Trying to set up a mail server under CentOS7 - having done this with CentOS5 and CentOS6 over the last decade with no issues and reliable service, it was time to upgrade (?) to CentOS7. Shouldn't be a problem, right?
Getting to grips with systemd has been challenging - to say the least.
So a brief overview of what I am trying to set up:
postfix / amavisd-new / spamassassin / clamav so we can receive mail and deal with the major rubbish that gets thrown at any open port 25 smtp service.
No problems installing each of the above and their configuration files. Just as an aside, there are many recipes for this combo of packages - none of which work as advertised. There was a time when one could safely follow a how-to guide and have things working - I have regularly used the CentOS wiki guides - however they have become stale and what worked fine for 5 & 6 DOES NOT WORK for CentOS7 - mainly due to systemd and firewalld.
So we have:
systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:13:25 EDT; 1 weeks 5 days ago
 Main PID: 2762 (master)
   CGroup: /system.slice/postfix.service
           ├─ 2762 /usr/libexec/postfix/master -w
           ├─ 2782 qmgr -l -t unix -u
           └─25274 pickup -l -t unix -u

systemctl status spamassassin.service
● spamassassin.service - Spamassassin daemon
   Loaded: loaded (/usr/lib/systemd/system/spamassassin.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-11-08 05:18:04 EST; 50min ago
  Process: 27412 ExecStart=/usr/bin/spamd --pidfile /var/run/spamd.pid $SPAMDOPTIONS (code=exited, status=0/SUCCESS)
  Process: 27410 ExecStartPre=/sbin/portrelease spamd (code=exited, status=0/SUCCESS)
 Main PID: 27417 (/usr/bin/spamd )
   CGroup: /system.slice/spamassassin.service
           ├─27417 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -H
           ├─27418 spamd child
           └─27419 spamd child

systemctl status amavisd.service
● amavisd.service - Amavisd-new is an interface between MTA and content checkers.
   Loaded: loaded (/usr/lib/systemd/system/amavisd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-11-08 05:18:05 EST; 50min ago
     Docs: http://www.ijs.si/software/amavisd/#doc
  Process: 27426 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf (code=exited, status=0/SUCCESS)
 Main PID: 27427 (/usr/sbin/amavi)
   CGroup: /system.slice/amavisd.service
           ├─27427 /usr/sbin/amavisd (master)
           ├─27479 /usr/sbin/amavisd (ch1-avail)
           └─27480 /usr/sbin/amavisd (ch1-avail)
But for the life of me, I cannot get clamd@amavisd to stay up.
It always comes up and then dies after about 1 second:
systemctl status clamd@amavisd.service
● clamd@amavisd.service - clamd scanner (amavisd) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2016-11-08 05:18:13 EST; 34min ago
  Process: 27421 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=0/SUCCESS)
 Main PID: 27421 (code=exited, status=0/SUCCESS)

Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: OLE2 support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: PDF support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: SWF support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: HTML support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: XMLDOCS support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: HWP3 support enabled.
Nov 08 05:18:11 media.xxxx.xxx clamd[27481]: Self checking every 600 seconds.
Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: Pid file removed.
Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: --- Stopped at Tue Nov 8 05:18:13 2016
Nov 08 05:18:13 media.xxxx.xxx clamd[27481]: Socket file removed.
I can run the clamd service manually just fine and everything works - i.e.
/usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --nofork=yes
returns a functioning service - thus my config files must be okay,
but try it with systemd and you hit a brick wall - nothing in any logs to give me a clue why it comes up and then closes down.
After many days of google chasing, I have found a number of folk hitting the same issue, yet none of these have posted anything resembling a solution, most have had other issues that were in error.
If there is anyone that has this combo of services working under CentOS7 and can shed any insight on why I cannot get this service to actually run, it would be very much appreciated.
TIA
Rob
On 11/08/2016 03:24 AM, Rob Kampen wrote:
> If there is anyone that has this combo of services working under CentOS7 and can shed any insight on why I cannot get this service to actually run, it would be very much appreciated.
When setting up a clamd service, you should need to enable the service, create the configuration file, and typically set up /etc/tmpfiles.d/clamd-<service>.conf. That file should have one line:
d /run/clamd.<service> 0700 daemon daemon -
...or whatever user you use for clamd. If you don't have the proper tmpfiles setup, the run directory won't exist or won't have the correct owner, and either standard permissions or SELinux may deny the process access to the run directory.
On 09/11/16 11:48, Gordon Messmer wrote:
> On 11/08/2016 03:24 AM, Rob Kampen wrote:
> > If there is anyone that has this combo of services working under CentOS7 and can shed any insight on why I cannot get this service to actually run, it would be very much appreciated.
> When setting up a clamd service, you should need to enable the service, create the configuration file, and typically set up /etc/tmpfiles.d/clamd-<service>.conf. That file should have one line:
> d /run/clamd.<service> 0700 daemon daemon -
> ...or whatever user you use for clamd. If you don't have the proper tmpfiles setup, the run directory won't exist or won't have the correct owner, and either standard permissions or SELinux may deny the process access to the run directory.
So I have /etc/tmpfiles.d/clamd.amavisd.conf with content
d /var/run/clamd.amavisd 0755 amavis amavis -
The process owner name and group name are amavis. This is not quite what you specified - which should it be?
My real head-scratch problem is that running clamd from a CLI works perfectly. Trying to get systemd (via systemctl start clamd@amavisd.service) brings it up, but after 1 second it removes the pid file and shuts down. I set up clamd via the service file to use --debug and get nothing helpful. Trying to debug this systemd stuff seems impossible.
Thanks
Rob
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 11/09/2016 02:07 AM, Rob Kampen wrote:
> so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
> d /var/run/clamd.amavisd 0755 amavis amavis -
> the process owner name and group name are amavis this is not quite what you specified - which should it be?
If "User" is set to amavis in the clamd configuration, that looks fine.
> My real head scratch problem is that running clamd from a cli works perfectly. Trying to get systemd (via systemctl start clamd@amavisd.service) brings it up but after 1 second removes the pid file and shuts down. set up clamd via the service file to use --debug and get nothing helpful Trying to debug this systemd stuff seems impossible
systemd starts processes in the correct SELinux context, while running it from the shell does not. So my first guess would be that it's an SELinux issue. Use "setenforce" to put the system in permissive mode to see if that's the case. If so, "grep AVC /var/log/audit/audit.log" for more info.
On 11/11/16 13:36, Gordon Messmer wrote:
> On 11/09/2016 02:07 AM, Rob Kampen wrote:
> > so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
> > d /var/run/clamd.amavisd 0755 amavis amavis -
> > the process owner name and group name are amavis this is not quite what you specified - which should it be?
> If "User" is set to amavis in the clamd configuration, that looks fine.
> > My real head scratch problem is that running clamd from a cli works perfectly. Trying to get systemd (via systemctl start clamd@amavisd.service) brings it up but after 1 second removes the pid file and shuts down. set up clamd via the service file to use --debug and get nothing helpful Trying to debug this systemd stuff seems impossible
> systemd starts processes in the correct SELinux context, while running it from the shell does not. So my first guess would be that it's an SELinux issue. Use "setenforce" to put the system in permissive mode to see if that's the case. If so, "grep AVC /var/log/audit/audit.log" for more info.
Tried this - set it to permissive and tried the systemctl start clamd@amavisd.service and got exactly the same result - tried a number of times - no messages in the logs to indicate a problem - just after the final start up message of :-
Self checking every 600 seconds.
after one second we get
Pid file removed.
Stopped at Fri Nov 11 04:35:49 2016
Socket file removed.
So not selinux. Thanks for the idea - I was unaware that systemd is selinux aware and friendly. I'll keep looking .....
On 11/11/16 13:36, Gordon Messmer wrote:
> On 11/09/2016 02:07 AM, Rob Kampen wrote:
> > so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
> > d /var/run/clamd.amavisd 0755 amavis amavis -
> > the process owner name and group name are amavis this is not quite what you specified - which should it be?
> If "User" is set to amavis in the clamd configuration, that looks fine.
> > My real head scratch problem is that running clamd from a cli works perfectly. Trying to get systemd (via systemctl start clamd@amavisd.service) brings it up but after 1 second removes the pid file and shuts down. set up clamd via the service file to use --debug and get nothing helpful Trying to debug this systemd stuff seems impossible
> systemd starts processes in the correct SELinux context, while running it from the shell does not. So my first guess would be that it's an SELinux issue. Use "setenforce" to put the system in permissive mode to see if that's the case. If so, "grep AVC /var/log/audit/audit.log" for more info.
Another random thought: when I invoke from the CLI, there is a -nofork=yes as a part of the invocation. When systemd tries to do the invocation via the ExecStart line - the original clamd@.service file had this --nofork=yes also - the problem was that this just caused an abend of the start up with the message:
/usr/sbin/clamd: unrecognized option `--nofork=yes'
ERROR: Unknown option passed
ERROR: Can't parse command line options
and a look at the clamd man page shows no such parameter - thus I removed it. I wonder if this is the issue? Not sure what I can test or how I can test it. Will keep playing.
On 11/11/2016 02:39 AM, Rob Kampen wrote:
> When I invoke from the CLI - there is a -nofork=yes as a part of the invocation. When systemd tries to do the invocation via the ExecStart line - the original clamd@.service file had this --nofork=yes also, the problem was that this just caused an abend of the start up with the message:
Not on my system, it doesn't:
$ grep Exec /usr/lib/systemd/system/clamd@.service
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
$ rpm -qf /usr/lib/systemd/system/clamd@.service
clamav-server-systemd-0.99.2-1.el7.noarch
> /usr/sbin/clamd: unrecognized option `--nofork=yes'
> ERROR: Unknown option passed
> ERROR: Can't parse command line options
> and a look at the clamd man shows no such parameter - thus I removed it. I wonder if this is the issue? Not sure what I can or how I can test.
Yeah, it might be worth removing the package and reinstalling it. You shouldn't need to modify the provided systemd service file.
CentOS 7 and my experience with clamav 99.2 from epel repository:
instead of --nofork you need --foreground=yes
The nofork parameter is definitely outdated. See man clamd.conf and https://www.centos.org/forums/viewtopic.php?t=58763 with the necessary changes in /etc/systemd/system/multi-user.target.wants/clamd.service
Best regards
On 12/11/16 16:46, Gordon Messmer wrote:
> On 11/11/2016 02:39 AM, Rob Kampen wrote:
> > When I invoke from the CLI - there is a -nofork=yes as a part of the invocation. When systemd tries to do the invocation via the ExecStart line - the original clamd@.service file had this --nofork=yes also, the problem was that this just caused an abend of the start up with the message:
> Not on my system, it doesn't:
> $ grep Exec /usr/lib/systemd/system/clamd@.service
> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
> $ rpm -qf /usr/lib/systemd/system/clamd@.service
> clamav-server-systemd-0.99.2-1.el7.noarch
> > /usr/sbin/clamd: unrecognized option `--nofork=yes'
> > ERROR: Unknown option passed
> > ERROR: Can't parse command line options
> > and a look at the clamd man shows no such parameter - thus I removed it. I wonder if this is the issue? Not sure what I can or how I can test.
> Yeah, it might be worth removing the package and reinstalling it. You shouldn't need to modify the provided systemd service file.
This looks like the issue. Doing the rpm -qf /usr/lib/systemd/system/clamd@.service gave no owner?? So I tried a reinstall and it informed me the package clamav-server-systemd-0.99.2-1.el7.noarch was not installed - no idea where the systemd service file came from. So I installed it and it now appears to run.
Thanks so much for your assistance - progress finally being made!
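The checks this thread converges on, collected as an added example that is not part of any poster's message or of the clamav packages: a POSIX shell script that verifies the unit keeps clamd in the foreground, that the tmpfiles.d owner matches the User directive, and that the unit file belongs to a package. clamd forks into the background unless told otherwise, which is consistent with the status output above, where Main PID 27421 exits with status 0 while the log lines come from clamd[27481]. The function names and the demo files are constructed for illustration; Foreground and User are clamd.conf directives.

```shell
#!/bin/sh
# Added example: static checks for a clamd@<instance> setup under systemd.

# Print the first value of a clamd.conf directive such as User or Foreground.
conf_value() {  # conf_value CONF KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# True if clamd stays in the foreground: ExecStart passes --foreground=yes
# or the config sets "Foreground yes".
stays_foreground() {  # stays_foreground UNIT CONF
    if grep -E '^[[:space:]]*ExecStart[[:space:]]*=' "$1" |
        grep -q -- '--foreground=yes'; then
        return 0
    fi
    [ "$(conf_value "$2" Foreground)" = "yes" ]
}

# True if the tmpfiles.d "d" entry is owned by the User clamd runs as.
tmpfiles_owner_matches() {  # tmpfiles_owner_matches TMPFILES CONF
    owner=$(awk '$1 == "d" { print $4; exit }' "$1")
    [ -n "$owner" ] && [ "$owner" = "$(conf_value "$2" User)" ]
}

# Run all checks for one instance; non-zero return if a hard check fails.
check_clamd_instance() {  # check_clamd_instance UNIT CONF TMPFILES
    rc=0
    stays_foreground "$1" "$2" ||
        { echo "FAIL: clamd will fork into the background"; rc=1; }
    tmpfiles_owner_matches "$3" "$2" ||
        { echo "FAIL: run directory owner differs from User"; rc=1; }
    # Package ownership is checked only where rpm exists (warning only).
    if command -v rpm >/dev/null 2>&1 && ! rpm -qf "$1" >/dev/null 2>&1; then
        echo "WARN: $1 is not owned by any package"
    fi
    return "$rc"
}

# Constructed sample input: a unit whose ExecStart lacks --foreground=yes.
demo() {
    d=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/sbin/clamd -c /etc/clamd.d/%%i.conf\n' >"$d/unit"
    printf 'User amavis\n' >"$d/conf"
    printf 'd /var/run/clamd.amavisd 0755 amavis amavis -\n' >"$d/tmpfiles"
    check_clamd_instance "$d/unit" "$d/conf" "$d/tmpfiles"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "demo: the constructed unit fails the foreground check"
```

On a real host the three arguments would be the paths named in the thread: /usr/lib/systemd/system/clamd@.service, /etc/clamd.d/amavisd.conf and /etc/tmpfiles.d/clamd.amavisd.conf.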