Jailkit howto - mail in a chroot jail

Objectives

We want to run mail delivery (procmail) and pickup (imap) in a chroot jail. This is useful for users that have a jailed shell account (or no shell account at all). If you don't do this, a user might read files in, for example, /etc/ through imap by creating a symlink to /etc/ from the user's home directory. Or the user could run any script on the regular system using a .procmailrc.

Assumptions

Assume the account on machine mailserver is for user mike in group mike, and the jail is /home/jail.

Mail delivery in the jail

Jailkit >0.5 contains a utility jk_procmailwrapper. In Jailkit 0.5 this utility only blocks procmail for jailed users, but from 0.6 on it will chroot() to the jail, drop privileges and execute the real procmail. For normal users it simply drops privileges and executes procmail on the real system. procmail can be installed in the jail using jk_init:

jk_init -v -j /home/jail procmail

Note that the jk_init.ini file in the Jailkit tarball has defaults for Debian and Ubuntu. If you use jk_init on other operating systems you may need to use a different jk_init.ini file, or update the file locations in jk_init.ini yourself.

On the real system, procmail runs with some additional privileges; for example, it can create a mailbox in /var/mail. The jailed procmail should be installed without any additional permissions, because that could be a possible security issue. So you will have to create a mailbox for every user in the jail, and make them own it!

mkdir /home/jail/var
mkdir /home/jail/var/mail
touch /home/jail/var/mail/mike
chown mike:mike /home/jail/var/mail/mike
chmod 0600 /home/jail/var/mail/mike
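The same mailbox provisioning as a small script, added here as an example (it is not Jailkit's own code). The function names, the optional third argument and the check function are this example's own; the OWNER argument exists only so the script can be exercised on a machine where the account does not exist.

```shell
#!/bin/sh
# Added example, not part of Jailkit: create a jailed user's mailbox
# exactly as the howto does (root-owned directory, 0600 file owned by
# the user) and verify the result afterwards.
#
# jail_mailbox_create JAIL USER [OWNER]
#   OWNER defaults to USER:USER; a numeric uid:gid may be given when the
#   account does not exist on the machine running this script.
jail_mailbox_create() {
    jail=$1; user=$2; owner=${3:-"$2:$2"}
    box="$jail/var/mail/$user"
    # mkdir -p is idempotent; the directory stays owned by whoever runs
    # this (root), so users cannot create or rename each other's boxes.
    mkdir -p "$jail/var/mail" || return 1
    # Refuse anything that already sits there and is not a plain file:
    # delivery into a symlink would write wherever the link points.
    if [ -e "$box" ] || [ -L "$box" ]; then
        if [ -L "$box" ] || [ ! -f "$box" ]; then
            echo "refusing: $box exists and is not a regular file" >&2
            return 1
        fi
    fi
    [ -f "$box" ] || : > "$box" || return 1
    chown "$owner" "$box" || return 1
    chmod 0600 "$box"
}

# jail_mailbox_check JAIL USER
#   Returns 0 if the mailbox is a regular file (not a symlink) with mode
#   0600, 1 otherwise. ls -l is used because stat's flags differ between
#   GNU and BSD userlands.
jail_mailbox_check() {
    box="$1/var/mail/$2"
    [ -f "$box" ] || return 1
    [ ! -L "$box" ] || return 1
    mode=$(ls -ld "$box" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Usage on the mail server, as root:
#   jail_mailbox_create /home/jail mike && jail_mailbox_check /home/jail mike
```

Running the check after every jk_jailuser invocation catches the two mistakes that matter here: a mailbox that is group or world readable, and a mailbox path that has been replaced by a symlink.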

jk_procmailwrapper needs a jail/etc/passwd and jail/etc/group just like jk_chrootsh does. jk_jailuser can do that for a regular account. Suppose 'mike' is an existing account:

jk_jailuser -m -j /home/jail mike

Now we have to make the mail server use jk_procmailwrapper instead of procmail. We also need to make sure that users cannot circumvent this by crafting a specific .forward file. We therefore disable the .forward file. Here are examples for exim and for postfix:

Postfix

Postfix is a well designed and very secure SMTP server. In /etc/postfix/main.cf change the mailbox command to

mailbox_command = /usr/sbin/jk_procmailwrapper
allow_mail_to_commands = alias
allow_mail_to_files = alias

Exim

In /etc/exim/exim.conf you have to change the procmail_pipe transport and disable the .forward file by commenting out the userforward director:

procmail_pipe:
  driver = pipe
  command = "/usr/sbin/jk_procmailwrapper"
  return_path_add
  delivery_date_add
  envelope_to_add
  suffix = ""

#userforward:
#  driver = forwardfile
#  file_transport = address_file
#  pipe_transport = address_pipe
#  reply_transport = address_reply
#  no_verify
#  check_ancestor
#  check_local_user
#  file = .forward
#  modemask = 002
#  filter

Mail pickup (imap)

For mail pickup there is no need for any jailkit utilities. There are several imap daemons that can do a chroot() call themselves.

Dovecot

Dovecot can chroot itself, and automatically detects the /./ marker in the home directory.

In the dovecot config file change these options:

login_chroot = yes
valid_chroot_dirs = /home/jail
mbox_locks = fcntl flock
mbox_read_dotlock = no

This is an excellent setup and works without a problem!

UW mail utilities - not confirmed yet

UW-imapd can do a chroot, but it is tricky (or impossible?!?) to configure. The UW people do not recommend it, because a wrongly configured jail can be a security problem (see man jailkit). However, because jk_check, jk_init and jk_cp test for this problem, the jail is a good idea for jailkit users. If it weren't a good imap server I would not recommend this server to anybody.

The UW people claim that no user should change a default parameter, because that would be "a risk". They force you to add the line "I accept the risk" to the config file. The /etc/c-client.cf should look like this (but it doesn't work for me):

I accept the risk
set chroot-server

I cannot get this to work!

Testing the setup

Send a jailed user an email, and watch the logfiles to see if anything goes wrong. Create a .forward file with some command in it, and check whether it gets executed (it should not). Create a .procmailrc file and try to create a mailbox in /tmp/ on the real system (this should not work; you should only be able to create mailboxes inside the jail). Create a symlink from your home directory to /etc/ and start an imap client. You should not see the real /etc/, but the jail's /etc/.
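Before sending test mail, the configuration files touched in the Postfix and Dovecot sections above can be checked mechanically. The script below is an added example and not part of Jailkit or this howto; the function names are its own, it assumes the Postfix and Dovecot settings are written as plain "key = value" lines as quoted above, and the passwd check relies on the /home/jail/./home/mike form of the home directory that jk_jailuser writes (the /./ marker mentioned in the Dovecot section).

```shell
#!/bin/sh
# Added example, not part of Jailkit: verify the settings this howto
# asks for before trusting the jail with real mail.

# _cfg_value FILE KEY: value of the last "KEY = value" line in FILE.
_cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# postfix_cfg_check MAIN_CF
#   0 if mailbox_command runs jk_procmailwrapper and neither
#   allow_mail_to_commands nor allow_mail_to_files still lists "forward".
postfix_cfg_check() {
    cf=$1
    case "$(_cfg_value "$cf" mailbox_command)" in
        /usr/sbin/jk_procmailwrapper*) ;;
        *) echo "mailbox_command does not run jk_procmailwrapper" >&2; return 1 ;;
    esac
    for key in allow_mail_to_commands allow_mail_to_files; do
        val=$(_cfg_value "$cf" "$key" | tr -d '[:space:]')
        # Postfix's built-in default for both keys is "alias, forward",
        # so a key that is simply absent still permits .forward delivery.
        [ -n "$val" ] || { echo "$key is not set" >&2; return 1; }
        case ",$val," in
            *,forward,*) echo "$key still permits forward" >&2; return 1 ;;
        esac
    done
}

# dovecot_cfg_check DOVECOT_CONF JAIL
#   0 if login_chroot is "yes" and JAIL appears in valid_chroot_dirs
#   (space- or colon-separated list).
dovecot_cfg_check() {
    [ "$(_cfg_value "$1" login_chroot)" = "yes" ] \
        || { echo "login_chroot is not yes" >&2; return 1; }
    case " $(_cfg_value "$1" valid_chroot_dirs | tr ':' ' ') " in
        *" $2 "*) ;;
        *) echo "valid_chroot_dirs does not list $2" >&2; return 1 ;;
    esac
}

# passwd_home_jailed PASSWD USER JAIL
#   0 if USER's home in the real passwd file lies under JAIL and carries
#   the /./ marker; otherwise the imap daemon will not chroot for USER.
passwd_home_jailed() {
    home=$(awk -F: -v u="$2" '$1 == u { print $6 }' "$1")
    [ -n "$home" ] || { echo "$2 not found in $1" >&2; return 1; }
    case "$home" in
        "$3"/./*) ;;
        *) echo "$2 home '$home' is not jailed under $3" >&2; return 1 ;;
    esac
}

# Usage on the mail server (hypothetical dovecot.conf path):
#   postfix_cfg_check /etc/postfix/main.cf \
#   && dovecot_cfg_check /etc/dovecot/dovecot.conf /home/jail \
#   && passwd_home_jailed /etc/passwd mike /home/jail \
#   && echo "configuration looks right, now send the test mail"
```

A passing run only says the files contain what this page asks for; the hands-on tests above (the .forward command, the .procmailrc writing to /tmp/, the /etc/ symlink) are still what proves the jail actually holds.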