On 2016-08-22 03:19, Steffen Kaiser wrote:
On Fri, 19 Aug 2016, ben@indietorrent.org wrote:
On 2016-08-19 12:17, ben@indietorrent.org wrote:
Aha! Clearly, the vmail user cannot read from nor write to /tmp. (Why that is, I have no idea, as the /tmp directory's permissions certainly
Thank you very much for taking the time to investigate my use-case and help me work through this, Steffen. I really appreciate it.
Do you have SELinux active? See almost at the end of http://wiki2.dovecot.org/WhyDoesItNotWork?highlight=%28selinux%29
No.
# apparmor_status
The program 'apparmor_status' is currently not installed. You can install it by typing:
apt install apparmor

# sestatus
The program 'sestatus' is currently not installed. You can install it by typing:
apt install policycoreutils
allow for both; maybe Dovecot implements this as a security measure.)
No. Dovecot does not implement anything like that. Do you chroot?
No. Certainly not intentionally, anyway.
The strace output that I'm capturing in the pipe script pinpointed the problem:
open("/root/~/tmp/sendmail-msg-26272.txt", O_RDONLY) = -1 EACCES (Permission denied)
Er, '/root/~/tmp/' ??
I know. It's weird. Presumably, Bash is responsible for this "unusual" expansion. The raw script source has ~/tmp, so why would Bash prepend it with "/root/", especially when the script is executed as the "vmail" user? Perhaps it's academic at this point, because I've changed all paths to be absolute and they are now resolved correctly.
First: check the SELinux thing. Second: Do you run in a chrooted environment? Third: Enclose all your script with logging, e.g.:
#!/bin/bash
(
date
echo "$@"
id
id -a
echo environment
env
set
# check for chroot
echo stat /
stat /
echo /proc/1/mountinfo
awk '$5=="/" {print}' </proc/1/mountinfo
echo /proc/$$/mountinfo
awk '$5=="/" {print}' </proc/$$/mountinfo
# enable bash tracing
set -vx
... # old script
) >> /var/tmp/antispam.$$.log 2>&1
Make sure /var/tmp/antispam.$$.log is writable, maybe create a new directory with owner vmail. Make sure you have 2>&1 at the end. Your log misses all the error messages. Also, you will now have a log file for each run of the script.
To check for chroot: stat / should print inode 2, but any mountpoint has inode 2. /proc/$$/mountinfo displays the physical information of a mount; if both differ, the current process is chrooted. "1" should be the init process.
In your script:
for opt; do
if [[ "$*" =~ .*ham.* ]]
This makes no sense: either use the for loop and test "$opt" here, or do not use for but use "$*"; .*ham.* should be quoted anyway.
Nice catch. I am by no means a Bash wizard, and I cobbled this together 3-4 years ago. I have no idea what I was thinking at the time.
I removed the "for" loop, leaving only the regex check, and it seems to work as intended. (FWIW, if I add quotes around the test expression, e.g., ".*ham.*", a match is never found and the check fails.)
cat<&0 >> /tmp/sendmail-msg-$$.txt
Well, if for any reason this file exists, ..
cat - >/tmp/sendmail-msg-$$.txt
/usr/lib/dovecot/deliver -d "sa-training@example.com" -m "Training.$mode"
You've already scraped the message from stdin into a file, so add:
< /tmp/sendmail-msg-$$.txt
Yes, but I uncomment that line only for debugging purposes. Normally, I do not take the interim step of saving the message contents to disk, in which case I want dovecot-lda to read from stdin.
About the '-p' switch present in the strace variant: please scan the mailing list for its status; IMHO, there had been lots of trouble in certain cases.
The strace variant should use -oLogfile.strace.$$.log in order to separate the output of the command and strace logging.
-- 
Steffen Kaiser
Good to know; I have made that adjustment, too.
Bash issues aside, I've taken a step back and attempted to make the reproducible test case as simple as possible, whittling down the script to only the following, and dovecot-lda still segfaults:
I've added a couple of things to Dovecot's configuration, but they don't make any difference:
# Required for "vmail" user to be able to call dovecot-lda/deliver.
# See: http://wiki.dovecot.org/LDA ("Logging" section)
service config {
  unix_listener config {
    mode = 0600
    user = vmail
    group = vmail
  }
}

protocol lda {
  # Enable logging for dovecot-lda.
  info_log_path = /var/log/dovecot-lda.log
  log_path = /var/log/dovecot-lda-errors.log
  mail_plugins = sieve quota
}
Yet, nothing is logged to either of these files when the pipe script is called.
The permissions on these files look reasonable to me:
-rw-rw---- 1 vmail vmail 0 Aug 23 12:02 dovecot-lda-errors.log
-rw-rw---- 1 vmail vmail 0 Aug 23 12:01 dovecot-lda.log
Here is my current "doveconf -n" output:
At this point, this seems obvious, but the problem is definitely with using dovecot-lda to send the mail.
If I simply write the contents of the spam/ham message to disk in the pipe script, it works fine. But that approach feels "hackish" to me, as it doesn't account for sieve, quota, etc. And I want the delivery to be logged.
Again, this works fine:
# su vmail
$ /usr/lib/dovecot/deliver -d "sa-training@example.org" -m "Training.HAM" -p /var/vmail/gtube.txt
Here's the output from the logging that we added:
Does anything jump out?
Thanks again for all your help with this!
--Ben
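The pipe script as one might rewrite it after this thread, added here as an example and not code from either poster: the =~ pattern lives in a variable (bash matches a quoted right-hand side of =~ literally, which is why the quoted ".*ham.*" never matched), the predictable /tmp/sendmail-msg-$$.txt is replaced by mktemp, delivery reads from the spooled copy, and the whole run is logged with 2>&1 as suggested. It assumes the training address and dovecot-lda path from the thread and takes the delivery command from $DELIVER so a stub can stand in for dovecot-lda.

```bash
#!/bin/bash
# Added example, not code from the thread: a skeleton for the ham/spam
# training pipe script. Training address and dovecot-lda path are from
# the thread; $DELIVER lets a test substitute a stub delivery command.
set -u

TRAIN_ADDR=${TRAIN_ADDR:-sa-training@example.com}
DELIVER=${DELIVER:-/usr/lib/dovecot/deliver}
LOGDIR=${LOGDIR:-/var/tmp}      # must be writable by the vmail user

# Bash matches a quoted right-hand side of =~ literally, which is why an
# inline ".*ham.*" never matched. A pattern held in a variable is still a
# regex, and the word-boundary classes stop "shamrock" counting as ham.
classify_mode() {
    local re_ham='(^|[^[:alpha:]])ham([^[:alpha:]]|$)'
    local re_spam='(^|[^[:alpha:]])spam([^[:alpha:]]|$)'
    if   [[ "$*" =~ $re_ham  ]]; then echo HAM
    elif [[ "$*" =~ $re_spam ]]; then echo SPAM
    else return 1
    fi
}

# Spool stdin to a fresh private file. mktemp replaces the predictable
# /tmp/sendmail-msg-$$.txt (and the >> onto a possibly stale file noted
# in the thread) with a new 0600 file that cannot already exist.
save_message() {
    local spool
    spool=$(mktemp "${TMPDIR:-/tmp}/sendmail-msg.XXXXXX") || return 1
    cat > "$spool" || { rm -f "$spool"; return 1; }
    echo "$spool"
}

# Classify, spool, then deliver from the spooled copy. The copy is kept
# only when delivery fails, so a failed run can be inspected.
train() {
    local mode spool
    mode=$(classify_mode "$@") || { echo "no ham/spam in args: $*" >&2; return 2; }
    spool=$(save_message) || return 1
    "$DELIVER" -d "$TRAIN_ADDR" -m "Training.$mode" < "$spool" || return $?
    rm -f "$spool"
}

# Dovecot's pipe always passes the ham/spam argument; with none, the file
# only defines the functions. The whole run, stderr included, is logged.
if [ $# -gt 0 ]; then
    exec >> "$LOGDIR/antispam.$$.log" 2>&1
    date; id; echo "args: $*"
    train "$@"
fi
```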