On Fri, Feb 10, 2012 at 3:50 PM, CSS <c...@morefoo.com> wrote:
>
> On Feb 10, 2012, at 3:42 PM, Jorge Luis Gonzalez wrote:
>
>> I'm posting this to the postfix list rather than the FreeBSD list
>> because I've found the level of expertise here to be almost
>> unsurpassed.
>>
>> In trying to substitute postfix for sendmail on FreeBSD 8.0, I've come
>> across a problem with mail sent from the command line (including mail
>> from the syslogd daemon).
>> No matter what I do to disable the sendmail binary (using mailwrapper)
>> sendmail seems to grab port 25 on the localhost and any mail sent from
>> the command line that's destined
>> for a local account is shunted off, even while the mail reaches
>> procmail and is properly forwarded to gmail as per my recipe.
>
> Your logs don't indicate sendmail listening on port 25 at all.
>
> You should post the sendmail_* lines in /etc/rc.conf and the contents
> of /etc/mail/mailer.conf.
>
> What you're showing here really looks like you don't have
> mailer.conf properly configured.
>
> Thanks,
>
> Charles

Here are all the sendmail and postfix entries in rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
dovecot_enable="YES"

And here's /etc/mail/mailer.conf:

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail                  /usr/local/sbin/sendmail
send-mail                /usr/local/sbin/sendmail
mailq                    /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail

You're correct that it's not sendmail listening on tcp 25; it's
postfix's master.  But why the caution in the README that sendmail
will bind to 25 if "NO" is specified in rc.conf?  And what's the queue
that fails with a permission block, clientmqueue, owned by smmsp?

satyr# netstat -a | egrep 'Proto|LISTEN'
Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
tcp4       0      0  satyr.smtp             *.*                   LISTEN


satyr# sockstat -46 | grep ':25'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     25052 12 tcp4   69.55.232.70:25       *:*
satyr#


>
>>
>> After going through all the steps of disabling sendmail in rc.conf and
>> setting up mailwrapper I am getting the following error:
>>
>> [satyr ~]$ mail -s test jorge
>> test
>> .
>>
>> [satyr ~]$ WARNING: RunAsUser for MSP ignored, check group ids
>> (egid=1002, want=25)
>> can not chdir(/var/spool/clientmqueue/): Permission denied
>> Program mode requires special privileges, e.g., root or TrustedUser.
>>
>> Here's the corresponding logfile entry, which seems pretty clearly to
>> point to the (presumably) disabled sendmail:
>>
>> satyr# tail /var/log/maillog
>> Feb  9 09:16:00 satyr sendmail[63415]: NOQUEUE: SYSERR(jorge): can not
>> chdir(/var/spool/clientmqueue/): Permission denied
>>
>> Here are the permissions and owners of the queue:
>>
>> satyr# ls -ld /var/spool/clientmqueue/
>> drwxrwx---  2 smmsp  smmsp  512 Feb  9 06:57 /var/spool/clientmqueue/
>>
>> I then ran across the following sendmail README on FreeBSD:
>>
>> [...]
>>
>> As of sendmail 8.12, in order to improve security, the sendmail binary no
>> longer needs to be set-user-ID root.  Instead, a set-group-ID binary
>> accepts command line mail and relays it to a full mail transfer agent via
>> SMTP.  A group writable client mail queue (/var/spool/clientmqueue/ by
>> default) holds the mail if an MTA can not be contacted.
>>
>> To accomplish this, under the default setup, an MTA must be listening on
>> localhost port 25.  If the rc.conf sendmail_enable option is set to "NO",
>> a sendmail daemon will still be started and bound only to the localhost
>> interface in order to accept command line submitted mail (note that this
>> does not work inside jail(2) systems as jails do not allow binding to
>> just the localhost interface).  If this is not a desirable solution, it
>> can be disabled using the sendmail_submit_enable rc.conf option.  However,
>> if both sendmail_enable and sendmail_submit_enable are set to "NO"
>> [this is true in my case],
>> you must do one of two things for command line submitted mail:
>>
>> 1. Designate an alternative host for the submission agent to contact
>>   by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC
>>   in /etc/make.conf to an alternate .mc file) and using
>>   'make install-submit-cf' in /etc/mail/.  Change the FEATURE(msp) line
>>   to FEATURE(msp, hostname) where hostname is the fully qualified hostname
>>   of the alternative host.
>>
>> Or:
>>
>> 2. Return to using a set-user-ID root sendmail binary by changing the
>>   ownership and permissions on the sendmail binary and removing the
>>   /etc/mail/submit.cf file:
>>        chown root /usr/libexec/sendmail/sendmail
>>        chmod 4755 /usr/libexec/sendmail/sendmail
>>        rm /etc/mail/submit.cf
>>   If you install from source, set the SENDMAIL_SET_USER_ID flag in
>>   /etc/make.conf.
>>
>> [...]
>>
>> The first of the two suggestions isn't an option for me; I control
>> only this single mailserver.  And I'm not quite sure about the
>> second: I'd rather avoid a set-user-ID root sendmail if possible.  I
>> just want postfix to handle mail that comes from the command
>> line destined for localhost 25.
>>
>> In case there's something I can do inside postfix so that it binds the
>> daemon to localhost 25 before the vestigial sendmail
>> gets there, here are my postfix settings:
>>
>> [satyr ~]$ postconf -n
>> alias_database = hash:/etc/mail/aliases
>> alias_maps = hash:/etc/mail/aliases
>> allow_percent_hack = no
>> append_at_myorigin = yes
>> append_dot_mydomain = no
>> biff = no
>> bounce_queue_lifetime = 4h
>> bounce_size_limit = 10000
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/local/sbin
>> config_directory = /usr/local/etc/postfix
>> daemon_directory = /usr/local/libexec/postfix
>> data_directory = /var/db/postfix
>> default_destination_concurrency_limit = 10
>> default_privs = nobody
>> delay_warning_time = 1h
>> disable_vrfy_command = yes
>> fast_flush_domains = $relay_domains
>> header_checks = regexp:/etc/postfix/header_checks
>> html_directory = no
>> inet_interfaces = all
>> local_destination_concurrency_limit = 2
>> local_recipient_maps = unix:passwd.byname, $alias_maps
>> luser_relay =
>> mail_name = $mydomain Mail Daemon
>> mail_owner = postfix
>> mail_spool_directory = /var/mail
>> mailbox_command = /usr/local/bin/procmail -a "$EXTENSION"
>> mailbox_size_limit = 0
>> manpage_directory = /usr/local/man
>> maximal_queue_lifetime = 4h
>> message_size_limit = 102400000
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> mydomain = jorge.cc
>> myhostname = satyr.jorge.cc
>> mynetworks_style = host
>> myorigin = $mydomain
>> newaliases_path = /usr/local/bin/newaliases
>> notify_classes = resource, software
>> recipient_delimiter = +
>> relay_domains = $mydestination
>> sample_directory = /usr/local/etc/postfix
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> show_user_unknown_table_name = no
>> smtp_tls_loglevel = 1
>> smtp_tls_note_starttls_offer = yes
>> smtp_tls_security_level = may
>> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
>> smtp_tls_session_cache_timeout = 3600s
>> smtp_use_tls = yes
>> smtpd_banner = $mail_name ESMTP
>> smtpd_client_restrictions = permit_mynetworks,
>>     reject_rbl_client zen.spamhaus.org, reject_unknown_client_hostname,
>>     reject_unauth_pipelining
>> smtpd_data_restrictions = reject_unauth_pipelining,
>>     reject_multi_recipient_bounce
>> smtpd_delay_reject = yes
>> smtpd_error_sleep_time = 1s
>> smtpd_hard_error_limit = 20
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks,
>>      check_helo_access hash:$config_directory/helo_access,
>>      reject_unauth_pipelining, reject_non_fqdn_hostname,
>>      reject_invalid_hostname
>> smtpd_recipient_restrictions = permit_mynetworks,
>>      permit_sasl_authenticated, reject_unauth_destination,
>>      reject_unauth_pipelining, reject_invalid_hostname
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = noanonymous
>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
>>     reject_unknown_sender_domain, reject_unknown_address
>> smtpd_soft_error_limit = 10
>> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_always_issue_session_ids = yes
>> smtpd_tls_auth_only = no
>> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> strict_rfc821_envelopes = no
>> swap_bangpath = no
>> tls_daemon_random_bytes = 32
>> tls_random_exchange_name = $data_directory/prng_exch
>> tls_random_prng_update_period = 3600s
>> tls_random_reseed_period = 3600s
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 450
>>
>> The weird thing is that sending mail with telnet through port 25
>> returns the postfix welcome and it's postfix that seems to accept the mail:
>>
>> [jorge@satyr /etc/mail]$ telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 jorge.cc Mail Daemon ESMTP
>> EHLO satyr.jorge.cc
>> 250-satyr.jorge.cc
>> 250-PIPELINING
>> 250-SIZE 102400000
>> 250-ETRN
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> MAIL FROM: jo...@jorge.cc
>> 250 2.1.0 Ok
>> RCPT TO: jo...@jorge.cc
>> 250 2.1.5 Ok
>> DATA
>> 354 End data with <CR><LF>.<CR><LF>
>> test
>> .
>>
>> 250 2.0.0 Ok: queued as A1774108E2C
>> QUIT
>> 221 2.0.0 Bye
>> Connection closed by foreign host.
>>
>> And here's the logfile:
>>
>> Feb 10 14:59:50 satyr postfix/qmgr[72725]: 4CF3A108E32:
>> from=<jorge@localhost>, size=320, nrcpt=1 (queue active)
>> Feb 10 14:59:50 satyr sendmail[91511]: NOQUEUE: SYSERR(jorge): can not
>> chdir(/var/spool/clientmqueue/): Permission denied
>>
>> The email isn't stacking up in any other queue that I can find.
>>
>> The logfile goes on to record a seemingly successful procmail relay to gmail:
>>
>> Feb 10 15:29:23 satyr postfix/smtpd[5845]: connect from satyr[69.55.232.70]
>> Feb 10 15:30:52 satyr postfix/smtpd[5845]: 61766108E39:
>> client=satyr[69.55.232.70]
>> Feb 10 15:31:08 satyr postfix/cleanup[6234]: 61766108E39:
>> message-id=<20120210203052.61766108...@satyr.jorge.cc>
>> Feb 10 15:31:08 satyr postfix/qmgr[72725]: 61766108E39:
>> from=<jo...@jorge.cc>, size=322, nrcpt=1 (queue active)
>> Feb 10 15:31:08 satyr postfix/smtp[6478]: setting up TLS connection to
>> gmail-smtp-in.l.google.com[74.125.45.26]:25
>> Feb 10 15:31:08 satyr postfix/smtp[6478]: certificate verification
>> failed for gmail-smtp-in.l.google.com[74.125.45.26]:25: untrusted
>> issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> Feb 10 15:31:08 satyr postfix/smtp[6478]: Untrusted TLS connection
>> established to gmail-smtp-in.l.google.com[74.125.45.26]:25: TLSv1 with
>> cipher RC4-SHA (128/128 bits)
>> Feb 10 15:31:09 satyr postfix/smtp[6478]: 61766108E39:
>> to=<jlg.in...@gmail.com>,
>> relay=gmail-smtp-in.l.google.com[74.125.45.26]:25, delay=48,
>> delays=46/0.02/0.45/0.77, dsn=2.0.0, status=sent (250 2.0.0 OK
>> 1328905874 s61si7054629yhn.36)
>> Feb 10 15:31:09 satyr postfix/qmgr[72725]: 61766108E39: removed
>> Feb 10 15:31:28 satyr postfix/smtpd[5845]: disconnect from 
>> satyr[69.55.232.70]
>> satyr#
>>
>>
>> I'm completely flummoxed by this.  Ripping sendmail by the roots out
>> of FreeBSD may not be such a good idea so I've avoided that, though I
>> would have thought that mailwrapper and the rc.conf settings would
>> have accomplished essentially the same thing.
>>
>> Thanks very much in advance for any help.
>>
>> --
>> Jorge Luis González <jlg.in...@gmail.com>
>> http://people.umass.edu/jlg/
>>
>> This email optimized for teletypes.
>



-- 
Jorge Luis González <jlg.in...@gmail.com>
http://people.umass.edu/jlg/
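The thread turns on two files, /etc/rc.conf and /etc/mail/mailer.conf, and on which binary actually ends up handling mail submitted from the command line. The script below is an added example, not code from the thread or from FreeBSD or Postfix: it parses a mailer.conf in the format shown above, checks that every name mailwrapper(8) is installed under (sendmail, send-mail, mailq, newaliases) dispatches to the Postfix sendmail at /usr/local/sbin/sendmail, and applies the rule quoted from the FreeBSD sendmail README to the sendmail_* rc.conf settings to say whether a base-system sendmail daemon would still be started. The sample mailer.conf and rc.conf files are constructed to match the ones posted in the thread (plus a deliberately broken mailer.conf variant), and the function names are hypothetical; the file paths are the thread's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the path that command-line
# mail(1) takes on FreeBSD. mail(1) executes /usr/sbin/sendmail, which is
# mailwrapper(8); mailwrapper looks the invoked name up in
# /etc/mail/mailer.conf and execs the program listed there. If any of
# the four names is missing or points at the base-system binary, that
# invocation bypasses Postfix. Function names below are hypothetical.

# mailer.conf lines are "<name> <whitespace> <program> [args]"; '#'
# starts a comment. Print the program mapped to NAME, or nothing.
mailerconf_lookup() {
    conf=$1; name=$2
    sed -e 's/#.*//' "$conf" |
        awk -v n="$name" 'NF >= 2 && $1 == n { print $2; exit }'
}

# Check that every name mailwrapper is installed under resolves to
# EXPECTED. Returns non-zero if any entry is missing or differs.
mailerconf_audit() {
    conf=$1; expected=$2; rc=0
    for n in sendmail send-mail mailq newaliases; do
        target=$(mailerconf_lookup "$conf" "$n")
        if [ -z "$target" ]; then
            echo "MISSING  $n (no mailer.conf entry; mailwrapper cannot dispatch it)"
            rc=1
        elif [ "$target" != "$expected" ]; then
            echo "MISMATCH $n -> $target (expected $expected)"
            rc=1
        else
            echo "ok       $n -> $target"
        fi
    done
    return $rc
}

# Last assignment of KEY in an rc.conf-style file, surrounding quotes removed.
rcconf_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# Apply the rule quoted from the FreeBSD sendmail README in the thread:
# sendmail_enable=YES -> full daemon; NO with sendmail_submit_enable
# unset/YES -> daemon bound to localhost only; both NO -> no daemon, so
# command-line mail must reach the MTA another way (here: mailwrapper).
sendmail_listener_state() {
    en=$(rcconf_value sendmail_enable "$1" | tr '[:upper:]' '[:lower:]')
    sub=$(rcconf_value sendmail_submit_enable "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$en" = "yes" ]; then
        echo "daemon: sendmail listens on port 25 on all interfaces"
    elif [ "$sub" = "no" ]; then
        echo "none: no sendmail daemon at all; command-line mail depends on mailer.conf"
    else
        echo "localhost: sendmail bound to 127.0.0.1:25 for command-line submissions"
    fi
}

# --- constructed sample files modelled on the thread's configuration ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

DEMO_MAILER_CONF=$DEMO_DIR/mailer.conf
cat > "$DEMO_MAILER_CONF" <<'EOF'
#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail
EOF

# A deliberately broken variant: one name still reaches the base sendmail,
# and one name has no entry at all.
DEMO_BAD_MAILER_CONF=$DEMO_DIR/mailer.conf.bad
cat > "$DEMO_BAD_MAILER_CONF" <<'EOF'
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/libexec/sendmail/sendmail
EOF

DEMO_RC_CONF=$DEMO_DIR/rc.conf
cat > "$DEMO_RC_CONF" <<'EOF'
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
EOF

echo "== $DEMO_MAILER_CONF"
if mailerconf_audit "$DEMO_MAILER_CONF" /usr/local/sbin/sendmail; then
    echo "all mailwrapper names dispatch to Postfix"
fi
echo "== $DEMO_BAD_MAILER_CONF"
if ! mailerconf_audit "$DEMO_BAD_MAILER_CONF" /usr/local/sbin/sendmail; then
    echo "at least one name bypasses Postfix"
fi
echo "== $DEMO_RC_CONF"
sendmail_listener_state "$DEMO_RC_CONF"
```

On a real host, run the same functions against /etc/mail/mailer.conf and /etc/rc.conf; pair the result with `ls -l /usr/sbin/sendmail` (it should be the mailwrapper binary) and `sockstat -46l | grep ':25'` to confirm which process actually owns port 25, as the thread does. A "none" state from rc.conf together with a clean mailer.conf audit means the only way command-line mail can reach the base-system MSP and its /var/spool/clientmqueue is a program that invokes the base sendmail binary directly rather than through /usr/sbin/sendmail.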