Sendmail - RunAsUser=sendmail:mail / What files do I have to change?
Linux - Security forum
So this is the deal. All my mail is sitting in mqueue with these privileges:
ls -ld /var/spool/mqueue
drwxr-xr-x 2 mail mail 4096 Jan 15 19:14 /var/spool/mqueue
It must actually move the mail to /var/spool/mail/. I guess it can't for some reason.
Moving mail from mqueue to mail should be done by the MTA, not by hand :-] So, what was sendmail's uid again, wasn't it "sendmail" and its gid "mail"? If that's the case, and "ls -ld /var/spool/mqueue" turns up uid and gid "mail", then sendmail can't use the mqueue if the permissions are set to 0750 (groupid 5; read and executable, not writable). (But why isn't the mqueue uid/gid "sendmail.mail"?)
M4 works like "m4 configfile.mc > processed_config.cf", and the procmail.mc is a part of the sendmail.mc, I guess. But how do you update your sendmail.cf if you can't use m4? Mailconf? (Linuxconf) Then use "mailconf --generatecf" and it'll update /etc/sendmail.cf. Linuxconf is quite retarded, but if you add custom .cf's in /etc/mail/mailconf it'll process those in override mode.
Well, I found out why m4 screwed things up. Since I changed all permissions to mail.mail, it didn't like it. I changed everything back to root.root, then ran m4. So now my mail is the way it used to be. I will try the S flag thing in the sendmail.mc, then run the m4 compile and then chown the stuff back to mail.mail.
How was I doing the changes before? I was just editing sendmail.cf. I just changed stuff like privacy options/trusted users/.....
I'll update with my results by end of day. My mail server is in use right now and I can't rush myself.
OHHH!!! It's not over yet. Almost.
The MODIFY_MAILER_FLAGS(`LOCAL', `-S') fixed the gid thing. The new error is:
procmail Insufficient privileges to deliver to "user"
I have searched Google and someone said to add o for the mailer:
MODIFY_MAILER_FLAGS(`LOCAL', `o -S')
I tried both of these and no good, even when sendmail runs as root. I add the o and nothing works.
I did chown root:mail /var/spool/mqueue and no more error. I send mail from an internet account to my box and it doesn't get rejected. I look in maillog and there are no errors. It just doesn't transfer it to /var/spool/mail. It's not in mqueue either. I don't know where the hell it is.
Currently /var/spool/mail is owned by mail:mail. Made it root.mail and still nothing.
Actually, from chown root:mail /var/spool/mqueue, I'm getting "Can't create transcript file".
Now I know why people use Microsoft. It's not as twisted as this crap. These damn FAQs and docs from Google are junk and do me no good. There isn't one single article that explains the process. They all assume you're a guru. Now why the hell would a guru be reading articles?
<Yoda>Ok, ok. Learn anger, to control, Luke, or drawn to the M$ side, you will be...</Yoda>
Ok, let's go back a bit please, because by now you've chowned stuff back and forth, and I've lost track.
1) Who does sendmail RunAs now? (sendmail)
2) Who does procmail run as now? (mail?)
3) Who does pop3 run as now? (mail?)
4) What's the owner/write permissions on /var/spool/mqueue? (0775, hopefully)
5) What does "sendmail -bp" (check mail queue) say, and ls -al /var/spool/mqueue?
6) What's the write permissions on /var/spool/mail?
7) What does ls -al /var/spool/mail show as uid/gid?
The "Can't ... transcript" is because the user sendmail runs as has no permissions to write to the mqueue. For testing you could try making mqueue and mail 0777, but that's WORLD READABLE so not recommended (but for testing functionality, with tcp wrappers in place and no daemon listening on the outside IP address, it could do for a few moments of testing IMO). Basically all mail-related daemons should run under the same user id or group id to be able to read/write mqueue and mail, but each user's mailspool should only have a single group id.
If you're getting fed up, I could show up in #linux on irc.box.sk sometime later (much later) this day.
2) Who does procmail run as now?
Have no idea.
ls -al /usr/bin/procmail
-rwxr-xr-x 1 root mail 63484 Jan 6 2001 /usr/bin/procmail
3) Who does pop3 run as now?
4) What's the owner/write permissions on /var/spool/mqueue? (0775, hopefully)
drwxr-xr-x 2 mail mail 4096 Jan 16 22:16 /var/spool/mqueue
5) What does "sendmail -bp" (check mail queue) say, and ls -al /var/spool/mqueue?
/var/spool/mqueue is empty
ls -al /var/spool/mqueue
drwxr-xr-x 2 mail mail 4096 Jan 16 22:16 .
drwxr-xr-x 13 root root 4096 Jan 14 15:25 ..
6) What's the write permissions on /var/spool/mail?
ls -ld /var/spool/mail
drwxrwxr-x 2 mail mail 4096 Jan 17 07:36 /var/spool/mail
7) What does ls -al /var/spool/mail show as uid/gid?
ls -al /var/spool/mail
drwxrwxr-x 2 mail mail 4096 Jan 17 07:36 .
drwxr-xr-x 13 root root 4096 Jan 14 15:25 ..
-rw------- 1 forumkid mail 0 Jan 17 07:35 me
With this setup I get these errors in maillog:
Jan 17 07:39:32 mail procmail: Insufficient privileges to deliver to "me"
Jan 17 07:39:32 mail sendmail: g0HCdSn05888: to=<me>, ctladdr=<me> (505/505), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30157, dsn=5.0.0, stat=Insufficient permission
Jan 17 07:39:32 mail sendmail: g0HCdSn05888: g0HCdWn05890: DSN: Insufficient permission
sendmail: /usr/sbin/sendmail /etc/sendmail.cf /usr/lib/sendmail /usr/share/man/man8/sendmail.8.gz
ls -l /usr/sbin/sendmail
-r-sr-xr-x 1 root root 417828 Mar 3 2001 /usr/sbin/sendmail
ls -l /etc/sendmail.cf
-rw-r--r-- 1 mail mail 46300 Jan 17 07:33 /etc/sendmail.cf
ls -l /usr/lib/sendmail
lrwxrwxrwx 1 root root 16 Jan 14 15:22 /usr/lib/sendmail -> ../sbin/sendmail
Not sure if this helps.
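As an added example (editor's note, not code from the thread or from sendmail itself), the shell snippet below applies the numbered questions from the reply above to the listings just posted. It parses "ls -ld" style lines and answers two things a practitioner checks first when sendmail runs as a non-root RunAsUser: can a given uid (with a given gid) write the object, honouring the Unix rule that owner bits apply before group bits before other bits, and does a delivery binary carry the setuid bit. The ls lines are copied from the posts (the mailbox line is given its full path, and the "fixed" mqueue line with 0775 root:mail is an assumed what-if, not something the poster ran). On a live box you would feed it real `ls -ld` output instead.

```shell
#!/bin/sh
# Added example: evaluate ownership/mode questions against "ls -ld" lines.
# Not sendmail code. Listing strings are copied from the thread; the
# MQUEUE_FIXED line and the uid/gid pairs passed below are assumptions.

# can_write LS_LINE USER GROUP
# Exit 0 when USER (a member of GROUP) may write the object described by
# an "ls -ld" line. Owner bits apply first, then group, then other;
# root bypasses the check entirely.
can_write() {
    user=$2
    group=$3
    set -- $1                     # split the ls line on whitespace
    mode=$1 owner=$3 grp=$4
    [ "$user" = root ] && return 0
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c3)    # owner write position
    elif [ "$grp" = "$group" ]; then
        bit=$(printf '%s' "$mode" | cut -c6)    # group write position
    else
        bit=$(printf '%s' "$mode" | cut -c9)    # other write position
    fi
    [ "$bit" = w ]
}

# is_setuid LS_LINE : exit 0 when the owner-execute position shows s or S
is_setuid() {
    set -- $1
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Listings from the thread (constructed copies; paths added where ls -al
# printed only "." or the bare file name).
MQUEUE_BEFORE='drwxr-xr-x 2 mail mail 4096 Jan 16 22:16 /var/spool/mqueue'
MQUEUE_FIXED='drwxrwxr-x 2 root mail 4096 Jan 16 22:16 /var/spool/mqueue'   # assumed what-if
SPOOL_MAIL='drwxrwxr-x 2 mail mail 4096 Jan 17 07:36 /var/spool/mail'
MAILBOX='-rw------- 1 forumkid mail 0 Jan 17 07:35 /var/spool/mail/me'
PROCMAIL='-rwxr-xr-x 1 root mail 63484 Jan 6 2001 /usr/bin/procmail'
SENDMAIL='-r-sr-xr-x 1 root root 417828 Mar 3 2001 /usr/sbin/sendmail'

# report LABEL LS_LINE USER GROUP : one human-readable line per check
report() {
    if can_write "$2" "$3" "$4"; then
        echo "$1: $3:$4 CAN write"
    else
        echo "$1: $3:$4 cannot write"
    fi
}

# RunAsUser=sendmail:mail is the thread's setting (assumed here as the
# uid:gid the daemon drops to).
report "mqueue as posted"      "$MQUEUE_BEFORE" sendmail mail
report "mqueue 0775 root:mail" "$MQUEUE_FIXED"  sendmail mail
report "/var/spool/mail"       "$SPOOL_MAIL"    sendmail mail
report "mailbox me, as mail"   "$MAILBOX"       mail     mail
report "mailbox me, as root"   "$MAILBOX"       root     root
is_setuid "$PROCMAIL" && echo "procmail is setuid" || echo "procmail is NOT setuid"
is_setuid "$SENDMAIL" && echo "sendmail is setuid" || echo "sendmail is NOT setuid"
```

The output lines up with the maillog: with mqueue at 0755 and owned by mail, a daemon running as sendmail:mail has no write bit to use, which is what produces "Can't create transcript file"; the 0600 mailbox owned by forumkid cannot be written by any non-root uid, which is the shape of procmail's "Insufficient privileges to deliver", and the posted procmail binary has no setuid bit to get around that.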
I give up. I'm going to assume the RunAsUser option isn't really more secure than just running sendmail as root. I think it's ridiculous that I have searched everywhere and come up empty-handed.
Is it worth this hassle? Is running sendmail with the RunAsUser option really more secure?
Thanks for all your help. I owe you more than a few cold ones.