[CentOS] Sendmail with TLS, permission problem

Tue Aug 12 09:44:27 UTC 2008
Ian Forde <ian at duckland.org>

On Tue, 2008-08-12 at 02:42 -0700, Ian Forde wrote:
> On Tue, 2008-08-12 at 12:38 +0300, Jussi Hirvi wrote:
> > Ralph Angenendt (ra+centos at br-online.de) wrote (12.8.2008 12:21):
> > >> Thanks for quick reply. That didn't help yet. The error message in maillog
> > >> is still the same: "sendmail.pem unsafe: Permission denied". The directory
> > >> perms are now: 
> > >> [root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> > >> drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> > >> drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> > >> drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
> > >> dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > > 
> > > IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too
> > > wide still.
> > 
> > On another machine (Fedora Core 3, Sendmail 8.13) the /etc/mail perms are
> > 755 too, and it works - though there is no SMTP-AUTH on that machine.
> > 
> > I tried it, but the error message in maillog persists after Sendmail
> > restart. The perms are now:
> > 
> > [root@mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> > drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> > drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> > drwx------  5 root root  4096 Aug 12 12:37 /etc/mail
> > dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > [root@mail mail]# ls -l /etc/mail/certs/
> > total 1924
> > -rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
> > -rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
> > -rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
> > -rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
> > 
> > I cannot help thinking that this is *not* actually about the permissions -
> > it must be about something else.
> 
> In addition to doing 'chmod u-w sendmail.pem', change the ownership to
> root:root on all of those files... sendmail drops privs down to smmsp by
> default...

and change the ownership on the certs dir to root:root while you're
there... you're okay with 755 perms on /etc/mail, as long as it's
root:root.  Basically, stick with the stock permissions and you should
be fine...

	-I
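
The ownership and mode advice in this thread, written as an audit script (an added example, not part of the original post and not sendmail's own file-safety code). The function name, the default `top` of `/etc/mail`, and the three rules it applies (expected owner uid, no group/world write on any component, no group/other access to the key file) are assumptions drawn from the replies above.

```python
import os
import stat
import sys


def audit_cert_path(path, top="/etc/mail", owner_uid=0):
    """Return (path, problem) pairs for each component from `top` down to `path`.

    Assumed rules (taken from the thread, not from sendmail's source):
      - every component is owned by owner_uid (root by default)
      - no component is group- or world-writable
      - the final file grants no access at all to group or other
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    if os.path.commonpath([path, top]) != top:
        raise ValueError(f"{path} is not below {top}")

    # Build the chain top, top/certs, top/certs/sendmail.pem
    chain = [top]
    rel = os.path.relpath(path, top)
    if rel != ".":
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))

    findings = []
    for p in chain:
        st = os.stat(p)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid:
            findings.append((p, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, f"group/world writable ({mode:04o})"))
        if p == path and stat.S_ISREG(st.st_mode) and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((p, f"key file accessible by group/other ({mode:04o})"))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /etc/mail/certs/sendmail.pem
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/mail/certs/sendmail.pem"
    problems = audit_cert_path(target)
    for p, why in problems:
        print(f"UNSAFE {p}: {why}")
    sys.exit(1 if problems else 0)
```

Run against the second listing quoted above, it would report `/etc/mail/certs` and `sendmail.pem` as not owned by root, which is the change suggested in the replies.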