The group permissions on your TLS certificate aren't working because your script explicitly sets the group to "nobody" when tcpserver starts. Entries in /etc/group only affect interactive logins, not daemon processes like tcpserver. Try changing your script from this:

-g `id -g nobody`

To this:

-g `id -g qmaild`

You should then be able to change the file permissions back to their original settings.
-- Sam Clippinger

David Bo Jensen wrote:
> In my /etc/init.d/qmail I have
> ...
> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
> ...
> sh -c "start-stop-daemon --start --quiet --user qmaild \
> --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
> --exec /usr/bin/tcpserver -- -R -H \
> -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
> $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
> | $logger &"
>
> If I understand that rightly it means that spamdyke will run as qmaild. Next we
> take a look at /etc/spamdyke-smtps.conf
>
> log-level=verbose
> tls-level=smtps
> tls-certificate-file=/etc/ssl/certs/stunnel.pem
> filter-level=require-auth
> smtp-auth-level=ondemand
> smtp-auth-command=/usr/bin/chkpw /bin/true
> access-file=/etc/spam-relays
> local-domains-file=/etc/qmail/rcpthosts
> relay-level=normal
>
> Clearly qmaild must have read access to /etc/ssl/certs/stunnel.pem . First I
> thought I could ensure that with
>
> server:/etc/ssl/certs# ls -la stunnel.pem
> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>
> server:/# grep qmaild /etc/group
> qmaild:x:1005:qmaild
>
> Where qmaild is a group with qmaild as member, but for one strange reason
> this doesn't work. First when I changed it to:
>
> s# ls -la stunnel.pem
> -rw-r----- 1 qmaild qmaild 2402 2009-09-23 10:03 stunnel.pem
>
> It started to work. I think it is a bug because these keys and certificates
> could be used by several programs, e.g. pop3 running as another user, where
> group access could be handy.
>
> Next for authentication /usr/bin/chkpw (chkpw is just a copy of
> checkpassword) must at least have suid set like this
>
> rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw
>
> However it turned out that it would not work before I changed it to
>
> -rwsr-xr-x 1 root qmaild 12360 2009-09-26 20:47 /usr/bin/chkpw
>
> I don't understand why it is so, and I think it is a bug
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
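The permission failures in this thread come down to one fact: tcpserver's -u/-g options call setgid() and setuid() and nothing else, so the child process carries exactly one group ID and no supplementary groups. A login shell, by contrast, gets its supplementary groups from /etc/group via initgroups(), which is why the same file reads fine interactively. The Python below is an added example, not code from the thread, from ucspi-tcp or from spamdyke: it models the kernel's discretionary access check and replays the permission states quoted above. The qmaild gid 1005 is taken from the quoted /etc/group line; root 0, nobody 65534 and the assumption that qmaild's uid equals its gid are mine. The thread's first chkpw listing, `rwSr-x---`, has a capital S, which ls prints when the setuid bit is set without owner-execute; the model uses 0o4750 for that case so that only the group question is in play.

```python
"""Model of the kernel's file-permission check as it applies to a tcpserver
child.  Added example: not code from the thread, ucspi-tcp or spamdyke.
Ids: qmaild 1005 comes from the quoted /etc/group line; root 0 and
nobody 65534 are assumed, as is qmaild's uid being equal to its gid.
"""
from dataclasses import dataclass, field
import stat

ROOT = 0
QMAILD = 1005    # from the quoted "qmaild:x:1005:qmaild"
NOBODY = 65534   # assumed; the usual value on Debian-derived systems

# Constructed from the quoted grep output: group name -> (gid, members).
ETC_GROUP = {"qmaild": (QMAILD, ["qmaild"]), "nobody": (NOBODY, [])}


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary gids


@dataclass(frozen=True)
class File:
    mode: int  # permission bits as shown by ls, e.g. 0o640 or 0o4755
    uid: int
    gid: int


def tcpserver_child(uid: int, gid: int) -> Proc:
    """tcpserver -u/-g does setgid() then setuid() and nothing else: the
    child has exactly one group and no supplementary groups, so /etc/group
    membership is never consulted for it."""
    return Proc(uid, gid, frozenset())


def initgroups(user: str, etc_group=ETC_GROUP) -> frozenset:
    """Supplementary groups a login process receives: every group that lists
    `user` as a member (login/su do this; tcpserver does not)."""
    return frozenset(gid for gid, members in etc_group.values() if user in members)


def login_session(uid: int, gid: int, user: str) -> Proc:
    return Proc(uid, gid, initgroups(user))


_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def may(proc: Proc, f: File, perm: str) -> bool:
    """Classic Unix DAC: the first class that matches (owner, then group,
    then other) decides; later classes are never consulted.  Root bypasses
    r/w and needs at least one x bit to execute."""
    usr, grp, oth = _BITS[perm]
    if proc.uid == ROOT:
        return perm != "x" or bool(f.mode & (usr | grp | oth))
    if proc.uid == f.uid:
        return bool(f.mode & usr)
    if proc.gid == f.gid or f.gid in proc.groups:
        return bool(f.mode & grp)
    return bool(f.mode & oth)


def thread_scenarios() -> dict:
    """Replay the permission states quoted in the thread."""
    cert = File(0o640, ROOT, QMAILD)            # -rw-r----- root qmaild stunnel.pem
    cert_chowned = File(0o640, QMAILD, QMAILD)  # the chown workaround
    chkpw_group = File(0o4750, ROOT, QMAILD)    # setuid root, group-executable only
    chkpw_world = File(0o4755, ROOT, QMAILD)    # -rwsr-xr-x root qmaild chkpw
    as_nobody = tcpserver_child(QMAILD, NOBODY)  # -u `id -u qmaild` -g `id -g nobody`
    as_qmaild = tcpserver_child(QMAILD, QMAILD)  # -u `id -u qmaild` -g `id -g qmaild`
    shell = login_session(QMAILD, NOBODY, "qmaild")  # same ids, but via login
    return {
        "cert, gid nobody": may(as_nobody, cert, "r"),
        "cert, gid qmaild": may(as_qmaild, cert, "r"),
        "cert, chowned to qmaild": may(as_nobody, cert_chowned, "r"),
        "cert, login shell gid nobody": may(shell, cert, "r"),
        "chkpw 4750, gid nobody": may(as_nobody, chkpw_group, "x"),
        "chkpw 4750, gid qmaild": may(as_qmaild, chkpw_group, "x"),
        "chkpw 4755, gid nobody": may(as_nobody, chkpw_world, "x"),
    }


if __name__ == "__main__":
    for case, ok in thread_scenarios().items():
        print(f"{case:32} {'ok' if ok else 'DENIED'}")
```

The model shows why the chown and the world-executable chkpw "fixed" things: with the gid forced to nobody, the owner class (after chown) or the other class (mode 4755) is the only one left that can match. Passing the qmaild gid to tcpserver keeps the tighter root:qmaild 0640 certificate and the group-only execute bit on the setuid helper. On a live box the same comparison is `stat -c '%A %U %G' /etc/ssl/certs/stunnel.pem` against `id -g qmaild`; testing with `su` will not reproduce the failure, because su runs initgroups().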