permission denied while connecting to amavisd-milter
Mark Martinec
Mark.Martinec+amavis at ijs.si
Sat Aug 18 02:00:12 CEST 2012
Igor,
> I'm trying to deploy amavisd-new-2.7.0-75.3 with postfix
> postfix-2.8.11-147.1 on openSuSE 12.1
>
> My problem is that amavisd-milter creates socket with rwxr-x-r-x rights and
> postfix cannot communicate with it. It complains that it cannot connect:
> Aug 14 13:46:53 mailserv postfix/smtpd[2758]: warning: connect to
> Milter service unix:/var/spool/amavis/amavisd-milter.sock: Permission
> denied
>
> I added postfix to `vscan' group and added write permission on socket file
> after that things work like expected, but when I restart amavisd service
> everything brakes again.
You are talking about a milter socket, as created by the Petr Rehor's
amavisd-milter program. According to the milter API docs (smfi_setconn),
the milter library obeys the current umask of the process:
https://www.milter.org/developers/api/smfi_setconn
Unix/local sockets should have their permissions set to 0600 (read/write
permission only for the socket's owner) or 0660 (read/write permission
for the socket's owner and group) which is useful if the sendmail
RunAsUser option is used. The permissions for a unix/local domain socket
are determined as usual by umask, which should be set to 007 or 077.
> Is there any option in amavisd-new that controls milter socket permissions?
You are talking now about the socket between amavisd-milter and amavisd,
talking AM.PDP protocol???
amavisd.conf-default :
# $unix_socketname = undef; # Unix socket to accept amavis helper protocol
# $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef
So setting something like
$unix_socket_mode = 0660;
would allow r+w to owner and group.
(but this has no effect on a milter socket as created
by the amavisd-milter program)
> I know that I can simply switch to IP socket and everything would work,
> but how should it be fixed correctly?
> Maybe my package is too old...
Your versions should be alright.
Using an IP socket on a loopback interface avoids such problems indeed:
http://sourceforge.net/mailarchive/forum.php?thread_name=20070917185448.820FF6F1C2%40alopias.GreenKey.net&forum_name=amavisd-
milter-users
> Or maybe I should run amavisd under posfix user?
Better not. It goes against Postfix security separation expectations.
Mark
More information about the amavis-users
mailing list