Start/Stop script for mailScanner

Will Merkens willm at merkens.ca
Fri Jun 18 15:22:01 IST 2010


> Will,
>
> The following code is executed by "service MailScanner start" to start
> your clientmqueue sendmail process:
>         touch /var/run/sm-client.pid
>         chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid 2>/dev/null
>         $SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID 2>/dev/null
>
> You can modify the script to get some debugging (modify the lines in
> /etc/init.d/MailScanner):
>         touch /var/run/sm-client.pid
>         chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid
>         $SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID
>
> Now do "service MailScanner stop", kill your remaining sendmail
> process and do "service MailScanner start". If there are any error
> messages when starting your sendmail process they should now appear on
> your terminal.
>
> I am guessing your smmsp user does not have access to your /var/run
> directory.
>
> Denis
>
OK, this narrowed it down: it was the MSPUSER and MSPGROUP. If I set them
to 'mail' in /etc/sysconfig/MailScanner the pid file was created
correctly and start/stop worked as intended.

Further digging seems to have dug up what I believe to be a Mandriva
2010 bug in how it sets up sendmail.

If I look at /etc/passwd and group I can see that the three accounts
created for sendmail are there.

mail:x:8:12:mail:/var/spool/mail:/bin/sh
mailnull:x:75:75:system user for sendmail:/var/spool/mqueue:/dev/null
smmsp:x:76:76:system user for sendmail:/var/spool/mqueue:/dev/null

but it is missing an optional 'smmta' user.

So when I removed the 2>/dev/null to see debug output, nothing appeared
because the user smmsp exists.

I found this section in the sendmail security docs:

-r-xr-sr-x root  smmsp ... /PATH/TO/sendmail
drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
drwx------ root  wheel ... /var/spool/mqueue
-r--r--r-- root  wheel ... /etc/mail/sendmail.cf
-r--r--r-- root  wheel ... /etc/mail/submit.cf

[Notice: On some OS "wheel" is not used but "bin" or "root" instead,
however, this is not important here.]

That is, the owner of sendmail is root, the group is smmsp, and the binary
is set-group-ID. The client mail queue is owned by smmsp with group smmsp
and is group writable. The client mail queue directory must be writable by
smmsp, but it must not be accessible for others. That is, do not use world
read or execute permissions. In submit.cf the option UseMSP must be set,
and QueueFileMode must be set to 0660.

I see how they intended the perms and users/groups should go

but in Mandriva 2010

-r-xr-sr-x  1 root   mail 765504 2010-01-12 06:00 /usr/sbin/sendmail.sendmail*
drwxrwx---  2 mail   mail      6 2010-06-18 04:03 clientmqueue/
drwxr-x---  2 root   mail      6 2010-06-18 07:36 mqueue/
-r--r--r--  1 root   mail 65237 2010-04-12 13:48 sendmail.cf
-r--r--r--  1 root   mail 41313 2010-01-12 06:00 submit.cf

and if I grep /etc/mail/*.cf for RunAsUser

sendmail.cf:#O RunAsUser=sendmail
submit.cf:O RunAsUser=mail:mail

It looks to me that Mandriva half did the config; this all looks like
the older way that sendmail used to operate.

It works now running as user 'mail'. I had a look at correcting the
ownership of the various files/dirs but there seems to be a lot tied
to the user 'mail' and group 'mail' that I think for the moment I will
leave alone.

Thanks for the help.





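Added example (not part of the original message and not MailScanner's own init code): a shell function that compares the MSPUSER/MSPGROUP pair the init script chowns the pid file to with the client queue's ownership and mode and with the active RunAsUser line in submit.cf, which is the mismatch diagnosed above. The function name check_msp and its ROOT prefix argument are assumptions made for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example; check_msp and the ROOT prefix are hypothetical names.
# Usage: check_msp ROOT MSPUSER MSPGROUP   (ROOT="" audits the live system)
# Prints one line per finding. Returns 0 if consistent, 1 on a finding,
# 2 if the client queue directory cannot be read.
check_msp() {
    root=$1 want_user=$2 want_group=$3 rc=0
    queue="$root/var/spool/clientmqueue"
    submit="$root/etc/mail/submit.cf"

    # Owner, group and octal mode of the client queue (GNU stat syntax).
    info=$(stat -c '%U %G %a' "$queue") || return 2
    set -- $info
    q_user=$1 q_group=$2 q_mode=$3

    # The init script chowns the pid file to MSPUSER:MSPGROUP, so that pair
    # has to be the identity that owns the client queue.
    if [ "$q_user" != "$want_user" ] || [ "$q_group" != "$want_group" ]; then
        echo "MISMATCH: $queue is $q_user:$q_group, init script uses $want_user:$want_group"
        rc=1
    fi

    # Group-writable and no access for others: last octal digit 0,
    # group digit with the write bit set (2, 3, 6 or 7).
    case $q_mode in
        *[2367]0) ;;
        *) echo "PERMS: $queue has mode $q_mode, expected group-writable and closed to others"
           rc=1 ;;
    esac

    # Only an uncommented "O RunAsUser=..." line counts; "#O ..." is ignored.
    run_as=$(sed -n 's/^O[[:space:]]*RunAsUser=//p' "$submit" | tail -n 1)
    case $run_as in
        ''|"$want_user"|"$want_user:$want_group") ;;
        *) echo "MISMATCH: submit.cf RunAsUser=$run_as, init script uses $want_user:$want_group"
           rc=1 ;;
    esac
    return $rc
}
```

On the system described in the message, `check_msp "" smmsp smmsp` would report both mismatches, while `check_msp "" mail mail` matches the listed queue ownership and RunAsUser line.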