Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-19 Thread Reio Remma

On 17.08.2023 21:32, Reio Remma wrote:

On 17.08.2023 19:43, Thomas Bohl wrote:


Interesting. Which man page please? I can't see it mentioned in 
smtpd.conf nor forward man pages.


The forward man page says:
A .forward file contains a list of expansion values, as described in 
aliases(5).


So it is in aliases 5.

http://man.openbsd.org/aliases.5
...
|command
Pipe the message to command on its standard input. The command is run 
under the privileges of the daemon's unprivileged account.


I've now found two ways to get mlmmj working.

.forward file method fails with the lmtp action that I've been 
successfully using thus far because it tries to pass it to mlmmj as 
'smtpd' user:


action deliver_mlmmj    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual userbase


.forward file method starts working if I replace lmtp with expand-only - 
mail is passed to mlmmj as the user from userbase not as 'smtpd' user:


action deliver_mlmmj   expand-only virtual  userbase 



Using the mda action passing mail to mlmmj works both with and without 
the .forward file, both ways delivered as the user from userbase:


action deliver_mlmmj   mda "/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/%{rcpt.domain}/%{rcpt.user}/" virtual userbase





Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-17 Thread Reio Remma

On 17.08.2023 19:43, Thomas Bohl wrote:


Interesting. Which man page please? I can't see it mentioned in 
smtpd.conf nor forward man pages.


The forward man page says:
A .forward file contains a list of expansion values, as described in 
aliases(5).


So it is in aliases 5.

http://man.openbsd.org/aliases.5
...
|command
Pipe the message to command on its standard input. The command is run 
under the privileges of the daemon's unprivileged account.




I'm really curious how it managed to work before...

With smtpd:smtpd on mlmmj directories I'm getting:

lookup: match "l...@domain.com" as MAILADDR in table proc:recipients -> true
rule #2 matched: match from any for domain domains rcpt-to recipients 
action deliver_lmtp

lookup: lookup "l...@domain.com" as ALIAS in table proc:virtuals -> "23"
expand: 0x55727bc76760: expand_insert() called for 
username:23[parent=(nil), rule=(nil)]

expand: 0x55727bc76760: inserted node 0x55727bd82e20
expand: 0x55727bd81028: expand_insert() called for 
username:23[parent=0x55727bc79e60, rule=0x55727bc7a930, 
dispatcher=0x55727bc7aa00]

expand: 0x55727bd81028: inserted node 0x55727bd83380
expand: 0x55727bc76760: clearing expand tree
expand: 0x55727bc76760: freeing expand tree
debug: aliases_virtual_get: 'l...@domain.com' resolved to 1 nodes
expand: lka_expand: username: 23 [depth=1, sameuser=0]
lookup: lookup "23@" as ALIAS in table proc:virtuals -> none
lookup: lookup "23" as ALIAS in table proc:virtuals -> none
lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain.com/list"

mproc: lka -> parent : 4376 IMSG_LKA_OPEN_FORWARD
warn: smtpd: /var/vmail/mlmmj/domain.com/list/.forward: unsecure file
mproc: parent -> lka : 4376 IMSG_LKA_OPEN_FORWARD
imsg: lka <- parent: IMSG_LKA_OPEN_FORWARD (len=4376)
expand: ~/.forward failed for user 23
mproc: lka -> dispatcher : 54 IMSG_SMTP_EXPAND_RCPT
expand: 0x55727bd81028: clearing expand tree
imsg: dispatcher <- lka: IMSG_SMTP_EXPAND_RCPT (len=54)
smtp: 0x562572625500: >>> 524 5.2.4 Mailing list expansion problem: 


mproc: dispatcher -> lka : 98 IMSG_REPORT_SMTP_PROTOCOL_SERVER
mproc: dispatcher -> lka : 62 IMSG_??? (132)
fe30c5bd1dd8f509 smtp failed-command command="RCPT TO:" 
result="524 5.2.4 Mailing list expansion problem: "




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-17 Thread Thomas Bohl




On 16.08.2023 at 16:58, Reio Remma wrote:

On 15.08.2023 10:49, Thomas Bohl wrote:



You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.


...on the home directory. 


I changed permissions from 0700 vmail:vmail to 0750 vmail:smtpd and 
coaxed a new error out of mlmmj:


/usr/bin/mlmmj-receive[114552]: mlmmj-receive.c:112: Have to invoke 
either as root or as the user owning listdir Invoked with uid = [997]


So it seems OpenSMTPD is trying to deliver with uid 997 (which is 
'smtpd' user on the system), ignoring the uid/gid from userinfo table.


That is what the man page says it does (running a command from the 
.forward file as smtpd). Since the man page of 6.8.0 said the same thing 
I don't know what changed. I assume you are using a Linux port. Maybe it 
behaved differently from what was described.


I don't have a Linux test system at hand to play around. So this is just 
a guess. But maybe you could use sudo to change the user back to vmail.
|sudo -g vmail -u vmail /usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/





Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-16 Thread Reio Remma

On 15.08.2023 10:49, Thomas Bohl wrote:



You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.


...on the home directory. 


I changed permissions from 0700 vmail:vmail to 0750 vmail:smtpd and 
coaxed a new error out of mlmmj:


/usr/bin/mlmmj-receive[114552]: mlmmj-receive.c:112: Have to invoke 
either as root or as the user owning listdir Invoked with uid = [997]


So it seems OpenSMTPD is trying to deliver with uid 997 (which is 
'smtpd' user on the system), ignoring the uid/gid from userinfo table.


v 6.8.0:

lookup: lookup "3" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/domain/user"

debug: smtpd: forking mda for session eba6bc20bdd7e6b8: 3 as 3

lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain/list"

debug: smtpd: forking mda for session 358aa0231bcacbe7: 23 as 23

v 7.3.0:

lookup: lookup "3" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/domain/user"

debug: smtpd: forking mda for session 8ed13ca11c1e1c09: 3 as smtpd

lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain/list"

debug: smtpd: forking mda for session 8ed13c9dff53f513: 23 as smtpd

Delivery to a regular user most likely succeeds because it's done over LMTP.




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-15 Thread Thomas Bohl




You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.


...on the home directory.



Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-15 Thread Thomas Bohl



It must be owned by the user who makes the delivery. Is vmail or 
mlmmj a system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.


I've been using mlmmj with this in the .forward file:

|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/

Permissions 0700 and 0600 on /var/vmail/mlmmj and vmail:vmail user/group.


man aliases
...
|command
    Pipe the message to command on its standard input.  The command
    is run under the privileges of the daemon's unprivileged account.

Sounds to me that smtpd needs reading rights. Something like
/var/vmail/mlmmj/domain/listname/.forward 640 vmail:smtpd


You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.



Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-15 Thread Reio Remma

On 15.08.2023 08:25, Thomas Bohl wrote:

Hello,

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before?


Only mails to root were delivered as root. But that possibility was 
removed for security reasons.


What user/permissions should I give the directory now? 


It must be owned by the user who makes the delivery. Is vmail or mlmmj 
a system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.


I've been using mlmmj with this in the .forward file:

|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/

Permissions 0700 and 0600 on /var/vmail/mlmmj and vmail:vmail user/group.

These worked with v6.8.0.




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Thomas Bohl

Hello,

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before?


Only mails to root were delivered as root. But that possibility was 
removed for security reasons.


What user/permissions should I give the directory now? 


It must be owned by the user who makes the delivery. Is vmail or mlmmj a 
system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Reio Remma

On 14.08.2023 11:29, Reio Remma wrote:

Hello!

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before? What user/permissions should I give the 
directory now? 


After changing /var/vmail/mlmmj ownership to smtpd:smtpd I'm getting a 
new error:


warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
1dd7ff441affc273 smtp failed-command command="RCPT TO:" 
result="424 4.2.4 Mailing list expansion problem: "


The actual .forward file has 0400 permissions.

Reio
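
The three .forward conditions quoted from forward(5) in this thread, written out as a checker. This is an added example, not part of any post and not OpenSMTPD's own code; the function names and the constructed test cases are assumptions made for illustration.

```python
import os
import stat
import tempfile


def forward_problems(home, uid, filename=".forward"):
    """Return the quoted forward(5) conditions that home/.forward violates
    for delivery user `uid`. An empty list means none of them applies."""
    path = os.path.join(home, filename)
    try:
        home_st = os.stat(home)
        file_st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    problems = []
    if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is group or world-writable")
    if home_st.st_mode & stat.S_IWGRP:
        problems.append("home directory is group writeable")
    if file_st.st_uid != uid:
        problems.append("file is not owned by the user")
    return problems


def demo():
    """Constructed cases in a temporary directory; the uid is whoever runs this."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as home:
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as fh:
            fh.write("|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/\n")
        os.chmod(home, 0o700)
        os.chmod(fwd, 0o600)
        results["home 0700, file 0600"] = forward_problems(home, me)
        # Strict mode bits, but the file's owner is not the uid being checked
        # (me + 1 stands in for a userinfo uid that differs from the owner).
        os.chmod(fwd, 0o400)
        results["file 0400, other owner"] = forward_problems(home, me + 1)
        os.chmod(fwd, 0o660)
        results["file 0660"] = forward_problems(home, me)
        os.chmod(fwd, 0o600)
        os.chmod(home, 0o770)
        results["home 0770"] = forward_problems(home, me)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'ok'}")
```

To check a real list directory, pass its path and the uid from the userinfo entry, for example `forward_problems("/var/vmail/mlmmj/domain/list", 5000)`.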