hardensuse <-> procmail
Hi ! Does the hardensuse script something wich make the mails in /var/spool/mail set to chmod 600 ? Sometimes I see in /var/log/warn: procmail[20002]: Insufficient privileges to deliver to "root" or similar. chmod 660 "by hand" -> /var/log/mail: procmail[22902]: Enforcing stricter permissions on "/var/spool/mail/root" Where can can I reset this behavior or is there a solution? Thanks for assistance. -- Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
Dear Walter,
Hi ! Does the hardensuse script something wich make the mails in /var/spool/mail set to chmod 600 ?
Sometimes I see in /var/log/warn: procmail[20002]: Insufficient privileges to deliver to "root" or similar.
chmod 660 "by hand" -> /var/log/mail: procmail[22902]: Enforcing stricter permissions on "/var/spool/mail/root"
Where can can I reset this behavior or is there a solution? Thanks for assistance.
The most convenient and reasonable solution for this problem doesn't even touch its origin. Forward mail sent to root to a dedicated, unpriviliged account. Reading mails as root is definitely not a bright idea. Use /etc/aliases near the end of the file for this purpose, and don't forget newaliases. :-) Thanks, Roman. -- _ _ | Roman Drahtmüller "The best way to pay for a | CC University of Freiburg lovely moment is to enjoy it." | email: draht@uni-freiburg.de - Richard Bach | - -
Forward mail sent to root to a dedicated, unpriviliged account.
Yes, I forward all "root"-mail to an unpriviliged account. "root"-Account is only an example. The same problem exists with ALL other local accounts, like my "wk". Hints? -- Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
Walter Krohe wrote:
Forward mail sent to root to a dedicated, unpriviliged account. Yes, I forward all "root"-mail to an unpriviliged account. "root"-Account is only an example. The same problem exists with ALL other local accounts, like my "wk". Hints?
Well, are you running AMaViS ? :-) Quoting from the new BUGS file (not yet in CVS, as I'm just back from LinuxTag ...): * depending on your system, subprocess is run as the UID of the local receipient (not 'root'). Calling your local delivery program (usually procmail) then might have insufficient privileges to deliver it any further. FIX: set an "o"-flag in /etc/sendmail.cf Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@SPfhn, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=scanmails -Y -a $h -d $u Hint: This usually happens on SuSE Linux >=6.0 Hint: If this still does not work, *remove* the "o" *and* the "S" flag! Please note that I'm running a different AMaViS setup (AMaViS is not called via Mlocal, but via Mamavis, which is called by an patched Rule Set 0). If it's still does not work, I'll look into my mail archive, as I did some research on that some month ago ... HTH best regards, Rainer Link -- Rainer Link | Member of Virus Help Munich (www.vhm.haitec.de) rainer@w3.to | Member of AMaViS Development Team (dev.amavis.org) rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)
Well, are you running AMaViS ? :-)
Yes ;-)
FIX: set an "o"-flag in /etc/sendmail.cf
Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@SPfhn, S=10/30,
I chagend it. I'll see what happens. Thanx. -- Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
Well, are you running AMaViS ? :-)
Yes.
FIX: set an "o"-flag in /etc/sendmail.cf
Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@SPfhn, S=10/30,
No difference. --cut-- Jul 2 09:20:55 wk-net procmail[10768]: Insufficient privileges to deliver to "wk" --cut-- Next:
Hint: If this still does not work, *remove* the "o" *and* the "S" flag!
No difference. Same output as upper quote.
System: SuSE 6.3, sendmail-8.9.3-42, AMaViS 0.2.0-pre6, procmail-3.13.1-12
I wonder why procmail forces the rights of the files in /var/spool/mail to 600
instead of 660.
--cut--
Jun 30 17:49:58 wk-net scanmails[22823]: execution started
Jun 30 17:50:18 wk-net procmail[22902]: Enforcing stricter permissions on
"/var/
spool/mail/wk"
Jun 30 17:50:18 wk-net scanmails[22906]: terminating
Jun 30 17:50:18 wk-net sendmail[22814]: RAA22813: to= If it's still does not work, I'll look into my mail archive, as I did
some research on that some month ago ... It would be very nice if you find time to tell an other workarround.
--
Walter Krohe, wk@u2me.de
Schwabstrasse 20, D-73760 Ostfildern
voice +49 711 3428 926, fax +49 711 3428 928
Walter Krohe wrote: Hi!
Well, are you running AMaViS ? :-) Yes. FIX: set an "o"-flag in /etc/sendmail.cf Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@SPfhn, S=10/30, No difference. --cut-- Jul 2 09:20:55 wk-net procmail[10768]: Insufficient privileges to deliver to "wk" --cut-- Next: Hint: If this still does not work, *remove* the "o" *and* the "S" flag! No difference. Same output as upper quote. System: SuSE 6.3, sendmail-8.9.3-42, AMaViS 0.2.0-pre6, procmail-3.13.1-12
That's strange. It seems that in some cases it works, in some not ?! See http://x75.deja.com/[ST_rn=ps]/getdoc.xp?AN=629806029&search=thread&CONTEXT=962548838.1276510370&HIT_CONTEXT=962548838.1276510370&HIT_NUM=7&hitnum=7 (sorry for that long URL). Anyway, did you restart sendmail after changing the /etc/sendmail.cf? And btw, I would recommend to use at least 0.2.0-pre6-clm-rl-8 (dev.amavis.org) or the stuff in CVS (cvsweb.amavis.org) :-)
If it's still does not work, I'll look into my mail archive, as I did some research on that some month ago ...
It would be very nice if you find time to tell an other workarround. I'll dig in my mail archives and forward that stuff then directly to you.
best regards, Rainer Link -- Rainer Link | Member of Virus Help Munich (www.vhm.haitec.de) rainer@w3.to | Member of AMaViS Development Team (dev.amavis.org) rainer.w3.to | Linux/Unix Anti Virus project (lavp.sourceforge.net)
Rainer Link wrote:
Jul 2 09:20:55 wk-net procmail[10768]: Insufficient privileges to deliver to "wk" --cut-- Next:
Hint: If this still does not work, *remove* the "o" *and* the "S" flag! No difference. Same output as upper quote. System: SuSE 6.3, sendmail-8.9.3-42, AMaViS 0.2.0-pre6, procmail-3.13.1-12
That's strange. It seems that in some cases it works, in some not ?! See Ok, next try :-)
System: SuSE 6.2, sendmail 8.9.3, AMaViS 0.2.0-pre6-clm-rl-8-04-07-2000 [*] (uh, it's time for either clm-rl-9 or 0.2.1 *g*) I've added the "o" flag and removed the "S"-flag, so on my system it looks like this: Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@qPfhn9, S=10/30, R=20/40 T=DNS/RFC822/X-Unix, A=scanmails -Y -a $h -d $u This worked for me. Only one exception: delivery to root is not possible, but imho "root" should be always an alias to an user account, so this does not hurd me ;-) HTH best regards, Rainer Link [*] CVS (anon): cvs.amavis.org CVSWeb: cvsweb.amavis.org tar.gz: http://www.cn.is.fh-furtwangen.de/~link/security/amavis-patch.php3#latest_so... (the BUGS file in CVS is the latest, but that's the only difference between CVS and tar.gz right now) -- Rainer Link | Student of Computer Networking rainer@w3.to | University of Applied Sciences, Furtwangen, Germany rainer.w3.to | http://www.computer-networking.de/
Ok, next try :-)
It works !
Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@qPfhn9, S=10/30, R=20/40 T=DNS/RFC822/X-Unix, A=scanmails -Y -a $h -d $u
There was the -Y parameter not set. Maybe it wasn't in an earlier AMaVIS install docu. -- Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
Walter Krohe wrote: Hi!
Ok, next try :-) It works !
Great :-) If you tried the latest stuff in CVS, please report to me if it worked.
Mlocal, P=/usr/sbin/scanmails, F=olsDFMAw5:/|@qPfhn9, S=10/30, R=20/40 T=DNS/RFC822/X-Unix, A=scanmails -Y -a $h -d $u
There was the -Y parameter not set. Maybe it wasn't in an earlier AMaVIS install docu.
Uh? Are you sure? Look at http://satan.oih.rwth-aachen.de/AMaViS/amavis.html#modsendmail - this page hasn't changed for ages ;-( Anyway, I think it's time to create an amavis-users@lists.sourceforge.net :-) (stuff is getting off-topic here) best regards, Rainer Link -- Rainer Link | Student of Computer Networking rainer@w3.to | University of Applied Sciences, Furtwangen, Germany rainer.w3.to | http://www.computer-networking.de/
On Son, 02 Jul 2000, Walter Krohe wrote:
Well, are you running AMaViS ? :-) Yes. No difference. Same output as upper quote. System: SuSE 6.3, sendmail-8.9.3-42, AMaViS 0.2.0-pre6, procmail-3.13.1-12
did you ever tried "inflex" - i prefer this solution... Greetings, Joerg Henner. -- LinuxHaus Stuttgart | Tel.: +49 (7 11) 2 85 19 05 Jörg Henner & Adrian Reyer, Datentechnik GbR | D2: +49 (1 72) 7 35 31 09 | Fax: +49 (7 11) 5 78 06 92 Linux, Netzwerke, Webhosting & Support | http://lihas.de
Joerg Henner wrote:
No difference. Same output as upper quote. System: SuSE 6.3, sendmail-8.9.3-42, AMaViS 0.2.0-pre6, procmail-3.13.1-12
did you ever tried "inflex" - i prefer this solution...
Well, inflex is *very* similar to AMaViS. Quote from inflex: This program was created with the assistance of looking at AmaVis. Afaik there's a commercial version, if this is an infringement to GPL, I don't know and I don't care. Everyone can look at the source and can choose, which product he prefers most and fits best for his purposes. Inflex supports blocking of files, AMaViS supports nearly all anti virus products and more MTAs. But I had a look at inflex some time ago, so things may have changed. I would recommend to use AMaViS-Perl, but, well, I'm biased ;-) Anyway, several tools for blocking certain files or virus scanning at the mail server do exist, see: http://lavp.sourceforge.net/av-linux_e.txt (the file name is rather misleading now, because it isn't limited to Linux anymore). best regards, Rainer Link -- Rainer Link | Member of Virus Help Munich (www.vhm.haitec.de) rainer@w3.to | Member of AMaViS Development Team (dev.amavis.org) rainer.w3.to | Linux/Unix Anti Virus project (lavp.sourceforge.net)
participants (4)
-
Joerg Henner -
Rainer Link -
Roman Drahtmueller -
Walter Krohe