In my /etc/init.d/qmail I have
...
rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
...
sh -c "start-stop-daemon --start --quiet --user qmaild \
--pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
--exec /usr/bin/tcpserver -- -R -H \
-u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
$rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
| $logger &"
If I understand that rightfully it means that spamdyke will run as qmaild. Next
we
take a look /etc/spamdyke-smtps.conf
log-level=verbose
tls-level=smtps
tls-certificate-file=/etc/ssl/certs/stunnel.pem
filter-level=require-auth
smtp-auth-level=ondemand
smtp-auth-command=/usr/bin/chkpw /bin/true
access-file=/etc/spam-relays
local-domains-file=/etc/qmail/rcpthosts
relay-level=normal
Clearly qmaild must have read access to /etc/ssl/certs/stunnel.pem . First I
thought
I could ensure that with
server:/etc/ssl/certs# ls -la stunnel.pem
>> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
server:/# grep qmaild /etc/group
qmaild:x:1005:qmaild
Where qmaild is a group with qmaild as member, but for one strange reason this
doen't
work. First when I changed it to:
s# ls -la stunnel.pem
-rw-r----- 1 qmaild qmaild 2402 2009-09-23 10:03 stunnel.pem
It started to work. I think it is a bug because these keys and certificates
could be
used by sveral programs ex. pop3 running as another user where group access
could be
handy..
Next for authentication /usr/bin/chkpw (chkpw is just a copy of checkpassword)
must
at least have suid set like this
rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw
However it turned out that it would not work before I changed it to
-rwsr-xr-x 1 root qmaild 12360 2009-09-26 20:47 /usr/bin/chkpw
I don't understand why it is so, and I think it is abug
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
