www_ip="your.jail.ip.here"
    jail_www_rootdir="/usr/jails/sendmail"
    jail_www_devfs_enable="YES"
  6. Copy /etc/rc.conf to /usr/jails/sendmail/etc and update to remove any host rc items (setup of fxp0, jail enable stuff added above, disable ssh probably, etc.)
  7. mount /usr/ports and /usr/src using devfs mounts inside the jails -- probably r/w for now
  8. start the jail using "/etc/rc.d/jails start sendmail"
  9. jexec jid tcsh (substitute jid with the id returned by "jls")
  10. follow the majority of the directions found here to install SpamAssassin, spamassassin-milter, ClamAV, config Sendmail, setup autoboot for these items within the jail -- make sure you update the jail's /etc/rc.conf not the host's.
  11. Follow the steps found here to get Dovecot running in the jail
  12. Once all installation items are done, make sure to remove the /usr/src and /usr/ports devfs mounts from the jail.
  13. Make sure the host does not start up services (e.g. Sendmail) on its own as the Jail should be doing that now -- check w/ "netstat -a"

Does that sound about right? Am I missing anything or is there a better way to achieve the same end results?
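
Added example (not part of the original post and not the poster's code): one way to automate the check in step 13, by reading FreeBSD-style `netstat -an` output and listing mail-port listeners that are bound to anything other than the jail's address. The jail address 192.0.2.25, the port list and the sample netstat text are constructed assumptions.

```shell
#!/bin/sh
# Flag mail listeners that are NOT bound to the jail's address.
# stdin: `netstat -an` text (-n keeps ports numeric); $1: jail IP.
# A wildcard bind (*.25) on the host also covers the jail's address,
# so it is reported as well.

stray_mail_listeners() {
    jail_ip="$1"
    awk -v jail="$jail_ip" '
        BEGIN {
            # Assumed set of mail ports: SMTP, submission, POP3, IMAP (+TLS).
            n = split("25 465 587 110 143 993 995", p, " ")
            for (i = 1; i <= n; i++) mail[p[i]] = 1
        }
        # Only listening TCP sockets matter here.
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4
            # FreeBSD joins address and port with a dot: 192.0.2.25.25 or *.25
            port = laddr; sub(/.*\./, "", port)
            addr = laddr; sub(/\.[^.]*$/, "", addr)
            if ((port in mail) && addr != jail)
                print addr " " port
        }
    '
}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.25.25          *.*                    LISTEN
tcp4       0      0 192.0.2.25.143         *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 192.0.2.10.22          *.*                    LISTEN
tcp4       0      0 127.0.0.1.587          *.*                    LISTEN
tcp4       0      0 192.0.2.10.51234       198.51.100.7.25        ESTABLISHED'

# Demo run on the sample: prints "* 25" and "127.0.0.1 587".
printf '%s\n' "$SAMPLE_NETSTAT" | stray_mail_listeners 192.0.2.25
```

On a real host the input would come from `netstat -an` piped into the function; an empty result means every mail listener belongs to the jail's address.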
 
Just to reply to myself.. I found a tutorial that seems to cover most of what I'm after above.. While it doesn't directly cover a Sendmail jail, it does show how to create jail bases, and specific service jails for web, etc.

http://www.joomlawebserver.com/freebsd/index.php

I believe that tutorial is for an older version (6.2) of FreeBSD but very much still relevant.. Anyway, just passing this along..
 
What's wrong with the jail(8) manpage? I'm not entirely sure why someone would advise to download the distribution packages. You can easily build from source and this is actually smarter to do if you ever plan to upgrade your host system.
Lots of people will advise you to use ezjail, I'm not one of them, since the amount of features that got into it, it's more work configuring ezjail than installing a new jail. That set aside, having installed a jail from source at least once is a good learning experience of how host and jail relate to each other, how the build system can help you and how to keep host and jail in sync with each other.
The latter is not a prerequisite for a good working jail, but, the intent of most jails is to provide services for the big bad ugly world out there, so you do want your jails to have the latest security patches.
Also, once you understand the steps in jail(8), you are better equipped to troubleshoot issues with jail management software, like ezjail.
 
Nothing is wrong with the jail manpage.. I'm new to FreeBSD and wanted something that was a bit more global in nature that would show both the jail & host sides and typical setup/usage. I've learned a lot over the past several days and still had to ping people here on the boards for some questions that I just didn't find obvious answers for. (I've got another thread in the firewall forum you can read if you like).. Anyway, I'm much more comfortable with things now and am not using ezjail at all..
 