Hello, list,
I have a problem with Sendmail configuration.
I'm building (on CentOS 5) a "dual-MTA" setup with amavisd-new (as specified in amavisd-new documentation, file README.sendmail-dual).
So far so good. But when I tried to add server SMTP-AUTH and TLS, I get a strange, permission-related error, and STARTTLS will not start.
In my .mc conf, the Sendmail user is now the usual - mail:mail
define(`confDEF_USER_ID', ``8:12'')dnl
...though when I have cleared this problem, I'm going to add a definition for a non-privileged Sendmail user like this (for the receiving Sendmail daemon):
define(`confRUN_AS_USER', `smmsp:smmsp')dnl
Ok, when I try to start Sendmail, I get this in the maillog:
Aug 11 15:25:24 mail sm-mta-tx[12782]: starting daemon (8.13.8): SMTP+queueing@00:01:00
Aug 11 15:25:24 mail sm-mta-rx[12785]: starting daemon (8.13.8): SMTP+persistent-queueing@00:00:01
Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file /etc/mail/certs/sendmail.pem unsafe: Permission denied
This is strange, because the permissions should be ok - right?
[root@mail ~]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x  5 root root  4096 Aug 11 15:44 /etc/mail
dr-xr-xr-x  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
[root@mail ~]# ls -l /etc/mail/certs
-rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
-rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
Any ideas, what I should check next?
This might be a Sendmail bug - it resembles this Debian bug, which also gives a "unsafe - no permission" error as a symptom.
http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg01560.html
- Jussi Hirvi
--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
Jussi Hirvi wrote:
Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file /etc/mail/certs/sendmail.pem unsafe: Permission denied
dr-xr-xr-x 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs
^^^
Even allowing group to read there and enter there might be too much.
Ralph
Ralph Angenendt (ra+centos@br-online.de) kirjoitteli (12.8.2008 11:24):
Jussi Hirvi wrote:
Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file /etc/mail/certs/sendmail.pem unsafe: Permission denied
dr-xr-xr-x 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs
^^^
Even allowing group to read there and enter there might be too much.
Thanks for quick reply. That didn't help yet. The error message in maillog is still the same: "sendmail.pem unsafe: Permission denied". The directory perms are now:
[root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
- Jussi
Jussi Hirvi wrote:
Ralph Angenendt (ra+centos@br-online.de) kirjoitteli (12.8.2008 11:24):
dr-xr-xr-x 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs
^^^
Even allowing group to read there and enter there might be too much.
Thanks for quick reply. That didn't help yet. The error message in maillog is still the same: "sendmail.pem unsafe: Permission denied". The directory perms are now:
[root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too wide still.
Ralph
Ralph Angenendt (ra+centos@br-online.de) kirjoitteli (12.8.2008 12:21):
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too wide still.
On another machine (Fedora Core 3, Sendmail 8.13) the /etc/mail perms are 755 too, and it works - though there is no SMTP-AUTH on that machine.
I tried it, but the error message in maillog persists after Sendmail restart. The perms are now:
[root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwx------  5 root root  4096 Aug 12 12:37 /etc/mail
dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
[root@mail mail]# ls -l /etc/mail/certs/
total 1924
-rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
-rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
I cannot help thinking that this is *not* actually about the permissions - it must be about something else.
- Jussi
On Tue, 2008-08-12 at 12:38 +0300, Jussi Hirvi wrote:
Ralph Angenendt (ra+centos@br-online.de) kirjoitteli (12.8.2008 12:21):
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too wide still.
On another machine (Fedora Core 3, Sendmail 8.13) the /etc/mail perms are 755 too, and it works - though there is no SMTP-AUTH on that machine.
I tried it, but the error message in maillog persists after Sendmail restart. The perms are now:
[root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwx------  5 root root  4096 Aug 12 12:37 /etc/mail
dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
[root@mail mail]# ls -l /etc/mail/certs/
total 1924
-rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
-rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
I cannot help thinking that this is *not* actually about the permissions - it must be about something else.
In addition to doing 'chmod u-w sendmail.pem', change the ownership to root:root on all of those files... sendmail drops privs down to smmsp by default...
-I
On Tue, 2008-08-12 at 02:42 -0700, Ian Forde wrote:
In addition to doing 'chmod u-w sendmail.pem', change the ownership to root:root on all of those files... sendmail drops privs down to smmsp by default...
and change the ownership on the certs dir to root:root while you're there... you're okay with 755 perms on /etc/mail, as long as it's root:root. Basically, stick with the stock permissions and you should be fine...
-I
Ian Forde (ian@duckland.org) kirjoitteli (12.8.2008 12:44):
and change the ownership on the certs dir to root:root while you're there... you're okay with 755 perms on /etc/mail, as long as it's root:root. Basically, stick with the stock permissions and you should be fine...
Damn it, Ian - changing ownership to root solved it. :-) I thought I had tried it already.
Thanks a million!
- Jussi
Now I stumble on another problem (not fatal). I think it's only relevant to dual-MTA setups (separate Sendmail daemons for receiving and transmitting mail).
I don't find a way to enable STARTTLS (for the receiving sm-daemon) while at the same time running the receiving daemon with the unprivileged user smmsp. That is, I cannot use
define(`confRUN_AS_USER', `smmsp:smmsp')dnl
in my thishost-rx.mc.
If someone knows a solution to this, please let me know. Otherwise I will just sacrifice the extra security provided by smmsp, and run the receiving Sendmail with the default user policy (started as root, confDEF_USER_ID is mail:mail).
- Jussi
On Tue, 2008-08-12 at 11:21 +0200, Ralph Angenendt wrote:
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too
do 'chmod u-w /etc/mail/certs/sendmail.pem' and see if it works... my certs are in /etc/pki/tls/certs with perms set to 755 on the dirs on the way down and everything works fine...
-I
Here's more info about my Sendmail. It's the current version from the CentOS 5 repositories.
[root@mail mail]# sendmail -d0.1
Version 8.13.8
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS
		MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB
		NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS TCPWRAPPERS USERDB
		USE_LDAP_INIT
- Jussi
Ralph Angenendt wrote on Tue, 12 Aug 2008 11:21:33 +0200:
IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too wide still.
Don't think so, these are the default permissions in CentOS 4, can't check on 5 as I moved to postfix on 5. The certs directory needs to be owned by root.root and the files as well.
Kai
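The thread's outcome (mail-owned files fail, root:root passes, 755 on /etc/mail is fine) is what you get when the "unsafe" test is run against the daemon's own uid, which is root unless confRUN_AS_USER is set, rather than against confDEF_USER_ID. The script below, an added example that is not code from the thread, from sendmail or from CentOS, applies an assumed approximation of sendmail's safefile()/safedirpath() rules to ls -l listings, so the check can be reproduced offline before touching a live server: every directory down from / must be owned by root or the run-as user and not be group/world writable; the file itself must be a regular file with the same ownership rule and no group/world write bit; a private key must also not be group/world readable. The rules are my reading of the sendmail checks, not a quotation of them (verify against doc/op/op.me and the DontBlameSendmail option). The failing listing is the one Jussi posted; the "fixed" listing is constructed to match Ian's advice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One "ls -l" / "ls -ld" row: type, nine mode chars, link count, owner,
# group, size, three date tokens ("Mar 29 2007" or "Aug 12 04:02"), name.
LS_ROW = re.compile(
    r"^([d\-l])([rwxsStT\-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    kind: str   # "d" directory, "-" regular file, "l" symlink
    mode: str   # nine permission characters, e.g. "rwxr-xr-x"
    owner: str
    group: str


def parse_ls(text: str, base: str = "") -> Dict[str, Entry]:
    """Parse ls -l / ls -ld rows into {absolute path: Entry}; relative
    names (from listing a directory) are joined onto `base`."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = LS_ROW.match(line.strip())
        if not m:
            continue  # skips prompts, "total N" and blank lines
        kind, mode, owner, group, name = m.groups()
        path = name if name.startswith("/") else base.rstrip("/") + "/" + name
        entries[path] = Entry(kind, mode, owner, group)
    return entries


def parent_dirs(path: str) -> List[str]:
    """/etc/mail/certs/x.pem -> ['/', '/etc', '/etc/mail', '/etc/mail/certs']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def tls_file_problems(entries: Dict[str, Entry], path: str,
                      run_as: str = "root", private_key: bool = False) -> List[str]:
    """Reasons the (assumed) sendmail safe-file rules reject `path`;
    an empty list means the file would be accepted."""
    allowed = "root" if run_as == "root" else f"root or {run_as}"
    problems: List[str] = []

    def check_owner_and_write(p: str, e: Entry) -> None:
        if e.owner not in ("root", run_as):
            problems.append(f"{p}: owned by {e.owner}, expected {allowed}")
        if "w" in e.mode[3:]:  # mode[3:] holds the group and world bits
            problems.append(f"{p}: group/world writable ({e.mode})")

    for d in parent_dirs(path):
        e = entries.get(d)
        if e is None:
            problems.append(f"{d}: not in listing")
            continue
        if e.kind != "d":
            problems.append(f"{d}: not a directory")
        check_owner_and_write(d, e)
    f = entries.get(path)
    if f is None:
        return problems + [f"{path}: not in listing"]
    if f.kind != "-":
        problems.append(f"{path}: not a regular file")
    check_owner_and_write(path, f)
    if private_key and "r" in f.mode[3:]:
        problems.append(f"{path}: private key readable by group/world ({f.mode})")
    return problems


# Listing as posted in the thread (the failing state).
THREAD_DIRS = """drwxr-xr-x 24 root root 4096 Mar 29 2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x 5 root root 4096 Aug 11 15:44 /etc/mail
dr-xr-xr-x 2 mail mail 4096 Aug 11 14:42 /etc/mail/certs"""
THREAD_CERTS = """-rw------- 1 mail mail 1371 Aug 11 12:15 cacert.pem
-rw------- 1 mail mail 963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-rw------- 1 mail mail 2258 Aug 11 12:16 sendmail.pem"""
# Constructed listing of the layout Ian recommended: root:root throughout,
# stock 755 on /etc/mail, key material writable by nobody.
FIXED_DIRS = """drwxr-xr-x 24 root root 4096 Mar 29 2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x 5 root root 4096 Aug 12 12:37 /etc/mail
drwx------ 2 root root 4096 Aug 12 12:50 /etc/mail/certs"""
FIXED_CERTS = """-r-------- 1 root root 1371 Aug 11 12:15 cacert.pem
-r-------- 1 root root 963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-r-------- 1 root root 2258 Aug 11 12:16 sendmail.pem"""


def thread_listing() -> Dict[str, Entry]:
    return {**parse_ls(THREAD_DIRS), **parse_ls(THREAD_CERTS, "/etc/mail/certs")}


def fixed_listing() -> Dict[str, Entry]:
    return {**parse_ls(FIXED_DIRS), **parse_ls(FIXED_CERTS, "/etc/mail/certs")}


if __name__ == "__main__":
    for label, listing in (("as posted", thread_listing()), ("root:root", fixed_listing())):
        probs = tls_file_problems(listing, "/etc/mail/certs/sendmail.pem")
        print(f"{label}: {'accepted' if not probs else probs}")
```

Running it against the posted listing reports the certs directory and sendmail.pem as owned by mail rather than root; the same listing passes if the check is run with run_as="mail", which is the assumption Jussi was implicitly making. The root:root listing passes for run_as="root" and for run_as="smmsp" alike, since root ownership is always accepted, and a world-writable /etc/mail is rejected even when root-owned.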