Can't Create User Output File - Help Needed

[Mike McCandless]

I am running:
- RH8.0, spamassassin-2.31-16, procmail-3.22-7, postfix-1.1.11-5
(spamassassin, procmail, and postfix were all installed from RPMs)

I have researched this problem (searched Google and list archives) and
have not come up with the solution. I am anxious to get Postfix up and
running and this appears to be the last hurdle. I'm sure this is a file
permission problem, but after spending several hours trying to figure
this out, I'm hoping that someone with more experience will recognize
the problem right away. By the way, I have seen the suggestion to chmod
1777 /var/spool/mail and this did not eliminate the problem.

The problem I have is local mail delivery to /var/spool/mail/[username]
generates the following in my log file:

micky postfix/local[3312]: 9C91A3406A: to=<mic...@micky.prismbiz.com>,
relay=local, delay=9, status=bounced (can't create user output file)

This message is followed by another (I think generated by a bounce):

micky postfix/local[3312]: E582734069: to=<mic...@prismbiz.com>,
relay=local, delay=5, status=bounced (can't create user output file)

Interestingly enough, if I go into Pine and check mail, both of these
messages are in my inbox. The bounce message has the following delivery
error report:

Final-Recipient: rfc822; mic...@micky.prismbiz.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; can't create user output file

Also, if I comment out the mailbox_command (to not use Procmail and let
Postfix deliver mail), everything works fine. So, I am inclined to
believe that that the "bounce" is not from an invalid user problem.

++++++++++++++
postconf -n output:
++++++++++++++
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -m /etc/procmailrc
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains = relays.ordb.org, bl.spamcop.net
message_size_limit = 4000000
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = prismbiz.com
myhostname = micky.prismbiz.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-1.1.11/README_FILES
sample_directory = /usr/share/doc/postfix-1.1.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, reject_maps_rbl
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/virtual

+++++++++++++++++++
Selected Permissions
+++++++++++++++++++
/var/spool/mail: drwxrwxr-x 2 root mail 4096 Nov 25
20:16 /var/spool/mail
/var/spool/mail/michael: -rw-rw---- 1 michael mail 50384 Nov
25 20:16 /var/spool/mail/michael
/usr/bin/procmail: -rwxr-xr-x 1 root mail 97275 Jun 23
19:09 /usr/bin/procmail
/home/michael/procmail.log: -rw------- 1 michael [groupname]
424 Nov 25 19:49 /home/michael/procmail.log

The userid michael is a member of the mail group

+++++++++++++++++++
Snippet of /etc/procmailrc
+++++++++++++++++++
PATH="/usr/bin:$PATH:/usr/local/bin"
SHELL=/bin/sh

DROPPRIVS=yes

LOGFILE=$HOME/procmail.log

:0 fw
* < 256000
| /usr/bin/spamassassin -a

--------------------------------------------------------
Mike McCandless
mic...@prismbiz.com

[Stephen Bader]

I'm not exactly certain on this one, but I believe procmail must be SUID
root so that it can setuid to the invoking user. I know my procmail binary
is SUID root, and is owned by root:mail, and I haven't had any problems at
all using procmail/spamd/spamc.

-Steve

-------------------------------------------------------------------------
Stephen Bader JORSM Internet, Regional Internet Services
Systems Administrator 7 Area Codes in Chicagoland and NW Indiana
ste...@jorsm.com 100Mbps+ Connectivity, 56K-DS3, V.90, ISDN
(219) 322-2180 Quality Service, Affordable Prices
http://www.jorsm.com Serving Gov, Biz, Indivds Since 1995
-------------------------------------------------------------------------

[Mike McCandless]

Stephen, thanks for the reply. I have a feeling that SUID root would
work, but I only want to go there as a last resort. I actually have
Postfix running on another box (not exactly the same config I mentioned)
without SUID root and it's fine. That's part of the reason I'm so
puzzled by this.

[Russell Mosemann]

On Mon, 25 Nov 2002, Mike McCandless wrote:

> micky postfix/local[3312]: 9C91A3406A: to=<mic...@micky.prismbiz.com>,
> relay=local, delay=9, status=bounced (can't create user output file)

^^^^^
Procmail is not being used as the delivery agent. The postfix local
delivery agent is being used. I'm guessing that the LDA doesn't have the
privileges required to create a mailbox.

> Also, if I comment out the mailbox_command (to not use Procmail and let
> Postfix deliver mail), everything works fine.

Interesting.

> mailbox_command = /usr/bin/procmail -m /etc/procmailrc

Try mailbox_command = /usr/bin/procmail

> smtpd_client_restrictions = permit_mynetworks, reject_maps_rbl

You're pretty generous.

> +++++++++++++++++++
> Selected Permissions
> +++++++++++++++++++

You don't need any more or fewer permissions than the real user needs.

> +++++++++++++++++++
> Snippet of /etc/procmailrc
> +++++++++++++++++++

Get rid of the file until you have delivery working.

----
Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
"How do they grow seedless grapefruit trees?"

[Mike McCandless]

I made the change you suggested:

> > mailbox_command = /usr/bin/procmail -m /etc/procmailrc
>
> Try mailbox_command = /usr/bin/procmail

Mail delivery now works fine. This is good news, but I'm hoping to
avoid a .procmailrc file for each user - that was the reason to switch
to the "global" one in /etc/procmailrc. Suggestions?

----- Original Message -----
From: "Russell Mosemann" <mo...@ns.cune.edu>
To: "Mike McCandless" <mic...@prismbiz.com>
Cc: <postfi...@postfix.org>
Sent: Monday, November 25, 2002 9:12 PM
Subject: Re: Can't Create User Output File - Help Needed

[Russell Mosemann]

On Mon, 25 Nov 2002, Mike McCandless wrote:

> Mail delivery now works fine.

Always start small.

> This is good news, but I'm hoping to
> avoid a .procmailrc file for each user - that was the reason to switch
> to the "global" one in /etc/procmailrc. Suggestions?

You need to learn to read the documentation. man procmail

If no rcfiles and no -p have been specified on the command
line, procmail will, prior to reading $HOME/.procmailrc,
interpret commands from /local/etc/procmailrc (if present).

----
Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska

"Gravity. It's not just a good idea. It's the law!"

[Russell Mosemann]

On Mon, 25 Nov 2002, Russell Mosemann wrote:

> You need to learn to read the documentation. man procmail
>
> If no rcfiles and no -p have been specified on the command
> line, procmail will, prior to reading $HOME/.procmailrc,
> interpret commands from /local/etc/procmailrc (if present).

The global directory will vary, of course, based on your configuration.

----
Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska

"If you've seen one shopping center, you've seen a mall!"

[Clifton Royston]

On Mon, Nov 25, 2002 at 09:29:01PM -0500, Mike McCandless wrote:
> I made the change you suggested:
>
> > > mailbox_command = /usr/bin/procmail -m /etc/procmailrc

-m /etc/procmailrc does something different from what you are
expecting. With -m, if I have unraveled it properly, the following
file is supposed to be a file where procmail will take on the identity
of the owner of the procmailrc. From man procmail:

"If the rcfile is an absolute path starting with /etc/procmailrcs/
without backward references (i.e. the parent directory cannot be
mentioned) procmail will, only if no security violations are found,
take on the identity of the owner of the rcfile (or symbolic link)."

> > Try mailbox_command = /usr/bin/procmail
>
> Mail delivery now works fine. This is good news, but I'm hoping to

> avoid a .procmailrc file for each user - that was the reason to switch
> to the "global" one in /etc/procmailrc. Suggestions?

procmail will always read the /etc/procmailrc file even when running
as the end user. It's part of its default configuration.

Just /usr/bin/procmail is all you need for the command.

-- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- clif...@lava.net
"As for yourself, ... I am well disposed to hope you may hitherto have
escaped many Vices of your Country. But by what I have gathered from
your own Relation, and the Answers I have with much Pain wringed and
extorted from you, I cannot but conclude the Bulk of your Natives to be
the most pernicious Race of little odious Vermin that Nature ever
suffered to crawl upon the Surface of the Earth."
- Jonathan Swift, _Gulliver's Travels_

[Ralf Hildebrandt]

* Mike McCandless <mic...@prismbiz.com>:

> I made the change you suggested:
>
> > > mailbox_command = /usr/bin/procmail -m /etc/procmailrc
> >

> > Try mailbox_command = /usr/bin/procmail
>
> Mail delivery now works fine. This is good news, but I'm hoping to
> avoid a .procmailrc file for each user - that was the reason to switch
> to the "global" one in /etc/procmailrc. Suggestions?

procmail uses the global procmailrc in absence of a own porocmailrc
anyway...

--
Ralf Hildebrandt Ralf.Hil...@charite.de
Postfix Tips: http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
Programmer /n./ A red-eyed, mumbling mammal capable of conversing with
inanimate objects.