On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote:

> I'm posting this to the postfix list rather than the FreeBSD list
> because I've found the level of expertise here to be almost
> unsurpassed.
>
> In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
> across a problem with mail sent from the command line (including mail
> from the syslogd daemon).
> No matter what I do to disable the sendmail binary (using mailwrapper),
> sendmail seems to grab port 25 on the localhost, and any mail sent from
> the command line that's destined for a local account is shunted off,
> even while the mail reaches procmail and is properly forwarded to gmail
> as per my recipe.
Your logs don't indicate sendmail listening on port 25 at all. You should
post the sendmail_* lines in /etc/rc.conf and the contents of
/etc/mail/mailer.conf. What you're showing here really looks like you
don't have mailer.conf properly configured.

Thanks,
Charles

> After going through all the steps of disabling sendmail in rc.conf and
> setting up mailwrapper I am getting the following error:
>
> [satyr ~]$ mail -s test jorge
> test
> .
>
> [satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids
> (egid=1002, want=25)
> can not chdir(/var/spool/clientmqueue/): Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
>
> Here's the corresponding logfile entry, which seems pretty clearly to
> point to the (presumably) disabled sendmail:
>
> satyr# tail /var/log/maillog
> Feb 9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not chdir(/var/spool/clientmqueue/): Permission denied
>
> Here are the permissions and owners of the queue:
>
> satyr# ls -ld /var/spool/clientmqueue/
> drwxrwx---  2 smmsp  smmsp  512 Feb 9 06:57 /var/spool/clientmqueue/
>
> I then ran across the following sendmail README on FreeBSD:
>
> [...]
>
> As of sendmail 8.12, in order to improve security, the sendmail binary no
> longer needs to be set-user-ID root. Instead, a set-group-ID binary
> accepts command line mail and relays it to a full mail transfer agent via
> SMTP. A group writable client mail queue (/var/spool/clientmqueue/ by
> default) holds the mail if an MTA can not be contacted.
>
> To accomplish this, under the default setup, an MTA must be listening on
> localhost port 25. If the rc.conf sendmail_enable option is set to "NO",
> a sendmail daemon will still be started and bound only to the localhost
> interface in order to accept command line submitted mail (note that this
> does not work inside jail(2) systems as jails do not allow binding to
> just the localhost interface).
> If this is not a desirable solution, it
> can be disabled using the sendmail_submit_enable rc.conf option. However,
> if both sendmail_enable and sendmail_submit_enable are set to "NO"
> [this is true in my case],
> you must do one of two things for command line submitted mail:
>
> 1. Designate an alternative host for the submission agent to contact
>    by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC
>    in /etc/make.conf to an alternate .mc file) and using
>    'make install-submit-cf' in /etc/mail/. Change the FEATURE(msp) line
>    to FEATURE(msp, hostname) where hostname is the fully qualified hostname
>    of the alternative host.
>
> Or:
>
> 2. Return to using a set-user-ID root sendmail binary by changing the
>    ownership and permissions on the sendmail binary and removing the
>    /etc/mail/submit.cf file:
>        chown root /usr/libexec/sendmail/sendmail
>        chmod 4755 /usr/libexec/sendmail/sendmail
>        rm /etc/mail/submit.cf
>    If you install from source, set the SENDMAIL_SET_USER_ID flag in
>    /etc/make.conf.
>
> [...]
>
> The first of the two suggestions isn't an option for me; I control
> only this single mailserver. And I'm not quite sure about the
> second: I'd rather avoid a set-user-ID root sendmail if possible. I
> just want postfix to handle mail that comes from the command
> line destined for localhost 25.
> In case there's something I can do inside postfix so that it binds the
> daemon to localhost 25 before the vestigial sendmail gets there, here
> are my postfix settings:
>
> [satyr ~]$ postconf -n
> alias_database = hash:/etc/mail/aliases
> alias_maps = hash:/etc/mail/aliases
> allow_percent_hack = no
> append_at_myorigin = yes
> append_dot_mydomain = no
> biff = no
> bounce_queue_lifetime = 4h
> bounce_size_limit = 10000
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> default_destination_concurrency_limit = 10
> default_privs = nobody
> delay_warning_time = 1h
> disable_vrfy_command = yes
> fast_flush_domains = $relay_domains
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = all
> local_destination_concurrency_limit = 2
> local_recipient_maps = unix:passwd.byname, $alias_maps
> luser_relay =
> mail_name = $mydomain Mail Daemon
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_command = /usr/local/bin/procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> manpage_directory = /usr/local/man
> maximal_queue_lifetime = 4h
> message_size_limit = 102400000
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = jorge.cc
> myhostname = satyr.jorge.cc
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> notify_classes = resource, software
> recipient_delimiter = +
> relay_domains = $mydestination
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_tls_loglevel = 1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_banner = $mail_name ESMTP
> smtpd_client_restrictions = permit_mynetworks,
>     reject_rbl_client zen.spamhaus.org, reject_unknown_client_hostname,
>     reject_unauth_pipelining
> smtpd_data_restrictions = reject_unauth_pipelining,
>     reject_multi_recipient_bounce
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
>     check_helo_access hash:$config_directory/helo_access,
>     reject_unauth_pipelining, reject_non_fqdn_hostname,
>     reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, reject_unauth_destination,
>     reject_unauth_pipelining, reject_invalid_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
>     reject_unknown_sender_domain, reject_unknown_address
> smtpd_soft_error_limit = 10
> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_always_issue_session_ids = yes
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> strict_rfc821_envelopes = no
> swap_bangpath = no
> tls_daemon_random_bytes = 32
> tls_random_exchange_name = $data_directory/prng_exch
> tls_random_prng_update_period = 3600s
> tls_random_reseed_period = 3600s
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 450
>
> The weird thing is that sending mail with telnet through port 25
> returns the postfix welcome and it's postfix that seems to accept the mail:
> [jorge@satyr /etc/mail]$ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 jorge.cc Mail Daemon ESMTP
> EHLO satyr.jorge.cc
> 250-satyr.jorge.cc
> 250-PIPELINING
> 250-SIZE 102400000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: jo...@jorge.cc
> 250 2.1.0 Ok
> RCPT TO: jo...@jorge.cc
> 250 2.1.5 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> test
> .
> 250 2.0.0 Ok: queued as A1774108E2C
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> And here's the logfile:
>
> Feb 10 14:59:50 satyr postfix/qmgr[72725]: 4CF3A108E32: from=<jorge@localhost>, size=320, nrcpt=1 (queue active)
> Feb 10 14:59:50 satyr sendmail[91511]: NOQUEUE: SYSERR(jorge): can not chdir(/var/spool/clientmqueue/): Permission denied
>
> The email isn't stacking up in any other queue that I can find.
>
> The logfile goes on to record a seemingly successful procmail relay to gmail:
>
> Feb 10 15:29:23 satyr postfix/smtpd[5845]: connect from satyr[69.55.232.70]
> Feb 10 15:30:52 satyr postfix/smtpd[5845]: 61766108E39: client=satyr[69.55.232.70]
> Feb 10 15:31:08 satyr postfix/cleanup[6234]: 61766108E39: message-id=<20120210203052.61766108...@satyr.jorge.cc>
> Feb 10 15:31:08 satyr postfix/qmgr[72725]: 61766108E39: from=<jo...@jorge.cc>, size=322, nrcpt=1 (queue active)
> Feb 10 15:31:08 satyr postfix/smtp[6478]: setting up TLS connection to gmail-smtp-in.l.google.com[74.125.45.26]:25
> Feb 10 15:31:08 satyr postfix/smtp[6478]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.45.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> Feb 10 15:31:08 satyr postfix/smtp[6478]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.45.26]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
> Feb 10 15:31:09 satyr postfix/smtp[6478]: 61766108E39: to=<jlg.in...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.45.26]:25, delay=48, delays=46/0.02/0.45/0.77, dsn=2.0.0, status=sent (250 2.0.0 OK 1328905874 s61si7054629yhn.36)
> Feb 10 15:31:09 satyr postfix/qmgr[72725]: 61766108E39: removed
> Feb 10 15:31:28 satyr postfix/smtpd[5845]: disconnect from satyr[69.55.232.70]
> satyr#
>
>
> I'm completely flummoxed by this. Ripping sendmail by the roots out
> of FreeBSD may not be such a good idea so I've avoided that, though I
> would have thought that mailwrapper and the rc.conf settings would
> have accomplished essentially the same thing.
>
> Thanks very much in advance for any help.
>
> --
> Jorge Luis González <jlg.in...@gmail.com>
> http://people.umass.edu/jlg/
>
> This email optimized for teletypes.
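Added example (editor's note, not part of the thread and not FreeBSD or Postfix code). The "WARNING: RunAsUser for MSP ignored" and "can not chdir(/var/spool/clientmqueue/)" lines in the quoted message are printed by the base-system sendmail running in its set-group-ID MSP mode, which is exactly what the reply's pointer to /etc/mail/mailer.conf is about: if mailwrapper still maps "sendmail" to /usr/libexec/sendmail/sendmail, `mail -s test jorge` never touches postfix no matter what is listening on port 25. The script below reads the two files the reply asked for and reports whether command-line mail has actually been diverted. The function names are the editor's; the postfix wrapper paths in the "good" sample follow the quoted command_directory = /usr/local/sbin but the exact wrapper names are an assumption; the four sendmail_* rc.conf knobs are the standard FreeBSD ones, with sendmail_enable and sendmail_submit_enable from the README quoted above. All sample files are constructed inline so the script runs offline.

```shell
# Added example, not from the thread. Checks the two files asked for in the
# reply (/etc/mail/mailer.conf and /etc/rc.conf) for the configuration that
# still lets the base-system sendmail MSP answer command-line mail.

# Print the path a mailer.conf maps PROGRAM to (empty if there is no entry).
# Format: "program<whitespace>path", '#' comment lines, blank lines.
mailer_target() {
    awk -v prog="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == prog { print $2; exit }
    ' "$1"
}

# Print the effective value of NAME in an rc.conf-style file: last assignment
# wins, surrounding quotes are stripped, trailing comments are dropped and
# commented-out assignments are skipped. Prints an empty line if NAME is unset.
rc_value() {
    awk -v name="$2" -v sq="'" '
        /^[[:space:]]*#/ || index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", key)
            if (key != name) next
            val = substr($0, index($0, "=") + 1)
            q = substr(val, 1, 1)
            if (q == "\"" || q == sq) { val = substr(val, 2); sub(q ".*$", "", val) }
            else sub(/[[:space:]#].*$/, "", val)
            last = val
        }
        END { print last }
    ' "$1"
}

# The base-system binary whose MSP mode logged the chdir(clientmqueue) error.
BASE_SENDMAIL=/usr/libexec/sendmail/sendmail

# Every command-line entry point mailwrapper knows about must be diverted.
check_mailer_conf() {
    conf=$1 status=0
    for prog in sendmail send-mail mailq newaliases; do
        target=$(mailer_target "$conf" "$prog")
        case "$target" in
            "")               echo "  $prog: no entry in $conf"; status=1 ;;
            "$BASE_SENDMAIL") echo "  $prog -> $target (base-system sendmail)"; status=1 ;;
            *)                echo "  $prog -> $target" ;;
        esac
    done
    return $status
}

# sendmail_enable="NO" alone leaves the localhost submission daemon and the
# MSP queue runner on via /etc/defaults/rc.conf, so all four knobs must be
# set explicitly; an unset knob is treated as a failure on purpose.
check_rc_conf() {
    rc=$1 status=0
    for knob in sendmail_enable sendmail_submit_enable \
                sendmail_outbound_enable sendmail_msp_queue_enable; do
        value=$(rc_value "$rc" "$knob")
        case "$knob:$value" in
            sendmail_enable:NONE|*:NO) echo "  $knob=$value" ;;
            *:)  echo "  $knob unset (rc default applies)"; status=1 ;;
            *)   echo "  $knob=$value (should be NO)"; status=1 ;;
        esac
    done
    return $status
}

# Succeeds only when both files hand command-line mail to postfix.
check_mta_switch() {
    ok=0
    echo "mailer.conf ($1):"; check_mailer_conf "$1" || ok=1
    echo "rc.conf ($2):";     check_rc_conf "$2"     || ok=1
    return $ok
}

# Constructed sample files standing in for the real /etc files.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/mailer.conf.default" <<'EOF'
# FreeBSD default: every program name goes to the base-system sendmail
sendmail    /usr/libexec/sendmail/sendmail
send-mail   /usr/libexec/sendmail/sendmail
mailq       /usr/libexec/sendmail/sendmail
newaliases  /usr/libexec/sendmail/sendmail
EOF
cat > "$SAMPLES/mailer.conf.postfix" <<'EOF'
# Postfix wrappers under command_directory = /usr/local/sbin (assumed names)
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/mailq
newaliases  /usr/local/sbin/newaliases
EOF
cat > "$SAMPLES/rc.conf.half" <<'EOF'
# sendmail_enable="YES"   # commented out: must be ignored
sendmail_enable="NO"      # MTA off, but the submit daemon still starts
EOF
cat > "$SAMPLES/rc.conf.full" <<'EOF'
sendmail_enable="NO"
sendmail_submit_enable='NO'
sendmail_outbound_enable=NO      # unquoted value with a trailing comment
sendmail_msp_queue_enable="YES"
sendmail_msp_queue_enable="NO"   # last assignment wins
postfix_enable="YES"
EOF

for pair in "mailer.conf.default rc.conf.half" "mailer.conf.postfix rc.conf.full"; do
    set -- $pair
    if check_mta_switch "$SAMPLES/$1" "$SAMPLES/$2"; then
        echo "=> command-line mail goes to postfix"
    else
        echo "=> the base-system sendmail is still reachable"
    fi
done
```

Run it against the live files with `check_mta_switch /etc/mail/mailer.conf /etc/rc.conf` after sourcing the script. Once both checks pass, repeat the `mail -s test jorge` step from the quoted message: /var/log/maillog should then show postfix/pickup and postfix/local entries for the message instead of a sendmail[pid] line, and nothing should land in /var/spool/clientmqueue/. The script deliberately does not look at port 25 at all, since the quoted logs already show postfix answering there; the question is which binary `mail` executes, not who owns the socket.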