Mailscanner + Exim >= 4.73

Paul Welsh paul at welshfamily.com
Fri Aug 24 01:05:21 IST 2012


Hi all

I've spent many hours on this and so thought I'd share my findings in
case it proves helpful to anyone else.

I'm in the process of configuring centos 6.1, exim 4.76 and
mailscanner 4.84.3 on directadmin 1.41.1 and have run into the issue
whereby specifying a config file with the -C switch no longer runs
exim as root.

I copied the setup from a server running much older versions of
centos, exim and directadmin and it works fine but this was prior to
the changes in exim.

I originally used an article at
http://www.michele.me/blog/archives/2006/01/installing-mailscanner-on-directadmin-with-exim/

My MailScanner.conf contains the lines:
Sendmail = /usr/sbin/exim -C /etc/exim.conf
Sendmail2 = /usr/sbin/exim -C /etc/exim_send.conf

/etc/exim.conf and /etc/exim_send.conf are both symlinks:
# ll /usr/local/exim/configure /usr/local/exim/exim_send.conf
lrwxrwxrwx 1 root root 14 Aug 19 23:07 /usr/local/exim/configure -> /etc/exim.conf
lrwxrwxrwx 1 root root 19 Aug 19 23:07 /usr/local/exim/exim_send.conf -> /etc/exim_send.conf

The problem I found was that both exim instances failed to start from
/etc/init.d/MailScanner with entries like this in
/var/log/exim/mainlog
exim user lost privilege for using -C option

I realised this was due to the security changes in exim so recompiled
exim from source because the version I was running wasn't built with
the new TRUSTED_CONFIG_LIST functionality.  I added it and left
everything else alone.  Note that mail is set as the user for exim but
the mail group isn't set.  In addition, the CONFIGURE_FILE is set to
/etc/exim.conf:
# grep trusted_configs /root/exim-4.76/Local/Makefile
# grep mail /root/exim-4.76/Local/Makefile
EXIM_USER=mail
TRUSTED_CONFIG_LIST=/usr/local/exim/trusted_configs
# grep exim.conf /root/exim-4.76/Local/Makefile
CONFIGURE_FILE=/etc/exim.conf

However, this still didn't solve my problem.

After much messing about I checked the values being used by the init.d
script and found that although it contains the following at the top of
the file:
EXIM=/usr/sbin/exim
EXIMINCF=/etc/exim.conf
EXIMSENDCF=/etc/exim_send.conf

It then states:
# If you are using sendmail, Exim or Postfix, please try to avoid editing
# this file. Edit /etc/sysconfig/MailScanner instead.

Looking at /etc/sysconfig/MailScanner it contained:
# Exim settings
#
EXIM=/usr/local/exim/bin/exim
EXIMINCF=/usr/local/exim/configure         # Incoming configuration file
EXIMSENDCF=/usr/local/exim/exim_send.conf  # Outgoing configuration file

So essentially the init.d MailScanner referenced the symlink files and
the sysconfig MailScanner script referenced the source of the symlink
files.

I checked which values were being assigned to the variables prior to
execution and what was happening when they were executed by hacking
the init.d MailScanner file:
        if test -x $EXIM ; then
echo $EXIM $EXIMINCF
$EXIM -C $EXIMINCF -bd
#          $EXIM -C $EXIMINCF -bd 2> /dev/null

        if test -x $EXIM ; then
echo $EXIM $EXIMSENDCF
$EXIM -C $EXIMSENDCF -q15m
#          $EXIM -C $EXIMSENDCF -q15m 2> /dev/null

Here's what I got:
# service MailScanner start
Starting MailScanner daemons:
         incoming exim: /usr/local/exim/bin/exim /usr/local/exim/configure
-C Permission denied
                                                           [  OK  ]
         outgoing exim: /usr/local/exim/bin/exim /usr/local/exim/exim_send.conf
-C Permission denied
                                                           [  OK  ]
         MailScanner:                                      [  OK  ]

Adding:
/usr/local/exim/configure
/usr/local/exim/exim_send.conf
to /usr/local/exim/trusted_configs made no difference.

However, I updated the sysconfig MailScanner:
EXIMINCF=/etc/exim.conf         # Incoming configuration file
EXIMSENDCF=/etc/exim_send.conf  # Outgoing configuration file

Then I ensured that /usr/local/exim/trusted_configs contained:
/etc/exim_send.conf

After this, exim and MailScanner started OK.  Note that I didn't need
to have /etc/exim.conf in /usr/local/exim/trusted_configs because it
was set as the CONFIGURE_FILE in the exim Makefile.

You would not believe how long this has taken me to get working!

Regards

Paul

On 18 February 2011 18:33, Jonas <jonas at vrt.dk> wrote:
> You can have something like this:
> Sendmail2 = /usr/sbin/exim4 -c /etc/exim4/exim.outgoing.conf
>
> Then, you have to add this new "shim" configuration file into your exim
> trusted_configs file.
>
> # cat /etc/exim4/trusted_configs
> /etc/exim4/exim.outgoing.conf
>
> And finally, in your exim4.outgoing.conf file, you should define your macro and
> then include the standard exim config file.  For Debian, it might look something
> like this:
>
> # cat /etc/exim4/exim.outgoing.conf
> OUTGOING = 1
> .include /var/lib/exim4/config.autogenerated
>
> This way, you're still only modifying the one main exim4 configuration file for
> all of your needs.  I've done it this way (I even use a different macro name),
> and it works with the patched exim4 in Lenny.
> And I expect it to work as is in Squeeze.
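
Added example, not part of the original post or of the Exim or MailScanner code: a pre-flight check an init script could run on the path it is about to pass to exim -C, to catch the symlink-name versus target-name mismatch described above. It assumes Exim matches the -C argument as text against the absolute paths in the trusted list and only honours a list that is root-owned and not group- or world-writable; the function names and status words are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Exim matches the
# -C argument as text against absolute paths in the TRUSTED_CONFIG_LIST file,
# does not resolve symlinks, and only honours a root-owned list that is not
# group- or world-writable.

# in_list PATH LIST: whole-line, fixed-string match (leading blanks ignored)
in_list() {
    sed 's/^[[:space:]]*//' "$2" 2>/dev/null | grep -Fxq -- "$1"
}

# c_path_status PATH LIST CONFIGURE_FILE
# Prints built-in | listed | alias-only | unlisted; returns 0 for the first two.
c_path_status() {
    case $1 in /*) ;; *) echo unlisted; return 1 ;; esac
    if [ "$1" = "$3" ]; then echo built-in; return 0; fi
    if in_list "$1" "$2"; then echo listed; return 0; fi
    # The same file may be trusted under another name (symlink vs. target).
    real=$(readlink -f -- "$1" 2>/dev/null) || real=""
    if [ -n "$real" ] && [ "$real" != "$1" ]; then
        if [ "$real" = "$3" ] || in_list "$real" "$2"; then
            echo alias-only; return 1
        fi
    fi
    echo unlisted; return 1
}

# list_perms LIST: prints ok | missing | writable | not-root-owned
list_perms() {
    [ -f "$1" ] || { echo missing; return 1; }
    # Octal mode: a 2, 3, 6 or 7 in the group or other digit means writable.
    case $(stat -c %a "$1") in
        *[2367]?|*[2367]) echo writable; return 1 ;;
    esac
    [ "$(stat -c %u "$1")" = 0 ] || { echo not-root-owned; return 1; }
    echo ok
}
```

Called as c_path_status "$EXIMSENDCF" /usr/local/exim/trusted_configs /etc/exim.conf, it prints alias-only when the variable names a symlink whose target is the trusted name.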

