> On 24.05.2022 at 00:37, Jeremy Harris via Exim-users
> <[email protected]> wrote:
>
> On 23/05/2022 20:38, Axel Rau via Exim-users wrote:
>> After turning on setuid bit on exim binary, it could no longer access
>> the DB (error='valid client cert required')
>
> setuid to what (I assume root, but...)?

-rwsr-xr-x  1 root  wheel  1280960 Apr  9 12:15 /usr/local/sbin/exim
> Access during what phase of operation?

1st hit happens with alias routers:
- - -
2022-05-24T15:06:53.393720+00:00 mx4 exim[44885] 1ntW77-000Bfx-3J <= [email protected] H=ping.lrau.net [2a02:c207:3005:2350:144:91:89:26] P=smtp S=442 for [email protected]
2022-05-24T15:06:53.425991+00:00 mx4 exim[46232] 1ntW77-000Bfx-3J == [email protected] R=postgresql_sys_aliases defer (-1) DT=0s: Temporary internal error
- - -
# System aliases and aliases with more than one target are handled by exim via ERDB
postgresql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql {SELECT aliasTargetAddresses FROM mailbox \
      WHERE type = 'S' AND localPart ='${quote_pgsql:${lc:$local_part}}'}}

postgresql_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql {SELECT M.aliastargetaddresses \
      FROM mailbox M \
      JOIN localdomain D on (M.localdomainfk=D.id) \
      WHERE M.localPart ='${quote_pgsql:${lc:$local_part}}' AND \
      D.name='${quote_pgsql:${lc:$domain}}'}}
- - -
But more DB usage (including INSERTs and UPDATEs) is in the ACLs.
PostgreSQL log shows that exim issues 3 connections, where only number 2 fails:
- - -
2022-05-24 15:06:53.374 GMT,,,63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.387 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,2,"authentication",2022-05-24 15:06:53 GMT,23/54087,0,LOG,00000,"connection authorized: user=erdb_op database=operations SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=off)",,,,,,,,,"","client backend"
2022-05-24 15:06:53.394 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,3,"idle",2022-05-24 15:06:53 GMT,,0,LOG,00000,"disconnection: session time: 0:00:00.020 user=erdb_op database=operations host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","client backend"
2022-05-24 15:06:53.410 GMT,,,63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=22314",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.423 GMT,"erdb_op","operations",63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,2,"authentication",2022-05-24 15:06:53 GMT,23/54090,0,FATAL,28000,"connection requires a valid client certificate",,,,,,,,,"","client backend"
2022-05-24 15:06:53.425 GMT,,,63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=49593",,,,,,,,,"","not initialized"
2022-05-24 15:06:53.426 GMT,"erdb_op","operations",63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,2,"authentication",2022-05-24 15:06:53 GMT,23/54091,0,FATAL,28000,"no pg_hba.conf entry for host ""2a05:bec0:26:2::72"", user ""erdb_op"", database ""operations"", SSL off",,,,,,,,,"","client backend"
2022-05-24 15:06:53.712 GMT,,,63423,"2a05:bec0:26:5::77:12574",628cf48d.f7bf,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:5::77 port=12574",,,,,,,,,"","not initialized"
- - -

Another case is with the outgoing relay, which logs:
- - -
[1\4] 1ntDMI-000LG4-6m failed to expand event_action msg:delivery in remote_smtp: lookup of "SELECT * FROM record_Delivery( 'Lechner-Rau.de','axel.rau', 'lechner-rau.de', 'axel.rau', '2a05:bec0:26:5::72', 'mx5.lrau.net', '1ntDMI-000LG4-6m', '250- 1880 byte chunk, total 1880\\n250 OK id=1ntDMI-000LM5-70')" gave DEFER: PGSQL connection failed: FATAL: connection requires a valid client certificate
- - -
Which is triggered by this part of the config:
- - -
# -------------------------------------------------------------------
# log delivery in DB
# -------------------------------------------------------------------
event_action = ${if eq {msg:delivery}{$event_name} \
    {${lookup pgsql {SELECT * FROM record_Delivery( \
        '${quote_pgsql:$sender_address_domain}',\
        '${quote_pgsql:${lc:$sender_address_local_part}}', \
        '${quote_pgsql:$domain}', \
        '${quote_pgsql:${lc:$local_part}}', \
        '${quote_pgsql:$host_address}', \
        '${quote_pgsql:${lc:$host}}', \
        '${quote_pgsql:$message_exim_id}', \
        '${quote_pgsql:$event_data}')}} \
    } {}}
. . .

By the way, the DB address is an alias:

root@mx4:/var/log # host db.lrau.net
db.lrau.net is an alias for dbo5.lrau.net.
dbo5.lrau.net has address 91.216.35.27
dbo5.lrau.net has IPv6 address 2a05:bec0:26:5::77

Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
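An added example, not part of this thread and not code from Exim or PostgreSQL: a small Python script that folds the PostgreSQL csvlog lines quoted in the post into one record per backend session, so the individual connection attempts and their outcomes can be read off directly instead of by eye. The sample input is constructed from the lines above (the last one, cut off in the post, re-joined into a single record); the column layout is assumed to be the 24-column csvlog format of PostgreSQL 13, which these lines match.

```python
"""Correlate PostgreSQL csvlog connection events per backend session.

Added example, not from the mailing-list thread or the Exim project. The
column list assumes the PostgreSQL 13 csvlog layout (24 columns); other
server versions log fewer or more columns and would need the list adjusted.
"""
import csv
import io
import re

CSVLOG_COLUMNS = [
    "log_time", "user_name", "database_name", "process_id", "connection_from",
    "session_id", "session_line_num", "command_tag", "session_start_time",
    "virtual_transaction_id", "transaction_id", "error_severity",
    "sql_state_code", "message", "detail", "hint", "internal_query",
    "internal_query_pos", "context", "query", "query_pos", "location",
    "application_name", "backend_type",
]

# Constructed sample: the csvlog records quoted in the post, one per entry.
SAMPLE_LOG = "\n".join([
    '2022-05-24 15:06:53.374 GMT,,,63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","not initialized"',
    '2022-05-24 15:06:53.387 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,2,"authentication",2022-05-24 15:06:53 GMT,23/54087,0,LOG,00000,"connection authorized: user=erdb_op database=operations SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256, compression=off)",,,,,,,,,"","client backend"',
    '2022-05-24 15:06:53.394 GMT,"erdb_op","operations",63253,"2a05:bec0:26:2::72:25527",628cf48d.f715,3,"idle",2022-05-24 15:06:53 GMT,,0,LOG,00000,"disconnection: session time: 0:00:00.020 user=erdb_op database=operations host=2a05:bec0:26:2::72 port=25527",,,,,,,,,"","client backend"',
    '2022-05-24 15:06:53.410 GMT,,,63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=22314",,,,,,,,,"","not initialized"',
    '2022-05-24 15:06:53.423 GMT,"erdb_op","operations",63254,"2a05:bec0:26:2::72:22314",628cf48d.f716,2,"authentication",2022-05-24 15:06:53 GMT,23/54090,0,FATAL,28000,"connection requires a valid client certificate",,,,,,,,,"","client backend"',
    '2022-05-24 15:06:53.425 GMT,,,63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:2::72 port=49593",,,,,,,,,"","not initialized"',
    '2022-05-24 15:06:53.426 GMT,"erdb_op","operations",63284,"2a05:bec0:26:2::72:49593",628cf48d.f734,2,"authentication",2022-05-24 15:06:53 GMT,23/54091,0,FATAL,28000,"no pg_hba.conf entry for host ""2a05:bec0:26:2::72"", user ""erdb_op"", database ""operations"", SSL off",,,,,,,,,"","client backend"',
    '2022-05-24 15:06:53.712 GMT,,,63423,"2a05:bec0:26:5::77:12574",628cf48d.f7bf,1,"",2022-05-24 15:06:53 GMT,,0,LOG,00000,"connection received: host=2a05:bec0:26:5::77 port=12574",,,,,,,,,"","not initialized"',
])

TLS_RE = re.compile(r"SSL enabled \(protocol=(?P<proto>[^,]+), cipher=(?P<cipher>[^,)]+)")


def parse_csvlog(text):
    """Parse csvlog text into dicts; records with the wrong column count are dropped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == len(CSVLOG_COLUMNS):
            rows.append(dict(zip(CSVLOG_COLUMNS, rec)))
    return rows


def summarize_sessions(rows):
    """Fold the per-line events of each session_id into one connection record."""
    sessions = {}
    for r in rows:
        s = sessions.setdefault(r["session_id"], {
            "client": r["connection_from"], "user": None, "database": None,
            "outcome": "incomplete", "ssl": None, "tls": None,
            "sqlstate": None, "reason": None,
        })
        if r["user_name"]:  # user/db columns are only filled once authentication starts
            s["user"], s["database"] = r["user_name"], r["database_name"]
        msg = r["message"]
        if msg.startswith("connection authorized"):
            s["outcome"] = "authorized"
            m = TLS_RE.search(msg)
            s["ssl"] = "on" if m else "off"
            s["tls"] = m.group("proto") if m else None
        elif r["error_severity"] == "FATAL":
            s["outcome"] = "rejected"
            s["sqlstate"] = r["sql_state_code"]
            s["reason"] = msg
            # pg_hba rejections end in "SSL on"/"SSL off"; a client-cert failure
            # can only happen inside a TLS handshake, so anything else counts as on.
            s["ssl"] = "off" if msg.endswith("SSL off") else "on"
    return sessions


def diagnose(sessions):
    """Classify rejected sessions (SQLSTATE 28000 = invalid_authorization_specification)."""
    verdicts = {}
    for sid, s in sessions.items():
        if s["outcome"] != "rejected":
            continue
        if s["sqlstate"] == "28000" and "client certificate" in s["reason"]:
            verdicts[sid] = "tls-without-client-cert"
        elif s["sqlstate"] == "28000" and s["ssl"] == "off" and "pg_hba.conf" in s["reason"]:
            # libpq's default sslmode=prefer retries without TLS after the TLS
            # attempt is rejected; hostssl-only pg_hba rules then refuse that retry.
            verdicts[sid] = "plaintext-retry-rejected-by-hba"
        else:
            verdicts[sid] = "other:" + s["sqlstate"]
    return verdicts


if __name__ == "__main__":
    sessions = summarize_sessions(parse_csvlog(SAMPLE_LOG))
    verdicts = diagnose(sessions)
    for sid, s in sessions.items():
        print(f"{sid} {s['client']:<28} {s['outcome']:<11} ssl={s['ssl']} {verdicts.get(sid, '')}")
```

Run against the sample, the summary shows one authorized TLS 1.3 session, one TLS session rejected for lack of a client certificate, and a third, plaintext attempt two milliseconds later refused by pg_hba.conf, which is the shape a libpq client without a usable client certificate and with the default sslmode=prefer produces; a session that has only a "connection received" line is reported as incomplete rather than guessed at.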
