The group permissions on your TLS certificate aren't working because 
your script explicitly sets the group to "nobody" when tcpserver 
starts.  Entries in /etc/group only affect interactive logins, not 
daemon processes like tcpserver.  Try changing your script from this:
    -g `id -g nobody`
To this:
    -g `id -g qmaild`
You should then be able to change the file permissions back to their 
original settings.

-- Sam Clippinger

David Bo Jensen wrote:
> In my /etc/init.d/qmail I have
> ...
> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
> ...
>  sh -c "start-stop-daemon --start --quiet --user qmaild \
>             --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>             --exec /usr/bin/tcpserver -- -R -H \
>             -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>             $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>             | $logger &"
>
>
> If I understand that correctly, it means that spamdyke will run as qmaild. 
> Next we take a look at /etc/spamdyke-smtps.conf
>
> log-level=verbose
> tls-level=smtps
> tls-certificate-file=/etc/ssl/certs/stunnel.pem
> filter-level=require-auth
> smtp-auth-level=ondemand
> smtp-auth-command=/usr/bin/chkpw /bin/true
> access-file=/etc/spam-relays
> local-domains-file=/etc/qmail/rcpthosts
> relay-level=normal
>
> Clearly qmaild must have read access to /etc/ssl/certs/stunnel.pem. First I 
> thought I could ensure that with
>
> server:/etc/ssl/certs# ls -la stunnel.pem
> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>
> server:/# grep qmaild /etc/group
> qmaild:x:1005:qmaild
>
> Where qmaild is a group with qmaild as a member, but for some strange reason 
> this doesn't work. Only after I changed it to:
>
> s# ls -la stunnel.pem
> -rw-r----- 1 qmaild qmaild 2402 2009-09-23 10:03 stunnel.pem
>
> It started to work. I think it is a bug, because these keys and certificates 
> could be used by several programs, e.g. pop3 running as another user, where 
> group access could be handy.
>
> Next, for authentication /usr/bin/chkpw (chkpw is just a copy of 
> checkpassword) must at least have suid set, like this:
>
> rwSr-x--- 1 root qmaild    38 2009-09-24 21:26 chkpw
>
> However it turned out that it would not work before I changed it to
>
> -rwsr-xr-x 1 root qmaild 12360 2009-09-26 20:47 /usr/bin/chkpw
>
> I don't understand why it is so, and I think it is a bug.
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

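The permission behaviour discussed in this thread follows from how a process's credentials reach the kernel's file-access check, so here is a worked model of that check. This is an added example, not code from the thread, from spamdyke or from ucspi-tcp. It models the POSIX owner/group/other decision and two kinds of process: a tcpserver child, which (as the reply above describes) carries exactly the one gid given with -g and no supplementary groups, and an interactive login, whose supplementary groups are filled in from /etc/group. The numeric ids (qmaild = 1005 from the quoted /etc/group line, nobody = 65534) and the /etc/group table are constructed for the example; the chkpw modes are the two David posted (rwSr-x--- = 4650 and -rwsr-xr-x = 4755).

```python
"""Model of the POSIX file-permission check (added example, not from the
spamdyke thread or project).  Shows why `-rw-r----- root qmaild stunnel.pem`
is unreadable to a tcpserver child started with `-g nobody`, readable with
`-g qmaild`, and readable after `chown qmaild` regardless of the -g value."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx class


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups (initgroups/setgroups)


@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int  # full mode bits, e.g. 0o640 or 0o4755


def can_access(proc: Proc, f: File, want: int) -> bool:
    """POSIX rule: the *first* matching class decides (owner, then group, then
    other); a later class is never consulted even if it would grant more.
    root bypasses read/write, and may exec only if some x bit is set."""
    if proc.uid == 0:
        return not (want & X) or bool(f.mode & 0o111)
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif proc.gid == f.group or f.group in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


# Constructed ids: qmaild is 1005 in the quoted /etc/group line; nobody assumed 65534.
QMAILD, NOBODY = 1005, 65534
ETC_GROUP = {QMAILD: {QMAILD}}  # gid -> member uids, i.e. "qmaild:x:1005:qmaild"


def tcpserver_child(uid: int, gid: int) -> Proc:
    """A tcpserver -u/-g child: one gid, no initgroups(), whatever /etc/group says."""
    return Proc(uid=uid, gid=gid, groups=frozenset())


def login_shell(uid: int, gid: int) -> Proc:
    """An interactive login: login(1) calls initgroups(), so /etc/group applies."""
    sup = frozenset(g for g, members in ETC_GROUP.items() if uid in members)
    return Proc(uid=uid, gid=gid, groups=sup)


CERT_ROOT_QMAILD = File(owner=0, group=QMAILD, mode=0o640)       # -rw-r----- root qmaild
CERT_QMAILD_OWNED = File(owner=QMAILD, group=QMAILD, mode=0o640)  # -rw-r----- qmaild qmaild
CHKPW_4650 = File(owner=0, group=QMAILD, mode=0o4650)            # rwSr-x--- root qmaild
CHKPW_4755 = File(owner=0, group=QMAILD, mode=0o4755)            # -rwsr-xr-x root qmaild


def scenarios() -> dict:
    """Each case from the thread, evaluated with the model above."""
    as_nobody = tcpserver_child(QMAILD, NOBODY)   # -u qmaild -g `id -g nobody`
    as_qmaild = tcpserver_child(QMAILD, QMAILD)   # -u qmaild -g `id -g qmaild`
    shell = login_shell(QMAILD, QMAILD)           # what `su - qmaild; cat` would see
    return {
        "cert, -g nobody":           can_access(as_nobody, CERT_ROOT_QMAILD, R),
        "cert, -g qmaild":           can_access(as_qmaild, CERT_ROOT_QMAILD, R),
        "cert, chown qmaild, -g nobody": can_access(as_nobody, CERT_QMAILD_OWNED, R),
        "cert, interactive qmaild":  can_access(shell, CERT_ROOT_QMAILD, R),
        "chkpw 4650, -g nobody":     can_access(as_nobody, CHKPW_4650, X),
        "chkpw 4650, -g qmaild":     can_access(as_qmaild, CHKPW_4650, X),
        "chkpw 4755, -g nobody":     can_access(as_nobody, CHKPW_4755, X),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'allowed' if ok else 'DENIED'}")
```

Two things worth reading off the output. First, the group-readable certificate and the 4650 setuid helper both work once the child's gid is qmaild, so the thread's two "bugs" have the same cause and the same fix (`-g` pointing at qmaild). Second, the workarounds David found are broader than needed: chowning the certificate to qmaild lets the daemon account modify its own key material, and 4755 makes a setuid-root checkpassword executable by every local user; neither is necessary once the gid is right.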