Jailkit howto - mail in a chroot jail
We want to run mail delivery (procmail) and pickup (imap) in a chroot jail. This is useful for users that have a jailed shell account (or no shell account at all). If you don't do this, a user might read files in for example /etc/ trough imap by setting a symlink to /etc/ from the users home directory. Or the user could run any script on the regular system using a .procmailrc
Assume the account on machine mailserver is for user mike in group mike, and the jail is /home/jail.
Mail delivery in the jail
Jailkit >0.5 contains a utility jk_procmailwrapper. In Jailkit 0.5 this utility will only block procmail for jailed users, but from 0.6 on, this utility will chroot() to the jail, drop privileges and execute the real procmail. For normal users it will simlpy drop privileges and execute procmail on the real system. procmail can be installed in the jail using jk_initjk_init -v -j /home/mail procmail
Note that the jk_init.ini file in the Jailkit tarball has defaults for Debian and Ubuntu. If you use jk_init on other operating systems you may need to use a different jk_init.ini file, or update the file locations in jk_init.ini yourself.
On the real system, procmail runs with some additional priveleges, it can for example create a mailbox in /var/mail. The jailed procmail should be installed without any additional permissions, because that could be a possible security issue. So you will have to create a mailbox for every user in the jail, and make them own it!mkdir /home/jail/var mkdir /home/jail/var/mail touch /home/jail/var/mail/mike chown mike:mike /home/jail/var/mail/mike chmod 0600 /home/jail/var/mail/mike
jk_procmailwrapper needs a jail/etc/passwd and jail/etc/group just like jk_chrootsh does. jk_jailuser can do that for a regular account. Suppose 'mike' is an existing account:jk_jailuser -m -j /home/jail mike
Now we have to make the mail server use jk_procmailwrapper instead of procmail. We also need to make sure that users cannot circumvent this by crafting a specific .forward file. We therefore disable the .forward file. Here are examples for exim and for postfix:
PostfixPostfix is a well designed and very secure SMTP server. In /etc/postfix/main.cf change the mailbox command to
mailbox_command = /usr/sbin/jk_procmailwrapper allow_mail_to_commands = alias allow_mail_to_files = alias
EximIn /etc/exim/exim.conf you have to change the procmail_pipe and disable the .forward file by uncommenting userforward.
procmail_pipe: driver = pipe command = "/usr/sbin/jk_procmailwrapper" return_path_add delivery_date_add envelope_to_add suffix = "" #userforward: # driver = forwardfile # file_transport = address_file # pipe_transport = address_pipe # reply_transport = address_reply # no_verify # check_ancestor # check_local_user # file = .forward # modemask = 002 # filter
Mail pickup (imap)
For mail pickup there is no need for any jailkit utilities. There are several imap daemons that can do a chroot() call themselves.
Dovecot can do a chroot, and automatically detect the /./ in the home directory.
In the dovecot config file change these options:
login_chroot = yes valid_chroot_dirs = /home/jail mbox_locks = fcntl flock mbox_read_dotlock = no
This is an excellent setup and works without a problem!
UW mail utilities - not confirmed yet
UW-imapd can do a chroot, but it is tricky (or impossible?!?) to configure. The WU people do not recommend it, because a wrong configured jail can be a security problem (see man jailkit). However, because jk_check, jk_init and jk_cp test for this problem, the jail is a good idea for jailkit users. If it wasn't a good imap server I would not recommend anybody to use this server.
The UW people claim that no user should change a default parameter, because that would be "a risk". They force you to add the line "I accept the risk" to the config file. The /etc/c-client.cf should (but it doesn't work for me) look like:
I accept the risk set chroot-server
I cannot get this to work!
Testing the setup
Send a jailed user an email, and watch the logfiles if anything does go wrong. Create a .forward file with some command in there, and watch if it gets executed (it should not). Create a .procmailrc file and try to create a mailbox in /tmp/ on the real system (this should not work, only in the jail you should be able to create mailboxes). Create a symlink from your homedir to /etc/ and start an imap client. You should not see the real /etc/, but the jail /etc/.