> Something is nonstandard about your installation or system.
>
> Has it ever worked? What changed?
>
> Or is this a new setup?
> If so you might want to start from scratch.
> --
> Cheers,
> Jeremy

I'm running the Exim version packaged for Guix. This is the first time I am trying to get it to work. I tried to start from scratch as much as possible. Here is the diff between my exim config and the default one (other than adding ACL messages, domain redacted as my.domain):

70c70 < domainlist local_domains = @ --- > domainlist local_domains = @ : localhost : my.domain 167a168,169 > tls_certificate = /etc/letsencrypt/live/my.domain/fullchain.pem > tls_privatekey = /etc/letsencrypt/live/my.domain/privkey.pem 304,305c306,308 < log_selector = +smtp_protocol_error +smtp_syntax_error \ < +tls_certificate_verified --- > log_selector = +all 824a835,840 > dkim_domain = my.domain > dkim_selector = my_ed_sel : my_rsa_sel > dkim_private_key = /etc/exim/dkim_$dkim_selector.private > dkim_identity = my.domain > dkim_strict = true

Because of the way exim is packaged in Guix, my config actually gets wrapped in the following config:

exim_user = exim
exim_group = exim
.include /gnu/store/88px88wqr7lbwlhxxlf4nl8pd1m00x63-exim.conf

I looked at the package definition in Guix, and it seems pretty minimal. Mostly just sets paths to work on Guix.

> > Seems like when running as root, exim refuses to keep root
> > permissions, but when running as exim, it has insufficient
> > privileges?
>
> Is your exim binary setuid root?
>
> I have very recently had a similar problem, and mine is not -- but I
> know what I am doing.
>
> --
> Ian

Should it be? Currently, it is:

-r-xr-xr-x 2 root root 1165112 Dec 31 1969 /gnu/store/14ymh0d8xk0089wbnm0xmjz4kw6yzvln-exim-4.96/bin/exim-4.96-1

so no. The exim service is launched by root with "/path/to/exim -bV -C /path/to/wrapper/config.conf" which, to my knowledge, is quickly changed to running as exim:exim by the exim executable itself.
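
Review bot: in the 167a168,169 hunk, tls_privatekey points at /etc/letsencrypt/live/my.domain/privkey.pem, but the wrapper config sets exim_user = exim, so the key is read after root has been given up. Check that the exim user can traverse /etc/letsencrypt/live and read the key (certbot creates those directories readable by root only by default), or install a copy of the certificate and key that the exim group can read from a renewal hook rather than loosening the modes on the letsencrypt tree.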
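
Review bot: in the 824a835,840 hunk, dkim_identity = my.domain is not a well-formed i= value, which RFC 6376 defines as an optional local part followed by "@" and a domain; use @my.domain or drop the option so only d= is emitted. In the same hunk dkim_private_key expands to /etc/exim/dkim_my_ed_sel.private and /etc/exim/dkim_my_rsa_sel.private, so both files must exist and be readable by the exim user, because dkim_strict = true makes a signing failure defer the message.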

There is only one file in /var/spool/exim not owned by exim:

$ ls -ld /var/spool/exim/exim-daemon.pid
-rw-r--r-- 1 root exim 5 May 9 19:30 /var/spool/exim/exim-daemon.pid

I tried ensuring the file was owned by exim, but the "exim: debugging permission denied" issue persists.

Thanks for the responses!
-Zacchae

On Thu, May 9, 2024 at 4:58 PM Zacchaeus Scheffer <[email protected]> wrote:

> > Try a manual delivery of the spooled message, with debug enabled :-
> >
> > # exim -d+all -M 1s1rwf-00034B-0B 2>&1 | tee debuglog
> >
> > and inspect the detailed debug output. Find the part where
> > it starts running the transport, specifically.
> > --
> > Cheers,
> > Jeremy
>
> Thanks Jeremy! At first, when I tried to run that command as root, it
> gave some output ending with:
>
> 18:56:50 825 LOG: PANIC DIE
> 18:56:50 825 Cannot open main log file "/var/spool/exim/log/mainlog":
> Permission denied: euid=0 egid=0
> 18:56:50 825 2024-05-09 18:56:50 Warning: purging the environment.
> 18:56:50 825 Suggested action: use keep_environment.
> 18:56:50 825 2024-05-09 18:56:50 Cannot open main log file
> "/var/spool/exim/log/mainlog": Permission denied: euid=0 egid=0
> 18:56:50 825 exim: could not open panic log - aborting: see message(s)
> above
> 18:56:50 825 search_tidyup called
> 18:56:50 825 >>>>>>>>>>>>>>>> Exim pid=825 (fresh-exec) terminating with
> rc=1 >>>>>>>>>>>>>>>>
>
> However, when I ran it inside "su - exim -s /bin/sh" (exim user:group is
> exim:exim), I get the full following output:
>
> 19:01:24 888 Exim version 4.96.1 uid=979 gid=974 pid=888 D=fff9ffff
> 19:01:24 888 Support for: crypteq iconv() GnuTLS TLS_resume DANE DKIM
> DNSSEC Event OCSP PIPECONNECT PRDR Queue_Ramp TCP_Fast_Open
> 19:01:24 888 Lookups (built-in): lsearch wildlsearch nwildlsearch
> iplsearch dbm dbmjz dbmnz dnsdb
> 19:01:24 888 Authenticators: cram_md5 dovecot external plaintext spa tls
> 19:01:24 888 Routers: accept dnslookup ipliteral manualroute
> queryprogram redirect
> 19:01:24 888 Transports: appendfile autoreply pipe smtp
> 19:01:24 888 Configure owner: 0:0
> 19:01:24 888 Size of off_t: 8
> 19:01:24 888 Compiler: GCC [11.3.0]
> 19:01:24 888 Library version: Glibc: Compile: 2.35
> 19:01:24 888 Runtime: 2.35
> 19:01:24 888 Library version: BDB: Compile: Berkeley DB 5.3.28:
> (September 9, 2013)
> 19:01:24 888 Runtime: Berkeley DB 5.3.28:
> (September 9, 2013)
> 19:01:24 888 Library version: GnuTLS: Compile: 3.7.7
> 19:01:24 888 Runtime: 3.8.3
> 19:01:24 888 Library version: PCRE2: Compile: 10.40
> 19:01:24 888 Runtime: 10.40 2022-04-14
> 19:01:24 888 Total 9 lookups
> 19:01:24 888 WHITELIST_D_MACROS unset
> 19:01:24 888 TRUSTED_CONFIG_LIST unset
> 19:01:24 888 Exim has no root privilege: uid=979 gid=974 euid=979
> egid=974
> 19:01:24 888 changed uid/gid: forcing real = effective
> 19:01:24 888 uid=979 gid=974 pid=888
> 19:01:24 888 auxiliary group list: 974 1000
> 19:01:24 888 seeking password data for user "root": cache not available
> 19:01:24 888 getpwnam() succeeded uid=0 gid=0
> 19:01:24 888 LOG: MAIN
> 19:01:24 888 Warning: purging the environment.
> 19:01:24 888 Suggested action: use keep_environment.
> 2024-05-09 19:01:24 Warning: purging the environment.
> Suggested action: use keep_environment.
> 19:01:24 888 configuration file is
> /gnu/store/076bissc2g84ic1lcb5jw9hx3wnvl7j7-exim-4.96.1/etc/exim.conf
> 19:01:24 888 log selectors = 0000cffc 64205022 0000000c
> 19:01:24 888 cwd=/var/empty 4 args: exim -d+all -M 1s1rwf-00034B-0B
> exim: debugging permission denied
>
> Seems like when running as root, exim refuses to keep root permissions,
> but when running as exim, it has insufficient privileges? I have the
> following local_delivery section:
>
> local_delivery:
>   driver = appendfile
>   file = /var/mail/$local_part_data
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>   #group = exim
>   #mode = 0660
>
> and I have the /var/mail directory set like so:
>
> # ls -la /var/mail
> total 0
> drwxrwxrwt 1 exim exim 0 Apr 30 17:10 ./
> drwxr-xr-x 1 root root 88 May 9 18:39 ../
>
>
> Thanks for the help,
> -Zacchae
>

--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
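
The two checks raised in this thread (whether the exim binary is setuid root, and which spool entries are not owned by the exim user) can be scripted as follows. This is an added example, not part of the original messages or of Exim or Guix; the function names are invented here, and the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): the two permission checks discussed
# above. Function names are invented for this example.

# binary_privilege FILE
# Prints "setuid-root", "setuid-other", "not-setuid" or "missing".
binary_privilege() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    if [ -u "$f" ]; then
        # Third field of "ls -ln" is the numeric owner; -L follows symlinks.
        owner=$(ls -ldnL "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-other"
        fi
    else
        echo "not-setuid"
    fi
}

# not_owned_by DIR USER
# Lists every entry under DIR (DIR included) whose owner is not USER.
# USER may be a name or a numeric uid.
not_owned_by() {
    find "$1" ! -user "$2" -print 2>/dev/null | sort
}

# exim_permission_report BINARY SPOOL_DIR USER
# Combines both checks into a short report.
exim_permission_report() {
    echo "binary: $(binary_privilege "$1")"
    strays=$(not_owned_by "$2" "$3")
    if [ -n "$strays" ]; then
        echo "not owned by $3:"
        echo "$strays" | sed 's/^/  /'
    else
        echo "spool: all entries owned by $3"
    fi
}

# Usage with the paths quoted in the thread:
#   exim_permission_report \
#     /gnu/store/14ymh0d8xk0089wbnm0xmjz4kw6yzvln-exim-4.96/bin/exim-4.96-1 \
#     /var/spool/exim exim
```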
