permission denied while connecting to amavisd-milter

Mark Martinec Mark.Martinec+amavis at ijs.si
Sat Aug 18 02:00:12 CEST 2012


Igor,

> I'm trying to deploy amavisd-new-2.7.0-75.3 with postfix
> postfix-2.8.11-147.1 on openSuSE 12.1
> 
> My problem is that amavisd-milter creates socket with rwxr-xr-x rights and
> postfix cannot communicate with it.  It complains that it cannot connect:
> Aug 14 13:46:53 mailserv postfix/smtpd[2758]: warning: connect to
> Milter service unix:/var/spool/amavis/amavisd-milter.sock: Permission
> denied
> 
> I added postfix to `vscan' group and added write permission on socket file
> after that things work like expected, but when I restart amavisd service
> everything breaks again.

You are talking about a milter socket, as created by Petr Rehor's
amavisd-milter program. According to the milter API docs (smfi_setconn),
the milter library obeys the current umask of the process:

https://www.milter.org/developers/api/smfi_setconn

  Unix/local sockets should have their permissions set to 0600 (read/write
  permission only for the socket's owner) or 0660 (read/write permission
  for the socket's owner and group) which is useful if the sendmail
  RunAsUser option is used. The permissions for a unix/local domain socket
  are determined as usual by umask, which should be set to 007 or 077.


> Is there any option in amavisd-new that controls milter socket permissions?

You are now talking about the socket between amavisd-milter and amavisd,
speaking the AM.PDP protocol?

amavisd.conf-default :
# $unix_socketname  = undef; # Unix socket to accept amavis helper protocol
# $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef

So setting something like
  $unix_socket_mode = 0660;
would allow r+w to owner and group.

(but this has no effect on a milter socket as created
by the amavisd-milter program)

> I know that I can simply switch to IP socket and everything would work,
> but how should it be fixed correctly?
> Maybe my package is too old...

Your versions should be alright.
Using an IP socket on a loopback interface avoids such problems indeed:

  http://sourceforge.net/mailarchive/forum.php?thread_name=20070917185448.820FF6F1C2%40alopias.GreenKey.net&forum_name=amavisd-milter-users

> Or maybe I should run amavisd under postfix user?

Better not. It goes against Postfix security separation expectations.

  Mark
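The following is an added example, not code from the mail above nor from amavisd or amavisd-milter. It reproduces the mechanism Mark describes: on Linux a Unix-domain socket is created with mode 0777 & ~umask, so a daemon started with the usual umask 022 leaves its socket as rwxr-xr-x (exactly the mode Igor saw), and connect(2) then fails with "Permission denied" for anyone lacking write permission on the socket file. Running the same bind under umask 007 yields 0770, which is what lets a postfix user in the vscan group connect; the explicit chmod afterwards mirrors what amavisd's $unix_socket_mode does for its own AM.PDP socket. Socket paths are temporary directories created by the script; no real daemon or user switching is involved.

```python
# Added example: how umask (or an explicit chmod) determines who may
# connect to a Unix-domain socket. Not part of amavisd or amavisd-milter.
import os
import socket
import stat
import tempfile


def bind_with_umask(path, umask_value):
    """Bind and listen on a Unix socket at `path` with `umask_value` in effect.

    Returns (socket, mode), where `mode` is the permission bits the kernel
    left on the socket inode (0777 & ~umask on Linux). The caller's previous
    umask is restored before returning, even if bind() fails.
    """
    old_umask = os.umask(umask_value)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
    finally:
        os.umask(old_umask)
    return srv, stat.S_IMODE(os.stat(path).st_mode)


def _with_temp_socket(name, umask_value, after_bind=None):
    """Create a throwaway socket under `umask_value`, optionally run
    `after_bind(path)` (e.g. a chmod), and return the final socket mode."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, name)
    srv, _ = bind_with_umask(path, umask_value)
    try:
        if after_bind is not None:
            after_bind(path)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


def socket_mode_for_umask(umask_value):
    """Mode a milter-style socket ends up with when only umask governs it."""
    return _with_temp_socket("milter.sock", umask_value)


def socket_mode_with_explicit_chmod(umask_value, wanted_mode):
    """The $unix_socket_mode approach: bind, then chmod the socket inode.

    Note the window between bind() and chmod(): under a loose umask the
    socket is briefly world-connectable, so a daemon should still set a
    restrictive umask (077) before binding and only then widen to 0660.
    """
    return _with_temp_socket(
        "amavisd.sock", umask_value, lambda p: os.chmod(p, wanted_mode))


def group_member_can_connect(mode):
    """connect(2) on a Unix socket requires write permission on the socket
    file, so a non-owner in the socket's group needs the g+w bit set."""
    return bool(mode & stat.S_IWGRP)


if __name__ == "__main__":
    for um in (0o022, 0o007, 0o077):
        m = socket_mode_for_umask(um)
        print("umask %03o -> socket mode %04o, group member can connect: %s"
              % (um, m, group_member_can_connect(m)))
    m = socket_mode_with_explicit_chmod(0o022, 0o660)
    print("umask 022 then chmod 0660 -> socket mode %04o" % m)
```

For amavisd-milter, the practical fix this illustrates is to set `umask 007` in the init script or wrapper that starts the daemon (and make sure the socket directory is owned by the vscan group), so the socket is created group-writable without a post-hoc chmod that has to be repeated on every restart.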

