-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Fri, 19 Aug 2016, ben@indietorrent.org wrote:
On 2016-08-19 12:17, ben@indietorrent.org wrote:
Aha! Clearly, the vmail user cannot read from nor write to /tmp. (Why that is, I have no idea, as the /tmp directory's permissions certainly
Do you have SELinux active? See almost at the end of http://wiki2.dovecot.org/WhyDoesItNotWork?highlight=%28selinux%29
allow for both; maybe Dovecot implements this as a security measure.)
No. Dovecot does not implement anything like that. Do you chroot ?
This prompted me to change all references to /tmp in the pipe script to ~/tmp, and create this directory:
$ whoami vmail $ mkdir ~/tmp && chmod 770 ~/tmp $ /bin/bash /usr/local/bin/sa-learn-pipe.sh --ham < /var/vmail/gtube.txt
No errors this time (at least not on the console).
But I do get this in /var/log/mail.err:
Aug 19 12:04:24 example.com dovecot: lda(sa-training@example.com): Fatal: Can't open delivery mail as raw: Permission denied
I'm not sure how to interpret this message. Where is permission being denied? More importantly, what's the fix?
Thanks for any hints!
-Ben
Apologies for the rapid-fire replies here.
The strace output that I'm capturing in the pipe script pinpointed the problem:
open("/root/~/tmp/sendmail-msg-26272.txt", O_RDONLY) = -1 EACCES (Permission denied)
Er, '/root/~/tmp/' ??
There seems to be some expansion occurring that assumes the root user, despite executing the pipe script as the vmail user, so I changed all references to ~/tmp in the pipe script to /var/vmail/tmp and permission is no longer denied.
But, now dovecot-lda is core-dumping. Here is the strace output:
So, I'm back to where I was with this problem two years ago.
At that time, I gave-up, because I couldn't invest the time required to compile the latest versions of Dovecot and all plugins from scratch in an effort to prove that the bug exists in the latest source.
"Dovecot always logs a detailed error message if something goes wrong. If it doesn't, it's considered a bug and will be fixed." - http://wiki2.dovecot.org/Logging
I'm happy to help identify the root-cause, but I need some guidance here.
First: check the SELinux thing. Second: Do you run in a chrooted environment? Third: Enclose all your script with logging, e.g.:
#!/bin/bash ( date echo "$@" id id -a echo environment env set # check for chroot echo stat / stat / echo /proc/1/mountinfo awk '$5=="/" {print}' </proc/1/mountinfo echo /proc/$$/mountinfo awk '$5=="/" {print}' </proc/$$/mountinfo # enable bash tracing set -vx
... # old script ) >> /var/tmp/antispam.$$.log 2>&1
Make sure /var/tmp/antispam.$$.log is writeable, maybe create a new directory with owner vmail. Make sure you have 2>&1 at the end. Your log misses all the error messages. Also, you will now have a log file for each run of the script.
To check for chroot: stat / should print inode 2, but any mountpoint has inode 2. /proc/$$/mountinfo displays the physical information of a mount, if both differ, the current process is chrooted. "1" should be the init process.
In your script:
for opt; do if [[ "$*" =~ .*ham.* ]]
This makes no sense, either use for loop and test "$opt" here, or do not use for, but use "$*"; .*ham.* should be quoted anyway.
cat<&0 >> /tmp/sendmail-msg-$$.txt Well, if for any reason this file exists, .. cat - >/tmp/sendmail-msg-$$.txt
/usr/lib/dovecot/deliver -d "sa-training@example.com" -m "Training.$mode" You've already scraped the message from stdin into a file, so add: < /tmp/sendmail-msg-$$.txt
About the '-p' switch present in the strace-variant: Please scan the mailing list for the status of it, IMHO, there had been lots of trouble in certain cases.
The strace variant should use -oLogfile.strace.$$.log in order to separate the output of the command and strace logging.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBV7qnd3z1H7kL/d9rAQJXWQf9E/ucaEXMy10IE5f7JY3tbZVlROGrz+wk 5rA0/Xe/aFwgNvCzyTX+MV7BblHH//aDwlNs3L4P+bZatCjAVCmoDdQ/WDZ7wr51 mBq/vOjcullnzz8NHv2+gQgRCKhGGd8M+mVjGUlyK6jXEFjwAaivEnRA86AudZi4 ybK0CZKw+Pg+VzDcfGjvO4PHZWAxvbqktqVOUhQwEL/+A/CZ7FNSsBuuZug42TGK tmghQmAKuwY96djSV/vFax8J8WyVnGKBVLpONP9iMllGkZ7MHGacpfm0MSgsIgPv DTTdjdk1P6FIQ615rp6BRg0JKaTn7COC6YxMnuaNtlXJ2t/M5zoCNA== =/xgA -----END PGP SIGNATURE-----