Problem using amavisd 2.9.and sendmail on Centos 7

Matthias Weigel matthias.weigel at maweos.de
Thu May 14 17:15:02 CEST 2015


Hi Daniela,

did you set $daemon_chroot_dir in amavisd.conf?
This should not be set.
What are $daemon_user and $daemon_group?


What is the output of
getenforce


What is the output of
grep -i runasuser /etc/mail/*cf


Any messages in /var/log/audit/audit.log when the problem occurs?


Seems that I am out of ideas now. You seem to be able to use sendmail
from the amavis user (test see below), but the same command within
amavis has permission problems?


I guess
chmod 777 /var/spool/clientmqueue
will fix the problem, but is not a good idea...

Maybe try to put the amavis user in group smmsp?


Best Regards

Matthias



On 14.05.2015 at 16:31, bortolotti wrote:
> Hi Matthias,
> here it is our output:
> 
> ----------------------------------------------
> [root at postman ~]# sudo -u amavis -s /usr/sbin/sendmail -v -Ac -i
> bortolotti at bo.infn.it < /tmp/ciao
> bortolotti at bo.infn.it... Connecting to [127.0.0.1] via relay...
> 220 bo.infn.it ESMTP server; Thu, 14 May 2015 16:16:03 +0200
> >>> EHLO postman.bo.infn.it
> 250-postman.bo.infn.it Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 100000000
> 250-DSN
> 250-ETRN
> 250-AUTH GSSAPI
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> >>> STARTTLS
> 220 2.0.0 Ready to start TLS
> >>> EHLO postman.bo.infn.it
> 250-postman.bo.infn.it Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 100000000
> 250-DSN
> 250-ETRN
> 250-AUTH GSSAPI PLAIN LOGIN
> 250-DELIVERBY
> 250 HELP
> >>> MAIL From:<amavis at postman.bo.infn.it> SIZE=5 AUTH=amavis at postman.bo.infn.it
> 250 2.1.0 <amavis at postman.bo.infn.it>... Sender ok
> >>> RCPT To:<bortolotti at bo.infn.it>
> >>> DATA
> 250 2.1.5 <bortolotti at bo.infn.it>... Recipient ok
> 354 Enter mail, end with "." on a line by itself
> >>> .
> 250 2.0.0 t4EEG3B0009078 Message accepted for delivery
> bortolotti at bo.infn.it... Sent (t4EEG3B0009078 Message accepted for
> delivery)
> Closing connection to [127.0.0.1]
> >>> QUIT
> 221 2.0.0 postman.bo.infn.it closing connection
> --------------------------------------------------------------
> [root at postman ~]# mount | grep nosuid
> proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
> sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
> devtmpfs on /dev type devtmpfs
> (rw,nosuid,size=1449904k,nr_inodes=362476,mode=755)
> securityfs on /sys/kernel/security type securityfs
> (rw,nosuid,nodev,noexec,relatime)
> tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
> devpts on /dev/pts type devpts
> (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
> tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
> tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)
> cgroup on /sys/fs/cgroup/systemd type cgroup
> (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
> 
> pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
> cgroup on /sys/fs/cgroup/cpuset type cgroup
> (rw,nosuid,nodev,noexec,relatime,cpuset)
> cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup
> (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
> cgroup on /sys/fs/cgroup/memory type cgroup
> (rw,nosuid,nodev,noexec,relatime,memory)
> cgroup on /sys/fs/cgroup/devices type cgroup
> (rw,nosuid,nodev,noexec,relatime,devices)
> cgroup on /sys/fs/cgroup/freezer type cgroup
> (rw,nosuid,nodev,noexec,relatime,freezer)
> cgroup on /sys/fs/cgroup/net_cls type cgroup
> (rw,nosuid,nodev,noexec,relatime,net_cls)
> cgroup on /sys/fs/cgroup/blkio type cgroup
> (rw,nosuid,nodev,noexec,relatime,blkio)
> cgroup on /sys/fs/cgroup/perf_event type cgroup
> (rw,nosuid,nodev,noexec,relatime,perf_event)
> cgroup on /sys/fs/cgroup/hugetlb type cgroup
> (rw,nosuid,nodev,noexec,relatime,hugetlb)
> ----------------------------------------------------------------
> cat /proc/sys/fs/protected_symlinks
> 1
> 
> 
> We changed the option on protected_symlinks, but unsuccessfully.
> After reboot the value returned to 1.
> 
> What can we do ?
> 
> Best regards
> Daniela Bortolotti
> 
> 
> 
> On 05/14/2015 03:19 PM, Matthias Weigel wrote:
>> Hi Daniela,
>>
>> this looks all o.k.
>>
>> Can you send me the output of this command:
>> sudo -u amavis -s /usr/sbin/sendmail -v -Ac -i  bortolotti at bo.infn.it <
>> /tmp/ciao
>>
>> Do you by any chance use chroot in amavis?
>>
>> Did you mount any filesystem sendmail uses, with "nosuid" option?
>> mount | grep nosuid
>>
>>
>> Does your problem change, if you disable "protected_symlinks"?
>> cat /proc/sys/fs/protected_symlinks
>> echo 0 > /proc/sys/fs/protected_symlinks
>>
>>
>>
>>
>>
>> Best Regards
>>
>> Matthias
>>
>> On 14.05.2015 at 14:30, Daniela Bortolotti wrote:
>>> Hi Matthias,
>>> I checked the permissions on files and directories; this is the output:
>>>
>>> ----------------------------------------------------------------------
>>>
>>> [root at postman ~]# ls -lisa /usr/sbin/sendmail*
>>> 1057121   0 lrwxrwxrwx  1 root root      21 May 11 15:16
>>> /usr/sbin/sendmail -> /etc/alternatives/mta
>>> 1058798 244 -rwxr-xr-x  1 root root  247848 Jun 10  2014
>>> /usr/sbin/sendmail.postfix
>>> 1057108 820 -rwxr-sr-x. 1 root smmsp 836840 Jun  9  2014
>>> /usr/sbin/sendmail.sendmail
>>> [root at postman ~]# ls -lisa /etc/alternatives/mta
>>> 131748 0 lrwxrwxrwx 1 root root 27 May 11 15:16 /etc/alternatives/mta ->
>>> /usr/sbin/sendmail.sendmail
>>>
>>> -----------------------------------------------------------------------
>>>
>>> ls -lisa /etc/mail
>>> total 620
>>> 131604   4 drwxr-xr-x.  4 root root   4096 May 13 17:07 .
>>> 131073  12 drwxr-xr-x. 82 root root  12288 May 13 16:44 ..
>>> 131782   4 -rw-r--r--   1 root root   1011 May 13 17:07 access
>>> 131763  12 -rw-r-----.  1 root root  12288 May 13 17:08 access.db
>>> 131736   4 -rw-r--r--.  1 root root    603 Apr 20 11:43 access.orig
>>> 131767   0 -rw-r--r--.  1 root root      0 May 13 16:16 aliasesdb-stamp
>>> 131732   4 -rw-r--r--.  1 root root    233 Jan 27  2014 domaintable
>>> 131765   8 -rw-r-----.  1 root root  12288 Apr 14 16:06 domaintable.db
>>> 131734   8 -rw-r--r--.  1 root root   5584 Jun  9  2014 helpfile
>>> 131781   4 drwxr-xr-x.  2 root root   4096 Apr 20 11:50 listelocali
>>> 132773   4 -rw-r--r--   1 root root    162 May 13 17:05 local-host-names
>>> 131737   4 -rw-r--r--.  1 root root    997 Jan 27  2014 mailertable
>>> 131766   8 -rw-r-----.  1 root root  12288 Apr 14 16:06 mailertable.db
>>> 131738   4 -rwxr-xr-x.  1 root root   2700 Jan 27  2014 make
>>> 131711   4 -rw-r--r--.  1 root root     92 Jan 27  2014 Makefile
>>> 132772   4 -rw-r--r--   1 root root   3408 May  7 11:45 postino.mc
>>> 131573  64 -rw-r--r--   1 root root  61475 May  8 08:39 sendmail.cf
>>> 132763  60 -rw-r--r--   1 root root  61432 May  6 09:45 sendmail.cf.AMDB
>>> 131308  60 -rw-r--r--   1 root root  61398 May  7 15:59 sendmail.cf.bak
>>> 132761   4 -rw-r--r--   1 root root   3888 May  8 08:39 sendmail.mc
>>> 131601   4 -rw-r--r--   1 root root   3753 May  6 09:43 sendmail.mc.AMDB
>>> 131735   8 -rw-r--r--.  1 root root   7306 Jan 27  2014 sendmail.mc.orig
>>> 131606   4 drwxr-xr-x.  4 root root   4096 Apr 21 15:10 spamassassin
>>> 131741  40 -rw-r--r--   1 root root  40724 May  6 14:15 submit.cf
>>> 132770  44 -rw-r--r--   1 root root  41680 May  6 14:08 submit.cf.AMDB
>>> 131740  40 -rw-r--r--   1 root root  40737 May  6 14:14 submit.cf.bak
>>> 132774   4 -rw-r--r--   1 root root   1041 May  6 14:14 submit.mc
>>> 132738   4 -rw-r--r--   1 root root   1041 May  6 14:08 submit.mc.AMDB
>>> 132778   4 -rw-r--r--   1 root root    134 May  8 08:38 trusted-users
>>> 131730   4 -rw-r--r--   1 root root    127 May  8 08:37
>>> trusted-users.orig
>>> 131731  60 -rw-r--r--.  1 root root  61024 May 12 11:56 userdb
>>> 131768 116 -rw-r-----.  1 root root 118784 May 12 11:56 userdb.db
>>> 131743   4 -rw-r--r--.  1 root root   1847 Jan 27  2014 virtusertable
>>> 131762   8 -rw-r-----.  1 root root  12288 Apr 14 16:06 virtusertable.db
>>> [root at postman ~]#
>>>
>>> ----------------------------------------------------------------------
>>>
>>> [root at postman ~]# sendmail -v -d44.4 -bv
>>> safefile(/etc/mail/sendmail.cf, uid=0, gid=0, flags=6000, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6000, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      [uid 0, nlink 1, stat 100644, mode 400]     OK
>>> safefile(/etc/mail/local-host-names, uid=0, gid=0, flags=6580,
>>> mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6580, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      [uid 0, nlink 1, stat 100644, mode 400]     OK
>>> safefile(/etc/mail/relay-domains, uid=0, gid=0, flags=6580, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6580, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      No such file or directory
>>> safefile(/etc/mail/trusted-users, uid=0, gid=0, flags=6580, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6580, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      [uid 0, nlink 1, stat 100644, mode 400]     OK
>>> safefile(/var/run/spamass-milter/spamass-milter.sock, uid=0, gid=0,
>>> flags=42302, mode=600):
>>> safedirpath(/var/run/spamass-milter, uid=0, gid=0, flags=42302, level=0,
>>> offset=0):
>>> safedirpath(/var/../run, uid=0, gid=0, flags=42302, level=1, offset=5):
>>>      [dir /var/../run] OK
>>>      [dir /var/run/spamass-milter] OK
>>>      [uid 994, nlink 1, stat 140755, mode 600]     OK
>>> safefile(/var/run/amavisd/amavisd-milter.sock, uid=0, gid=0,
>>> flags=42302, mode=600):
>>> safedirpath(/var/run/amavisd, uid=0, gid=0, flags=42302, level=0,
>>> offset=0):
>>> safedirpath(/var/../run, uid=0, gid=0, flags=42302, level=1, offset=5):
>>>      [dir /var/../run] OK
>>>      [dir /var/run/amavisd] OK
>>>      [uid 996, nlink 1, stat 140755, mode 600]     OK
>>> safefile(/etc/mail/service.switch, uid=0, gid=0, flags=6480, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6580, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      No such file or directory
>>> safefile(/etc/mail/service.switch, uid=0, gid=0, flags=6480, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=6580, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      No such file or directory
>>> safedirpath(/var/spool/mqueue/, uid=0, gid=0, flags=4, level=0,
>>> offset=0):
>>>      [dir /var/spool/mqueue/] OK
>>> safedirpath(./q00, uid=0, gid=0, flags=4, level=0, offset=0):
>>>      [dir ./q00] OK
>>> safedirpath(./q02, uid=0, gid=0, flags=4, level=0, offset=0):
>>>      [dir ./q02] OK
>>> safedirpath(./q01, uid=0, gid=0, flags=4, level=0, offset=0):
>>>      [dir ./q01] OK
>>> safefile(/etc/mail/userdb.db, uid=0, gid=0, flags=584, mode=400):
>>> safedirpath(/etc/mail, uid=0, gid=0, flags=584, level=0, offset=0):
>>>      [dir /etc/mail] OK
>>>      [uid 0, nlink 1, stat 100640, mode 400]     OK
>>> Recipient names must be specified
>>>
>>> --------------------------------------------------------------------
>>> Amavis account login is :
>>> amavis:x:996:995:User for amavisd-new:/var/spool/amavisd:/sbin/nologin
>>>
>>> Best regards
>>> Daniela Bortolotti
>>>
>>>
>>>
>>> On 05/13/2015 07:56 PM, Matthias Weigel wrote:
>>>> Hi Daniela,
>>>>
>>>> for the sendmail commandline test, please try it as the amavis user,
>>>> not
>>>> as root.
>>>>
>>>> Also please check the permissions of the sendmail program: it has to be
>>>> setgid:
>>>> ls -lisa /usr/sbin/sendmail*
>>>> ls -lisa /etc/alternatives/mta
>>>>
>>>> and
>>>> ls -lisa /etc/mail
>>>>
>>>> To check dir permissions by sendmail itself use
>>>> sendmail -v -d44.4 -bv
>>>>
>>>>
>>>>
>>>> Best Regards
>>>>
>>>> Matthias
>>>>
>>>>
>>>> On 13.05.2015 at 17:47, bortolotti wrote:
>>>>> Hi Matthias,
>>>>> here it is our output:
>>>>>
>>>>> ------------------------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>> sendmail -v bortolotti at bo.infn.it < /tmp/ciao
>>>>> bortolotti at bo.infn.it... Connecting to [127.0.0.1] via relay...
>>>>> 220 bo.infn.it ESMTP server; Wed, 13 May 2015 17:19:49 +0200
>>>>> >>> EHLO postman.bo.infn.it
>>>>> 250-postman.bo.infn.it Hello localhost [127.0.0.1], pleased to meet
>>>>> you
>>>>> 250-ENHANCEDSTATUSCODES
>>>>> 250-PIPELINING
>>>>> 250-8BITMIME
>>>>> 250-SIZE 100000000
>>>>> 250-DSN
>>>>> 250-ETRN
>>>>> 250-AUTH GSSAPI
>>>>> 250-STARTTLS
>>>>> 250-DELIVERBY
>>>>> 250 HELP
>>>>> >>> STARTTLS
>>>>> 220 2.0.0 Ready to start TLS
>>>>> >>> EHLO postman.bo.infn.it
>>>>> 250-postman.bo.infn.it Hello localhost [127.0.0.1], pleased to meet
>>>>> you
>>>>> 250-ENHANCEDSTATUSCODES
>>>>> 250-PIPELINING
>>>>> 250-8BITMIME
>>>>> 250-SIZE 100000000
>>>>> 250-DSN
>>>>> 250-ETRN
>>>>> 250-AUTH GSSAPI PLAIN LOGIN
>>>>> 250-DELIVERBY
>>>>> 250 HELP
>>>>> >>> MAIL From:<root at postman.bo.infn.it> SIZE=5 AUTH=root at postman.bo.infn.it
>>>>> 250 2.1.0 <root at postman.bo.infn.it>... Sender ok
>>>>> >>> RCPT To:<bortolotti at bo.infn.it>
>>>>> >>> DATA
>>>>> 250 2.1.5 <bortolotti at bo.infn.it>... Recipient ok
>>>>> 354 Enter mail, end with "." on a line by itself
>>>>> >>> .
>>>>> 250 2.0.0 t4DFJnkZ006299 Message accepted for delivery
>>>>> bortolotti at bo.infn.it... Sent (t4DFJnkZ006299 Message accepted for
>>>>> delivery)
>>>>> Closing connection to [127.0.0.1]
>>>>> >>> QUIT
>>>>> 221 2.0.0 postman.bo.infn.it closing connection
>>>>> ----------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> When I use the amavisd-release command the output is:
>>>>>
>>>>> amavisd-release virus-m0fUPazhnpfA
>>>>> 451 4.5.0 Failed to submit a message: exit 78, id=rel-k47A8FCsKcSV
>>>>>
>>>>> And maillog file:
>>>>> May 13 17:21:58 postman amavis[6279]: (rel-0frn5zAtV38Y) Quarantined
>>>>> message release (miscategorized): m0fUPazhnpfA
>>>>> <Antonella.Monducci at bo.infn.it> -> <monducci at bo.infn.it>
>>>>> May 13 17:21:59 postman sendmail[6309]: NOQUEUE: SYSERR(amavis):
>>>>> can not
>>>>> chdir(/var/spool/clientmqueue/): Permission denied
>>>>>
>>>>>
>>>>> -----------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Our submit.mc is standard, we modified only sendmail.mc
>>>>>
>>>>>    dnl # amavis milter definitions 9-3-2015
>>>>> INPUT_MAIL_FILTER(`amavis-milter',
>>>>> `S=local:/var/run/amavisd/amavisd-milter.sock, F=T,
>>>>> T=S:10m;R:10m;E:10m')
>>>>>
>>>>> -----------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> In our amavisd.conf setup we define these rules:
>>>>> $unix_socketname = "$MYHOME/amavisd.sock";
>>>>> $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f
>>>>> ${sender} -- ${recipient}';
>>>>>
>>>>> but don't receive notifications.
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Where is the mistake?
>>>>>
>>>>> Thanks a lot.
>>>>>
>>>>> Best Regards
>>>>> Daniela
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 05/12/2015 10:31 AM, Matthias Weigel wrote:
>>>>>> Hi Daniela,
>>>>>>
>>>>>> does using sendmail on command line work?
>>>>>> e.g.
>>>>>> sendmail -v somebody at example.com < /tmp/sometext
>>>>>>
>>>>>> What does your /etc/mail/submit.mc and your /etc/mail/sendmail.mc
>>>>>> look
>>>>>> like?
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> Matthias
>>>>>>
>>>>>> On 12.05.2015 at 10:18, bortolotti wrote:
>>>>>>> Hi Fabian,
>>>>>>> the permissions of "/var/spool/clientmqueue"
>>>>>>> are good and SELinux is already disabled.
>>>>>>> What else can I investigate?
>>>>>>>
>>>>>>> Thanks a lot.
>>>>>>> Daniela Bortolotti
>>>>>>>
>>>>>>>
>>>
> 
> 
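Added example, not part of the original post or thread: a small POSIX shell model of the permission chain being debugged above (setgid sendmail binary, group smmsp, /var/spool/clientmqueue), showing why `chmod 777` hides the failure instead of fixing it. The 0770 smmsp:smmsp queue mode and the script name `msp_audit.sh` are assumptions (stock sendmail packaging); the paths are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed stock sendmail layout:
# setgid-smmsp binary and a 0770 smmsp:smmsp /var/spool/clientmqueue.

# has_setgid MODE: true if the octal mode carries the setgid bit (02000).
has_setgid() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

# world_writable MODE: true if "other" may write (0002), as after chmod 777.
world_writable() { [ $(( 0$1 & 0002 )) -ne 0 ]; }

# can_enter MODE DIR_GROUP PROC_GROUP...: may a non-owner process holding the
# listed groups chdir into the directory? The group class decides if any
# group matches (x bit 0010); otherwise the "other" class does (x bit 0001).
can_enter() {
    ce_mode=$1; ce_dgrp=$2; shift 2
    ce_bit=0001
    for ce_g in "$@"; do
        if [ "$ce_g" = "$ce_dgrp" ]; then ce_bit=0010; fi
    done
    [ $(( 0$ce_mode & $ce_bit )) -ne 0 ]
}

# audit BIN_MODE BIN_GROUP Q_MODE Q_GROUP USER_GROUP...: one finding per line,
# or "ok". A setgid binary adds its group to the caller's groups; pass a mode
# without the bit to model the bit being ignored (e.g. a nosuid mount).
audit() {
    a_bm=$1; a_bg=$2; a_qm=$3; a_qg=$4; shift 4
    a_bad=0
    if has_setgid "$a_bm"; then set -- "$@" "$a_bg"
    else echo "binary-not-setgid"; a_bad=1; fi
    if ! can_enter "$a_qm" "$a_qg" "$@"; then echo "cannot-chdir-queue"; a_bad=1; fi
    if world_writable "$a_qm"; then echo "queue-world-writable"; a_bad=1; fi
    if [ "$a_bad" -eq 0 ]; then echo "ok"; fi
}

# Live check (GNU stat assumed): sh msp_audit.sh --live amavis
if [ "${1:-}" = "--live" ]; then
    set -- $(stat -L -c '%a %G' /usr/sbin/sendmail) \
           $(stat -c '%a %G' /var/spool/clientmqueue) $(id -Gn "$2")
    audit "$@"
fi
```

With the thread's `-rwxr-sr-x root smmsp` binary (mode 2755) and a 0770 queue directory the model reports `ok`; with a 0777 queue it reports `queue-world-writable` even though the chdir succeeds.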

