Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-20 Thread Sabahattin Gucukoglu
On 20 Mar 2010, at 01:48, Daryl Tester wrote:
> Timo Sirainen wrote:
>> [Sendmail mailer arguments]
>> Change the last line (Argv) to
>>
>> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
>>
>> ...
>>
>> Well, at least I updated the wiki now so that future people won't have
>> this problem. :)
>
> To be fair, this was only a problem because I setuid'd the binary as root,
> which causes the extra permissions checking.  The wiki page uses a non-root
> ID, which I couldn't get to work (the previously mentioned setgid()
> failure), but at least wouldn't have fallen over in this fashion.

I skipped this thread too soon.  The mailer flags a=... does include argv[0].
That tripped me up when I was first doing Sendmail, too.

Cheers,
Sabahattin





Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Steffen Kaiser


On Fri, 19 Mar 2010, Daryl Tester wrote:

You are using system users?

> *)  The setuid users listed in the wiki kept result in setgid()

What setuid users?

> failures from deliver, so I've changed it to root:mail (mail being
> sendmail's MDA group), with permissions as u+s,g+rx,o-rwx
>
> When sendmail attempts delivery, I'm getting deferred: deliver
> failed with EX_TEMP, but nothing recorded in the log files.  I've
> embarrassingly widened the permissions of /var/log/dovecot and the


I changed logging of deliver to syslog for this reason:
protocol lda {
[...]
  # Log to syslog
  log_path =
  info_log_path =
  syslog_facility = mail
}

===

My definition of local delivery on Debian is:

dnl -f $g  -- sender
dnl -d $u  -- destination user account name
dnl -m $h  -- mailbox to deliver to (+detail part of address)
dnl -n     -- don't create new mailbox
dnl -e     -- exit code rather DSN
FEATURE(`local_procmail', `/etc/mail/smrsh/dovecot-deliver',
`/etc/mail/smrsh/dovecot-deliver -e -f $g -d $u')dnl


sendmail invokes deliver already as the system user, no setuid necessary.

regards,

-- 
Steffen Kaiser



Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Daryl Tester

Steffen Kaiser wrote:

> You are using system users?


I believe so.  Running delivery from the command line as the sendmail
user works as it should.


>> *)  The setuid users listed in the wiki kept result in setgid()
>
> What setuid users?


Sorry, I typed a little hastily.  setuid user's configuration -
setting the deliver owner to vmail:vmail as listed in
http://wiki.dovecot.org/LDA/Sendmail resulted in setgid(1002(vmail))
failed with euid=1002(vmail), gid=8(mail), egid=8(mail): Operation not
permitted.


>> When sendmail attempts delivery, I'm getting deferred: deliver
>> failed with EX_TEMP, but nothing recorded in the log files.  I've
>> embarrassingly widened the permissions of /var/log/dovecot and the
>
> I changed logging of deliver to syslog for this reason:


Fair enough, but I'm happy to tighten the permissions once I've got
it working;  I just have to get it working first.


> ===
>
> My definition of local delivery on Debian is:
>
> dnl -f $g  -- sender
> dnl -d $u  -- destination user account name
> dnl -m $h  -- mailbox to deliver to (+detail part of address)
> dnl -n     -- don't create new mailbox
> dnl -e     -- exit code rather DSN
> FEATURE(`local_procmail', `/etc/mail/smrsh/dovecot-deliver',
> `/etc/mail/smrsh/dovecot-deliver -e -f $g -d $u')dnl
>
> sendmail invokes deliver already as the system user, no setuid necessary.


So sendmail and deliver are running as the same user ID?

I'm not sure my mailer definition is an issue here - like I said, if I
wrap the invocation in a shell script or use strace as a mailer (that's
a first for me) it works correctly.  For the record, I'm using:

Mdovecot,   P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
   S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
   T=DNS/RFC822/X-Unix,
   A=deliver -d $u

#Mdovecot,   P=/tmp/strace, F=lADFMPhnu9,
#   S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
#   T=DNS/RFC822/X-Unix,
#   A=strace -o /tmp/strace.log /opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u



--
Regards,
 Daryl Tester

Member of the Amalgamated Australian Association Against Apostrophe Abuse.
(formerly the 6A's - no, wait ...).


Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Daryl Tester

Daryl Tester wrote:

> When sendmail attempts delivery, I'm getting deferred: deliver
> failed with EX_TEMP, but nothing recorded in the log files.


Gnargh, found it.  After adding a freopen() to deliver to capture
stderr (because sendmail sure as heck wasn't), deliver was reporting
stat(deliver) failed: No such file or directory.


Mdovecot,   P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
T=DNS/RFC822/X-Unix,
A=deliver -d $u


Change the last line (Argv) to

A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u

sets argv[0] to the full path of the binary so the permissions check in
deliver succeeds.  Which in hindsight explains why it worked with a
wrapper script or strace; they both would have set the full path
automatically.

I can't believe I've spent most of an afternoon on this.  hangs head
in shame


--
Regards,
 Daryl Tester

Member of the Amalgamated Australian Association Against Apostrophe Abuse.
(formerly the 6A's - no, wait ...).
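To make the failure mode from the message above concrete, here is an added example (my own, not Dovecot's deliver source) of an MDA self-check that stat()s argv[0] and reports the reason through both stderr and syslog's mail facility, so the error is not lost when the MTA discards stderr; the group/world-writable rule at the end is a hypothetical setuid-root hardening, not Dovecot's actual logic.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <syslog.h>

/* Report the same message to stderr and to syslog (mail facility), so a
 * failure is recorded even when the calling MTA swallows stderr. */
static void report(const char *msg)
{
    fprintf(stderr, "%s\n", msg);
    syslog(LOG_MAIL | LOG_ERR, "%s", msg);
}

/* Check the path the binary believes it was started from (argv[0]) and
 * return a sysexits code, as an MDA should.  Note argv[0] is supplied by
 * the caller, so this is only as reliable as the MTA's A= line. */
int check_self_binary(const char *argv0)
{
    struct stat st;
    char msg[512];

    if (argv0 == NULL || argv0[0] != '/') {
        /* A bare "deliver" makes stat() depend on the MTA's working
         * directory: the trap behind "A=deliver -d $u" in the thread. */
        snprintf(msg, sizeof msg, "argv[0] '%s' is not an absolute path",
                 argv0 ? argv0 : "(null)");
        report(msg);
        return EX_TEMPFAIL;
    }
    if (stat(argv0, &st) < 0) {
        snprintf(msg, sizeof msg, "stat(%s) failed: %s", argv0, strerror(errno));
        report(msg);
        return EX_TEMPFAIL;
    }
    /* Hypothetical extra check for a setuid-root binary (assumption, not
     * Dovecot's rule): refuse to run if group or others could modify it. */
    if ((st.st_mode & S_ISUID) && st.st_uid == 0 &&
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        snprintf(msg, sizeof msg, "%s is setuid root but group/world writable", argv0);
        report(msg);
        return EX_CONFIG;
    }
    return EX_OK;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* Run as ./a.out to reproduce the relative-path failure, then as
     * "$(pwd)/a.out" to see it pass, mirroring the A= fix above. */
    return check_self_binary(argv[0]);
}
```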


Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Steffen Kaiser


On Fri, 19 Mar 2010, Daryl Tester wrote:

> I can't believe I've spent most of an afternoon on this.  hangs head
> in shame


Well, there are things worse :-)

Regards,

-- 
Steffen Kaiser



Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Timo Sirainen
On Fri, 2010-03-19 at 21:48 +1030, Daryl Tester wrote:
> Mdovecot,   P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
> S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
> T=DNS/RFC822/X-Unix,
> A=deliver -d $u
>
> Change the last line (Argv) to
>
> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
...
> I can't believe I've spent most of an afternoon on this.  hangs head
> in shame

Well, at least I updated the wiki now so that future people won't have
this problem. :)





Re: [Dovecot] Sendmail + deliver; silent errors.

2010-03-19 Thread Daryl Tester

Timo Sirainen wrote:

> [Sendmail mailer arguments]
>
> Change the last line (Argv) to
>
> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
>
> ...
>
> Well, at least I updated the wiki now so that future people won't have
> this problem. :)


To be fair, this was only a problem because I setuid'd the binary as root,
which causes the extra permissions checking.  The wiki page uses a non-root
ID, which I couldn't get to work (the previously mentioned setgid()
failure), but at least wouldn't have fallen over in this fashion.

Cheers!

--
Regards,
 Daryl Tester

Member of the Amalgamated Australian Association Against Apostrophe Abuse.
(formerly the 6A's - no, wait ...).