Package: sendmail
Version: 8.15.2-12
Severity: grave
Tags: patch

On upgrade to buster, sendmail upgrade failed with this message:

> start-stop-daemon: matching only on non-root pidfile /var/run/sendmail/mta/sendmail.pid is insecure

Some work with Google found Debian bug #922395, which, although not
for sendmail, pointed the way to the solution.

The following patch for /etc/init.d/sendmail should fix the problem:

--------- CUT HERE ----------
*** sendmail.orig       2019-07-20 23:35:49.360737086 -0400
- --- sendmail  2019-07-20 22:40:04.782571907 -0400
***************
*** 149,163 ****
- --- 149,166 ----
                --start";
        STOP_MTAL_CMD="start-stop-daemon \
                --pidfile $MTAL_PIDFILE \
+               --exec $MTA_DAEMON \
                --name sendmail-mta \
                --stop";
        SIGNAL_MTAL_CMD="start-stop-daemon \
                --pidfile $MTAL_PIDFILE \
+               --exec $MTA_DAEMON \
                --name sendmail-mta \
                --stop";
        START_MTAQ_CMD="start-stop-daemon \
                --pidfile $MTAQ_PIDFILE \
                --make-pidfile \
+               --exec $MTA_DAEMON \
                --startas $MTA_COMMAND \
                --start";
        STOP_MTAQ_CMD="start-stop-daemon \
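Review bot: In START_MTAQ_CMD the added `--exec $MTA_DAEMON` is checked against a process that is launched with `--startas $MTA_COMMAND`, so the match only works if whatever $MTA_COMMAND starts ends up running the $MTA_DAEMON binary. Neither variable is defined in the visible lines, so that needs confirming, and a short comment in the script saying why `--exec` was added (the "matching only on non-root pidfile ... is insecure" failure) would help the next maintainer. In STOP_MTAL_CMD and SIGNAL_MTAL_CMD the new option sits next to the existing `--name sendmail-mta`, and start-stop-daemon requires every match option given to hold, so both must describe the same running process. The hunk also opens on the tail of the preceding start command (`--start";`), so it is not visible whether that command already carries `--exec`.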
***************
*** 165,170 ****
- --- 168,174 ----
                --stop";
        SIGNAL_MTAQ_CMD="start-stop-daemon \
                --pidfile $MTAQ_PIDFILE \
+               --exec $MTA_DAEMON \
                --name sendmail-mta \
                --stop";
        START_MSP_CMD="start-stop-daemon \
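Review bot: STOP_MTAQ_CMD is left without `--exec $MTA_DAEMON`: it opens on the last line of the previous hunk and closes with `--stop";` on the first line of this one, and by the hunk ranges (new lines 149-166 and 168-174) only one unchanged line lies between them. If that line is its `--pidfile $MTAQ_PIDFILE`, the queue-runner stop command would still match on the pidfile alone, which is the case the error message in the report complains about; add the same `--exec $MTA_DAEMON` line there. The patch also stops at the opening of `START_MSP_CMD`, so the MSP commands should be checked for the same pattern.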
--------- CUT HERE ----------

It may also be necessary to delete /var/run/sendmail/mta/sendmail.pid
as well.

Note:
Although probably not a sendmail problem (start-stop daemon?), it
might be advisable to re-word the error message. "matching only on
non-root pidfile xxx.pid is insecure" is rather cryptic, and does not
point the way to fixing the problem.

 .....Ron Murray

-- Package-specific info:
Output of /usr/share/bug/sendmail/script:

ls -alR /etc/mail:
/etc/mail:
total 568
drwxr-sr-x   8 smmta smmsp  4096 Jul 20 22:42 .
drwxr-xr-x 260 root  root  16384 Jul 20 23:16 ..
-rwxr-xr--   1 root  smmsp 12904 Jul 20 22:42 Makefile
-rw-------   1 root  smmsp  5526 Jul 20 22:42 access
-rw-r-----   1 smmta smmsp 12288 Jul 20 22:42 access.db
-rw-r--r--   1 root  smmsp  5432 Jul  2  2018 access.old
-rw-------   1 root  root   2084 Nov  4  2014 access.orig
-rw-r--r--   1 root  root    281 Sep  5  2004 address.resolve
lrwxrwxrwx   1 root  smmsp    10 Mar 28  2015 aliases -> ../aliases
-rw-r-----   1 smmta smmsp 12288 Jul 21  2017 aliases.db
-rw-r--r--   1 root  root   1040 Nov 25  2007 aliases.orig
drwx--S---   2 root  smmsp    45 Jun 18  2017 auth
-rw-r--r--   1 root  root   3722 Jul 20 22:42 databases
-rw-r--r--   1 root  root   3720 Oct 22  2014 databases.orig
-rw-r-----   1 smmta smmsp    42 Apr  7  2004 default-auth-info
-rw-r--r--   1 smmta smmsp     0 Oct  1  2000 domaintable
-rw-r--r--   1 root  root   5659 Dec  8  2016 helpfile
-rw-r--r--   1 smmta smmsp    21 Apr  7  2004 local-host-names
drwxr-sr-x   2 smmta smmsp    81 Jul 20 20:54 m4
-rw-r--r--   1 smmta smmsp    15 Sep 25  2008 mailertable
-rw-r-----   1 root  smmsp 12288 Jun 18  2017 mailertable.db
-rw-r--r--   1 smmta smmsp 12973 Jun  4  2015 mimedefang-filter
-rw-r--r--   1 smmta smmsp 12973 Jun  4  2015 mimedefang-filter.spamassassin
-rw-r--r--   1 smmta smmsp  4108 Aug 18  2006 mimedefang.conf.12596
-rw-r--r--   1 smmta smmsp  4108 Dec 28  2006 mimedefang.conf.13657
-rw-r--r--   1 smmta smmsp  4108 Jan 30  2007 mimedefang.conf.15047
-rw-r--r--   1 smmta smmsp  4108 Mar 16  2007 mimedefang.conf.25782
-rw-r--r--   1 smmta smmsp  4108 Apr 26  2005 mimedefang.conf.5937
-rw-r--r--   1 smmta smmsp  4108 Nov 21  2006 mimedefang.conf.6382
-rw-r--r--   1 smmta smmsp  4108 Mar 27  2006 mimedefang.conf.7263
-rw-r--r--   1 root  root    276 Feb 11  2005 mimedefang.pl.conf
drwxr-xr-x   2 root  root     21 Jul 20 20:51 peers
-rw-r--r--   1 smmta smmsp     0 Jan 30  2002 relay-domains
-rw-r--r--   1 root  root   4297 May 14  2018 sa-mimedefang.cf
drwxr-xr-x   2 smmta smmsp   132 May 24  2015 sasl
-rw-r--r--   1 smmta smmsp    54 Apr  4  2015 sendmail.cN
-rw-r--r--   1 root  smmsp 75517 Jul 20 22:42 sendmail.cf
-rw-r--r--   1 root  root  75514 Jul 20 22:42 sendmail.cf.old
-rw-r--r--   1 root  root  12235 Jul 20 22:42 sendmail.conf
-rw-r--r--   1 root  root  12222 Oct 22  2014 sendmail.conf.orig
-rw-r--r--   1 smmta smmsp    15 Apr  3  2015 sendmail.ct
-rw-r--r--   1 smmta smmsp   209 Mar  2  2008 sendmail.cw
-rw-r--r--   1 root  smmsp  8600 Jul 20 22:42 sendmail.mc
-rw-r--r--   1 root  root    148 Sep 15  2018 service.switch
-rw-r--r--   1 root  root    179 Sep 15  2018 service.switch-nodns
drwxr-sr-x   2 smmta smmsp    53 Nov  7  2014 smrsh
lrwxrwxrwx   1 root  root     15 Nov  7  2014 spamassassin -> ../spamassassin
-rw-r--r--   1 root  smmsp 45240 Jul 20 22:42 submit.cf
-rw-r--r--   1 root  root  45230 Jul 20 22:42 submit.cf.old
-rw-r--r--   1 root  smmsp  2475 Jul 20 22:42 submit.mc
drwxr-xr-x   3 smmta smmsp  4096 Jul  8  2015 tls
-rw-r--r--   1 smmta smmsp     0 Apr  4  2004 trusted-users
-rw-r--r--   1 smmta smmsp   152 Mar  2  2008 virtusertable
-rw-r-----   1 root  smmsp 12288 Jun 18  2017 virtusertable.db

/etc/mail/m4:
total 16
drwxr-sr-x 2 smmta smmsp   81 Jul 20 20:54 .
drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 ..
-rw-r--r-- 1 root  root   790 Jan 30  2017 clamav-milter.m4
-rw-r----- 1 smmta smmsp  838 Jul 18  2009 dialup.m4
-rw-r--r-- 1 root  root   107 Jul  2  2016 opendkim.m4
-rw-r----- 1 smmta smmsp    0 Apr  4  2004 provider.m4

/etc/mail/peers:
total 8
drwxr-xr-x 2 root  root    21 Jul 20 20:51 .
drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 ..
-rw-r--r-- 1 root  root   328 Sep 17  2003 provider

/etc/mail/sasl:
total 24
drwxr-xr-x 2 smmta smmsp  132 May 24  2015 .
drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 ..
lrwxrwxrwx 1 root  root    15 Nov  7  2014 Sendmail.conf -> Sendmail.conf.2
-rw-r--r-- 1 root  root   658 Sep 21  2004 Sendmail.conf.1
-rw-r----- 1 smmta smmsp  776 Feb  4  2012 Sendmail.conf.2
-rwxr--r-- 1 root  root  3685 Jul 20 22:42 sasl.m4
-rw-r--r-- 1 root  root   589 Sep 21  2004 saslpasswd.conf.1
-rw-r--r-- 1 root  root   701 Sep 21  2004 saslpasswd.conf.2

/etc/mail/smrsh:
total 4
drwxr-sr-x 2 smmta smmsp   53 Nov  7  2014 .
drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 ..
lrwxrwxrwx 1 root  root    26 Nov  7  2014 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root  root    17 Nov  7  2014 procmail -> /usr/bin/procmail
lrwxrwxrwx 1 root  root    17 Nov  7  2014 vacation -> /usr/bin/vacation

/etc/mail/tls:
total 60
drwxr-xr-x 3 smmta smmsp 4096 Jul  8  2015 .
drwxr-sr-x 8 smmta smmsp 4096 Jul 20 22:42 ..
lrwxrwxrwx 1 root  root    11 Jun  4  2015 53395837.0 -> rjmx-ca.crt
lrwxrwxrwx 1 root  root    20 Jun  4  2015 d521656a.0 -> rjmx-mail-client.crt
-rw-r--r-- 1 root  root   424 Jul  8  2015 dhparams.pem
lrwxrwxrwx 1 root  root    13 Jun  4  2015 f99016ee.0 -> rjmx-mail.crt
-rw-r--r-- 1 root  root     7 Apr  4  2004 no_prompt
drwxr-xr-x 2 root  root   118 Nov  7  2014 old
lrwxrwxrwx 1 root  root    26 Nov  7  2014 rjmx-ca.crt -> /etc/ssl/certs/rjmx-ca.crt
lrwxrwxrwx 1 root  root    35 Nov  7  2014 rjmx-mail-client.crt -> /etc/ssl/certs/rjmx-mail-client.crt
lrwxrwxrwx 1 root  root    34 Nov  7  2014 rjmx-mail-client.key -> /etc/ssl/keys/rjmx-mail-client.key
lrwxrwxrwx 1 root  root    28 Nov  7  2014 rjmx-mail.crt -> /etc/ssl/certs/rjmx-mail.crt
lrwxrwxrwx 1 root  root    27 Nov  7  2014 rjmx-mail.key -> /etc/ssl/keys/rjmx-mail.key
-rw------- 1 root  root  1190 Apr  4  2004 sendmail-client.cfg
-rw-r--r-- 1 root  smmsp  822 Apr  4  2004 sendmail-client.crt
-rw------- 1 root  root   639 Apr  4  2004 sendmail-client.csr
-rw-r----- 1 root  smmsp  887 Apr  4  2004 sendmail-common.key
-rw-r--r-- 1 root  smmsp  245 Mar 26  2008 sendmail-common.prm
-rw------- 1 root  root  1190 Apr  4  2004 sendmail-server.cfg
-rw-r--r-- 1 root  smmsp  822 Apr  4  2004 sendmail-server.crt
-rw------- 1 root  root   639 Apr  4  2004 sendmail-server.csr
-rwxr--r-- 1 root  root  3246 Jul 20 22:42 starttls.m4
-rw-r--r-- 1 root  root  2478 May 14  2004 starttls.m4.1
-rw-r--r-- 1 smmta smmsp 2465 May 15  2004 starttls.m4.2

/etc/mail/tls/old:
total 24
drwxr-xr-x 2 root  root   118 Nov  7  2014 .
drwxr-xr-x 3 smmta smmsp 4096 Jul  8  2015 ..
-rw-r--r-- 1 root  root  1326 May  8  2001 rjmx-ca.crt
-rw-r--r-- 1 smmta smmsp 3714 Mar 27  2004 rjmx-mail-client.crt
-rw-r----- 1 smmta smmsp  887 Mar 27  2004 rjmx-mail-client.key
-rw-r--r-- 1 smmta smmsp 3674 May 25  2002 rjmx-mail.crt
-rw-r----- 1 smmta smmsp  887 May 25  2002 rjmx-mail.key

sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="20m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
divert(-1)
divert(0)
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`@(#)sendmail.mc      8.9.3-21 (Debian) 20000309')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl                #DAEMON_HOSTSTATS 
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
define(`confCW_FILE',`/etc/mail/sendmail.cw')
define(`confCT_FILE',`/etc/mail/sendmail.ct')
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
define(`SMART_HOST',`smtp.comcast.net')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
FEATURE(`smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(use_ct_file)
FEATURE(local_procmail)
FEATURE(`access_db', , `skip')dnl
FEATURE(`blacklist_recipients')
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`masquerade_envelope')
FEATURE(masquerade_entire_domain)
FEATURE(`preserve_local_plus_detail')
FEATURE(`no_default_msa', `dnl')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=2525')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea')dnl
INPUT_MAIL_FILTER(`spamassassin', 
        `S=local:/var/run/spamass/spamass.sock,
         F=, T=C:4m;S:4m;R:4m;E:4m')dnl
INPUT_MAIL_FILTER(`clamav', 
        `S=local:/var/run/clamav/clamav-milter.ctl,
         F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`mimedefang',
         `S=unix:/var/spool/MIMEDefang/mimedefang.sock,
          F=T, T=S:1m;R:1m')dnl
INPUT_MAIL_FILTER(`opendkim', `S=local:/var/run/opendkim/opendkim.sock')dnl
INPUT_MAIL_FILTER(`opendmarc', `S=local:/var/run/opendmarc/opendmarc.sock')dnl
define(`confMILTER_MACROS_CONNECT', `t, b, j,  _, {daemon_name},
        {if_name}, {if_addr}, {client_resolve}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, 
        {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, {auth_type}, {rcpt_mailer},
                                       {rcpt_host}, {rcpt_addr}')dnl
define(`confINPUT_MAIL_FILTERS', `clamav,mimedefang,spamassassin,
                                 opendkim,opendmarc')dnl
MAILER(smtp)
MAILER(procmail)
MAILER(local)dnl
LOCAL_CONFIG
MASQUERADE_AS(rjmx.net)
Dwmail
Dmrjmx.net
define(`confDOMAIN_NAME', `$w.$m')dnl
define(`ALIAS_FILE',`/etc/mail/aliases')
define(`confLOCAL_MAILER', `cyrus')
define(`CYRUS_MAILER_USER', `cyrus:mail')
MAILER_DEFINITIONS
Mcyrus,         P=[IPC], F=lsDFMnqA@/:|SmXz, E=\r\n,
                S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, 
                A=FILE /run/cyrus/socket/lmtp
LOCAL_RULE_0
R$=N                    $: $#local $: $1
R$=N < @ $=w . >        $: $#local $: $1
Rbb + $+ < @ $=w . >    $#cyrus $: + $1
LOCAL_CONFIG
H?l?X-Envelope-From: $f
FN /etc/mail/sendmail.cN
O CipherList=HIGH:!ADH
O DHParameters=/etc/mail/tls/dhparams.pem
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')

submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.12.1-5 2001-12-14 13:11:55 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sendmail depends on:
ii  sendmail-base  8.15.2-12
ii  sendmail-bin   8.15.2-12
ii  sendmail-cf    8.15.2-12
ii  sensible-mda   8.15.2-12

sendmail recommends no packages.

Versions of packages sendmail suggests:
ii  rmail         8.15.2-12
ii  sendmail-doc  8.15.2-12

Versions of packages sensible-mda depends on:
ii  libc6                                2.28-10
ii  procmail                             3.22-26
ii  sendmail-bin [mail-transport-agent]  8.15.2-12

Versions of packages rmail depends on:
ii  libc6                                2.28-10
ii  libldap-2.4-2                        2.4.47+dfsg-3
ii  sendmail-bin [mail-transport-agent]  8.15.2-12

Versions of packages libmilter1.0.1 depends on:
ii  libc6  2.28-10

Versions of packages sendmail-bin depends on:
ii  debconf        1.5.71
ii  libc6          2.28-10
ii  libdb5.3       5.3.28+dfsg1-0.5
ii  libldap-2.4-2  2.4.47+dfsg-3
ii  liblockfile1   1.14-1.1
ii  libsasl2-2     2.1.27+dfsg-1
ii  libssl1.1      1.1.1c-1
ii  libwrap0       7.6.q-28
ii  lsb-base       10.2019051400
ii  procps         2:3.3.15-2
ii  sendmail-base  8.15.2-12
ii  sendmail-cf    8.15.2-12

Versions of packages sendmail-bin suggests:
ii  libsasl2-modules  2.1.27+dfsg-1
ii  openssl           1.1.1c-1
ii  sasl2-bin         2.1.27+dfsg-1
ii  sendmail-doc      8.15.2-12

-- no debconf information
