[FreeBSD] Need solutions for a chrooted Postfix & Cron
Author: BeNe (Moderator)
I have some headaches today because of these problems :D

1.) Postfix & chroot
I described the problem here in this Post --> http://www.isp-control.net/forum/thread-...l#pid77495

By default the master.cf for Postfix in FreeBSD isn't chrooted.
But with our ispCP master.cf we chroot the smtp services, which creates this error:
Code:
Mar 16 14:31:39 root postfix/smtpd[74300]: connect from unknown[192.168.1.31]
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: No such file or directory
Mar 16 14:31:39 root postfix/smtpd[74300]: warning: SASL authentication failure: Password verification failed

So there are two ways now - disable chroot OR do all the steps needed to get Postfix running in a chroot environment.

The problems in my test of a chrooted Postfix are:
-> Symlinks don't work:
Code:
warning: SASL authentication problem: unable to open Berkeley db /usr/local/etc/sasldb2: Too many levels of symbolic links

-> Hardlinks don't work:
Code:
ln: /var/spool/postfix/usr/local/etc/sasldb2: Cross-device link

Because hardlinks don't work across partitions:
Code:
root# df
Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
/dev/da0s1a    507630  272384   194636    58%    /
devfs               1       1        0   100%    /dev
/dev/da0s1e    507630      26   466994     0%    /tmp
/dev/da0s1f  73169582 2594798 64721218     4%    /usr
/dev/da0s1d   3026574  196064  2588386     7%    /var
linprocfs           4       4        0   100%    /usr/compat/linux/proc

I found this script inside the Postfix sources for a chroot-setup under FreeBSD:
Code:
umask 022
mkdir /var/spool/postfix/etc
chmod 755 /var/spool/postfix/etc
cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc

But copying the sasldb2 and the needed files listed in the script above into the chroot manually every time makes no sense.

So I disabled the chroot for the time being so that all mail services work on a FreeBSD machine. We should try to get Postfix back in chroot in the future, of course.

Can you / we live with that fact? Security problems?
The patch is attached to this post.

2.) Cron
The cron that comes with ispCP doesn't work by default under FreeBSD!
During the make and setup we create a "cron.d" folder that has no effect under FreeBSD. *BSD uses /etc/periodic/ for daily/monthly/... or the crontab under /var/cron/tabs/$USER$
Code:
root# pwd && ls -l
/etc/periodic
total 8
drwxr-xr-x  2 root  wheel  1024 Nov 21 15:31 daily
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 monthly
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 security
drwxr-xr-x  2 root  wheel   512 Nov 21 15:31 weekly

FreeBSD has a crontab for root under /var/cron/tabs/root.
So we need to change the name of the cron file from "ispcp" to "root" and copy it to /var/cron/tabs/root.

Here is my working Version:
Code:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log

# Note: /bin/sh on FreeBSD does not understand the bash shorthand "&>",
# so stdout and stderr are redirected with ">file 2>&1" below.

# Quota
@daily /usr/local/www/ispcp/engine/quota/ispcp-dsk-quota >/var/log/ispcp/ispcp-dsk-quota.log 2>&1

# Traffic
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-srv-traff >/var/log/ispcp/ispcp-srv-traff.log 2>&1
0,30    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff >/var/log/ispcp/ispcp-vrl-traff.log 2>&1
15,45    *       *       *       *  /usr/local/www/ispcp/engine/traffic/ispcp-vrl-traff-correction >/var/log/ispcp/ispcp-vrl-traff-correction.log 2>&1

# customer logs
@daily /usr/local/www/ispcp/engine/tools/ispcp-httpd-logs-mngr >/var/log/ispcp/ispcp-httpd-logs-mngr.log 2>&1

# Backup
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-all yes >/var/log/ispcp/ispcp-backup-all-mngr.log 2>&1
@daily /usr/local/www/ispcp/engine/backup/ispcp-backup-ispcp noreport >/var/log/ispcp/ispcp-backup-ispcp-mngr.log 2>&1

# Remove config backups older than seven days
@daily find /usr/local/etc/ispcp/*/backup/* -maxdepth 0 -type f -mtime +7 -print | egrep '.*\.[0-9]+$' | xargs -r /bin/rm

# Remove Daemon Logs older than 14 days (except .gz files)
@daily find /var/log/ispcp/* -maxdepth 1 -type f -mtime +14 -print | egrep '.*\.gz$' | xargs -r /bin/rm

# AWStats
15      */6     *       *       *       /usr/local/www/ispcp/engine/awstats/awstats_updateall.pl now -awstatsprog=/usr/local/www/awstats/cgi-bin/awstats.pl > /dev/null 2>&1

# Rootkit Hunter
0       */12    *       *       *       /usr/local/bin/rkhunter --cronjob --createlogfile /var/log/rkhunter.log.root --display-logfile 1>/var/log/rkhunter.log 2>/dev/null

# Chkrootkit
0       */12    *       *       *       /usr/local/sbin/chkrootkit >/var/log/chkrootkit.log 2>&1

# Look for and purge old sessions every 30 minutes
0,30    *       *       *       *       /usr/local/bin/bash /usr/local/www/ispcp/engine/tools/ispcpphptemp.sh >/dev/null 2>&1

Comments?
Can we do it this way?

Greez BeNe


Attached File(s)
.patch  FreeBSD_master-cf.patch (Size: 5.5 KB / Downloads: 1)
03-22-2010 11:17 PM
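
One way to automate the manual copying the post describes while leaving smtpd chrooted, as an added example that is not part of the original post or of ispCP. The function name `sync_into_chroot` is hypothetical; the paths in the closing comment are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: keep a chrooted Postfix's private copies of system files current.
# sync_into_chroot CHROOT FILE...
#   Copies each absolute FILE to CHROOT/FILE, but only when the content differs,
#   and prints the number of files it updated.
sync_into_chroot() {
    chroot_dir=$1; shift
    updated=0
    for src in "$@"; do
        dst="$chroot_dir$src"
        # A missing source is reported and skipped, never created empty.
        if [ ! -f "$src" ]; then
            echo "skip (no such regular file): $src" >&2
            continue
        fi
        # Identical copy already in place: leave it alone.
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue
        fi
        ( umask 022; mkdir -p "$(dirname "$dst")" ) || return 1
        # Copy to a temporary name inside the chroot, then rename, so smtpd
        # never opens a half-written file. cp follows a symlinked source, so
        # the chroot always receives a real file, and -p keeps the source's
        # mode (and its owner when run as root).
        tmp="$dst.tmp.$$"
        ( umask 077; cp -p "$src" "$tmp" ) && mv -f "$tmp" "$dst" \
            || { rm -f "$tmp"; return 1; }
        updated=$((updated + 1))
    done
    echo "$updated"
}

# Intended use with the paths from the post, e.g. from root's crontab or
# after changing SASL users (not executed here):
#   sync_into_chroot /var/spool/postfix /etc/host.conf /etc/localtime \
#       /etc/services /etc/resolv.conf /usr/local/etc/sasldb2
```

The copy of sasldb2 inside the chroot holds the same credentials as the original, so its restrictive mode has to survive the copy, which is why the function uses `cp -p` rather than a plain `cp`.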