storing messages - found permission pb... not enough...

Glenn Steen glenn.steen at gmail.com
Mon May 27 09:41:36 IST 2013


On 24 May 2013 17:16, Alessandro Dentella <sandro at e-den.it> wrote:
> On Thu, May 23, 2013 at 03:01:59PM +0200, Glenn Steen wrote:
>> On 23 May 2013 12:40, Alessandro Dentella <sandro at e-den.it> wrote:
>> >> ... If you do a "MailScanner --lint", that should point you in the
>> >> right direction.
>> >
>> > True... I ran it and it finds:
>> >
>> > Could not open file >/var/spool/MailScanner/incoming/28403/1.header: Permission denied
>> > Cannot create + lock headers file /var/spool/MailScanner/incoming/28403/1.header, Permission denied at /usr/share/MailScanner/MailScanner/Message.pm line 523
>> >
>> > In fact postfix does not have permission to write there. I fixed it and it
>> > turned out to be a stupid conf problem (Quarantine User = user)
>> >
>> > Now MailScanner --lint doesn't show any other problem, but still messages
>> > don't get into quarantine...
>> >
>> > Any thoughts?
>> >
>> Ok, so now we don't have any syntax errors. That's good :-).
>> Next over to semantics... Best is to do a debug run (this is described
>> in the MAQ/wiki)... Simple steps:
>> stop mailscanner via the init script ("service MailScanner stop", or
>> "/etc/init.d/MailScanner stop")
>>
>> Start postfix/your MTA ... In the default MailScanner init script
>> there's provision for this:
>> service MailScanner startin
>> or
>> /etc/init.d/MailScanner startin
>>
>> start the debug run via "MailScanner --debug". This will start
>> MailScanner without forking any children and without closing
>> stdin/stderr... And it will wait for exactly 1 message (or rather ...
>> one batch), process it and then exit... whilst spewing a bit of debug
>> info onto the screen.
>> Best is to run that as the postfix user (even though it should work
>> perfectly well from root... you could do two runs, one from root, one
>> from postfix.. The process should change user to whatever you have the
>> "Run User" set to... ie postfix:-).
>> After a bit of chatter, it'll hang, waiting for a message batch...
>> which you need to provide via normal SMTP methods.
>>
>> We'll see what that gives you.
>
> Running as root:
>
> root at smtp:~# MailScanner --debug
>
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Have a batch of 2 messages.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63, <$fh> line 4.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
> Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
> Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
> Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
> Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
> Insecure dependency in unlink while running with -T switch at /usr/share/MailScanner/MailScanner/MessageBatch.pm line 630.
> Stopping now as you are debugging me.
>
>
> Googling for this message, I understand it is related to the perl code, not to
> system setup, correct?
> So I don't see any interesting message...
>
Well, the above probably indicates that any file manipulations done in
the perl code, through those "insecure" calls/dependencies, don't get
done.
Edit your MailScanner executable and change the first line from
#!/usr/bin/perl -I/usr/lib/MailScanner
to
#!/usr/bin/perl -I/usr/lib/MailScanner -U
... just to turn the tainting code (in perl) off. Restart MailScanner
after that and see if it works better...

Kind of a known issue:-).
You can find which file to edit with "which MailScanner", but it
likely is /usr/sbin/MailScanner that needs to be edited.

> line 630 is:
>   unlink @{$message->{spamarchive}}; # Wipe the spamarchive files
> line 63 is:
>   return open($fh, IO::Handle::_open_mode_string($mode), $file);
>
> If I run as postfix user, it complains it cannot setgid:
>
> postfix at smtp:~$ /usr/sbin/MailScanner --debug
> Can't set GID 33 at /usr/sbin/MailScanner line 1541.
>
> once more I'm in your hands...
>
> sandro
> *;-)
>
> PS: I'm using perl 5.10.1-27
>     ii  perl  5.10.1-17squeeze6

Cheers!
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
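
Added illustration (not part of the thread and not MailScanner code): the "Insecure dependency in unlink" lines in the debug output above are Perl's taint mode refusing a file operation on data that came from outside the program. This stand-alone script reproduces that refusal with a path read back from a file, then clears the value by validating it against an expected pattern; the scratch directory and the untaint_spool_path helper are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Added example. Run as "perl -T demo.pl" (or make it executable);
# perl refuses a -T shebang when -T is missing from the command line.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed scratch directory, built only from untainted literals and $$.
my $dir = "/tmp/taint-demo-$$";
mkdir $dir, 0700 or die "mkdir $dir: $!";

# Create a file to delete, plus an index file that names it.
my $target = "$dir/1.header";
open(my $out, '>', $target) or die "open $target: $!";
close $out;
open(my $idx, '>', "$dir/index") or die "open index: $!";
print {$idx} "$target\n";
close $idx;

# Anything read from a file is tainted under -T.
open(my $in, '<', "$dir/index") or die "open index: $!";
chomp(my $path = <$in>);
close $in;
print "tainted: ", (tainted($path) ? "yes" : "no"), "\n";

# Passing the tainted value straight to unlink is a fatal error:
# "Insecure dependency in unlink while running with -T switch".
eval { unlink $path; 1 } or print "refused: $@";

# Hypothetical helper: accept only "<base>/<simple file name>" and return
# the regex capture, which Perl treats as untainted.
sub untaint_spool_path {
    my ($p, $base) = @_;
    return undef if $p =~ m{(?:^|/)\.\.(?:/|$)};    # reject parent traversal
    return $p =~ m{\A(\Q$base\E/[A-Za-z0-9._-]+)\z} ? $1 : undef;
}

my $clean = untaint_spool_path($path, $dir);
die "unexpected path: refusing to delete\n" unless defined $clean;
unlink $clean or die "unlink $clean: $!";
print "removed after validation: $clean\n";

# Clean up the scratch area.
unlink "$dir/index";
rmdir $dir;
```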

