In my /etc/init.d/qmail I have
...
rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
...
 sh -c "start-stop-daemon --start --quiet --user qmaild \
            --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
            --exec /usr/bin/tcpserver -- -R -H \
            -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
            $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
            | $logger &"


If I understand that correctly, it means that spamdyke will run as qmaild. Next
we take a look at /etc/spamdyke-smtps.conf

log-level=verbose
tls-level=smtps
tls-certificate-file=/etc/ssl/certs/stunnel.pem
filter-level=require-auth
smtp-auth-level=ondemand
smtp-auth-command=/usr/bin/chkpw /bin/true
access-file=/etc/spam-relays
local-domains-file=/etc/qmail/rcpthosts
relay-level=normal

Clearly qmaild must have read access to /etc/ssl/certs/stunnel.pem. First I
thought I could ensure that with

server:/etc/ssl/certs# ls -la stunnel.pem
-rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem

server:/# grep qmaild /etc/group
qmaild:x:1005:qmaild

where qmaild is a group with qmaild as a member, but for some strange reason this
doesn't work. Then, when I changed it to:

s# ls -la stunnel.pem
-rw-r----- 1 qmaild qmaild 2402 2009-09-23 10:03 stunnel.pem

It started to work. I think it is a bug, because these keys and certificates
could be used by several programs, e.g. pop3 running as another user, where
group access could be handy.

Next, for authentication, /usr/bin/chkpw (chkpw is just a copy of checkpassword)
must at least have suid set, like this:

rwSr-x--- 1 root qmaild    38 2009-09-24 21:26 chkpw

However, it turned out that it would not work until I changed it to:

-rwsr-xr-x 1 root qmaild 12360 2009-09-26 20:47 /usr/bin/chkpw

I don't understand why that is so, and I think it is a bug.

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
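The two "bugs" in the post are both questions of which identity actually touches the file, so a pre-flight check is worth having. The script below is an added example, not code from the spamdyke project or from the post. It replays the listings above against the identity the visible tcpserver line produces (-u gives qmaild's uid, but -g gives nobody's gid, and no supplementary groups are added), applying the POSIX rule that exactly one permission class (owner, else group, else other) is consulted, and it checks whether a setuid bit can take effect at all for that caller (the Linux kernel ignores setuid on #! interpreter scripts). qmaild's gid 1005 comes from the post's /etc/group line; the numeric ids for root and nobody, and the first bytes used for the two chkpw files, are assumptions. The check_path() helper runs the same decision against a real file on a live system.

```python
"""Pre-flight permission check for a daemon that drops privileges.

Added example; not code from the spamdyke project or from the post above.
It reproduces the POSIX discretionary-access decision (owner class, else
group class, else other: exactly one class applies) for an identity given as
(uid, gid, supplementary gids), and checks whether a setuid bit on a helper
such as chkpw can take effect for that identity.
"""
import os
import stat

# qmaild's gid 1005 is taken from the post; root and nobody are assumed ids.
IDS = {"root": 0, "qmaild": 1005, "nobody": 65534}


def parse_mode(text):
    """Turn an ls -l mode string ('-rw-r-----', 'rwSr-x---') into a mode int.

    The file-type character may be missing, as in the post's first chkpw
    listing, so only the last nine characters are interpreted.
    """
    bits = text[-9:]
    if len(bits) != 9:
        raise ValueError("need nine permission characters: %r" % text)
    mode = 0
    for i, ch in enumerate(bits):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i in (2, 5):        # setuid / setgid
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                       # lowercase: x bit is set too
                mode |= bit
        elif ch in "tT" and i == 8:             # sticky bit
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError("bad mode character %r in %r" % (ch, text))
    return mode


def access_allowed(mode, file_uid, file_gid, uid, gid, supp=(), want="r"):
    """POSIX DAC: pick the one class that applies, then test its bits."""
    want_bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:                                # root bypasses DAC for r/w
        return want != "x" or bool(mode & 0o111)
    if uid == file_uid:
        cls = (mode >> 6) & 7
    elif gid == file_gid or file_gid in supp:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & want_bit)


def setuid_takes_effect(mode, file_uid, file_gid, uid, gid, supp=(), head=b""):
    """Setuid only matters if the caller may exec the file and it is a real
    binary: the Linux kernel ignores setuid on '#!' interpreter scripts."""
    if not mode & stat.S_ISUID:
        return False, "setuid bit not set"
    if not access_allowed(mode, file_uid, file_gid, uid, gid, supp, "x"):
        return False, "caller has no execute permission"
    if head.startswith(b"#!"):
        return False, "interpreter script: kernel ignores setuid on #! files"
    return True, "ok"


def check_path(path, uid, gid, supp=(), want="r"):
    """Same decision against a real file, for use on a live system."""
    st = os.stat(path)
    return access_allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                          uid, gid, supp, want)


def page_scenarios():
    """Replay the post's listings against the identity the tcpserver line
    produces: uid qmaild, gid nobody, no supplementary groups."""
    r, q, uid, gid = IDS["root"], IDS["qmaild"], IDS["qmaild"], IDS["nobody"]
    pem = parse_mode("-rw-r-----")
    res = {
        # stunnel.pem as root:qmaild, read by uid qmaild / gid nobody
        "pem root:qmaild, gid nobody": access_allowed(pem, r, q, uid, gid),
        # same file if -g had been qmaild's gid, or after initgroups()
        "pem root:qmaild, gid qmaild": access_allowed(pem, r, q, uid, q),
        "pem root:qmaild, supp qmaild": access_allowed(pem, r, q, uid, gid, (q,)),
        # the chown that made it work in the post
        "pem qmaild:qmaild, gid nobody": access_allowed(pem, q, q, uid, gid),
    }
    # chkpw listings from the post; the file heads are constructed guesses
    first = parse_mode("rwSr-x---")
    res["chkpw rwSr-x---"] = setuid_takes_effect(first, r, q, uid, gid, head=b"#!/bin/sh")
    second = parse_mode("-rwsr-xr-x")
    res["chkpw -rwsr-xr-x"] = setuid_takes_effect(second, r, q, uid, gid, head=b"\x7fELF")
    return res


if __name__ == "__main__":
    for name, verdict in page_scenarios().items():
        print("%-32s %s" % (name, verdict))
```

Run it as-is to see the verdicts for the listings in the post, or call check_path("/etc/ssl/certs/stunnel.pem", 1005, 65534) on the server itself with the uid and gid that the init script's -u and -g actually evaluate to.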
