[Dovecot] Sendmail + deliver; silent errors.
Hi all.
I've got a bit of a peculiar issue here. I'm running dovecot 1.2.9 on an Ubuntu 9.10 box using Sendmail 8.14.3. I've set up Sendmail similar to http://wiki.dovecot.org/LDA/Sendmail except that
*) dovecot's deliver is configured as my default local mailer, so some of the flags for the Mailer definition had to be adjusted accordingly.
*) The setuid users listed in the wiki kept resulting in setgid() failures from deliver, so I've changed it to root:mail (mail being sendmail's MDA group), with permissions as u+s,g+rx,o-rwx
When sendmail attempts delivery, I'm getting "deferred: deliver failed with EX_TEMP", but nothing recorded in the log files. I've embarrassingly widened the permissions of /var/log/dovecot and the files contained within to read/write everyone, just to ensure that whomever it's running as has access, but the log files aren't updated.
The peculiar thing kicks in when I attempt to debug this. So far I have (amongst other things):
*) Run deliver from the command line logged in as "mail".
*) written a shell wrapper script to be able to confirm things like the user ID that was invoking deliver.
*) both in the shell script, and as a mailer definition in sendmail, strace'd (using a setuid root binary) deliver to capture what it was doing.
Whenever I do any of the above, deliver works perfectly, and appears to log correctly. It only appears to bork when no-one is watching it, which is quite frustrating when trying to fix it.
Help?
Configuration of dovecot follows:
# 1.2.9: /etc/opt/dovecot-1.2.9/dovecot.conf
# OS: Linux 2.6.31-14-server x86_64 Ubuntu 9.10 ext3
base_dir: /var/run/dovecot-1.2.9/
log_path: /var/log/dovecot/dovecot.log
info_log_path: /var/log/dovecot/dovecot-info.log
protocols: pop3 imap imaps
ssl: no
disable_plaintext_auth: no
login_dir: /var/run/dovecot-1.2.9//login
login_executable(default): /opt/dovecot-1.2.9/libexec/dovecot/imap-login
login_executable(imap): /opt/dovecot-1.2.9/libexec/dovecot/imap-login
login_executable(pop3): /opt/dovecot-1.2.9/libexec/dovecot/pop3-login
mail_uid: vmail
mail_gid: vmail
mail_location: maildir:/vmail/spool/%u:LAYOUT=fs
mail_executable(default): /opt/dovecot-1.2.9/libexec/dovecot/imap
mail_executable(imap): /opt/dovecot-1.2.9/libexec/dovecot/imap
mail_executable(pop3): /opt/dovecot-1.2.9/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/dovecot-1.2.9/lib/dovecot/imap
mail_plugin_dir(imap): /opt/dovecot-1.2.9/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/dovecot-1.2.9/lib/dovecot/pop3
lda:
  postmaster_address: postmaster@handcraftedcomputers.com.au
  auth_socket_path: /var/run/dovecot-1.2.9/auth-master
auth default:
  verbose: yes
  passdb:
    driver: passwd-file
    args: /vmail/auth/passwd
  userdb:
    driver: static
    args: uid=vmail gid=vmail
  socket:
    type: listen
    master:
      path: /var/run/dovecot-1.2.9/auth-master
      mode: 384
      user: vmail
      group: vmail
-- Regards, Daryl Tester
Member of the Amalgamated Australian Association Against Apostrophe Abuse. (formerly the 6A's - no, wait ...).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 19 Mar 2010, Daryl Tester wrote:
You are using system users?
> *) The setuid users listed in the wiki kept resulting in setgid()
What setuid users?
> failures from deliver, so I've changed it to root:mail (mail being sendmail's MDA group), with permissions as u+s,g+rx,o-rwx
> When sendmail attempts delivery, I'm getting "deferred: deliver failed with EX_TEMP", but nothing recorded in the log files. I've embarrassingly widened the permissions of /var/log/dovecot and the
I changed logging of deliver to syslog for this reason:

protocol lda {
  [...]
  # Log to syslog
  log_path =
  info_log_path =
  syslog_facility = mail
}
=======
My definition of local delivery on Debian is:
dnl -f $g -- sender
dnl -d $u -- destination user account name
dnl -m $h -- mailbox to deliver to (+detail part of address)
dnl -n -- don't create new mailbox
dnl -e -- exit code rather DSN
FEATURE(`local_procmail',
        `/etc/mail/smrsh/dovecot-deliver',
        `/etc/mail/smrsh/dovecot-deliver -e -f $g -d $u')dnl
sendmail invokes deliver already as the system user, no setuid necessary.
regards,
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBS6M6vL+Vh58GPL/cAQLTWggAmTJR+hlg42revY2+DYLcYlvAYEYDZKmG RjoEDYxl+jtj8PkeJjAsw18wT8awUzN79fkgIh6cNi1kh/VvsCdzobVDjlJ48k2K uTOvFRHS04uQLmOpaWsl50LRmrEw4AtMzrE2NOYL7XVdfyR6uqOf4DtpdRZsyRnD XAc/I9nUfmk6aol0P+wnxSFNuN8hoLgIVSKF50oIzuLE3MjJgxxea7YcL+QSx8rU j6HV5GalFYHX+/JNgVj7QUNdxdkxqhO1djNM2jhg3Ob5pYT3PGidzPLFVa10vqC2 qlFPJrc7JibyEysEDMReUxesk0ogYLKef/ey7piIGk3g9JVoBgiDGg== =9X3F -----END PGP SIGNATURE-----
Steffen Kaiser wrote:
> You are using system users?
I believe so. Running delivery from the command line as the sendmail user works as it should.
>> *) The setuid users listed in the wiki kept resulting in setgid()
> What setuid users?
Sorry, I typed a little hastily. "setuid user's configuration" - setting the deliver owner to "vmail:vmail" as listed in http://wiki.dovecot.org/LDA/Sendmail resulted in "setgid(1002(vmail)) failed with euid=1002(vmail), gid=8(mail), egid=8(mail): Operation not permitted".
>> When sendmail attempts delivery, I'm getting "deferred: deliver failed with EX_TEMP", but nothing recorded in the log files. I've embarrassingly widened the permissions of /var/log/dovecot and the
> I changed logging of deliver to syslog for this reason:
Fair enough, but I'm happy to tighten the permissions once I've got it working; I just have to get it working first.
> =======
> My definition of local delivery on Debian is:
>
> dnl -f $g -- sender
> dnl -d $u -- destination user account name
> dnl -m $h -- mailbox to deliver to (+detail part of address)
> dnl -n -- don't create new mailbox
> dnl -e -- exit code rather DSN
> FEATURE(`local_procmail',
>         `/etc/mail/smrsh/dovecot-deliver',
>         `/etc/mail/smrsh/dovecot-deliver -e -f $g -d $u')dnl
>
> sendmail invokes deliver already as the system user, no setuid necessary.
So sendmail and deliver are running as the same user ID?
I'm not sure my mailer definition is an issue here - like I said, if I wrap the invocation in a shell script or use strace as a mailer (that's a first for me) it works correctly. For the record, I'm using:
Mdovecot,  P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
           S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
           T=DNS/RFC822/X-Unix,
           A=deliver -d $u
#Mdovecot,  P=/tmp/strace, F=lADFMPhnu9,
#           S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
#           T=DNS/RFC822/X-Unix,
#           A=strace -o /tmp/strace.log /opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
-- Regards, Daryl Tester
Member of the Amalgamated Australian Association Against Apostrophe Abuse. (formerly the 6A's - no, wait ...).
Daryl Tester wrote:
> When sendmail attempts delivery, I'm getting "deferred: deliver failed with EX_TEMP", but nothing recorded in the log files.
Gnargh, found it. After adding a freopen() to deliver to capture stderr (because sendmail sure as heck wasn't), deliver was reporting "stat(deliver) failed: No such file or directory".
Mdovecot,  P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
           S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
           T=DNS/RFC822/X-Unix,
           A=deliver -d $u
Change the last line ("Argv") to
A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
sets argv[0] to the full path of the binary so the permissions check in deliver succeeds. Which in hindsight explains why it worked with a wrapper script or strace; they both would have set the full path automatically.
I can't believe I've spent most of an afternoon on this. <hangs head in shame>
-- Regards, Daryl Tester
Member of the Amalgamated Australian Association Against Apostrophe Abuse. (formerly the 6A's - no, wait ...).
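The failure mode Daryl tracked down above (a setuid-root binary that locates itself via `stat(argv[0])`, so a bare `A=deliver -d $u` argv breaks while a full path, a wrapper script or strace all work) is worth seeing in isolation. The program below is an added example written for this page; it is not code from the thread, from Dovecot's `deliver`, or from sendmail. It models the self-check in two ways: the argv[0]-dependent one that produced "stat(deliver) failed: No such file or directory", and a caller-independent one that asks the kernel via `/proc/self/exe` (Linux-specific, an assumption of this example). The permission policy it applies, refusing a binary that is both setuid and world-executable, is this example's reading of the `u+s,g+rx,o-rwx` mode used in the thread, not a quote of deliver's source. The practitioner's point is that argv[0] is chosen entirely by whoever exec()s the program, so a privileged helper cannot treat it as the truth about its own file.

```c
/* Added example (not code from this thread, Dovecot or sendmail): how a
 * setuid helper's "where is my own binary?" check behaves when it trusts
 * argv[0] versus when it asks the kernel.  Assumes Linux for /proc/self/exe. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy modelled on the thread's u+s,g+rx,o-rwx mode (this example's
 * assumption, not deliver's exact rule): a binary must never be both setuid
 * and executable by "other", because anyone could then run it as the owner
 * and reach code paths meant only for the MTA.  Returns 1 if acceptable. */
int mode_is_acceptable(mode_t mode)
{
    int setuid_bit = (mode & S_ISUID) != 0;
    int world_exec = (mode & S_IXOTH) != 0;
    return !(setuid_bit && world_exec);
}

/* The argv[0]-based lookup: 1 if stat(argv0) succeeds.  A bare name such
 * as "deliver" is a relative path, so the result silently depends on the
 * caller's working directory, not on where the binary actually lives. */
int argv0_resolves(const char *argv0)
{
    struct stat st;
    return stat(argv0, &st) == 0;
}

/* Caller-independent lookup: the kernel reports which file we are running.
 * Returns 1 and fills 'path' on success, 0 if /proc/self/exe is unavailable. */
int self_exe_path(char *path, size_t len)
{
    ssize_t n = readlink("/proc/self/exe", path, len - 1);
    if (n < 0)
        return 0;
    path[n] = '\0';
    return 1;
}

/* Startup check as a setuid helper would do it: locate the binary at 'path'
 * and apply the policy.  Writes a human-readable reason; returns 1 if it is
 * safe to continue, 0 otherwise (the EX_TEMPFAIL case in the thread). */
int binary_check(const char *path, char *reason, size_t reason_len)
{
    struct stat st;
    if (stat(path, &st) < 0) {
        /* This is the message Daryl saw once stderr was captured. */
        snprintf(reason, reason_len, "stat(%s) failed: %s", path, strerror(errno));
        return 0;
    }
    if (!mode_is_acceptable(st.st_mode)) {
        snprintf(reason, reason_len, "%s is both setuid and world-executable", path);
        return 0;
    }
    snprintf(reason, reason_len, "%s ok (mode %04o)", path, (unsigned)(st.st_mode & 07777));
    return 1;
}

int main(int argc, char **argv)
{
    char reason[PATH_MAX + 64];
    char self[PATH_MAX];
    (void)argc;

    /* What deliver did: trust argv[0].  Run this once as "./a.out" and once
     * as a bare "a.out" found through PATH to see both outcomes. */
    binary_check(argv[0], reason, sizeof reason);
    printf("argv[0]=\"%s\": %s\n", argv[0], reason);

    /* What a caller-independent check looks like. */
    if (self_exe_path(self, sizeof self)) {
        binary_check(self, reason, sizeof reason);
        printf("/proc/self/exe=\"%s\": %s\n", self, reason);
    } else {
        printf("/proc/self/exe not available on this system\n");
    }
    return 0;
}
```

Invoking the compiled binary through a PATH lookup from some other directory reproduces the thread's symptom in the first line of output, while the second line succeeds regardless of how the program was started. Sendmail's `A=` field is argv including argv[0], which is why the wiki fix of spelling out the full path in `A=` is enough for the argv[0]-based check; the `/proc/self/exe` variant is what removes the dependency on the caller altogether.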
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 19 Mar 2010, Daryl Tester wrote:
> I can't believe I've spent most of an afternoon on this. <hangs head in shame>
Well, there are things worse :-)
Regards,
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBS6OGLL+Vh58GPL/cAQLpuwgAn0IF+cFC48TThxzyDAaAqQYa4ZpBXA7d ftBB8EEK4/CdyT247E4h0YttQ29VNIaeXfjFvgH6Wyvz+fRIUOmqqkvHxvttDUkU S5u/ncnHHeH85xB2lRlqhKI6DrvgdgpRAPycRxbIhxnDaKkeovZtumtZAk9ISCuv xDAsPLSIEEhALxcOKAX5242BU/FGxwDMlXIu1BrdOk/F2iwwVTBZEaatODDUuSyj oQGlrvfpIyh5RauKo1IOC5/UfI05sQ2IfZonhbJt8IJd5WnXthgBRD7vTQ9etIgT DwXERonJ68HY8WYOcc9KdwTUOa9VoTC5tXCnwM/OUSaxX6VTPaAzmA== =xYp3 -----END PGP SIGNATURE-----
On Fri, 2010-03-19 at 21:48 +1030, Daryl Tester wrote:
> Mdovecot,  P=/opt/dovecot-1.2.9/libexec/dovecot/deliver, F=lADFMPhnu9,
>            S=EnvFromL/HdrFromL, R=EnvToL/HdrFromL,
>            T=DNS/RFC822/X-Unix,
>            A=deliver -d $u
>
> Change the last line ("Argv") to
>
> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
..
> I can't believe I've spent most of an afternoon on this. <hangs head in shame>
Well, at least I updated the wiki now so that future people won't have this problem. :)
Timo Sirainen wrote:
[Sendmail mailer arguments]
>> Change the last line ("Argv") to
>> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
...
> Well, at least I updated the wiki now so that future people won't have this problem. :)
To be fair, this was only a problem because I setuid'd the binary as root, which causes the extra permissions checking. The wiki page uses a non-root ID, which I couldn't get to work (the previously mentioned setgid() failure), but at least wouldn't have fallen over in this fashion.
Cheers!
-- Regards, Daryl Tester
Member of the Amalgamated Australian Association Against Apostrophe Abuse. (formerly the 6A's - no, wait ...).
On 20 Mar 2010, at 01:48, Daryl Tester wrote:
> Timo Sirainen wrote:
> [Sendmail mailer arguments]
>>> Change the last line ("Argv") to
>>> A=/opt/dovecot-1.2.9/libexec/dovecot/deliver -d $u
> ...
>> Well, at least I updated the wiki now so that future people won't have this problem. :)
> To be fair, this was only a problem because I setuid'd the binary as root, which causes the extra permissions checking. The wiki page uses a non-root ID, which I couldn't get to work (the previously mentioned setgid() failure), but at least wouldn't have fallen over in this fashion.
I skipped this thread too soon. The mailer flag "a=..." does include argv[0]. That tripped me up when I was first doing Sendmail, too.
Cheers, Sabahattin