On Fri, 19 Aug 2016, b...@indietorrent.org wrote:
On 2016-08-19 12:17, b...@indietorrent.org wrote:
Aha! Clearly, the vmail user cannot read from nor write to /tmp. (Why
that is, I have no idea, as the /tmp directory's permissions certainly

Do you have SELinux active?
See almost at the end of
http://wiki2.dovecot.org/WhyDoesItNotWork?highlight=%28selinux%29

allow for both; maybe Dovecot implements this as a security measure.)

No. Dovecot does not implement anything like that.
Do you chroot?

This prompted me to change all references to /tmp in the pipe script
to ~/tmp, and create this directory:

$ whoami
vmail
$ mkdir ~/tmp && chmod 770 ~/tmp
$ /bin/bash /usr/local/bin/sa-learn-pipe.sh --ham < /var/vmail/gtube.txt

No errors this time (at least not on the console).

But I do get this in /var/log/mail.err:

Aug 19 12:04:24 example.com dovecot: lda(sa-train...@example.com):
Fatal: Can't open delivery mail as raw: Permission denied

I'm not sure how to interpret this message. Where is permission being
denied? More importantly, what's the fix?

Thanks for any hints!

-Ben

Apologies for the rapid-fire replies here.

The strace output that I'm capturing in the pipe script pinpointed the problem:

open("/root/~/tmp/sendmail-msg-26272.txt", O_RDONLY) = -1 EACCES (Permission denied)

Er, '/root/~/tmp/' ??

There seems to be some expansion occurring that assumes the root user, despite executing the pipe script as the vmail user, so I changed all references to ~/tmp in the pipe script to /var/vmail/tmp and permission is no longer denied.

But, now dovecot-lda is core-dumping. Here is the strace output:

http://pastebin.com/RrKmFhzC

So, I'm back to where I was with this problem two years ago.

At that time, I gave up, because I couldn't invest the time required to compile the latest versions of Dovecot and all plugins from scratch in an effort to prove that the bug exists in the latest source.

"Dovecot always logs a detailed error message if something goes wrong. If it doesn't, it's considered a bug and will be fixed." - http://wiki2.dovecot.org/Logging

I'm happy to help identify the root cause, but I need some guidance here.

First: check the SELinux thing.
Second: Do you run in a chrooted environment?
Third: Enclose all your script with logging, e.g.:

#!/bin/bash
(
date
echo "$@"
id
id -a
echo environment
env
set
# check for chroot
echo stat /
stat /
echo /proc/1/mountinfo
awk '$5=="/" {print}' </proc/1/mountinfo
echo /proc/$$/mountinfo
awk '$5=="/" {print}' </proc/$$/mountinfo
# enable bash tracing
set -vx

... # old script
) >> /var/tmp/antispam.$$.log 2>&1

Make sure /var/tmp/antispam.$$.log is writeable, maybe create a new directory with owner vmail. Make sure you have 2>&1 at the end. Your log misses all the error messages.
Also, you will now have a log file for each run of the script.

To check for chroot:
stat / should print inode 2, but any mountpoint has inode 2.
/proc/$$/mountinfo displays the physical information of a mount; if both differ, the current process is chrooted. "1" should be the init process.

In your script:

for opt; do
        if [[ "$*" =~ .*ham.* ]]

This makes no sense: either use a for loop and test "$opt" here, or do not use for, but use "$*"; .*ham.* should be quoted anyway.

cat<&0 >> /tmp/sendmail-msg-$$.txt
Well, if for any reason this file exists, ..
cat - >/tmp/sendmail-msg-$$.txt


/usr/lib/dovecot/deliver -d "sa-train...@example.com" -m "Training.$mode"
You've already scraped the message from stdin into a file, so add:
< /tmp/sendmail-msg-$$.txt

About the '-p' switch present in the strace-variant:
Please scan the mailing list for the status of it, IMHO, there had been lots of trouble in certain cases.

The strace variant should use -oLogfile.strace.$$.log in order to separate the output of the command and strace logging.

-- Steffen Kaiser
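
The review points from the message above (test each "$opt" instead of "$*" inside the loop, do not append to a spool file that may already exist, feed the spooled file to deliver on stdin), collected into one script as an added example. It is not code from the thread: the function names, the SPOOL_DIR, DELIVER and RCPT variables, the --spam option and the lowercase mailbox suffix are assumptions, the recipient is a placeholder, and mktemp is used here in place of the `cat - >` truncation suggested in the message.

```bash
#!/bin/bash
# Added example, not the thread's script. Assumed names: SPOOL_DIR, DELIVER,
# RCPT, parse_mode, spool_stdin, train, the --spam option, lowercase suffixes.
SPOOL_DIR="${SPOOL_DIR:-/var/vmail/tmp}"        # vmail-owned directory from the thread
DELIVER="${DELIVER:-/usr/lib/dovecot/deliver}"  # LDA path from the thread
RCPT="${RCPT:-user@example.invalid}"            # placeholder recipient

# Test each argument by itself ("$opt"), not "$*" inside the loop.
parse_mode() {
    local opt
    for opt; do
        case "$opt" in
            --ham)  echo ham;  return 0 ;;
            --spam) echo spam; return 0 ;;
        esac
    done
    return 1
}

# Spool stdin into a file that did not exist before: mktemp creates it
# exclusively (mode 0600), so nothing is appended to or read from a leftover
# or pre-planted file with a guessable name.
spool_stdin() {
    local f
    f=$(mktemp "$SPOOL_DIR/sendmail-msg.XXXXXX") || return 1
    cat - > "$f" || { rm -f "$f"; return 1; }
    echo "$f"
}

train() {
    local mode msg rc=0
    mode=$(parse_mode "$@") || { echo "usage: $0 --ham|--spam" >&2; return 64; }
    msg=$(spool_stdin) || return 73
    # The message was already read from stdin, so hand the file to deliver.
    "$DELIVER" -d "$RCPT" -m "Training.$mode" < "$msg" || rc=$?
    rm -f "$msg"
    return "$rc"
}

# Runs only when arguments are given, e.g. as the pipe target: script --ham
if [ "$#" -gt 0 ]; then
    train "$@"
fi
```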