github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1661] fetchmail.profile fails when local delivery to port 25 is needed (netfilter doesn't work) #1122

New issue
Closed
opened 2026-05-05 07:29:48 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 07:29:48 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Nov 28, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1661

The command firejail --net=vnet0 --profile=/etc/firejail/fetchmail.profile fetchmail -v myemailacct results in a fetchmail error:

fetchmail: connection to localhost:smtp [::1/25] failed: Connection refused.

Some fetchmail configs need to talk to a local SMTP server; others don't, which was perhaps the assumption in the design of fetchmail.profile. I've tried to fix it by introducing fetchmail.local:

netfilter /etc/firejail/fetchmail.net
whitelist ${HOME}/.netrc

and fetchmail.net:

-A INPUT  -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

Same error results. Note that there are no current profiles that pass a file argument to the netfilter option, so in case it's a misuse in my fetchmail.local, I have also tried including --netfilter=/etc/firejail/fetchmail.net on the CLI, and still fails to connect.

Also note that I'm still asked for a password despite whitelisting ${HOME}/.netrc (which is blacklisted in /etc/firejail/disable-common.inc). This seems to suggest that the include /etc/firejail/fetchmail.local may be losing precedence by appearing at the top of the fetchmail.profile.

I also confirm that I have a default firejail.conf (thus restricted-network is no). It's worth pointing out that vnet0 is a tor middlebox in this case (this project). But also note that the tor middlebox is designed to allow local traffic.

/cc @chiraag-nataraj @SpotComms

Originally created by @ghost on GitHub (Nov 28, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1661 The command `firejail --net=vnet0 --profile=/etc/firejail/fetchmail.profile fetchmail -v myemailacct` results in a fetchmail error: ``` fetchmail: connection to localhost:smtp [::1/25] failed: Connection refused. ``` Some fetchmail configs need to talk to a local SMTP server; others don't, which was perhaps the assumption in the design of `fetchmail.profile`. I've tried to fix it by introducing `fetchmail.local`: ``` netfilter /etc/firejail/fetchmail.net whitelist ${HOME}/.netrc ``` and `fetchmail.net`: ``` -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT ``` Same error results. Note that there are no current profiles that pass a file argument to the `netfilter` option, so in case it's a misuse in my `fetchmail.local`, I have also tried including `--netfilter=/etc/firejail/fetchmail.net` on the CLI, and still fails to connect. Also note that I'm still asked for a password despite whitelisting `${HOME}/.netrc` (which is blacklisted in `/etc/firejail/disable-common.inc`). This seems to suggest that the `include /etc/firejail/fetchmail.local` may be losing precedence by appearing at the top of the `fetchmail.profile`. I also confirm that I have a default `firejail.conf` (thus _restricted-network_ is _no_). It's worth pointing out that `vnet0` is a tor middlebox in this case ([this project](https://github.com/Bylon/TOR_Middlebox)). But also note that the tor middlebox is designed to allow local traffic. /cc @chiraag-nataraj @SpotComms
gitea-mirror 2026-05-05 07:29:48 -06:00
gitea-mirror commented 2026-05-05 07:29:51 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Dec 2, 2017):

I think you are fighting the network namespace. When you do --net=vnet0, you move fetchmail in a new network namespace with a new loopback interface, and the server on local loopback remains in the regular system namespace. You cannot access the server from the new namespace.

Try without --net=veth0.

<!-- gh-comment-id:348693564 --> @netblue30 commented on GitHub (Dec 2, 2017): I think you are fighting the network namespace. When you do --net=vnet0, you move fetchmail in a new network namespace with a new loopback interface, and the server on local loopback remains in the regular system namespace. You cannot access the server from the new namespace. Try without --net=veth0.
gitea-mirror commented 2026-05-05 07:29:53 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 3, 2017):

@netblue30
Thanks, but that makes no difference. I already tested --net=enp0s25 (which is the default network device, and thus presumably the same as omitting the --net option), and still the netfilter seems to fail to allow local port 25 connections.

Also, my ignored whitelisting of /.netrc could be a clue, because if that's being ignored what else is? Maybe my netfilter is also being ignored.

<!-- gh-comment-id:348779886 --> @ghost commented on GitHub (Dec 3, 2017): @netblue30 Thanks, but that makes no difference. I already tested `--net=enp0s25` (which is the default network device, and thus presumably the same as omitting the `--net` option), and still the netfilter seems to fail to allow local port 25 connections. Also, my ignored whitelisting of `/.netrc` could be a clue, because if that's being ignored what else is? Maybe my netfilter is also being ignored.
gitea-mirror commented 2026-05-05 07:29:54 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Dec 4, 2017):

No, using the --net option always creates a new network namespace regardless of which interface you specify. Try it without using --net at all.

<!-- gh-comment-id:349034361 --> @chiraag-nataraj commented on GitHub (Dec 4, 2017): No, using the `--net` option always creates a new network namespace regardless of which interface you specify. Try it without using `--net` at all.
gitea-mirror commented 2026-05-05 07:29:56 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 6, 2017):

@chiraag-nataraj

Try it without using --net at all.

That works. Omitting a net namespace enables traffic from fetchmail to the local SMTP server over port 25. So it confirms what @netblue30 said, but problems remain:

  • There is still a need for traffic from a net namespace-confined fetchmail to the local SMTP server. This is because the namespace is needed to force all remote traffic over Tor. Also note that the trick of adding plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050" to .fetchmailrc does not work because .onion servers do not resolve. Hence the need for a net namespace (which for me is the driver for introducing firejail). How can we poke a hole in the firejail to bridge the LAN with the network namespace, ideally just for port 25?
  • The ~/.netrc file is still ultimately blocked by global options, despite whitelisting it in /etc/firejail/fetchmail.local. The only workaround specifically for fetchmail is to embed the passphrases in ~/.fetchmailrc instead, because that can be whitelisted (due to lack of global blacklisting). But that's a hack and only works specifically for fetchmail, not other apps that would have a legit reason to access ~/.netrc.

If it's deliberate for global options to block whitelists in localized profiles, then perhaps ~/.fetchmailrc should also be globally blacklisted (as it can contain passwords).

BTW, if the netfilter option is useless in combination with the --net= option, then isn't it a defect that firejail even attempts to execute? Shouldn't it terminate with an error?

<!-- gh-comment-id:349678857 --> @ghost commented on GitHub (Dec 6, 2017): @chiraag-nataraj > Try it without using --net at all. That works. Omitting a net namespace enables traffic from fetchmail to the local SMTP server over port 25. So it confirms what @netblue30 said, but problems remain: * There is still a need for traffic from a net namespace-confined fetchmail to the local SMTP server. This is because the namespace is needed to force all remote traffic over Tor. Also note that the trick of adding `plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"` to `.fetchmailrc` does not work because `.onion` servers do not resolve. Hence the need for a net namespace (which for me is the driver for introducing firejail). How can we poke a hole in the firejail to bridge the LAN with the network namespace, ideally just for port 25? * The `~/.netrc` file is still ultimately blocked by global options, despite whitelisting it in `/etc/firejail/fetchmail.local`. The only workaround specifically for fetchmail is to embed the passphrases in `~/.fetchmailrc` instead, because that can be whitelisted (due to lack of global blacklisting). But that's a hack and only works specifically for fetchmail, not other apps that would have a legit reason to access `~/.netrc`. If it's deliberate for global options to block whitelists in localized profiles, then perhaps `~/.fetchmailrc` should also be globally blacklisted (as it can contain passwords). BTW, if the _netfilter_ option is useless in combination with the _--net=_ option, then isn't it a defect that firejail even attempts to execute? Shouldn't it terminate with an error?
gitea-mirror commented 2026-05-05 07:29:58 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Dec 9, 2017):

regarding your second point:

The ~/.netrc file is still ultimately blocked by global options, despite whitelisting it in /etc/firejail/fetchmail.local.

add noblacklist ${HOME}/.netrc to fetchmail.local and try it again

<!-- gh-comment-id:350410654 --> @smitsohu commented on GitHub (Dec 9, 2017): regarding your second point: > The ~/.netrc file is still ultimately blocked by global options, despite whitelisting it in /etc/firejail/fetchmail.local. add `noblacklist ${HOME}/.netrc` to fetchmail.local and try it again
gitea-mirror commented 2026-05-05 07:30:00 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 9, 2017):

@smitsohu

add noblacklist ${HOME}/.netrc to fetchmail.local and try it again

Thanks, that worked.

<!-- gh-comment-id:350500987 --> @ghost commented on GitHub (Dec 9, 2017): @smitsohu > add noblacklist ${HOME}/.netrc to fetchmail.local and try it again Thanks, that worked.
gitea-mirror commented 2026-05-05 07:30:02 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Dec 11, 2017):

perhaps ~/.fetchmailrc should also be globally blacklisted (as it can contain passwords).

@libBletchley Thanks for pointing this out, it is now fixed on mainline

<!-- gh-comment-id:350788085 --> @smitsohu commented on GitHub (Dec 11, 2017): > perhaps ~/.fetchmailrc should also be globally blacklisted (as it can contain passwords). @libBletchley Thanks for pointing this out, it is now fixed on mainline
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1122
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?