LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
LinkBack Search this Thread
Old 01-15-2002, 06:16 PM   #31
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30

Maybe you meant this.
ls -ld /var/spool/mail
drwxrwxr-x 2 mail mail 4096 Jan 15 19:09 /var/spool/mail
 
Old 01-15-2002, 06:21 PM   #32
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
So this is the deal. All my mail is sitting in mqueue with these priveledges
ls -ld /var/spool/mqueue
drwxr-xr-x 2 mail mail 4096 Jan 15 19:14 /var/spool/mqueue
It must actually move the mail to /var/spool/mail/. I guess it cant for some reason.
 
Old 01-15-2002, 06:41 PM   #33
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
/usr/share/sendmail-cf/mailer/procmail.m4
_DEFIFNOT(`PROCMAIL_MAILER_FLAGS', `SPhnu9')

I think this shows the S flag as being set. Is there a way to just rebuild this file. M4 loses all my changes to sendmail.cf and just messes stuff up.
 
Old 01-16-2002, 01:45 AM   #34
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Moving mail from mqueue to mail should be done by the MTA, not by hand :-] So, what was sendmail's uid again, wasnt it "sendmail" and it's gid "mail"? If that's the case, and "ls -ld /var/spool/mqueue" turns up as uid and gid "mail" then sendmail can't use the mqueue if the permissions are set to 0750 (groupid 5; read and executable, not writable). (But why isnt the mqueue uid/gid "sendmail.mail"?)

M4 works like "m4 configfile.mc > processed_config.cf", and the procmail.mc is a part of the sendmail.mc I guess. But how do you update your sendmail.cf if you can't use m4? Mailconf? (Linuxconf), then use "mailconf --generatecf" and itll update /etc/sendmail.cf. Linuxconf is quite retarded, but if you add custom .cf's in /etc/mail/mailconf itll process those in override mode.
 
Old 01-16-2002, 07:59 AM   #35
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Hi,
Well i found out why m4 screwed things up. Since i changed all permissions to mail.mail, its didnt like it. I changed everything back to root.root, then m4. So now my mail is the way it used to be. I will try the S flag thing in the sendmail.mc. Then run the m4 compile and then chown the stuff back to mail.mail.

How was i doing the changes b4. I was just editing sendmail.cf. I just changed stuff like privacy option/trusted user/.....

Ill update with my results by end of day. My mail server is in use right now and I cant rush myself.

Cross your fingers.....
THanks as always
 
Old 01-16-2002, 11:47 AM   #36
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Good luck!

If this works out it would be greatly appreciated if you could take the time to post your directives, kinda FAQ-like, would be very usefull. ..
 
Old 01-16-2002, 05:26 PM   #37
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
OHHH!!! Its not over yet. ALmost.
The MODIFY_MAILER_FLAGS(`LOCAL', `-S') fixed the gid thang. New error is:
procmail Insufficient privileges to deliver to "user"

I have searched google and someone said use add o for mailer.
MODIFY_MAILER_FLAGS(`LOCAL', `o-S')
MODIFY_MAILER_FLAGS(`LOCAL', `o -S')
I tried both of these and no good. even when sendmail works with root. I add the o and nothing works.



Thanks
 
Old 01-16-2002, 06:06 PM   #38
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
even tried this:
Add the o flag and remove the S flag in the Mlocal, F= section.

Before
Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@qSPfhn9, S=10/30,
After
Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@qPfhn9, S=10/30,



Id have to say that sendmail is screwing me all up.
 
Old 01-16-2002, 07:21 PM   #39
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
I cant seem to understand why i cant find any info. I must be the only person making my servers secure.

Can i possibly be the only person?
 
Old 01-16-2002, 08:30 PM   #40
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
I did chown root:mail /var/spool/mqueue and no more error. I send mail from an internet account to my box and it doesnt get rejected. I look in maillog and no errors. It just doesnt transfer it to /var/spool/mail. Its not in mqueue either. I dont know where the hell it is.
Currently /var/spool/mail is owned by mail:mail. made it root.mail and still nothing.

Any ideas.
 
Old 01-16-2002, 08:42 PM   #41
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Actually from chown root:mail /var/spool/mqueue,im getting Can't create transcript file

Now I know why people use microsoft. Its not at twisted as this crap. These damn faq and docs from google are junk and do me no good. There isnt one single article that explains the process. They all assume your a guru. Know why the hell would a guru be reading articles
 
Old 01-17-2002, 02:03 AM   #42
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
<Yoda>Ok, ok. Learn anger, to control, Luke, or drawn to the M$ side, you will be...</Yoda>

Ok, let's go back a bit please, cuz by now youve chowned stuff back and from, and Ive lost track.

Who does sendmail RunAs now? (sendmail)
Who does procmail run as now? (mail?)
Who does pop3 run as now? (mail?)
What's the owner/write permissions on /var/spool/mqueue? (0775, hopefully)
What does "sendmail -bp" (check mail queue) say?, and ls -al /var/spool/mqueue?
What's the write permissions on /var/spool/mail?
What does ls -al /var/spool/mail show as uid/gid?

The "Cant..transcript" is because the user sendmail runs as, has no permissions to write to the mqueue. For testing you could try making mqueue and mail 0777, but thats WORLD READABLE so not recommended (but for testing functionality and tcp wrappers in place and no daemon listening on the outside IP address it s could do for a few moments testing IMO). Basically all mail related daemons should run under the same user id or group id to be able to read/write mqueue and mail, but each users mailspool should only have a single group id.

If youre getting fed up, I could show up in #linux on irc.box.sk, sometime later (much later) this day.
 
Old 01-17-2002, 06:48 AM   #43
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
1)Who does sendmail RunAs now?
mail

2)Who does procmail run as now?
Have no idea
l ls -al /usr/bin/procmail
-rwxr-xr-x 1 root mail 63484 Jan 6 2001 /usr/bin/procmail


3)Who does pop3 run as now?
Not sure.

4)What's the owner/write permissions on /var/spool/mqueue? (0775, hopefully)
drwxr-xr-x 2 mail mail 4096 Jan 16 22:16 /var/spool/mqueue

5)What does "sendmail -bp" (check mail queue) say?, and ls -al /var/spool/mqueue?
sendmail -bp
/var/spool/mqueue is empty
ls -al /var/spool/mqueue
total 8
drwxr-xr-x 2 mail mail 4096 Jan 16 22:16 .
drwxr-xr-x 13 root root 4096 Jan 14 15:25 ..

6)What's the write permissions on /var/spool/mail?
ls -ld /var/spool/mail
drwxrwxr-x 2 mail mail 4096 Jan 17 07:36 /var/spool/mail

7)What does ls -al /var/spool/mail show as uid/gid?
ls -al /var/spool/mail
total 8
drwxrwxr-x 2 mail mail 4096 Jan 17 07:36 .
drwxr-xr-x 13 root root 4096 Jan 14 15:25 ..
-rw------- 1 forumkid mail 0 Jan 17 07:35 me

With this setup i Get these errors in maillog.
Jan 17 07:39:32 mail procmail[5891]: Insufficient privileges to deliver to "me"
Jan 17 07:39:32 mail sendmail[5890]: g0HCdSn05888: to=<me>, ctladdr=<me> (5
05/505), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30157, dsn=5.0.0, stat=Insufficient permission
Jan 17 07:39:32 mail sendmail[5890]: g0HCdSn05888: g0HCdWn05890: DSN: Insufficient permission


FYI:
whereis sendmail
sendmail: /usr/sbin/sendmail /etc/sendmail.cf /usr/lib/sendmail /usr/share/man/man8/sendmail.8.gz
ls -l /usr/sbin/sendmail
-r-sr-xr-x 1 root root 417828 Mar 3 2001 /usr/sbin/sendmail
ls -l /etc/sendmail.cf
-rw-r--r-- 1 mail mail 46300 Jan 17 07:33 /etc/sendmail.cf
ls -l /usr/lib/sendmail
lrwxrwxrwx 1 root root 16 Jan 14 15:22 /usr/lib/sendmail -> ../sbin/sendmail
Not sure if this helps
 
Old 01-17-2002, 02:29 PM   #44
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
I even tried making usr/sbin/sendmail owned by mail. If everything is owned by mail, what could it be complaining about?

But i did change back to the original.
 
Old 01-17-2002, 07:12 PM   #45
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Hey unSpawn,
I give up. Im going to assume the RunAsUser option isnt really more secure that just running sendmail as root. I think its rudiculous that I have searched everywhere and come up empty handed.

Is is worth this hassle. Is running sendmail with RunAsUser option really more secure??

Thanks for all your help. I owe you more than a few cold ones.

 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to make Sendmail forward all incoming mail to localhost port 26 (Domino mail) speedgelb Linux - Software 3 09-27-2013 10:18 AM
sendmail error Fetching mail could not lock /var/spool/mail/username sukhdev50 Linux - Networking 0 05-04-2005 03:41 AM
How to Attach files using 'Mail' or 'SendMail' Harlin Linux - Networking 2 02-19-2005 08:48 AM
Change sendmail by lotus domino for root mail cgillard Linux - Networking 1 06-16-2004 02:33 AM
Sendmail Error while sendmail mail palavsachin27 Linux - Networking 1 01-22-2003 04:14 PM


All times are GMT -5. The time now is 11:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration