# ssmtp not working from inside jail



## Moe (Mar 18, 2010)

Hi,

So, first a quick overview of my setup:
I'm running FreeBSD 7.2. I used ezjail to create a jail for an apache webserver. I am using PF for my firewall and have logging enabled as well as using the keyword "log" in all of my block, pass statements. I am running BIND for dns resolution inside my jail. I only have one nic, so have a cloned interface (lo1), which I have my jail's IP assigned to. In my pf.conf I have "set skip on 1o0".
I have sendmail disabled on both my host and my jail and I am using ssmtp to forward mail. Everything is working fine except I can't get ssmtp to work from inside my jail. I can hit my webserver from the external interface and DNS resolves inside my jail.
When I try to test ssmtp from inside my jail, I do not see the packets attempt to traverse my external interface (they are not logged as passed or blocked), but it does pass in and out of the internal interface.
In verbose mode I see this error:

```
# echo "testing mail service from my apache jail" | mail -v root
root... Connecting to [127.0.0.1] via relay...
root... Deferred: Connection refused by [127.0.0.1]
```
If I try to telnet from inside the jail to 127.0.0.1 I get the following error:

```
127.0.0.1:25: Non-recoverable failure in name resolution
```

ssmtp works fine outside the jail. In the jail, I have tried changing the values of:

```
root=
mailhub=
rewriteDomain=
hostname=
```
but that doesn't make any difference. What am I missing here? I will gladly provide more information, but I'm not really sure what's needed.
Thank you in advance for any help!

Moe


----------



## DutchDaemon (Mar 18, 2010)

If you really have set skip on 1o0 that would explain something.

P.S. read up on the formatting tags. The way you used them made parts of your post invisible. Preview your posts before submitting.


----------



## Moe (Mar 18, 2010)

My apologies for my ignorance. This is my first attempt at setting up a UNIX system. Are you saying that I need to remove the "set skip on 1o0" and write all my pass rules for that interface as well?


----------



## SirDice (Mar 18, 2010)

What does `ifconfig lo0` inside the jail tell you?


----------



## SirDice (Mar 18, 2010)

Moe said:

> My apologies for my ignorance. This is my first attempt at setting up a UNIX system. Are you saying that I need to remove the "set skip on 1o0" and write all my pass rules for that interface as well?



It's lo0 not 1o0, the first is with a lowercase L the second with a 1 (one).


----------



## Moe (Mar 18, 2010)

yeah, typo, sorry.

from inside the jail:


```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
```


----------



## SirDice (Mar 18, 2010)

This means 127.0.0.1 isn't available in your jail. Hence the error message when you try to connect to it.


----------



## DutchDaemon (Mar 18, 2010)

Is that the entire output of `ifconfig lo0`?


----------



## Moe (Mar 18, 2010)

Yes, that is the entire output. There is more, of course, if I don't specify just that interface.
So, how can I make it available? Or how do I fix this? Is there a way to tell ssmtp to ignore that interface? I would rather it used lo1 like everything else. I have to admit I don't quite get it. Most of what I have read so far suggests I shouldn't really mess with lo0. I can see other applications' packets traverse lo0 - they don't seem to mind it's not available to the jail...
Thanks for your help guys!


----------



## DutchDaemon (Mar 18, 2010)

The loopback address is usually put there by a directive in /etc/defaults/rc.conf:


```
ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.
```

I don't know if that's how it usually works inside a jail.


----------



## Moe (Mar 18, 2010)

There was no rc.conf inside my jail by default. I created one so I could kill off sendmail. I added:

```
ifconfig_lo0="inet 127.0.0.1"
```

and rebooted. Inside my jail, ifconfig has never shown an IP address for fxp0 or lo0, only for lo1. The same is still true after reboot:


```
www# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:02:55:f3:bb:b1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.0.0.1 netmask 0xffffff00 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
```

I am also still getting the same errors.


----------



## SirDice (Mar 18, 2010)

You can't set lo0 or use 127.0.0.1 inside a jail. These days it may be possible by using VIMAGE but I haven't played with it myself.

You should make double sure all daemons on the host are bound to 127.0.0.1 (lo0) and/or the host's IP address. Inside a jail all daemons/services should be bound to the jail's IP address. I've never needed access to lo0 inside a jail. Check your services on the host and inside the jails with sockstat(1).


----------



## Moe (Mar 19, 2010)

ok, sockstat from within the jail shows everything bound to the jail IP (10.0.0.1). sockstat on my host shows the following. BIND is listening on the jail IP in order to provide DNS resolution for it. Output from sockstat:

```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
bind     named      1398  3  dgram  -> /var/run/logpriv
bind     named      1398  20 tcp4   10.0.0.1:53           *:*
bind     named      1398  21 tcp4   127.0.0.1:953         *:*
bind     named      1398  22 tcp6   ::1:953               *:*
bind     named      1398  512udp4   10.0.0.1:53           *:*
root     sshd       1251  3  tcp4   public IP     public IP
root     sshd       1251  8  stream /tmp/ssh-z8viYkvylT/agent.1251
root     syslogd    1084  4  dgram  /var/run/log
root     syslogd    1084  5  dgram  /var/run/logpriv
root     syslogd    1084  6  udp4   10.0.0.1:514          *:*
root     sshd       859   3  tcp6   *:22                  *:*
root     sshd       859   4  tcp4   *:22                  *:*
root     syslogd    689   4  dgram  /var/run/log
root     syslogd    689   5  dgram  /var/run/logpriv
root     syslogd    689   6  dgram  /var/run/log
root     syslogd    689   7  dgram  /var/named/var/run/log
root     syslogd    689   8  udp6   *:514                 *:*
root     syslogd    689   9  udp4   *:514                 *:*
root     devd       631   4  stream /var/run/devd.pipe
_pflogd  pflogd     388   5  stream -> ??
root     pflogd     383   4  stream -> ??
```

As far as I can tell this looks ok too? I mean syslogd is bound to both, i.e. it's running as root both inside and outside the jail...

Any ideas?


----------



## Moe (Mar 19, 2010)

I'm starting to get the impression that ssmtp won't work from inside a jail. Can anyone confirm that they have gotten this to work?

thanks!


----------



## aragon (Mar 20, 2010)

The telnet error you pasted in your first post looks like invalid syntax.  The usage is:

```
telnet <address> <port>
```

Not:

```
telnet <address>:<port>
```

What happens if you telnet to the SMTP server and port?


----------



## DutchDaemon (Mar 20, 2010)

Hm, good one ..


```
$ telnet 127.0.0.1:25 
127.0.0.1:25: hostname nor servname provided, or not known
```

Similar enough.


----------



## Moe (Mar 21, 2010)

Good to know, thanks. 


```
telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
```

Keep in mind, I installed the ssmtp port both inside and outside my jail. On the host itself it works fine. Inside the jail it tries to use 127.0.0.1 as the relay. ssmtp doesn't run as a daemon. It just sends mail when invoked. I've tried changing the values for the jail's ssmtp conf file but that doesn't make any difference.

Does the ssmtp port work inside a jail?

thanks everybody.


----------



## aragon (Mar 21, 2010)

Yup, it does work inside a jail.  The problem is not with ssmtp, but with your jail's network configuration.  If telnet can't establish the SMTP connection, there's no way ssmtp or any other SMTP client will be able to.

From within a jail 127.0.0.1 is not the host.  It is the jail.  You're effectively running ssmtp inside your jail and telling it to relay to itself.  Configure it to connect to your host's IP address and it should work.  Again, test with telnet to confirm network functionality.

As a side note, I'm not sure your cloning of the loopback interface is a good idea.  The norm is to bind an IP alias to your NIC and give the jail that IP address.


----------



## Moe (Mar 21, 2010)

ok, so that's what I can't figure out how to do. How do I configure it to NOT try 127.0.0.1? I have tried all different values for these parameters in the ssmtp.conf file (in the jail):


```
root=
mailhub=
rewriteDomain=
hostname=
```

but it doesn't seem to make any difference to ssmtp, it always tries 127.0.0.1 first. I can even see DNS packets go by when it resolves the mailhub= (if I use the FQDN of my ISP's mail server). 
?

With regards to cloning the interface, I have found conflicting advice. This seems to work for everything (else), so I would prefer not to have to change it unless I have to.

thanks!


----------



## aragon (Mar 21, 2010)

You need to set mailhub.


```
mailhub=<ip>[:<port>]
```

Default port is 25.


----------



## Moe (Mar 21, 2010)

As stated earlier, I have tried changing the value of 

```
mailhub=
```
to no avail. I tried again using my jail's IP, my host's IP and the IP of my ISP's smtp server. In each case ssmtp attempts to connect to 127.0.0.1 first.
I noticed the same behavior with nslookup until I edited the resolv.conf file to point to the jail's IP. In this case however, there doesn't seem to be a way to point ssmtp away from 127.0.0.1. 
Feels like I'm missing something really obvious here, but I can't figure out what it is....


----------



## aragon (Mar 21, 2010)

Moe said:

> I tried again using my jail's IP, my host's IP and the IP of my ISP's smtp server. In each case ssmtp attempts to connect to 127.0.0.1 first.


And if you telnet to these from inside the jail?


----------



## freebuser (Oct 15, 2016)

I had this same issue, but figured out I hadn't done the following within the jail. Actually I did, but it got overwritten after 10.3-RELEASE to 11.0-RELEASE.


```
sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail
```

as per

https://www.freebsd.org/doc/handbook/mail-changingmta.html#mail-disable-sendmail


----------
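Added example, not part of any post in the thread: freebuser's fix concerns `/etc/mail/mailer.conf`, which mailwrapper(8) reads to decide which program runs when something calls `sendmail`, and aragon's advice concerns a `mailhub` that points at loopback inside a jail. This sh sketch checks both conditions; the function names, the default paths named in the comments and the 192.0.2.25 relay address are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check how mail is wired inside a jail.
# Paths are passed in; in a FreeBSD jail they would typically be
# /etc/mail/mailer.conf and /usr/local/etc/ssmtp/ssmtp.conf (assumed defaults).

# mta_target FILE NAME: print the program mailer.conf maps NAME to.
mta_target() {
    awk -v name="$2" '/^[ \t]*#/ { next } $1 == name { print $2; exit }' "$1"
}

# ssmtp_mailhub FILE: print the host part of the last mailhub= line.
ssmtp_mailhub() {
    awk -F= '/^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        tolower(k) == "mailhub" { v = $2; gsub(/[ \t]/, "", v); sub(/:.*/, "", v); hub = v }
        END { print hub }' "$1"
}

# audit_jail_mail MAILER_CONF SSMTP_CONF: print findings, return 1 if any.
audit_jail_mail() {
    rc=0
    for name in sendmail send-mail; do
        target=$(mta_target "$1" "$name")
        case "$target" in
            */ssmtp) ;;   # mailwrapper hands the message to ssmtp
            *) echo "FAIL: $name -> ${target:-unset}, so ssmtp.conf is not consulted"; rc=1 ;;
        esac
    done
    hub=$(ssmtp_mailhub "$2")
    case "$hub" in
        ""|localhost|127.*) echo "FAIL: mailhub '${hub}' is unset or loopback"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files: a jail whose mailer.conf was reset to the stock
# sendmail entries, with an ssmtp.conf that points at a placeholder relay.
demo=$(mktemp -d)
printf 'sendmail\t/usr/libexec/sendmail/sendmail\nsend-mail\t/usr/libexec/sendmail/sendmail\n' > "$demo/mailer.conf"
printf '# constructed\nroot=postmaster\nmailhub=192.0.2.25:25\n' > "$demo/ssmtp.conf"
audit_jail_mail "$demo/mailer.conf" "$demo/ssmtp.conf" || echo "jail mail wiring needs fixing"
```

Run it inside the jail against the real files after each release upgrade, since the upgrade described above replaced `mailer.conf` without any visible error.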

