On Tue, 2008-08-12 at 02:42 -0700, Ian Forde wrote:
On Tue, 2008-08-12 at 12:38 +0300, Jussi Hirvi wrote:
Ralph Angenendt (ra+centos@br-online.de) kirjoitteli (12.8.2008 12:21):
Thanks for quick reply. That didn't help yet. The error message in maillog is still the same: "sendmail.pem unsafe: Permission denied". The directory perms are now: [root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs drwxr-xr-x 24 root root 4096 Mar 29 2007 / drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc drwxr-xr-x 5 root root 4096 Aug 12 12:14 /etc/mail dr-x------ 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too wide still.
On another machine (Fecore Core 3, Sendmail 8.13) the /etc/mail perms are 755 too, and it works - thoug there is no SMTP-AUTH on that machine.
I tried it, but the error message in maillog persists after Sendmail restart. The perms are now:
[root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs drwxr-xr-x 24 root root 4096 Mar 29 2007 / drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc drwx------ 5 root root 4096 Aug 12 12:37 /etc/mail dr-x------ 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs [root@mail mail]# ls -l /etc/mail/certs/ total 1924 -rw------- 1 mail mail 1371 Aug 11 12:15 cacert.pem -rw------- 1 mail mail 963 Aug 11 12:15 cakey.pem -rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl -rw------- 1 mail mail 2258 Aug 11 12:16 sendmail.pem
I cannot help thinking that this is *not* actually about the permissions - it must be about something else.
In addition to doing 'chmod u-w sendmail.pem', change the ownership to root:root on all of those files... sendmail drops privs down to smmsp by default...
and change the ownership on the certs dir to root:root while you're there... you're okay with 755 perms on /etc/mail, as long as it's root:root. Basically, stick with the stock permissions and you should be fine...
-I