Le mardi 04 juillet 2006 à 17:39 +0300, Timo Sirainen a écrit :

On Tue, 2006-07-04 at 11:33 +0200, Dominique Feyer wrote:

...

I just install RC1 + Plugin cmusieve (cvs), the sieve script is compiled and the sive lib seems OK. But in my log I have sendmail qui with signal 11 when I try to send a mail with "redirect" or "vacation" ?

I remember hearing this before too. Did you ask about it before too? :)

Yes I have this problem one week before with some delivery problem (setuid).

Now with RC1, I can have deliver setuid, so I can use my virtual user/group (postgres) with LDA. And just for this thanks, this is perfect.

Anyway, I can't really think of why it would crash. What if you change the sendmail_path to /bin/true, does it still crash? (ie. is the crash because of the sendmail binary or is it Dovecot's forked process that crashes before starting the binary?)

I try with /bin/true, no error in the log, so I think this is a sendmail problem. I use the lateste postfix stable package for Debian Sarge ... that's a strange problem.

If it really is crashing inside /usr/lib/sendmail, there's really nothing that I can do about it.

Thanks for everything, your work on dovecot is really nice.

...

Any possibilitie to use a external SMTP server ?

No.

-- Dominique Feyer Administrateur Système Ch. de la Colline 5bis CH-1007 Lausanne dfeyer@net4all.ch

I add a wrapper to sendmail, with strace output.

I try to send a mail as root, without any problem.

If I try with LDA (deliver setuid, owner root), sendmail do a segfault when trying to check the ulimit for the virtual user (sendmail.346_as_virtual_users at line 326, the same line in file sendmail.718_as_root, line 326).

Now we can use the deliver setuid, to have one virtual user per domain or account, but it's not possible to use cmusieve plugin with this configuration.

Do you have any workaround for this "bug" ?

Thanks

Le mercredi 05 juillet 2006 à 13:29 +0200, Dominique Feyer a écrit :

Attached is the full strace output of deliver (strace.lda)

On line 255, I have:

waitpid(0, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], 0) = 29859 --- SIGCHLD (Child exited) @ 0 (0) ---

I'm not a specialist of strace. But 29859 is the sendmail process for sending redirect and/or vacation ?

I work last night on this problem and found nothing. Sendmail (postfix) can send any mail without any problem. He crash (with signal 11) only when deliver launch it.

Le mardi 04 juillet 2006 à 17:18 +0200, Dominique Feyer a écrit :

...

Le mardi 04 juillet 2006 à 17:39 +0300, Timo Sirainen a écrit :

...

On Tue, 2006-07-04 at 11:33 +0200, Dominique Feyer wrote:

...

I just install RC1 + Plugin cmusieve (cvs), the sieve script is compiled and the sive lib seems OK. But in my log I have sendmail qui with signal 11 when I try to send a mail with "redirect" or "vacation" ?

I remember hearing this before too. Did you ask about it before too? :)

Yes I have this problem one week before with some delivery problem (setuid).

Now with RC1, I can have deliver setuid, so I can use my virtual user/group (postgres) with LDA. And just for this thanks, this is perfect.

...

Anyway, I can't really think of why it would crash. What if you change the sendmail_path to /bin/true, does it still crash? (ie. is the crash because of the sendmail binary or is it Dovecot's forked process that crashes before starting the binary?)

I try with /bin/true, no error in the log, so I think this is a sendmail problem. I use the lateste postfix stable package for Debian Sarge ... that's a strange problem.

...

If it really is crashing inside /usr/lib/sendmail, there's really nothing that I can do about it.

Thanks for everything, your work on dovecot is really nice.

...

...

Any possibilitie to use a external SMTP server ?

No.

...

-- Dominique Feyer Administrateur Système Ch. de la Colline 5bis CH-1007 Lausanne dfeyer@net4all.ch

After many new test, i solve thi problem ;-)

This was a setuid and pam problem, so no bug from LDA or Dovecot.

Thanks,

Le mercredi 05 juillet 2006 à 18:24 +0200, Dominique Feyer a écrit :

After a lot of test last night and today, I'm sure that sendmail (the postfix comptatibility command, not sure for the orginal sendmail binary) cann't run with a virtual user.

The process must check limits for this user (pam) and crash if it found nothing.

This is a big problem for our service.

we have one UID/GID per domain and we need sieve filtering.

I do some test with a sendmail wrapper that return always 0, and the sieve library seems to work well.

So if anyone as a idea, ... my head is empty of new idea ...

Thanks,

Le mercredi 05 juillet 2006 à 16:20 +0200, Dominique Feyer a écrit :

...

I add a wrapper to sendmail, with strace output.

I try to send a mail as root, without any problem.

If I try with LDA (deliver setuid, owner root), sendmail do a segfault when trying to check the ulimit for the virtual user (sendmail.346_as_virtual_users at line 326, the same line in file sendmail.718_as_root, line 326).

Now we can use the deliver setuid, to have one virtual user per domain or account, but it's not possible to use cmusieve plugin with this configuration.

Do you have any workaround for this "bug" ?

Thanks

Le mercredi 05 juillet 2006 à 13:29 +0200, Dominique Feyer a écrit :

...

Attached is the full strace output of deliver (strace.lda)

On line 255, I have:

waitpid(0, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], 0) = 29859 --- SIGCHLD (Child exited) @ 0 (0) ---

I'm not a specialist of strace. But 29859 is the sendmail process for sending redirect and/or vacation ?

I work last night on this problem and found nothing. Sendmail (postfix) can send any mail without any problem. He crash (with signal 11) only when deliver launch it.

Le mardi 04 juillet 2006 à 17:18 +0200, Dominique Feyer a écrit :

...

Le mardi 04 juillet 2006 à 17:39 +0300, Timo Sirainen a écrit :

...

On Tue, 2006-07-04 at 11:33 +0200, Dominique Feyer wrote:

...

I just install RC1 + Plugin cmusieve (cvs), the sieve script is compiled and the sive lib seems OK. But in my log I have sendmail qui with signal 11 when I try to send a mail with "redirect" or "vacation" ?

I remember hearing this before too. Did you ask about it before too? :)

Yes I have this problem one week before with some delivery problem (setuid).

Now with RC1, I can have deliver setuid, so I can use my virtual user/group (postgres) with LDA. And just for this thanks, this is perfect.

...

Anyway, I can't really think of why it would crash. What if you change the sendmail_path to /bin/true, does it still crash? (ie. is the crash because of the sendmail binary or is it Dovecot's forked process that crashes before starting the binary?)

I try with /bin/true, no error in the log, so I think this is a sendmail problem. I use the lateste postfix stable package for Debian Sarge ... that's a strange problem.

...

If it really is crashing inside /usr/lib/sendmail, there's really nothing that I can do about it.

Thanks for everything, your work on dovecot is really nice.

...

...

Any possibilitie to use a external SMTP server ?

No.

...

-- Dominique Feyer Administrateur Système Ch. de la Colline 5bis CH-1007 Lausanne dfeyer@net4all.ch

If the deliver is setuid/setgid, the sendmail binary must be setuid/setgid too. Without this sendmail try to check limits.conf (pam) for the virtual user. For the system the virtual user doesn't exist and sendmail crash with a segfault (signal 11)

Before that, I try to do a wrapper in bash to lauch sendmail with sudo (more configurable than setgid), but a virtual user can't use sudo. You must configure pam to have this virtual user in linux too.

Sendmail as setgid binary is not a really good solution for security, but it's the only solution I found.

On a lots of system sendmail is setgid, but not on debian.

Le jeudi 06 juillet 2006 à 19:48 +0800, Timothy White a écrit :

On 7/6/06, Dominique Feyer dfeyer@net4all.ch wrote:

...

After many new test, i solve thi problem ;-)

This was a setuid and pam problem, so no bug from LDA or Dovecot.

Just for the archives, and encase someone else hits this problem, would you care to share the solution?

Thanks

Tim

Dominique Feyer Administrateur Système Ch. de la Colline 5bis CH-1007 Lausanne dfeyer@net4all.ch

On Thu, 6 Jul 2006, Dominique Feyer wrote:

Just add (for the archives :-) this problematic binary reported is not "sendmail", but the sendmail-wrapper of postfix :-)

there is this sentence in one of the mails: (the postfix comptatibility command, not sure for the orginal sendmail binary).

Real sendmail is setgid and uses its own smmsp group in Debian Sarge. (No setuid).

If the deliver is setuid/setgid, the sendmail binary must be setuid/setgid too. Without this sendmail try to check limits.conf (pam) for the virtual user. For the system the virtual user doesn't exist and sendmail crash with a segfault (signal 11)

Before that, I try to do a wrapper in bash to lauch sendmail with sudo (more configurable than setgid), but a virtual user can't use sudo. You must configure pam to have this virtual user in linux too.

Sendmail as setgid binary is not a really good solution for security, but it's the only solution I found.

On a lots of system sendmail is setgid, but not on debian.

Le jeudi 06 juillet 2006 à 19:48 +0800, Timothy White a écrit :

...

On 7/6/06, Dominique Feyer dfeyer@net4all.ch wrote:

...

After many new test, i solve thi problem ;-)

This was a setuid and pam problem, so no bug from LDA or Dovecot.

Just for the archives, and encase someone else hits this problem, would you care to share the solution?

Thanks

Tim

-- Steffen Kaiser