Replacing sendmail with postfix for local mail in FreeBSD

Jorge Luis Gonzalez

Feb 10, 2012, 3:42:16 PM
I'm posting this to the postfix list rather than the FreeBSD list
because I've found the level of expertise here to be almost
unsurpassed.

In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
across a problem with mail sent from the command line (including mail
from the syslogd daemon).
No matter what I do to disable the sendmail binary (using mailwrapper)
sendmail seems to grab port 25 on the localhost and any mail sent from
the command line that's destined
for a local account is shunted off, even while the mail reaches
procmail and is properly forwarded to gmail as per my recipe.

After going through all the steps of disabling sendmail in rc.conf and
setting up mailwrapper I am getting the following error:

[satyr ~]$ mail -s test jorge
test
.

[satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Here's the corresponding logfile entry, which seems pretty clearly to
point to the (presumably) disabled sendmail:

satyr# tail /var/log/maillog
Feb 9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not
chdir(/var/spool/clientmqueue/): Permission denied

Here are the permissions and owners of the queue:

satyr# ls -ld /var/spool/clientmqueue/
drwxrwx--- 2 smmsp smmsp 512 Feb 9 06:57 /var/spool/clientmqueue/

I then ran across the following sendmail README on FreeBSD:

[...]

As of sendmail 8.12, in order to improve security, the sendmail binary no
longer needs to be set-user-ID root. Instead, a set-group-ID binary
accepts command line mail and relays it to a full mail transfer agent via
SMTP. A group writable client mail queue (/var/spool/clientmqueue/ by
default) holds the mail if an MTA can not be contacted.

To accomplish this, under the default setup, an MTA must be listening on
localhost port 25. If the rc.conf sendmail_enable option is set to "NO",
a sendmail daemon will still be started and bound only to the localhost
interface in order to accept command line submitted mail (note that this
does not work inside jail(2) systems as jails do not allow binding to
just the localhost interface). If this is not a desirable solution, it
can be disabled using the sendmail_submit_enable rc.conf option. However,
if both sendmail_enable and sendmail_submit_enable are set to "NO"
[this is true in my case],
you must do one of two things for command line submitted mail:

1. Designate an alternative host for the submission agent to contact
by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC
in /etc/make.conf to an alternate .mc file) and using
'make install-submit-cf' in /etc/mail/. Change the FEATURE(msp) line
to FEATURE(msp, hostname) where hostname is the fully qualified hostname
of the alternative host.

Or:

2. Return to using a set-user-ID root sendmail binary by changing the
ownership and permissions on the sendmail binary and removing the
/etc/mail/submit.cf file:
chown root /usr/libexec/sendmail/sendmail
chmod 4755 /usr/libexec/sendmail/sendmail
rm /etc/mail/submit.cf
If you install from source, set the SENDMAIL_SET_USER_ID flag in
/etc/make.conf.

[...]

The first of the two suggestions isn't an option for me; I control
only this single mailserver. And I'm not quite sure about the
second: I'd rather avoid a set-user-ID root sendmail if possible. I
just want postfix to handle mail that comes from the command
line destined for localhost 25.

In case there's something I can do inside postfix so that it binds the
daemon to localhost 25 before the vestigial sendmail
gets there, here are my postfix settings:

[satyr ~]$ postconf -n
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
allow_percent_hack = no
append_at_myorigin = yes
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
bounce_size_limit = 10000
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
default_destination_concurrency_limit = 10
default_privs = nobody
delay_warning_time = 1h
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = unix:passwd.byname, $alias_maps
luser_relay =
mail_name = $mydomain Mail Daemon
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/local/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 0
manpage_directory = /usr/local/man
maximal_queue_lifetime = 4h
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = jorge.cc
myhostname = satyr.jorge.cc
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
notify_classes = resource, software
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $mail_name ESMTP
smtpd_client_restrictions = permit_mynetworks,
reject_rbl_client zen.spamhaus.org, reject_unknown_client_hostname,
reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
check_helo_access hash:$config_directory/helo_access,
reject_unauth_pipelining, reject_non_fqdn_hostname,
reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unknown_address
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = no
swap_bangpath = no
tls_daemon_random_bytes = 32
tls_random_exchange_name = $data_directory/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450

The weird thing is that sending mail with telnet through port 25
returns the postfix welcome and it's postfix that seems to accept the mail:

[jorge@satyr /etc/mail]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jorge.cc Mail Daemon ESMTP
EHLO satyr.jorge.cc
250-satyr.jorge.cc
250-PIPELINING
250-SIZE 102400000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: jo...@jorge.cc
250 2.1.0 Ok
RCPT TO: jo...@jorge.cc
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
.

250 2.0.0 Ok: queued as A1774108E2C
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

And here's the logfile:

Feb 10 14:59:50 satyr postfix/qmgr[72725]: 4CF3A108E32:
from=<jorge@localhost>, size=320, nrcpt=1 (queue active)
Feb 10 14:59:50 satyr sendmail[91511]: NOQUEUE: SYSERR(jorge): can not
chdir(/var/spool/clientmqueue/): Permission denied

The email isn't stacking up in any other queue that I can find.

The logfile goes on to record a seemingly successful procmail relay to gmail:

Feb 10 15:29:23 satyr postfix/smtpd[5845]: connect from satyr[69.55.232.70]
Feb 10 15:30:52 satyr postfix/smtpd[5845]: 61766108E39:
client=satyr[69.55.232.70]
Feb 10 15:31:08 satyr postfix/cleanup[6234]: 61766108E39:
message-id=<2012021020305...@satyr.jorge.cc>
Feb 10 15:31:08 satyr postfix/qmgr[72725]: 61766108E39:
from=<jo...@jorge.cc>, size=322, nrcpt=1 (queue active)
Feb 10 15:31:08 satyr postfix/smtp[6478]: setting up TLS connection to
gmail-smtp-in.l.google.com[74.125.45.26]:25
Feb 10 15:31:08 satyr postfix/smtp[6478]: certificate verification
failed for gmail-smtp-in.l.google.com[74.125.45.26]:25: untrusted
issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Feb 10 15:31:08 satyr postfix/smtp[6478]: Untrusted TLS connection
established to gmail-smtp-in.l.google.com[74.125.45.26]:25: TLSv1 with
cipher RC4-SHA (128/128 bits)
Feb 10 15:31:09 satyr postfix/smtp[6478]: 61766108E39:
to=<jlg....@gmail.com>,
relay=gmail-smtp-in.l.google.com[74.125.45.26]:25, delay=48,
delays=46/0.02/0.45/0.77, dsn=2.0.0, status=sent (250 2.0.0 OK
1328905874 s61si7054629yhn.36)
Feb 10 15:31:09 satyr postfix/qmgr[72725]: 61766108E39: removed
Feb 10 15:31:28 satyr postfix/smtpd[5845]: disconnect from satyr[69.55.232.70]
satyr#


I'm completely flummoxed by this. Ripping sendmail by the roots out
of FreeBSD may not be such a good idea so I've avoided that, though I
would have thought that mailwrapper and the rc.conf settings would
have accomplished essentially the same thing.

Thanks very much in advance for any help.

--
Jorge Luis González <JLG....@gmail.com>
http://people.umass.edu/jlg/

This email optimized for teletypes.

CSS

Feb 10, 2012, 3:50:38 PM

On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote:

> I'm posting this to the postfix list rather than the FreeBSD list
> because I've found the level of expertise here to be almost
> unsurpassed.
>
> In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
> across a problem with mail sent from the command line (including mail
> from the syslogd daemon).
> No matter what I do to disable the sendmail binary (using mailwrapper)
> sendmail seems to grab port 25 on the localhost and any mail sent from
> the command line that's destined
> for a local account is shunted off, even while the mail reaches
> procmail and is properly forwarded to gmail as per my recipe.

Your logs don't indicate sendmail listening on port 25 at all.

You should post the sendmail_* lines in /etc/rc.conf and the contents
of /etc/mail/mailer.conf.

What you're showing here really looks like you don't have
mailer.conf properly configured.

Thanks,

Charles

Jorge Luis Gonzalez

Feb 10, 2012, 4:26:53 PM
On Fri, Feb 10, 2012 at 3:50 PM, CSS <c...@morefoo.com> wrote:
>
> On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote:
>
>> I'm posting this to the postfix list rather than the FreeBSD list
>> because I've found the level of expertise here to be almost
>> unsurpassed.
>>
>> In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
>> across a problem with mail sent from the command line (including mail
>> from the syslogd daemon).
>> No matter what I do to disable the sendmail binary (using mailwrapper)
>> sendmail seems to grab port 25 on the localhost and any mail sent from
>> the command line that's destined
>> for a local account is shunted off, even while the mail reaches
>> procmail and is properly forwarded to gmail as per my recipe.
>
> Your logs don't indicate sendmail listening on port 25 at all.
>
> You should post the sendmail_* lines in /etc/rc.conf and the contents
> of /etc/mail/mailer.conf.
>
> What you're showing here really looks like you don't have
> mailer.conf properly configured.
>
> Thanks,
>
> Charles

Here are all the sendmail and postfix entries in rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
dovecot_enable="YES"

And here's /etc/mail/mailer.conf:

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail

You're correct that it's not sendmail listening on tcp 25; it's
postfix's master. But why the caution in the README that sendmail
will bind to 25 if "NO" is specified in rc.conf? And what's the queue
that fails with a permission block, clientmqueue, owned by smmsp?

satyr# netstat -a | egrep 'Proto|LISTEN'
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 satyr.smtp *.* LISTEN

satyr# sockstat -46 | grep ':25'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root master 25052 12 tcp4 69.55.232.70:25 *:*
satyr#

Jorge Luis Gonzalez

Feb 10, 2012, 6:14:43 PM
>> Here are all the sendmail and postfix entries in rc.conf:
>>
>> sendmail_enable="NO"
>> sendmail_submit_enable="NO"
>> sendmail_outbound_enable="NO"
>> sendmail_msp_queue_enable="NO"
>> postfix_enable="YES"
>> dovecot_enable=YES

On Fri, Feb 10, 2012 at 4:44 PM, CSS <c...@morefoo.com> wrote:
>
> Drop all that and put in sendmail_enable="NONE"
>
> That will disable the client queue and all that other junk.
>
> When set to "NO", that just disables the main port 25 listener.  Setting
> it to "NONE" kills everything and lets an alternate MTA handle everything.
>
> The handbook seems to contradict this, but in my experience, "NONE" works
> while setting all the individual sendmail_* stuff to "NO" generally
> doesn't.
>
> Charles

Thanks, Charles.

Setting 'sendmail_enable="NONE"' (and removing the other entries) has
no effect on my system (FreeBSD 8.0).

I still get the following error from command-line mail:

[satyr ~]$ mail -s test jorge
test
.

[satyr ~]$ WARNING: RunAsUser for MSP ignored, check group id
(egid=1002, want=25) can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

satyr# tail /var/log/maillog
Feb  9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not
chdir(/var/spool/clientmqueue/): Permission denied

Here are the permissions and owners of the queue:

satyr# ls -ld /var/spool/clientmqueue/
drwxrwx---  2 smmsp  smmsp  512 Feb  9 06:57 /var/spool/clientmqueue/

clientmqueue is a sendmail queue. It seems that, at some point, even
though there's not a sendmail MTA listening on port 25, some vestige
of sendmail's MSP still directs the email toward clientmqueue and then
pulls out, leaving postfix to unsuccessfully try to drop it into
clientmqueue, which is owned by smmsp. smmsp is definitely a sendmail
user/group. The mail ordinarily sits in clientmqueue waiting to be
piped to the sendmail MTA. But, of course, I've disabled sendmail in
rc.conf and mailer.conf, and postfix has no facility for entering or
processing clientmqueue, so the mail is lost.

It looks like FreeBSD has the user over a barrel: the last troublesome
bits of sendmail's MSP appear to be ineradicable. You either live
with sendmail for local mail (postfix still works for Internet mail),
or you try to kill sendmail and lose the local messages. If anyone
has successfully gotten around this, I'd appreciate hearing how it was
done.

I did find this one explanatory post that offers a partial solution
that I may try:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Sep 2 06:02:43 PDT 2004

That's part of the workings of sendmail. /var/spool/clientmqueue is
the holding area used by the MSP (Mail Submission Protocol) sendmail
instance before it injects the messages into the main MTA (Mail
Transport Agent) sendmail instance.

You'll get the effect you see by not running any sendmail daemons:
unix mailers will send e-mail by piping the message into the stdin of
sendmail, and sendmail will save the message in
/var/spool/clientmqueue for safe keeping before trying to connect to
the MTA to get the message delivered. Normally there would be a
'queue runner' MSP sendmail instance which every half hour would retry
sending any message that couldn't be sent immediately. Each message
will generate a 'df' (message routing info) and 'qf' (message headers
and body) file. You can list out all of the messages and their status
by:

# mailq -v -Ac

A FreeBSD system basically assumes that it has e-mail connectivity
available to it: eg. any output from cron jobs will be e-mailed back
to the job's owner. There will also be the daily, weekly and monthly
periodic script output. You can modify /etc/periodic.conf to redirect
the periodic script output to log files rather than e-mail. See
periodic.conf(5).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Jorge Luis Gonzalez <jlg....@gmail.com>

Wietse Venema

Feb 10, 2012, 7:11:20 PM
Jorge Luis Gonzalez:
> #
> # Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
> #
> sendmail /usr/local/sbin/sendmail
> send-mail /usr/local/sbin/sendmail
> mailq /usr/local/sbin/sendmail
> newaliases /usr/local/sbin/sendmail

mailer.conf settings work only when:

1) /usr/sbin/sendmail is a symlink to /usr/sbin/mailwrapper, like this:

lrwxr-xr-x 1 root wheel 21 Feb 17 2011 /usr/sbin/sendmail -> /usr/sbin/mailwrapper

AND

2) Your mail software invokes /usr/sbin/sendmail, instead of
invoking /usr/libexec/sendmail/sendmail.

What is the configuration of your mail software invokes sendmail?

Wietse

Jorge Luis Gonzalez

Feb 10, 2012, 7:44:01 PM
On Fri, Feb 10, 2012 at 7:11 PM, Wietse Venema <wie...@porcupine.org> wrote:

> mailer.conf settings work only when:
>
> 1) /usr/sbin/sendmail is a symlink to /usr/sbin/mailwrapper, like this:
>
> lrwxr-xr-x  1 root  wheel  21 Feb 17  2011 /usr/sbin/sendmail -> /usr/sbin/mailwrapper

Precisely what I have:

lrwxr-xr-x 1 root wheel 21 Feb 8 16:20 /usr/sbin/sendmail -> /usr/sbin/mailwrapper

>
> AND
>
> 2) Your mail software invokes /usr/sbin/sendmail, instead of
> invoking /usr/libexec/sendmail/sendmail.
>
> What is the configuration of your mail software invokes sendmail?

Here's the relevant line from my mutt config. But mutt throws the
same error that I get when sending from the command line: even though
there is no sendmail process running after a boot with
sendmail_enable="NONE" in rc.conf, something--doesn't it have to be
sendmail?--is trying to drop mail into an unwritable spool that is
owned by the sendmail MSP process.

set sendmail="/usr/sbin/sendmail -oem -oi"

WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
collect: Cannot write ./dfq1B0Ut0C054698 (bfcommit, uid=1002, gid=1002):
+Permission denied
queueup: cannot create queue file ./qfq1B0Ut0C054698, euid=1002, fd=-1, fp=0x0:
+Permission denied

At this point I'm going to try a full reinstall of postfix, though,
again, I think the crux of this is in the FreeBSD README:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>        Wietse

Wietse Venema

Feb 10, 2012, 8:17:06 PM
Jorge Luis Gonzalez:
> lrwxr-xr-x 1 root wheel 21 Feb 8 16:20 /usr/sbin/sendmail ->
> /usr/sbin/mailwrapper

What happens when you execute /usr/sbin/mailwrapper by hand?
(it should complain about no mapping in /etc/mail/mailer.conf).

> > AND
> >
> > 2) Your mail software invokes /usr/sbin/sendmail, instead of
> > invoking /usr/libexec/sendmail/sendmail.
> >
> > What is the configuration of your mail software invokes sendmail?
>
> Here's the relevant line from my mutt config. But mutt throws the
...
> set sendmail="/usr/sbin/sendmail -oem -oi"

What happens when you execute /usr/sbin/sendmail by hand?

What happens when you execute /usr/local/sbin/sendmail by hand?

Wietse

Jorge Luis Gonzalez

Feb 10, 2012, 9:54:18 PM
On Fri, Feb 10, 2012 at 8:17 PM, Wietse Venema <wie...@porcupine.org> wrote:

> What happens when you execute /usr/sbin/mailwrapper by hand?
> (it should complain about no mapping in /etc/mail/mailer.conf).

[jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
collect: Cannot write ./dfq1B2W31I012233 (bfcommit, uid=1002,
gid=1002): Permission denied
queueup: cannot create queue file ./qfq1B2W31I012233, euid=1002,
fd=-1, fp=0x0: Permission denied

> What happens when you execute /usr/sbin/sendmail by hand?

[jorge@satyr ~]$ /usr/sbin/sendmail -oem -oi jorge < /etc/motd
WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
collect: Cannot write ./dfq1B2YS8x013588 (bfcommit, uid=1002,
gid=1002): Permission denied
queueup: cannot create queue file ./qfq1B2YS8x013588, euid=1002,
fd=-1, fp=0x0: Permission denied

> What happens when you execute /usr/local/sbin/sendmail by hand?

Now here's something different: the command did not print an error
message; it returned me to the prompt:

[jorge@satyr ~]$ /usr/local/sbin/sendmail -oem -oi jorge < /etc/motd
[jorge@satyr ~]$

But the mail wasn't delivered. Here's what maillog recorded:

Feb 10 21:34:28 satyr sendmail[13588]: q1B2YS8x013588: SYSERR(jorge):
queueup: cannot create queue file ./qfq1B2YS8x013588, euid=1002,
fd=-1, fp=0x0: Permission denied
Feb 10 21:35:28 satyr postfix/pickup[87965]: E5530108E42: uid=1002 from=<jorge>
Feb 10 21:35:28 satyr postfix/cleanup[14662]: E5530108E42:
message-id=<2012021102352...@satyr.jorge.cc>
Feb 10 21:35:29 satyr postfix/qmgr[41317]: E5530108E42:
from=<jo...@jorge.cc>, size=1413, nrcpt=1 (queue active)
Feb 10 21:35:29 satyr postfix/smtp[14668]: E5530108E42:
to=<jo...@jorge.cc>, orig_to=<jorge>, relay=none, delay=0.17,
delays=0.15/0.02/0/0, dsn=5.4.6, status=bounced (mail for jorge.cc
loops back to myself)
Feb 10 21:35:29 satyr postfix/cleanup[14662]: 88C02108E43:
message-id=<2012021102352...@satyr.jorge.cc>
Feb 10 21:35:29 satyr postfix/bounce[14670]: E5530108E42: sender
non-delivery notification: 88C02108E43
Feb 10 21:35:29 satyr postfix/qmgr[41317]: 88C02108E43: from=<>,
size=3242, nrcpt=1 (queue active)
Feb 10 21:35:29 satyr postfix/qmgr[41317]: E5530108E42: removed
Feb 10 21:35:29 satyr postfix/smtp[14668]: 88C02108E43:
to=<jo...@jorge.cc>, relay=none, delay=0.17, delays=0.13/0.03/0/0,
dsn=5.4.6, status=bounced (mail for jorge.cc loops back to myself)
Feb 10 21:35:29 satyr postfix/qmgr[41317]: 88C02108E43: removed

Here are the contents of /var/spool after a fresh install of postfix:

drwxr-xr-x 2 root wheel 512 Feb 10 19:20 clientmqueue
drwxrwxr-x 2 uucp dialer 512 Feb 10 17:05 lock
drwxr-xr-x 2 root daemon 512 Jan 31 15:12 lpd
drwxr-xr-x 2 root daemon 512 Feb 8 06:59 mqueue
drwx------ 2 root daemon 512 Jan 31 15:12 opielocks
drwxr-xr-x 3 root daemon 512 Jan 31 15:12 output
drwxr-xr-x 16 root postfix 512 Feb 8 07:57 postfix

Note that clientmqueue is no longer owned by the sendmail MSP user and
group. Is this one of the results of the post-install scripts?

Thanks very much for your help.

Jorge

Jorge Luis Gonzalez

Feb 10, 2012, 10:07:46 PM
On Fri, Feb 10, 2012 at 6:54 PM, Jim Long <ja...@umpquanet.com> wrote:
> I should add:
>
> On Fri, Feb 10, 2012 at 03:44:16PM -0800, Jim Long wrote:
> ...
>> (Now confirm that the sendmail processes are gone:)
>> # ps -auxww | grep [s]endmail
>> #
>> (Good, no output from ps | grep)
>> (Now try to start sendmail)
>> # cd /etc/mail
>> # make start
>> Starting:.
>> # ps -auxww | grep [s]endmail
>> #
>> (Good, no output; even after 'make start' there are no sendmail processes running.
>> 'make start' does nothing because of sendmail_enable="NONE" in /etc/rc.conf)
>
> Now shut down postfix, and confirm using 'ps' that no postfix
> processes are running.  Then, start postfix and use 'ps' to confirm
> that it has started.  Also, use 'sockstat -4l' to confirm which
> ports postfix is listening on.  Hopefully postfix will now be
> able to bind to the ports that before might have been bound up by
> sendmail.
>
> Then,
>
>> At this point, go back and try your 'mail -s test jorge' example
>> and see if you've made any progress.  Or try 'sockstat -4l' and
>> examine its output to see which programs are listening on which
>> ports.
>>
>> HTH,
>>
>> Jim
>>

satyr# ps -auxww | grep [s]endmail
grep: No match.
satyr# cd /etc/mail
satyr# make start
Starting:.
satyr# ps -auxww | grep [s]endmail
grep: No match.
satyr# postfix stop
postfix/postfix-script: stopping the Postfix mail system
satyr# ps -auxww | grep [p]ostfix
grep: No match.
satyr# postfix start
postfix/postfix-script: starting the Postfix mail system
satyr# sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root master 27901 12 tcp4 69.55.232.70:25 *:*

At this point it seems obvious that postfix is bound to tcp 25, but an
attempt to send mail still chokes with the familiar error about an
unwritable queue.

satyr# ls -la /var/spool
total 18
drwxr-xr-x 9 root wheel 512 Feb 10 19:20 .
drwxr-xr-x 22 root wheel 512 Feb 10 17:05 ..
drwxr-xr-x 2 root wheel 512 Feb 10 19:20 clientmqueue
drwxrwxr-x 2 uucp dialer 512 Feb 10 17:05 lock
drwxr-xr-x 2 root daemon 512 Jan 31 15:12 lpd
drwxr-xr-x 2 root daemon 512 Feb 8 06:59 mqueue
drwx------ 2 root daemon 512 Jan 31 15:12 opielocks
drwxr-xr-x 3 root daemon 512 Jan 31 15:12 output
drwxr-xr-x 16 root postfix 512 Feb 8 07:57 postfix
satyr#


--
Jorge Luis González <JLG....@gmail.com>
http://people.umass.edu/jlg/

Wietse Venema

Feb 10, 2012, 10:15:11 PM
Jorge Luis Gonzalez:
> On Fri, Feb 10, 2012 at 8:17 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> > What happens when you execute /usr/sbin/mailwrapper by hand?
> > (it should complain about no mapping in /etc/mail/mailer.conf).
>
> [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
> WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)

That is not right. Your mailwrapper program has been replaced.

Wietse

Wietse Venema

Feb 10, 2012, 10:18:23 PM
Jorge Luis Gonzalez:
> On Fri, Feb 10, 2012 at 8:17 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> > What happens when you execute /usr/sbin/mailwrapper by hand?
> > (it should complain about no mapping in /etc/mail/mailer.conf).
>
> [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
> WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)

This means that YOU OVERWROTE /usr/sbin/mailwrapper with
a copy of the sendmail program.

/usr/sbin/mailwrapper should complain about no mapping in /etc/mail/mailer.conf,
like this:

$ /usr/sbin/mailwrapper
mailwrapper: no mapping in /etc/mail/mailer.conf

In your case, this program has been overwritten with sendmail.
This is why you get all the crap that you are experiencing.

Wietse

Jorge Luis Gonzalez

Feb 10, 2012, 10:29:43 PM
On Fri, Feb 10, 2012 at 10:15 PM, Wietse Venema <wie...@porcupine.org> wrote:
>> > What happens when you execute /usr/sbin/mailwrapper by hand?
>> > (it should complain about no mapping in /etc/mail/mailer.conf).
>>
>> [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
>> WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
>
> That is not right. Your mailwrapper program has been replaced.
>

You're quite right, I believe:

satyr# ls -l /usr/sbin/mailwrapper
lrwxr-xr-x 1 root wheel 30 Feb 8 10:36 /usr/sbin/mailwrapper -> /usr/libexec/sendmail/sendmail

satyr# ls -l /usr/sbin/sendmail
lrwxr-xr-x 1 root wheel 21 Feb 8 16:20 /usr/sbin/sendmail -> /usr/sbin/mailwrapper

How do I rectify this?

Thanks very much,

Jorge

CSS

Feb 10, 2012, 10:46:43 PM
On Feb 10, 2012, at 10:29 PM, Jorge Luis Gonzalez wrote:

> On Fri, Feb 10, 2012 at 10:15 PM, Wietse Venema <wie...@porcupine.org> wrote:
>>>> What happens when you execute /usr/sbin/mailwrapper by hand?
>>>> (it should complain about no mapping in /etc/mail/mailer.conf).
>>>
>>> [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
>>> WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
>>
>> That is not right. Your mailwrapper program has been replaced.
>>
>
> You're quite right, I believe:
>
> satyr# ls -l /usr/sbin/mailwrapper
> lrwxr-xr-x 1 root wheel 30 Feb 8 10:36 /usr/sbin/mailwrapper ->
> /usr/libexec/sendmail/sendmail
>
> satyr# ls -l /usr/sbin/sendmail
> lrwxr-xr-x 1 root wheel 21 Feb 8 16:20 /usr/sbin/sendmail ->
> /usr/sbin/mailwrapper
>
> How do I rectify this?

If you've got the src tree installed, it looks like you can pretty easily build and reinstall mailwrapper:

cd /usr/src/usr.sbin/mailwrapper
make obj depend
make install

Pulling it out of the base distribution is probably kind of a pain, but if you've got the livefs cd/dvd you could easily grab it from there. Perms are basic, world read and execute, owner root:wheel.

Make sure you get rid of those symlinks first though.

Thanks,

Charles

Jerry

Feb 11, 2012, 7:00:04 AM
On Fri, 10 Feb 2012 22:18:23 -0500 (EST)
Wietse Venema articulated:

> Jorge Luis Gonzalez:
> > On Fri, Feb 10, 2012 at 8:17 PM, Wietse Venema
> > <wie...@porcupine.org> wrote:
> >
> > > What happens when you execute /usr/sbin/mailwrapper by hand?
> > > (it should complain about no mapping in /etc/mail/mailer.conf).
> >
> > [jorge@satyr ~]$ /usr/sbin/mailwrapper -oem -oi jorge < /etc/motd
> > WARNING: RunAsUser for MSP ignored, check group ids (egid=1002,
> > want=25)
>
> This means that YOU OVERWROTE /usr/sbin/mailwrapper with
> a copy of the sendmail program.
>
> /usr/sbin/mailwrapper should complain about no mapping
> in /etc/mail/mailer.conf, like this:
>
> $ /usr/sbin/mailwrapper
> mailwrapper: no mapping in /etc/mail/mailer.conf
>
> In your case, this program has been overwritten with sendmail.
> This is why you get all the crap that you are experiencing.
>
> Wietse

Jorge, did you install Postfix via the FreeBSD ports system or from
source? The ports system would have done virtually all of the heavy
lifting for you. I have installed Postfix on several machines over the
years via the ports system and have never experienced the problems
that you seem to be having. By the way, you do need these in the
"/etc/rc.conf" file:

sendmail_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
postfix_enable="YES"
dovecot_enable="YES"

The dovecot line is only needed if using Dovecot. Otherwise it serves
no purpose.

If you install via ports, it will make most of the needed changes for
you. You will still need to manually configure the "/etc/rc.conf" file
however.

--
Jerry ✌
postfi...@seibercom.net
_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Jorge Luis Gonzalez

Feb 11, 2012, 12:16:59 PM
Thanks, Jerry.

Wietse discerned the problem pretty quickly. Even though I installed
from ports (twice), at some point I overwrote mailwrapper, probably
with the sendmail binary.

Jorge

Jerry

Feb 11, 2012, 12:45:09 PM
On Sat, 11 Feb 2012 12:16:59 -0500
Jorge Luis Gonzalez articulated:

> Even though I installed from ports (twice), at some point I overwrote
> mailwrapper, probably with the sendmail binary.

That is what is so scary. There is no way you could accidentally do
that. The port will modify the wrapper if you give it permission to do
so; however, it will not do what you apparently accomplished. I am
wondering if you did not give the port permission to overwrite the
mailwrapper.

Bill Cole

Feb 11, 2012, 2:05:20 PM
On 11 Feb 2012, at 12:45, Jerry wrote:

> On Sat, 11 Feb 2012 12:16:59 -0500
> Jorge Luis Gonzalez articulated:
>
>> Even though I installed from ports (twice), at some point I overwrote
>> mailwrapper, probably with the sendmail binary.
>
> That is what is so scary. There is no way you could accidentally do
> that.

+1 with some data:

Across 42 instances that I administer of FreeBSD of the full 6.3-8.2
version range, including 32 and 64 bit, VMWare, Xen, jails, and bare
metal with varied histories and purposes and a mix of current and past
mail subsystems (including switching back and forth in some cases) (yes,
it's a mess, I know, I'm working on it...) I see none with a symlink for
/usr/sbin/mailwrapper and identical checksums for all versions of that
binary file from each unique release+platform tuple, i.e. for systems
with matching 'uname -rp' output, the mailwrapper binaries match.

Shorter: in a messy environment where one might expect to see obscure
installation errors crop up with Postfix, I've never seen this.

That makes it a *scary* event because there is a history of unix
rootkits hiding themselves by inserting themselves into
backward-compatibility mechanisms like the one used for mail programs on
FreeBSD. When the linkage of such a mechanism is damaged in a way that
would work in some cases and would not stand out as wrong for most
admins, you have to start considering the possibility of a subtle and
sophisticated compromise.

> The port will modify the wrapper if you give it permission to do
> so; however, it will not do what you apparently accomplished. I am
> wondering if you did not give the port permission to overwrite the
> mailwrapper.

Uh, whut?

I could be misunderstanding you, but I think that's wrong. The
pkg-install script asks to modify mailer.conf but it does not modify
mailwrapper itself.
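
The two conditions Wietse lists earlier in the thread, and the observation in the message above that /usr/sbin/mailwrapper is normally a regular file rather than a symlink, can be checked mechanically. The script below is an added example, not code from anyone in the thread; the `root` prefix argument, the function names and the constructed sample tree are assumptions of the example, while the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the FreeBSD mail invocation chain:
#   /usr/sbin/sendmail -> /usr/sbin/mailwrapper -> program named in mailer.conf
# The "root" argument is an assumption of this example: a directory prefix so
# the check can run on a constructed tree. Pass "" to audit the live system.

audit_mail_chain() {
    root="${1%/}"
    expected="${2:-/usr/local/sbin/sendmail}"  # Postfix sendmail path from the thread
    sm="$root/usr/sbin/sendmail"
    mw="$root/usr/sbin/mailwrapper"
    conf="$root/etc/mail/mailer.conf"
    rc=0

    # 1) /usr/sbin/sendmail must be a symlink to mailwrapper.
    if [ -L "$sm" ]; then
        target=$(readlink "$sm")
        case "$target" in
            /usr/sbin/mailwrapper|mailwrapper)
                echo "OK   $sm -> $target" ;;
            *)
                echo "FAIL $sm -> $target (expected /usr/sbin/mailwrapper)"
                rc=1 ;;
        esac
    else
        echo "FAIL $sm is not a symlink to mailwrapper"
        rc=1
    fi

    # 2) mailwrapper itself must be a regular file. If it is a symlink to
    #    another program, that program runs and mailer.conf is never read.
    if [ -L "$mw" ]; then
        echo "FAIL $mw is a symlink -> $(readlink "$mw"); mailer.conf is bypassed"
        rc=1
    elif [ -f "$mw" ]; then
        echo "OK   $mw is a regular file"
    else
        echo "FAIL $mw is missing"
        rc=1
    fi

    # 3) Every name mailwrapper dispatches on must map to the expected binary.
    for name in sendmail send-mail mailq newaliases; do
        mapped=""
        if [ -r "$conf" ]; then
            # First field is the invoked name, second is the program to run.
            mapped=$(awk -v n="$name" '$1 == n { print $2; exit }' "$conf")
        fi
        if [ "$mapped" = "$expected" ]; then
            echo "OK   mailer.conf: $name -> $mapped"
        else
            echo "FAIL mailer.conf: $name -> ${mapped:-<unmapped>} (expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree reproducing the state shown in the thread:
# sendmail -> mailwrapper, but mailwrapper -> /usr/libexec/sendmail/sendmail.
build_sample_tree() {
    t="$1"
    mkdir -p "$t/usr/sbin" "$t/etc/mail"
    ln -s /usr/sbin/mailwrapper "$t/usr/sbin/sendmail"
    ln -s /usr/libexec/sendmail/sendmail "$t/usr/sbin/mailwrapper"
    for n in sendmail send-mail mailq newaliases; do
        echo "$n /usr/local/sbin/sendmail"
    done > "$t/etc/mail/mailer.conf"
}

# Run the audit against the constructed tree (not the live system).
demo_tree=$(mktemp -d)
build_sample_tree "$demo_tree"
audit_mail_chain "$demo_tree" || echo "=> chain broken: mailwrapper was replaced"
rm -rf "$demo_tree"
```

On a live FreeBSD host, call `audit_mail_chain ""`; a nonzero return means the wrapper chain differs from the layout described in the thread.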

Jerry

Feb 11, 2012, 3:39:36 PM
On Sat, 11 Feb 2012 14:05:20 -0500
Bill Cole articulated:

{snip}

> I could be misunderstanding you, but I think that's wrong. The
> pkg-install script asks to modify mailer.conf but it does not modify
> mailwrapper itself.

Sorry, that is what I meant to say.

Benny Pedersen

Feb 13, 2012, 8:33:18 PM

> I'm completely flummoxed by this. Ripping sendmail by the roots out
> of FreeBSD may not be such a good idea so I've avoided that,

remove any sendmail that is NOT provided by postfix is solving it

> though I would have thought that mailwrapper and the rc.conf settings
> would have accomplished essentially the same thing.

mailwrappers need to use postfix sendmail not 3rd party sendmail
commands

> Thanks very much in advance for any help.

no problem
