[exim] Re: "Spool error for" but seems to work ok
On 2024-12-22 Andrew C Aitchison via Exim-users wrote:
> On Sun, 22 Dec 2024, Marcin Owsiany via Exim-users wrote:
>> Would it make sense to write a simple /usr/lib/sendmail shim that
>> would simply forward its input to localhost:25 (or to a UNIX socket,
>> if Exim could be taught to listen on one, as that would allow it to
>> discover UID of the invoking process)?

> Exim supports RFC 1413 - Ident - so can discover the UID over TCP.
> Since this is on local host we can require Ident to be enabled.

> Listening on a UNIX socket could be useful,
> but is sufficiently niche that it would probably best
> be kept as a build time option if ever implemented.

> I'm assuming that LMTP is not an option in this case ?

Good morning,

take another look at the problem: We have some piece of software that
uses a generic interface to send mail (/usr/sbin/sendmail) and there is
breakage if /usr/sbin/sendmail happens to be exim. "Use BSMTP" is not a
solution for that.

cu Andreas

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
[exim] exim migration to different platform
I have an exim installation on host [A]. I want to pass the service
[backup MX, to collect email in case of maintenance stop for the main
server] to another server [B].

Is it enough after installing exim4 [both have same version 4.96 from
bookworm] on server B to copy all configuration files to the new server?
[the processor architecture is different, but I do not think this is a
problem with configuration files]

-- 
Leonardo Boselli
Firenze, Toscana, Europa
http://i.trail.it
[exim] Re: "Spool error for" but seems to work ok
On 22/12/2024 12:50, Andreas Metzler via Exim-users wrote:
> I think we just need to get accustomed to suspecting systemd hardening.
> (Cryptic permission error -> Probably* systemd service hardening,
> secondary candidates missing SUID bit, thirdly selinux or apparmor.)

Sadly, that's my default position also.

No doubt "AI" support agents will be offered to fix all the
issues ^W^W^W burn more electrons.

-- 
Cheers,
  Jeremy
[exim] Re: "Spool error for" but seems to work ok
On 2024-12-21 Jeremy Harris via Exim-users wrote:
> On 21/12/2024 16:11, Andreas Metzler via Exim-users wrote:
>> Last time I looked at a similar issue the respective service file did not
>> allow CAP_FOWNER CAP_CHOWN. Afaict from looking at
>> https://git.progress-linux.org/users/daniel.baumann/debian/packages/netdata/plain/debian/netdata.service
>> netdata does not either.

> Is there some way the applications (and their developers) are supposed
> to check for and report such runtime issues (given that errno doesn't
> supply helpful information...) ?

Hello,

I think we just need to get accustomed to suspecting systemd hardening.
(Cryptic permission error -> Probably* systemd service hardening,
secondary candidates missing SUID bit, thirdly selinux or apparmor.)

The key takeaway is that systemd service hardening will be of very
limited use and very hard to get right if the respective daemon invokes
complex third-party software which might need more/different permissions.
There is huge potential for whack-a-molish trial and error.

cu Andreas
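
An added example, not part of any message in this thread and not Exim or systemd code: a shell function that reads text in /proc/<pid>/status format and reports whether CAP_CHOWN or CAP_FOWNER is outside the capability bounding set and whether no_new_privs is set. The function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: which capabilities named in this thread are outside a
# process's bounding set? Input is text in /proc/<pid>/status format.

# Bit numbers as defined in <linux/capability.h>.
CAP_CHOWN=0
CAP_FOWNER=3

# status_field NAME: print the value of the "NAME:" line read from stdin.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# cap_absent HEXMASK BIT: true when BIT is clear in HEXMASK.
cap_absent() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 0 ]
}

# diagnose STATUS_TEXT: print space-separated findings, empty if none.
diagnose() {
    bnd=$(printf '%s\n' "$1" | status_field CapBnd)
    nnp=$(printf '%s\n' "$1" | status_field NoNewPrivs)
    if [ -z "$bnd" ]; then echo "CapBnd-not-found"; return 0; fi
    out=""
    if cap_absent "$bnd" "$CAP_CHOWN";  then out="$out no-CAP_CHOWN";  fi
    if cap_absent "$bnd" "$CAP_FOWNER"; then out="$out no-CAP_FOWNER"; fi
    # With no_new_privs set, execve() ignores set-user-ID bits.
    if [ "$nnp" = "1" ]; then out="$out no-new-privs"; fi
    echo "${out# }"
}

# Constructed samples (not captured from a real host).
HARDENED=$(printf 'Name:\tsendmail\nCapBnd:\t0000000000000400\nNoNewPrivs:\t1')
OPEN=$(printf 'Name:\tsendmail\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0')

echo "hardened: $(diagnose "$HARDENED")"
echo "open:     $(diagnose "$OPEN")"
```

For a live service, pass the contents of /proc/<pid>/status for the daemon's main PID; a child process such as an invoked sendmail inherits both the bounding set and no_new_privs.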
[exim] Re: "Spool error for" but seems to work ok
On Sun, 22 Dec 2024, 13:54 Andreas Metzler via Exim-users <exim-users@lists.exim.org> wrote:
> On 2024-12-21 Jeremy Harris via Exim-users wrote:
> > On 21/12/2024 16:11, Andreas Metzler via Exim-users wrote:
> >> Last time I looked at a similar issue the respective service file did not
> >> allow CAP_FOWNER CAP_CHOWN. Afaict from looking at
> >> https://git.progress-linux.org/users/daniel.baumann/debian/packages/netdata/plain/debian/netdata.service
> >> netdata does not either.
>
> > Is there some way the applications (and their developers) are supposed
> > to check for and report such runtime issues (given that errno doesn't
> > supply helpful information...) ?
>
> Hello,
>
> I think we just need to get accustomed to suspecting systemd hardening.
> (Cryptic permission error -> Probably* systemd service hardening,
> secondary candidates missing SUID bit, thirdly selinux or apparmor.)
>
> The key takeaway is that systemd service hardening will be of very
> limited use and very hard to get right if the respective daemon invokes
> complex third-party software which might need more/different permissions.
> There is huge potential for whack-a-molish trial and error.

Would it make sense to write a simple /usr/lib/sendmail shim that would
simply forward its input to localhost:25 (or to a UNIX socket, if Exim
could be taught to listen on one, as that would allow it to discover UID
of the invoking process)?

Marcin
[exim] Re: exim migration to different platform
On 22/12/2024 13:20, Leonardo Boselli via Exim-users wrote:
> I have an exim installation on host [A]. I want to pass the service
> [backup MX, to collect email in case of maintenance stop for the main
> server] to another server [B].
> Is it enough after installing exim4 [both have same version 4.96 from
> bookworm] on server B to copy all configuration files to the new server?

My preferred way is to have a config which handles either being
the primary MX for the overall system, or being a secondary which
forwards to the primary. The secondary can then be running well
in advance of any primary outage, planned or not, and will merely
queue if needed (and deliver eventually on queue-runs once the
primary reappears).

Your use of the name "exim4" implies a Debian (or related) system
[nobody else calls Exim that. Exim version 3 went obsolete twenty
years ago]. You should look at Debian docs regarding secondary MX
installations if you are running their configuration.

If your config on B thinks it should be delivering to files,
you'd end up having to deal with all those files, which I call
suboptimal.

-- 
Cheers,
  Jeremy
[exim] Re: "Spool error for" but seems to work ok
On Sun, 22 Dec 2024, Marcin Owsiany via Exim-users wrote:
> Would it make sense to write a simple /usr/lib/sendmail shim that
> would simply forward its input to localhost:25 (or to a UNIX socket,
> if Exim could be taught to listen on one, as that would allow it to
> discover UID of the invoking process)?

Exim supports RFC 1413 - Ident - so can discover the UID over TCP.
Since this is on local host we can require Ident to be enabled.

Listening on a UNIX socket could be useful,
but is sufficiently niche that it would probably best
be kept as a build time option if ever implemented.

I'm assuming that LMTP is not an option in this case ?

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk