> The group permissions on your TLS certificate aren't working because
> your script explicitly sets the group to "nobody" when tcpserver
> starts. Entries in /etc/group only affect interactive logins, not
> daemon processes like tcpserver. Try changing your script from this:
>
>   -g `id -g nobody`
>
> To this:
>
>   -g `id -g qmaild`
>
> You should then be able to change the file permissions back to their
> original settings.
>
> NO it is not possible to change the permissions back to their original settings
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> In my /etc/init.d/qmail I have
>> ...
>> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
>> ...
>> sh -c "start-stop-daemon --start --quiet --user qmaild \
>>   --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>   --exec /usr/bin/tcpserver -- -R -H \
>>   -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>   $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>   | $logger &"
>>
>> If I understand that rightfully it means that spamdyke will run as qmaild.
>> Next we take a look at /etc/spamdyke-smtps.conf
>>
>> log-level=verbose
>> tls-level=smtps
>> tls-certificate-file=/etc/ssl/certs/stunnel.pem
>> filter-level=require-auth
>> smtp-auth-level=ondemand
>> smtp-auth-command=/usr/bin/chkpw /bin/true
>> access-file=/etc/spam-relays
>> local-domains-file=/etc/qmail/rcpthosts
>> relay-level=normal
>>
>> Clearly qmaild must have read access to /etc/ssl/certs/stunnel.pem. First I
>> thought I could ensure that with
>>
>> server:/etc/ssl/certs# ls -la stunnel.pem
>> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>>
>> server:/# grep qmaild /etc/group
>> qmaild:x:1005:qmaild
>>
>> Where qmaild is a group with qmaild as member, but for one strange reason
>> this doesn't work. First when I changed it to:
>>
>> s# ls -la stunnel.pem
>> -rw-r----- 1 qmaild qmaild 2402 2009-09-23 10:03 stunnel.pem
>>
>> It started to work. I think it is a bug because these keys and certificates
>> could be used by several programs, e.g. pop3 running as another user, where
>> group access could be handy.
>>
>> Next for authentication /usr/bin/chkpw (chkpw is just a copy of
>> checkpassword) must at least have suid set like this
>>
>> rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw
>>
>> However it turned out that it would not work before I changed it to
>>
>> -rwsr-xr-x 1 root qmaild 12360 2009-09-26 20:47 /usr/bin/chkpw
>>
>> I don't understand why it is so, and I think it is a bug
>>
>> _______________________________________________
>> spamdyke-users mailing list
>> [email protected]
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>
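The thread turns on one fact: a child started by `tcpserver -u UID -g GID` carries exactly that uid and that single gid, with no supplementary groups, whereas an interactive login picks up every group listed for the user in /etc/group. The following script is an added example, not code from the thread, from spamdyke or from tcpserver. It models the kernel's discretionary-access check (owner class, else group class, else other) so each of the permission situations described above can be reproduced without root. `has_perm` and `show` are names chosen here; the gid 1005 for qmaild comes from the poster's /etc/group line, while uid 0 for root and 65534 for nobody are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread, spamdyke or tcpserver): model the Unix
# DAC check to show why "-g `id -g nobody`" cannot read a root:qmaild 0640
# file, why a login shell can, and why chkpw only "worked" once it was
# world-executable.
#
# Constructed ids: root=0, qmaild=1005 (from the poster's /etc/group line),
# nobody=65534 (assumed).

# has_perm PERM MODE FILE_UID FILE_GID PROC_UID PROC_GID [SUPP_GID ...]
#   PERM  r, w or x
#   MODE  permission bits exactly as `stat -c %a` prints them (640, 4755),
#         i.e. without a leading zero, so the shell reads them as decimal digits
# Prints yes/no; exit status 0 when access is granted.
has_perm() {
  perm=$1 mode=$2 f_uid=$3 f_gid=$4 p_uid=$5 p_gid=$6
  shift 6
  case $perm in r) want=4 ;; w) want=2 ;; x) want=1 ;; *) return 2 ;; esac
  # A leading setuid/setgid/sticky digit is discarded by the "% 10" steps;
  # it plays no part in the read/write/execute decision.
  owner_bits=$(( mode / 100 % 10 ))
  group_bits=$(( mode / 10 % 10 ))
  other_bits=$(( mode % 10 ))

  if [ "$p_uid" -eq 0 ]; then
    # root bypasses DAC for read/write; for exec at least one x bit must exist
    if [ "$want" -ne 1 ] || [ $(( (owner_bits | group_bits | other_bits) & 1 )) -ne 0 ]; then
      echo yes; return 0
    fi
    echo no; return 1
  fi

  # Exactly one class is consulted: owner if the uid matches, otherwise group
  # if the file's gid is the process gid or one of its supplementary gids,
  # otherwise other. A tcpserver child has no supplementary gids at all.
  if [ "$p_uid" -eq "$f_uid" ]; then
    bits=$owner_bits
  else
    in_group=0
    [ "$p_gid" -eq "$f_gid" ] && in_group=1
    for g in "$@"; do
      [ "$g" -eq "$f_gid" ] && in_group=1
    done
    if [ "$in_group" -eq 1 ]; then bits=$group_bits; else bits=$other_bits; fi
  fi

  if [ $(( bits & want )) -ne 0 ]; then echo yes; return 0; fi
  echo no; return 1
}

# show DESCRIPTION has_perm-arguments... : one labelled line per scenario
show() {
  desc=$1; shift
  printf '%-66s %s\n' "$desc" "$(has_perm "$@")"
}

# Scenarios taken from the thread (stunnel.pem is -rw-r----- root:qmaild, 640).
show "stunnel.pem, tcpserver -u qmaild -g nobody (original script)"   r 640 0 1005 1005 65534
show "stunnel.pem, interactive login as qmaild (gid 1005 from /etc/group)" r 640 0 1005 1005 65534 1005
show "stunnel.pem, tcpserver -u qmaild -g qmaild (Sam's suggestion)"    r 640 0 1005 1005 1005
show "stunnel.pem chowned qmaild:qmaild (poster's workaround)"         r 640 1005 1005 1005 65534
show "chkpw rwSr-x--- root:qmaild (4650), child runs with -g nobody"   x 4650 0 1005 1005 65534
show "chkpw rwSr-x--- root:qmaild (4650), child runs with -g qmaild"   x 4650 0 1005 1005 1005
show "chkpw -rwsr-xr-x root:qmaild (4755), any gid"                    x 4755 0 1005 1005 65534
```

Scenarios five to seven explain the chkpw observation the same way: with the group left at "nobody" the child falls into the "other" class, which `rwSr-x---` grants nothing, so only making the binary world-executable (`-rwsr-xr-x`) made it run. With `-g qmaild` the group class applies and the original, tighter mode is enough.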
