Mailfilter FreeBSD Jail

From WTFwiki
Revision as of 20:10, 14 February 2007 by Jontow (a few more notes for safety)

Background

FreeBSD's jail(8) has a very useful side-effect when used in conjunction with
postfix as a mailserver: you can run many logically separated mailservers on the
same machine while sharing resources such as OpenBSD's spamd and even the underlying
software (postfix, amavisd-new, etc.). You can also set this up so that each jail
keeps its own config files. That is the layout documented here.


Requirements

  • FreeBSD (recommended: 6.2-RELEASE or newer)
  • a full /usr/src and /usr/obj tree built already with whatever custom options in make.conf
  • enough disk space for multiple installs of the OS to co-exist on the same partition(s)
  • enough RAM for several copies of the filter stack (amavisd-new, ClamAV, SpamAssassin) running at once, one per jail.
  • postfix (recommended: 2.3.5 or newer) (/usr/ports/mail/postfix)
  • amavisd-new (recommended: 2.4.4 or newer) (/usr/ports/security/amavisd-new)
  • ClamAV (recommended: 0.90 or newer) (/usr/ports/security/clamav)
  • SpamAssassin (recommended: 3.1.7 or newer) (/usr/ports/mail/p5-Mail-SpamAssassin)
  • And, of course, the dependencies of all the above-mentioned software.
  • You may also want an IMAP or POP3 daemon of choice. This was done with dovecot in mind.


Setup

I make heavy use of nullfs when deploying jails.
Each jail gets the following nullfs mounts of host directories so far:

  • the host's /usr/local mounted at /var/jail/domain.com/usr/local.ext
  • the host's /var/db/pkg mounted at /var/jail/domain.com/var/db/pkg

I also use symbolic links liberally to tie it all together, like so:

 # cd /var/jail/domain.com/usr/local
 # mkdir etc
 # ln -s ../local.ext/bin bin 
 # ln -s ../local.ext/include include
 # ln -s ../local.ext/info info
 # ln -s ../local.ext/lib lib
 # ln -s ../local.ext/libdata libdata
 # ln -s ../local.ext/libexec libexec
 # ln -s ../local.ext/man man
 # ln -s ../local.ext/sbin sbin
 # ln -s ../local.ext/share share
 # ln -s ../local.ext/var var
 # ln -s ../local.ext/www www

It is important that you follow the scheme above: the links are relative (../local.ext/...), so they
resolve the same way whether they are looked at from the host or from inside the jail. An absolute
target such as /usr/local.ext/bin would work inside the jail but dangle on the host, and an absolute
target of /usr/local/bin (meaning the host's copy) would, once dereferenced inside the jail, point back
at the jail's own /usr/local/bin, i.e. at the link itself.

This makes sure that all software installed on the host machine is available in the jail(s).
Two things to be aware of:

  • Mount the nullfs trees read-only (mount -t nullfs -o ro ...). A nullfs mount is just a second
    view of the host's filesystem, so with a writable mount root inside the jail can replace
    binaries in the host's /usr/local and thereby compromise the host and every other jail.
  • /usr/local/etc is a real directory in each jail and not part of the shared tree, so no
    port/package ever installs its sample config there. You'll have to keep synchronizing it
    with a reasonable copy from the host's /usr/local/etc once in a while, in particular during
    upgrades. Note also that var is linked into the shared tree, so anything a port keeps under
    /usr/local/var is shared by all jails (and unwritable if the mount is read-only); check what
    your ports write there before relying on it.
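The whole procedure above as one script, added here as an example and not part of the original page. It assumes the jail root /var/jail/domain.com (override with JAILROOT), the two shared trees from the mount list, and mounts them read-only, which is this example's hardening choice rather than something the page requires. Only mount_shares needs root on a FreeBSD host; the symlink layout, the link check and the etc comparison run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): build the per-jail /usr/local
# layout described above (a real etc/ plus relative symlinks into the read-only
# nullfs view of the host's /usr/local) and verify that it resolves.
# Assumptions: jail root /var/jail/domain.com (override with JAILROOT), host
# trees /usr/local and /var/db/pkg, and the "ro" mount option as a hardening
# choice of this example.

JAILROOT="${JAILROOT:-/var/jail/domain.com}"

# Entries under /usr/local that the jail gets from the shared mount.
# etc is deliberately absent: it is a real, per-jail directory.
SHARED_DIRS="bin include info lib libdata libexec man sbin share var www"

# Print fstab(5)-style lines for the two nullfs mounts. Read-only, so that
# root inside the jail cannot modify host binaries or the host package
# database (a write through a nullfs mount is a write on the host).
print_fstab() {
    jailroot="$1"
    printf '%s\n' "/usr/local ${jailroot}/usr/local.ext nullfs ro 0 0"
    printf '%s\n' "/var/db/pkg ${jailroot}/var/db/pkg nullfs ro 0 0"
}

# Mount the shared trees (root on the FreeBSD host; not used by the checks).
mount_shares() {
    jailroot="$1"
    mkdir -p "${jailroot}/usr/local.ext" "${jailroot}/var/db/pkg"
    mount -t nullfs -o ro /usr/local "${jailroot}/usr/local.ext"
    mount -t nullfs -o ro /var/db/pkg "${jailroot}/var/db/pkg"
}

# Create the jail's real /usr/local with a real etc/ and one relative
# symlink per shared directory. Relative targets (../local.ext/...) resolve
# identically from the host and from inside the jail.
link_shared_dirs() {
    jailroot="$1"
    local_dir="${jailroot}/usr/local"
    mkdir -p "${local_dir}/etc"
    for d in $SHARED_DIRS; do
        [ -L "${local_dir}/${d}" ] || ln -s "../local.ext/${d}" "${local_dir}/${d}"
    done
}

# Verify the layout as the jail would see it: every shared entry must be a
# relative link into local.ext that currently resolves (mount in place).
# Returns 1 and names the offenders if anything is absolute or dangling.
check_links() {
    jailroot="$1"
    local_dir="${jailroot}/usr/local"
    bad=0
    for d in $SHARED_DIRS; do
        link="${local_dir}/${d}"
        target=$(readlink "${link}") || { echo "not a symlink: ${link}"; bad=1; continue; }
        case "${target}" in
            /*) echo "absolute target (breaks inside the jail): ${link} -> ${target}"; bad=1 ;;
            ../local.ext/*) ;;
            *) echo "unexpected target: ${link} -> ${target}"; bad=1 ;;
        esac
        [ -e "${link}" ] || { echo "dangling (mount missing?): ${link}"; bad=1; }
    done
    [ "${bad}" -eq 0 ]
}

# List entries of the host's /usr/local/etc that the jail's own etc lacks.
# Run this after port upgrades, since nothing installs samples into the jail.
missing_etc() {
    host_etc="$1"; jail_etc="$2"
    for f in "${host_etc}"/* "${host_etc}"/.[!.]*; do
        [ -e "${f}" ] || continue
        name="${f##*/}"
        [ -e "${jail_etc}/${name}" ] || printf '%s\n' "${name}"
    done
}

# Usage on the host, as root:  sh mailjail-layout.sh install
if [ "${1:-}" = "install" ]; then
    mount_shares "${JAILROOT}"
    link_shared_dirs "${JAILROOT}"
    check_links "${JAILROOT}"
    missing_etc /usr/local/etc "${JAILROOT}/usr/local/etc"
fi
```

check_links is worth running from the host after each boot: a dangling link means the nullfs mount did not come up, and the jail's postfix would then start against an empty /usr/local.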