ssmtp not working from inside jail

Hi,

So, first a quick overview of my setup:
I'm running FreeBSD 7.2. I used ezjail to create a jail for an apache webserver. I am using PF for my firewall and have logging enabled as well as using the keyword "log" in all of my block, pass statements. I am running BIND for DNS resolution inside my jail. I only have one NIC, so have a cloned interface (lo1), which I have my jail's IP assigned to. In my pf.conf I have "set skip on 1o0".
I have sendmail disabled on both my host and my jail and I am using ssmtp to forward mail. Everything is working fine except I can't get ssmtp to work from inside my jail. I can hit my webserver from the external interface and DNS resolves inside my jail.
When I try to test ssmtp from inside my jail, I do not see the packets attempt to traverse my external interface (they are not logged as passed or blocked), but it does pass in and out of the internal interface.
In verbose mode I see this error:
Code:
# echo "testing mail service from my apache jail" | mail -v root
root... Connecting to [127.0.0.1] via relay...
root... Deferred: Connection refused by [127.0.0.1]
If I try to telnet from inside the jail to 127.0.0.1 I get the following error:
Code:
127.0.0.1:25: Non-recoverable failure in name resolution

ssmtp works fine outside the jail. In the jail, I have tried changing the values of:
Code:
root=
mailhub=
rewriteDomain=
hostname=
but that doesn't make any difference. What am I missing here? I will gladly provide more information, but I'm not really sure what's needed.
Thank you in advance for any help!

Moe
 
If you really have set skip on 1o0 that would explain something.

P.S. read up on the formatting tags. The way you used them made parts of your post invisible. Preview your posts before submitting.
 
My apologies for my ignorance. This is my first attempt at setting up a UNIX system. Are you saying that I need to remove the "set skip on 1o0" and write all my pass rules for that interface as well?
 
What does ifconfig lo0 inside the jail tell you?
 
Moe said:
My apologies for my ignorance. This is my first attempt at setting up a UNIX system. Are you saying that I need to remove the "set skip on 1o0" and write all my pass rules for that interface as well?

It's lo0 not 1o0, the first is with a lowercase L the second with a 1 (one).
 
yeah, typo, sorry.

from inside the jail:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
 
This means 127.0.0.1 isn't available in your jail. Hence the error message when you try to connect to it.
 
Yes, that is the entire output. There is more, of course, if I don't specify just that interface.
So, how can I make it available? Or how do I fix this? Is there a way to tell ssmtp to ignore that interface? I would rather it used lo1 like everything else. I have to admit I don't quite get it. Most of what I have read so far suggests I shouldn't really mess with lo0. I can see other applications' packets traverse lo0 - they don't seem to mind it's not available to the jail...
Thanks for your help guys!
 
The loopback address is usually put there by a directive in /etc/defaults/rc.conf:

Code:
ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.

I don't know if that's how it usually works inside a jail.
 
There was no rc.conf inside my jail by default. I created one so I could kill off sendmail. I added:
Code:
ifconfig_lo0="inet 127.0.0.1"

and rebooted. Inside my jail, ifconfig has never shown an IP address for fxp0 or lo0, only for lo1. The same is still true after reboot:

Code:
www# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:02:55:f3:bb:b1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.0.0.1 netmask 0xffffff00 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204

I am also still getting the same errors.
 
You can't set lo0 or use 127.0.0.1 inside a jail. These days it may be possible by using VIMAGE but I haven't played with it myself.

You should make double sure all daemons on the host are bound to 127.0.0.1 (lo0) and/or the host's IP address. Inside a jail all daemons/services should be bound to the jail's IP address. I've never needed access to lo0 inside a jail. Check your services on the host and inside the jails with sockstat(1).
 
ok, sockstat from within the jail shows everything bound to the jail IP (10.0.0.1). sockstat on my host shows the following. BIND is listening on the jail IP in order to provide DNS resolution for it. Output from sockstat:
Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
bind     named      1398  3  dgram  -> /var/run/logpriv
bind     named      1398  20 tcp4   10.0.0.1:53           *:*
bind     named      1398  21 tcp4   127.0.0.1:953         *:*
bind     named      1398  22 tcp6   ::1:953               *:*
bind     named      1398  512udp4   10.0.0.1:53           *:*
root     sshd       1251  3  tcp4   public IP     public IP
root     sshd       1251  8  stream /tmp/ssh-z8viYkvylT/agent.1251
root     syslogd    1084  4  dgram  /var/run/log
root     syslogd    1084  5  dgram  /var/run/logpriv
root     syslogd    1084  6  udp4   10.0.0.1:514          *:*
root     sshd       859   3  tcp6   *:22                  *:*
root     sshd       859   4  tcp4   *:22                  *:*
root     syslogd    689   4  dgram  /var/run/log
root     syslogd    689   5  dgram  /var/run/logpriv
root     syslogd    689   6  dgram  /var/run/log
root     syslogd    689   7  dgram  /var/named/var/run/log
root     syslogd    689   8  udp6   *:514                 *:*
root     syslogd    689   9  udp4   *:514                 *:*
root     devd       631   4  stream /var/run/devd.pipe
_pflogd  pflogd     388   5  stream -> ??
root     pflogd     383   4  stream -> ??

As far as I can tell this looks ok too? I mean syslogd is bound to both, i.e. it's running as root both inside and outside the jail...

Any ideas?
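
Added example, not part of the original posts: the sockstat(1) check recommended above, written as a filter that lists inet sockets bound to the wildcard address. Host and jail share one network stack here, so a host daemon bound to * also answers on the jail's IP. The function name and the sample listing are constructed for illustration, modelled on the output in this thread.

```shell
#!/bin/sh
# Added example: list inet sockets bound to the wildcard address (*:port)
# in sockstat output read from stdin. Sample data below is constructed.

wildcard_listeners() {
    awk '
    $1 == "USER" { next }                       # header line
    {
        for (i = 4; i < NF; i++) {
            # Find the PROTO column; accept an FD run into it ("512udp4").
            if ($i ~ /(tcp|udp)(4|6|46)$/) {
                proto = $i
                sub(/^[0-9]+/, "", proto)
                # The field after PROTO is the local address.
                if ($(i + 1) ~ /^\*:/)
                    print $2, $3, proto, $(i + 1)
                break
            }
        }
    }'
}

# Constructed sample modelled on the host listing in the post above.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1398  20 tcp4   10.0.0.1:53           *:*
bind     named      1398  21 tcp4   127.0.0.1:953         *:*
bind     named      1398  512udp4   10.0.0.1:53           *:*
root     syslogd    1084  6  udp4   10.0.0.1:514          *:*
root     sshd       859   3  tcp6   *:22                  *:*
root     sshd       859   4  tcp4   *:22                  *:*
root     syslogd    689   5  dgram  /var/run/logpriv
root     syslogd    689   8  udp6   *:514                 *:*
root     syslogd    689   9  udp4   *:514                 *:*
EOF
}

# Prints: command, pid, protocol and local address of each wildcard socket.
sample_sockstat | wildcard_listeners
```

On a live host the input would be the output of sockstat itself. For the two daemons flagged in the sample, the binding is set with ListenAddress in sshd_config and the -b option of syslogd(8).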
 
I'm starting to get the impression that ssmtp won't work from inside a jail. Can anyone confirm that they have gotten this to work?

thanks!
 
The telnet error you pasted in your first post looks like invalid syntax. The usage is:
Code:
telnet <address> <port>

Not:
Code:
telnet <address>:<port>

What happens if you telnet to the SMTP server and port?
 
Hm, good one ..

Code:
$ telnet 127.0.0.1:25 
127.0.0.1:25: hostname nor servname provided, or not known

Similar enough.
 
Good to know, thanks.

Code:
telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

Keep in mind, I installed the ssmtp port both inside and outside my jail. On the host itself it works fine. Inside the jail it tries to use 127.0.0.1 as the relay. ssmtp doesn't run as a daemon. It just sends mail when invoked. I've tried changing the values for the jail's ssmtp conf file but that doesn't make any difference.

Does the ssmtp port work inside a jail?

thanks everybody.
 
Yup, it does work inside a jail. The problem is not with ssmtp, but with your jail's network configuration. If telnet can't establish the SMTP connection, there's no way ssmtp or any other SMTP client will be able to.

From within a jail 127.0.0.1 is not the host. It is the jail. You're effectively running ssmtp inside your jail and telling it to relay to itself. Configure it to connect to your host's IP address and it should work. Again, test with telnet to confirm network functionality.

As a side note, I'm not sure your cloning of the loopback interface is a good idea. The norm is to bind an IP alias to your NIC and give the jail that IP address.
 
ok, so that's what I can't figure out how to do. How do I configure it to NOT try 127.0.0.1? I have tried all different values for these parameters in the ssmtp.conf file (in the jail):

Code:
root=
mailhub=
rewriteDomain=
hostname=

but it doesn't seem to make any difference to ssmtp, it always tries 127.0.0.1 first. I can even see DNS packets go by when it resolves the mailhub= (if I use the FQDN of my ISP's mail server).
?

With regards to cloning the interface, I have found conflicting advice. This seems to work for everything (else), so I would prefer not to have to change it unless I have to.

thanks!
 
As stated earlier, I have tried changing the value of
Code:
mailhub=
to no avail. I tried again using my jail's IP, my host's IP and the IP of my ISP's smtp server. In each case ssmtp attempts to connect to 127.0.0.1 first.
I noticed the same behavior with nslookup until I edited the resolv.conf file to point to the jail's IP. In this case however, there doesn't seem to be a way to point ssmtp away from 127.0.0.1.
Feels like I'm missing something really obvious here, but I can't figure out what it is....
 
Moe said:
I tried again using my jail's IP, my host's IP and the IP of my ISP's smtp server. In each case ssmtp attempts to connect to 127.0.0.1 first.
And if you telnet to these from inside the jail?
 
I had this same issue, but figured out I hadn't done the following within the jail. Actually I did, but it got overwritten after 10.3-RELEASE to 11.0-RELEASE.

Code:
sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail

as per

https://www.freebsd.org/doc/handbook/mail-changingmta.html#mail-disable-sendmail
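
Added example, not part of the original post: mail(1) hands messages to /usr/sbin/sendmail, which on FreeBSD is mailwrapper(8) and runs whatever /etc/mail/mailer.conf names, so the entries above can be checked per jail after an upgrade. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a mailer.conf hands sendmail and send-mail
# to ssmtp. File contents below are constructed samples.

# Print the program that wrapper name $2 maps to in mailer.conf file $1
# (first matching entry, comments ignored).
mailer_target() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        $1 == name { print $2; exit }
    ' "$1"
}

# Return 0 only if both submission names resolve to an ssmtp binary;
# otherwise report the first name that does not and return 1.
uses_ssmtp() {
    for name in sendmail send-mail; do
        target=$(mailer_target "$1" "$name")
        case "$target" in
            */ssmtp) ;;
            *) echo "$1: $name -> ${target:-<unset>}"; return 1 ;;
        esac
    done
    return 0
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed: entries still pointing at the base-system sendmail.
cat > "$tmp/mailer.conf.sendmail" <<'EOF'
# Execute the "real" sendmail program
sendmail        /usr/libexec/sendmail/sendmail
send-mail       /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
EOF

# Constructed: the first three entries from the post above.
cat > "$tmp/mailer.conf.ssmtp" <<'EOF'
sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/libexec/sendmail/sendmail
EOF

for f in "$tmp"/mailer.conf.*; do
    if uses_ssmtp "$f"; then echo "$f: ok"; fi
done
```

To check a real jail, pass uses_ssmtp the path of the etc/mail/mailer.conf under that jail's root.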
 