I'm posting this to the postfix list rather than the FreeBSD list because I've found the level of expertise here to be almost unsurpassed.
In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come across a problem with mail sent from the command line (including mail from the syslogd daemon). No matter what I do to disable the sendmail binary (using mailwrapper), sendmail seems to grab port 25 on the localhost, and any mail sent from the command line that's destined for a local account is shunted off, even while the mail reaches procmail and is properly forwarded to gmail as per my recipe.

After going through all the steps of disabling sendmail in rc.conf and setting up mailwrapper I am getting the following error:

  [satyr ~]$ mail -s test jorge
  test
  .
  [satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids (egid=1002, want=25)
  can not chdir(/var/spool/clientmqueue/): Permission denied
  Program mode requires special privileges, e.g., root or TrustedUser.

Here's the corresponding logfile entry, which seems pretty clearly to point to the (presumably) disabled sendmail:

  satyr# tail /var/log/maillog
  Feb  9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not chdir(/var/spool/clientmqueue/): Permission denied

Here are the permissions and owners of the queue:

  satyr# ls -ld /var/spool/clientmqueue/
  drwxrwx---  2 smmsp  smmsp  512 Feb  9 06:57 /var/spool/clientmqueue/

I then ran across the following sendmail README on FreeBSD:

> [...]
> As of sendmail 8.12, in order to improve security, the sendmail binary
> no longer needs to be set-user-ID root. Instead, a set-group-ID binary
> accepts command line mail and relays it to a full mail transfer agent
> via SMTP. A group writable client mail queue (/var/spool/clientmqueue/
> by default) holds the mail if an MTA can not be contacted. To
> accomplish this, under the default setup, an MTA must be listening on
> localhost port 25.
>
> If the rc.conf sendmail_enable option is set to "NO", a sendmail daemon
> will still be started and bound only to the localhost interface in
> order to accept command line submitted mail (note that this does not
> work inside jail(2) systems as jails do not allow binding to just the
> localhost interface). If this is not a desirable solution, it can be
> disabled using the sendmail_submit_enable rc.conf option. However, if
> both sendmail_enable and sendmail_submit_enable are set to "NO" [this
> is true in my case], you must do one of two things for command line
> submitted mail:
>
> 1. Designate an alternative host for the submission agent to contact
>    by altering /etc/mail/freebsd.submit.mc (or setting
>    SENDMAIL_SUBMIT_MC in /etc/make.conf to an alternate .mc file) and
>    using 'make install-submit-cf' in /etc/mail/. Change the
>    FEATURE(msp) line to FEATURE(msp, hostname) where hostname is the
>    fully qualified hostname of the alternative host.
>
> Or:
>
> 2. Return to using a set-user-ID root sendmail binary by changing the
>    ownership and permissions on the sendmail binary and removing the
>    /etc/mail/submit.cf file:
>
>      chown root /usr/libexec/sendmail/sendmail
>      chmod 4755 /usr/libexec/sendmail/sendmail
>      rm /etc/mail/submit.cf
>
>    If you install from source, set the SENDMAIL_SET_USER_ID flag in
>    /etc/make.conf.
> [...]

The first of the two suggestions isn't an option for me; I control only this single mailserver. And I'm not quite sure about the second: I'd rather avoid a set-user-ID root sendmail if possible. I just want postfix to handle mail that comes from the command line destined for localhost 25.

In case there's something I can do inside postfix so that it binds the daemon to localhost 25 before the vestigial sendmail gets there, here are my postfix settings:

  [satyr ~]$ postconf -n
  alias_database = hash:/etc/mail/aliases
  alias_maps = hash:/etc/mail/aliases
  allow_percent_hack = no
  append_at_myorigin = yes
  append_dot_mydomain = no
  biff = no
  bounce_queue_lifetime = 4h
  bounce_size_limit = 10000
  broken_sasl_auth_clients = yes
  command_directory = /usr/local/sbin
  config_directory = /usr/local/etc/postfix
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/db/postfix
  default_destination_concurrency_limit = 10
  default_privs = nobody
  delay_warning_time = 1h
  disable_vrfy_command = yes
  fast_flush_domains = $relay_domains
  header_checks = regexp:/etc/postfix/header_checks
  html_directory = no
  inet_interfaces = all
  local_destination_concurrency_limit = 2
  local_recipient_maps = unix:passwd.byname, $alias_maps
  luser_relay =
  mail_name = $mydomain Mail Daemon
  mail_owner = postfix
  mail_spool_directory = /var/mail
  mailbox_command = /usr/local/bin/procmail -a "$EXTENSION"
  mailbox_size_limit = 0
  manpage_directory = /usr/local/man
  maximal_queue_lifetime = 4h
  message_size_limit = 102400000
  mydestination = $myhostname, localhost.$mydomain, localhost
  mydomain = jorge.cc
  myhostname = satyr.jorge.cc
  mynetworks_style = host
  myorigin = $mydomain
  newaliases_path = /usr/local/bin/newaliases
  notify_classes = resource, software
  recipient_delimiter = +
  relay_domains = $mydestination
  sample_directory = /usr/local/etc/postfix
  sendmail_path = /usr/sbin/sendmail
  setgid_group = postdrop
  show_user_unknown_table_name = no
  smtp_tls_loglevel = 1
  smtp_tls_note_starttls_offer = yes
  smtp_tls_security_level = may
  smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
  smtp_tls_session_cache_timeout = 3600s
  smtp_use_tls = yes
  smtpd_banner = $mail_name ESMTP
  smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_unknown_client_hostname, reject_unauth_pipelining
  smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
  smtpd_delay_reject = yes
  smtpd_error_sleep_time = 1s
  smtpd_hard_error_limit = 20
  smtpd_helo_required = yes
  smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:$config_directory/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_authenticated_header = yes
  smtpd_sasl_local_domain = $myhostname
  smtpd_sasl_path = private/auth
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_tls_security_options = noanonymous
  smtpd_sasl_type = dovecot
  smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
  smtpd_soft_error_limit = 10
  smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
  smtpd_tls_always_issue_session_ids = yes
  smtpd_tls_auth_only = no
  smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
  smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
  smtpd_tls_loglevel = 1
  smtpd_tls_received_header = yes
  smtpd_tls_security_level = may
  smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
  smtpd_tls_session_cache_timeout = 3600s
  smtpd_use_tls = yes
  strict_rfc821_envelopes = no
  swap_bangpath = no
  tls_daemon_random_bytes = 32
  tls_random_exchange_name = $data_directory/prng_exch
  tls_random_prng_update_period = 3600s
  tls_random_reseed_period = 3600s
  tls_random_source = dev:/dev/urandom
  unknown_local_recipient_reject_code = 450

The weird thing is that sending mail with telnet through port 25 returns the postfix welcome, and it's postfix that seems to accept the mail:

  [jorge@satyr /etc/mail]$ telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 jorge.cc Mail Daemon ESMTP
  EHLO satyr.jorge.cc
  250-satyr.jorge.cc
  250-PIPELINING
  250-SIZE 102400000
  250-ETRN
  250-STARTTLS
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  MAIL FROM: jo...@jorge.cc
  250 2.1.0 Ok
  RCPT TO: jo...@jorge.cc
  250 2.1.5 Ok
  DATA
  354 End data with <CR><LF>.<CR><LF>
  test
  .
  250 2.0.0 Ok: queued as A1774108E2C
  QUIT
  221 2.0.0 Bye
  Connection closed by foreign host.

And here's the logfile:

  Feb 10 14:59:50 satyr postfix/qmgr[72725]: 4CF3A108E32: from=<jorge@localhost>, size=320, nrcpt=1 (queue active)
  Feb 10 14:59:50 satyr sendmail[91511]: NOQUEUE: SYSERR(jorge): can not chdir(/var/spool/clientmqueue/): Permission denied

The email isn't stacking up in any other queue that I can find. The logfile goes on to record a seemingly successful procmail relay to gmail:

  Feb 10 15:29:23 satyr postfix/smtpd[5845]: connect from satyr[69.55.232.70]
  Feb 10 15:30:52 satyr postfix/smtpd[5845]: 61766108E39: client=satyr[69.55.232.70]
  Feb 10 15:31:08 satyr postfix/cleanup[6234]: 61766108E39: message-id=<20120210203052.61766108...@satyr.jorge.cc>
  Feb 10 15:31:08 satyr postfix/qmgr[72725]: 61766108E39: from=<jo...@jorge.cc>, size=322, nrcpt=1 (queue active)
  Feb 10 15:31:08 satyr postfix/smtp[6478]: setting up TLS connection to gmail-smtp-in.l.google.com[74.125.45.26]:25
  Feb 10 15:31:08 satyr postfix/smtp[6478]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.45.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  Feb 10 15:31:08 satyr postfix/smtp[6478]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.45.26]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
  Feb 10 15:31:09 satyr postfix/smtp[6478]: 61766108E39: to=<jlg.in...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.45.26]:25, delay=48, delays=46/0.02/0.45/0.77, dsn=2.0.0, status=sent (250 2.0.0 OK 1328905874 s61si7054629yhn.36)
  Feb 10 15:31:09 satyr postfix/qmgr[72725]: 61766108E39: removed
  Feb 10 15:31:28 satyr postfix/smtpd[5845]: disconnect from satyr[69.55.232.70]
  satyr#

I'm completely flummoxed by this. Ripping sendmail out of FreeBSD by the roots may not be such a good idea, so I've avoided that, though I would have thought that mailwrapper and the rc.conf settings would have accomplished essentially the same thing.

Thanks very much in advance for any help.

-- 
Jorge Luis González <jlg.in...@gmail.com>
http://people.umass.edu/jlg/
This email optimized for teletypes.
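The post hinges on which binary mailwrapper runs when a program calls /usr/sbin/sendmail (the sendmail_path shown above). The script below, added here as an example and not part of the original post, audits a mailer.conf(5) file for entries that still resolve to the base-system MSP under /usr/libexec/sendmail/; it assumes the standard "program path" line format and that the Postfix port installs its sendmail-compatible binary at /usr/local/sbin/sendmail.

```shell
#!/bin/sh
# Added example, not from the original post: audit a FreeBSD mailer.conf(5)
# to see whether mailwrapper still hands command-line mail to the base
# sendmail MSP (the /usr/libexec/sendmail/ binary behind the chdir error).
# Assumed mailer.conf format: "<program> <path>" per line, '#' comments.
# Assumed Postfix port binary: /usr/local/sbin/sendmail (the wanted target).

BASE_SENDMAIL_DIR=/usr/libexec/sendmail
POSTFIX_SENDMAIL=/usr/local/sbin/sendmail

# Print "<program> <path> <verdict>" for each mapping in the given file.
# Verdict: base-sendmail (still the FreeBSD MSP), postfix, or other.
mailwrapper_audit() {
    while read -r prog target _rest; do
        case "$prog" in ''|\#*) continue ;; esac
        case "$target" in
            "$BASE_SENDMAIL_DIR"/*) verdict=base-sendmail ;;
            "$POSTFIX_SENDMAIL")    verdict=postfix ;;
            *)                      verdict=other ;;
        esac
        printf '%s %s %s\n' "$prog" "$target" "$verdict"
    done < "$1"
}

# Exit 0 only when none of the mapped programs resolve to the base sendmail.
mailwrapper_is_clean() {
    ! mailwrapper_audit "$1" | grep -q ' base-sendmail$'
}

# FreeBSD-only helper: show which process actually owns TCP port 25, to
# confirm it is postfix/master and not a stray sendmail daemon.
port25_listener() {
    sockstat -4 -l -p 25
}

# Stand-alone use: "sh audit.sh --live" checks the real /etc/mail/mailer.conf.
if [ "${1:-}" = "--live" ]; then
    mailwrapper_audit /etc/mail/mailer.conf
    mailwrapper_is_clean /etc/mail/mailer.conf ||
        echo "mailer.conf still routes some programs to $BASE_SENDMAIL_DIR" >&2
fi
```

A mapping that reports base-sendmail means mail(1), syslogd and anything else that execs /usr/sbin/sendmail never reaches Postfix at all, regardless of what listens on port 25.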