Socketbox/Compatibility

#!/bin/sh
exec env SKBOX_DIRECTORY_ROOT=/run/socketbox-conf LD_PRELOAD=/path/to/libsocketbox-preload.so /usr/lib/postfix/sbin/master.distrib "$@"

Upon further testing, it appears that you might also need to do this on /usr/lib/postfix/sbin/smtpd.

Reverse DNS lookups on incoming connections might not work, though I don't know whether this is a Postfix bug or if my mail server container is configured incorrectly. Needs further internal testing.

Not yet tested:

• Ports 465 or 587 Works.
• Actually trying to send an email (only tested EHLO/MAIL FROM/RCPT TO) Works on port 25 (MTA->MTA) and port 465 (implicit TLS submission). Port 587 (STARTTLS submission) not tested, though the result might be similar to the port 25 case.
• chroot=y in master.cf

import socket
my_socket = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
my_socket.bind("/path/to/unix/domain/socket")
while True:
    a, addr = my_socket.accept()
    # do something with (a, addr)

(Note that this normally fails with OSError if socketbox-preload is not used.)

Also tested to work (using fe8f::x:y:y) with whatever web server Synapse (the Matrix homeserver) is using, though it seems to throw an exception if you attempt to send a Unix domain socket as a connection; set environment variable SKBOX_STEALTH_MODE=1 as a workaround.

Not yet tested:

• socket.create_server(('fe8f::x:y:y', ...), ...)

Tested with version 12.19.0 with server.listen({fd: +process.env.WHATEVER}), which did not work. As an alternative, the core functionality of socketbox can be implemented in Node.js directly:

const net = require('net');
const http = require('http');
var appOne = http.createServer(/* (req, res) => ... */);
var appTwo = http.createServer(/* (req, res) => ... */);
var appDefault = http.createServer(/* (req, res) => ... */);

var mapping = {
    "@2001:db8::1": appOne,
    "@2001:db8::2": appTwo
};

var masterServer = net.createServer(s => {
    let key = "@" + s.localAddress;
    if (mapping.hasOwnProperty(key)) {
        mapping[key].emit("connection", s);
    } else {
        appDefault.emit("connection", s);
    }
});

masterServer.listen({host: "::", port: 80}); /* Alternatively call Node.js from Python using an inherited AF_INET[6] listening socket, perhaps using the IPV6_TRANSPARENT + TPROXY trick to arbitrarily select IPs and port numbers. */

See TCP Battleships.

TCP listening sockets created with ctrtool ns_open_file also work with fd:, regardless of network namespace; see Universal Relay.

Run this modified version of HAProxy with the following Python script:

import socket, os

s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
s.bind("/run/socketbox/haproxy_dgram.sock.tmp")

# os.chown("/run/socketbox/haproxy_dgram.sock.tmp", 0, [gid of socketbox group]) # only if /run/socketbox is not set-gid
os.chmod("/run/socketbox/haproxy_dgram.sock.tmp", 0o660)
os.rename("/run/socketbox/haproxy_dgram.sock.tmp", "/run/socketbox/haproxy_dgram.sock")

s.set_inheritable(True)
os.environ["SKBOX_HAPROXY_DGRAM_SOCK"] = str(s.fileno())

os.execv("/usr/local/bin/haproxy", ["haproxy", "--", "/etc/haproxy/haproxy.conf"])

and use bind sockpair@${SKBOX_HAPROXY_DGRAM_SOCK} in haproxy.conf.

Now that ctrtool ns_open_file can open Unix dgram sockets (requires experimental nsof_special branch), you could use that instead of the above script, using bind sockpair@${CTRTOOL_NS_OPEN_FILE_FD_0}. This still requires the custom version of HAProxy that I maintain as above.