--- Begin Message ---
Today's Topics:

   1. Re: non-suid root webmail? (Steve Jacobs)
   2. Re: non-suid root webmail? (Sam Varshavchik)
   3. Re: authdaemond.ldap logging level (Sam Varshavchik)
   4. Re: sqwebmail empty attachement (Sam Varshavchik)
   5. Re: Re: SHUTDOWN: respawnhi limit reached. (Johannes Erdfelt)
   6. Re: Re: SHUTDOWN: respawnhi limit reached. (Aly S.P Dharshi)
   7. Re: SHUTDOWN: respawnhi limit reached. (Sam Varshavchik)
   8. Re: SHUTDOWN: respawnhi limit reached. (Sam Varshavchik)
   9. Re: Re: SHUTDOWN: respawnhi limit reached. (Johannes Erdfelt)
  10. Re: Re: SHUTDOWN: respawnhi limit reached. (Johannes Erdfelt)
  11. selinux with courier MTA (Shaun Savage)
--- Begin Message ---
You can remove the SUID bit altogether and run apache as the virtual mail
user if you would like. Setting the binary SUID to the user should work
too.

Steve Jacobs                                  http://www.viaduct.com
Systems Engineer                              Viaduct Inc.
"From there to here, from here to there, funny things are everywhere."
             -- Dr. Seuss

On Fri, 14 Dec 2001, Peter C. Norton wrote:

> In an environment where all users are virtual users, and all delivery takes
> place via one uid, can the webmail binary be setuid to the virtual mail user
> rather then root?
>
> --
> The 5 year plan:
> In five years we'll make up another plan.
> Or just re-use this one.
>
> _______________________________________________
> courier-users mailing list
> [EMAIL PROTECTED]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>


--- End Message ---
--- Begin Message ---
Peter C. Norton writes:

> In an environment where all users are virtual users, and all delivery takes
> place via one uid, can the webmail binary be setuid to the virtual mail user
> rather then root?

You can, provided that you also use the configure script option to set the
owner of the login cache directory to the same (it defaults to bin, which
won't work if sqwebmail cannot set itself to run as the bin user).

There will also be a similar issue with groupware calendaring, which also
needs to be resolved the same way.

--
Sam

--- End Message ---
--- Begin Message ---
Leon writes:

> Sorry, I just don't get it. Please consider the following logs(Original text
> at bottom of file) :
>
> This comes from /var/log/messages
>
> Dec 14 11:24:44 hostname authdaemond.ldap: copy_value homeDirectory: /users/rvw
> Dec 14 11:24:44 hostname authdaemond.ldap: copy_value cn: Mae A West
> Dec 14 11:24:44 hostname authdaemond.ldap: copy_value userPassword: {crypt}password

> this?? Didn't set it up myself, but I can't stop it, so I probably couldn't
> have set it up anyway. :-(

You compiled with DEBUG_LDAP enabled.  You requested LDAP debugging
information, and you got it.  Recompile with DEBUG_LDAP turned off.

--
Sam

--- End Message ---
--- Begin Message ---
Philippe Strauss writes:

> On Thu, Dec 13, 2001 at 06:11:53PM -0500, Sam Varshavchik wrote:
>> Philippe Strauss writes:
>>
>> >Hello!
>> >
>> >I'm stunt with this: on a freshly installed debian woody,
>> >sqwebmail complain with this when uploading
>> >an attachement:
>> >
>> >    ERROR: You have exceeded your quota
>> >
>> >It's a hosted domain setup, with all mailboxes under
>> >
>> >/var/virtualmail/domain.com/userpart/
>> >
>> >with uid and gid, virtualmail, set to 200
>>
>> This error can get generated if the makemime binary is missing or
>> corrupted. This is one of those things that is not expected to happen.
>
> Thanks Sam.
> makemime is in the 'maildrop' package, but
> maildrop and courier are not in sync in debian.
>
> I replaced makemime from debian maildrop pkg with a
> hand compiled one from courier source and it now works.
>
> mail:/usr/src/courier-0.36.1# cp -f courier/makemime /usr/bin/makemime
>
>
> Stephan, the maildrop / courier packaging issue is here
> again under a new form :))

maildrop, when compiled from maildrop-version.tar.gz, is slightly different
than maildrop compiled from courier-version.tar.gz

You need to package courier-maildrop separately, which cannot be
simultaneously installed with the standalone maildrop package.

> ii  courier-base   0.36.0-1       Courier Mail Server Suite Base System

...

> ii  sqwebmail      0.36.0-1       Webmail Server
> ii  maildrop       1.3.0-1        mail delivery agent with filtering abilities

No, no, no.  This is the standalone version of maildrop.  Can't have it
installed with Courier.

--
Sam


--- End Message ---
--- Begin Message ---
On Fri, Dec 07, 2001, Sam Varshavchik <[EMAIL PROTECTED]> wrote:
> Johannes Erdfelt writes:
>
> > On Thu, Dec 06, 2001, Gordon Messmer <[EMAIL PROTECTED]> wrote:
> >> On Thu, 6 Dec 2001, Johannes Erdfelt wrote:
> >> > The mail server is busy much of the time, but I don't think it's busy
> >> > enough to naturally hit the respawnhi timeout. It looks like somehow
> >> > courier missed that a child finished and that's why it hit the respawnhi
> >> > timeout.
> >>
> >> I was wrong about that.  The child processes are still legitimately
> >> running.  As fate would have it just as I started this email, I was pulled
> >> in to some mail server issues and noticed that the respawnhi thing had
> >> happened again.  All of the couriersmtp processes were stuck in a read()
> >> system call on fd 5.  I have the control file from a couple, and there are
> >> lots of DNS failures recorded.
> >>
> >> It's much too late to do any debugging right now, but I'll be over this
> >> tomorrow.  In any case, it's not that courierd isn't harvesting children,
> >> it's that the children are blocking on an unprotected read().  (I thought
> >> they all had alarms in place...  /me shrugs)
> >
> > I checked for any running processes, but I couldn't find any. I do have
> > lots of courier related process running (authdaemon, pop and imap) so I
> > may have missed one.
> >
> > Either way, my system sat for 6 hours or so doing nothing. If you're
> > right that there was a process still running, something is missing a
> > timeout.
> >
> > I wonder what the longest timeout is. I guess presumably the respawnhi
> > could happen at a time right after a legitimate process is spawned which
> > then needs to timeout to a client, there will always be the chance that
> > courier just stops delivering email for a while.
> >
> > respawnhi seems to need some sort of timeout, even if it's extremely
> > long.
>
> The server is designed to restart itself only when no mail is pending.
>
> The problem is that the client should not be stuck like that.  There's a
> select() before every read from the socket, so if anything, it should be
> stuck in a select().
>
> Get the date of the stuck message, and review your logs to see if there are
> any errors in syslog around that time, or a little bit later.

Happened again, not surprisingly 7 days from when I restarted the
server. I found this process hanging around:

daemon   28027  0.0  0.0  1916 1008 ?        S    Dec07   0:00 courieresmtp 0 ofr.pm0.net

It's been sitting for 7 days.

In the logs I see:

Dec  7 22:31:29 quattro courierd: started,id=00077C44.3C118991.00006D25,from=<[EMAIL PROTECTED]>,module=local,host=robjohn!!510!510!/home/robjohn!!,addr=<robjohn>
Dec  7 22:31:29 quattro courierlocal: id=00077C44.3C118991.00006D25,from=<[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>,size=3209,success: Message delivered.
Dec  7 22:31:29 quattro courierd: started,id=00077C45.3C118991.00006D2A,from=<[EMAIL PROTECTED]>,module=esmtp,host=mediaone.net,addr=<[EMAIL PROTECTED]>
Dec  7 22:31:35 quattro courieresmtp: id=00077C45.3C118991.00006D2A,from=<[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>: 550 5.7.1 <[EMAIL PROTECTED]>... Access denied
Dec  7 22:31:35 quattro courieresmtp: id=00077C45.3C118991.00006D2A,from=<[EMAIL PROTECTED]>,addr=<[EMAIL PROTECTED]>,status: failure
Dec  7 22:31:35 quattro courierd: completed,id=00077C45.3C118991.00006D2A
Dec  7 22:31:35 quattro courierd: started,id=00077C45.3C118991.00006D2A,from=<>,module=dsn,host=,addr=<[EMAIL PROTECTED]>
Dec  7 22:31:35 quattro courierd: newmsg,id=00077C44.3C118997.00006D32
Dec  7 22:31:35 quattro courierd: started,id=00077C44.3C118997.00006D32,from=<>,module=esmtp,host=ofr.pm0.net,addr=<[EMAIL PROTECTED]>
Dec  7 22:37:35 quattro courieresmtp: id=00077C44.3C118997.00006D32,from=<>,addr=<[EMAIL PROTECTED]>: Connection timed out
Dec  7 22:37:35 quattro courieresmtp: id=00077C44.3C118997.00006D32,from=<>,addr=<[EMAIL PROTECTED]>,status: deferred

I see later:

Dec  7 22:42:35 quattro courierd: started,id=00077C44.3C118997.00006D32,from=<>,module=esmtp,host=ofr.pm0.net,addr=<[EMAIL PROTECTED]>

I don't see any other messages for id 00077C44.3C118997.00006D32.

An strace on the aforementioned process resulted in:

quattro:~# strace -p 28027
read(6,

Which just sits there.

JE


--- End Message ---
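The design Sam describes in the message above (a select() before every read from the socket, so a silent peer cannot hold the process in read()) looks like this as an added example; it is not Courier's code, and `read_with_timeout` is a hypothetical name. The silent peer is simulated with a constructed socketpair.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper (not Courier's code): read up to len bytes from fd,
 * giving up once timeout_sec seconds pass with nothing to read.
 * Returns bytes read (0 = peer closed) or -1 with errno set;
 * errno == ETIMEDOUT means the peer stayed silent. */
ssize_t read_with_timeout(int fd, void *buf, size_t len, int timeout_sec)
{
    if (fd < 0 || fd >= FD_SETSIZE) { errno = EINVAL; return -1; }
    /* time() keeps this portable; a monotonic clock avoids wall-clock jumps. */
    time_t deadline = time(NULL) + timeout_sec;

    for (;;) {
        time_t now = time(NULL);
        if (now >= deadline) { errno = ETIMEDOUT; return -1; }

        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        struct timeval tv = { .tv_sec = deadline - now, .tv_usec = 0 };

        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready == 0) { errno = ETIMEDOUT; return -1; }
        if (ready < 0 && errno != EINTR) return -1;
        if (ready < 0) continue;            /* interrupted: recompute the wait */

        /* With O_NONBLOCK set on fd, a spurious wakeup yields EAGAIN here
         * instead of blocking forever, and the loop waits again. */
        ssize_t n = read(fd, buf, len);
        if (n < 0 && (errno == EINTR || errno == EAGAIN)) continue;
        return n;
    }
}

int main(void)
{
    int sv[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    /* Constructed case: sv[1] never writes, like a silent remote server. */
    ssize_t n = read_with_timeout(sv[0], buf, sizeof buf, 2);
    printf("n=%zd timed_out=%d\n", n, n < 0 && errno == ETIMEDOUT);
    return 0;
}
```

A process that strace shows parked in a bare read(), as in the report above, is on a code path where no such guard is in effect.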
--- Begin Message ---
> daemon   28027  0.0  0.0  1916 1008 ?        S    Dec07   0:00 courieresmtp 0 ofr.pm0.net

Just a BTW not a related topic, it seems that the domain pm0.net is regarded
as a spam site and has been blocked by a great many sites recently.
Currently it was talked about on the Exim mailing list.


--- End Message ---
--- Begin Message ---
Johannes Erdfelt writes:

> I see later:
>
> Dec  7 22:42:35 quattro courierd: started,id=00077C44.3C118997.00006D32,from=<>,module=esmtp,host=ofr.pm0.net,addr=<[EMAIL PROTECTED]>
>
> I don't see any other messages for id 00077C44.3C118997.00006D32.
>
> An strace on the aforementioned process resulted in:
>
> quattro:~# strace -p 28027
> read(6,
>
> Which just sits there.

And what is file descriptor 6?

--
Sam

--- End Message ---
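One way to answer the question in the message above on Linux, as an added example that is not from the thread or from Courier: the target of `/proc/<pid>/fd/<n>` names a socket inode, and `/proc/net/tcp` maps that inode to a remote address and TCP state. The sample table, its addresses and inode numbers are constructed, and the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/net/tcp format (little-endian host assumed):
 * row 1 is a connection from 10.0.0.10 to 192.0.2.10 port 25. */
static const char SAMPLE_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1\n"
    "   1: 0A00000A:8C3E 0A0200C0:0019 01 00000000:00000000 00:00000000 00000000     2        0 48213 1\n";

/* Inode from a /proc/<pid>/fd/<n> link target such as "socket:[48213]";
 * returns 0 when the descriptor is not a socket (a file, pipe, tty...). */
unsigned long socket_inode(const char *link_target)
{
    unsigned long inode = 0;
    return sscanf(link_target, "socket:[%lu]", &inode) == 1 ? inode : 0;
}

/* Find the row that owns `inode` and write "remote-ip:port state=0xNN"
 * to out. Returns 0 on a hit, -1 if no TCP socket has that inode. */
int tcp_row_for_inode(const char *table, unsigned long inode, char *out, size_t outlen)
{
    for (const char *line = table; line && *line; ) {
        unsigned int raddr, rport, state;
        unsigned long ino;
        if (sscanf(line, " %*d: %*x:%*x %x:%x %x %*x:%*x %*x:%*x %*x %*u %*u %lu",
                   &raddr, &rport, &state, &ino) == 4 && ino == inode) {
            struct in_addr a = { .s_addr = raddr };  /* kernel prints s_addr natively */
            char ip[INET_ADDRSTRLEN];
            inet_ntop(AF_INET, &a, ip, sizeof ip);
            snprintf(out, outlen, "%s:%u state=0x%02X", ip, rport, state);
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

int main(void)
{
    char out[64];
    if (tcp_row_for_inode(SAMPLE_TCP, socket_inode("socket:[48213]"), out, sizeof out) == 0)
        puts(out);  /* state 0x01 is ESTABLISHED */
    return 0;
}
```

On a live system the link target comes from `readlink /proc/28027/fd/6` and the table from `/proc/net/tcp`; this parser handles IPv4 rows only.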
--- Begin Message ---
Aly S.P Dharshi writes:

>> daemon   28027  0.0  0.0  1916 1008 ?        S    Dec07   0:00 courieresmtp 0 ofr.pm0.net
>
> Just a BTW not a related topic, it seems that the domain pm0.net is regarded
> as a spam site and has been blocked by a great many sites recently.
> Currently it was talked about on the Exim mailing list.

Correct.  His logs showed that his local recipient is bouncing all crap from
pm0.net, and something gets stuck in the bounce.

--
Sam

--- End Message ---
--- Begin Message ---
On Sat, Dec 15, 2001, Sam Varshavchik <[EMAIL PROTECTED]> wrote:
> Johannes Erdfelt writes:
>
> > I see later:
> >
> > Dec  7 22:42:35 quattro courierd: started,id=00077C44.3C118997.00006D32,from=<>,module=esmtp,host=ofr.pm0.net,addr=<[EMAIL PROTECTED]>
> >
> > I don't see any other messages for id 00077C44.3C118997.00006D32.
> >
> > An strace on the aforementioned process resulted in:
> >
> > quattro:~# strace -p 28027
> > read(6,
> >
> > Which just sits there.
>
> And what is file descriptor 6?

Fine question, but we'll have to wait until it happens again.

I restarted courier so mail would continue to be delivered, however it
seems it happens relatively quickly. The process got stuck hours after I
restarted the server.

I don't see anything stuck right now, presumably because that triggering
mail got double bounced.

I'll see if I can trigger the problem manually to that recipient.

JE


--- End Message ---
--- Begin Message ---
On Fri, Dec 14, 2001, Aly S.P Dharshi <[EMAIL PROTECTED]> wrote:
> > daemon   28027  0.0  0.0  1916 1008 ?        S    Dec07   0:00 courieresmtp 0 ofr.pm0.net
>
> Just a BTW not a related topic, it seems that the domain pm0.net is regarded
> as a spam site and has been blocked by a great many sites recently.
> Currently it was talked about on the Exim mailing list.

Yeah, it pretty much looked like that.

I forward lots of mail from virtual domains to people's personal
mailboxes at other ISP's and I saw lots of those ISP's rejecting mail
with an envelope from of pm0.net.

But there's still a bug there that needs to be fixed.

JE


--- End Message ---
--- Begin Message ---

I am trying to add/make a new security policy for the courier mail
server.  Sendmail is easy compared with qmail or courier.  This will
also be a good learning experience for me (and others) to go through the
thinking behind creating a security policy.  I am not a courier
expert, but I think selinux and courier would be good together.

courier stuff
See http://www.nsa.gov/selinux/doc/policy/policy.html
I was thinking about at least three domains for smtp.  One for the input
modules, one for submit/courierd, and one for the output modules.  The
issues here are we want to isolate any IO modules from the queue AND
isolate any modules that have suid.
What I need to know is which executable accesses what files/dirs?
What are the transitions, what modules call/execute what other modules?
A state diagram of the basic courier process would be great?

In the FUTURE I would want to add TLS certs auth, the pop3 and imap
daemons with auth, and then the web configuration and web email.

If courier does have selinux support then it could become one of the most
secure mail systems.


selinux stuff
The problem is how fine grained a security policy I should make?
Should every process have a separate policy or should the whole
package be one security?
Should the certs be protected more than other parts?
Courier writes to the user's Maildir in their home dir, only
courier_local writes to user's dir.  ????



Background:
Courier is an all inclusive mail server.  It is like qmail with
different processes doing different tasks. It also has imap, pop3, secure
imap, pop3 also.  It has a web interface to help with configuration.  And
webmail client.

File structure

/etc/courier                        courier_conf_t     configuration files

/var/spool/courier                  courier_spool_t    spool directories for courier
/var/spool/courier/msgq             courier_msgq_t
/var/spool/courier/msgs             courier_msgs_t
/var/spool/courier/authdaemon

/usr/lib/courier                    courier_t          courier
/usr/lib/courier/bin                courier_bin_t
/usr/lib/courier/sbin               courier_sbin_t
/usr/lib/courier/share              courier_share_t
/usr/lib/courier/share/rootcerts    courier_certs_t    esmtp, imap, pop3 certs for SSL
/usr/lib/courier/share/htmldoc

Running processes:

courierd                              main daemon                  courier_daemon_t
courierXXXX                           transport daemons            courier_trans_t
courieresmtp                          input daemon                 courier_esmtp_t
authdaemon                            authorize connections        courier_auth_t
couriertcpd                           courier tcpd                 courier_tcpd_t
pop3d, pop3d-ssl, imapd, imapd-ssl                                 courier_XXXX_t
courierfilter                         spam killer (not used now)   courier_filter_t

--- End Message ---
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/courier-users

--- End Message ---