Solution: sieve with reject/redirect/vacation fails, sendmail exit 71
Razmik Ghanaghounian
rghanaghounian at harbourfrontcentre.com
Wed Aug 31 11:44:55 EDT 2005
Nix, I follow you.. when cyrus runs sendmail, it has GID=smmsp and since
/var/spool/clientmqueue has rwxrwx smmsp smmsp,
it SHOULD be able to put files in there.... but it doesn't.
I did telnet localhost smtp, tried sending to a user with a sieve
vacation/redirect and did strace on the process,
but it didn't reveal anything interesting. I even straced the master
process. I don't think you can strace timsieved since that is a fork off
cyrus and listens on a socket.
Raz
Nikola Milutinovic wrote:
> Razmik Ghanaghounian wrote:
>
>> Privet Sergey..
>> I put trusted user 'cyrus' in submit.cf and it didn't help.. here is
>> the cut from my submit.cf
>>
>> #####################
>> # Trusted users #
>> #####################
>>
>> # this is equivalent to setting class "t"
>> #Ft/etc/mail/trusted-users
>> Troot
>> Tdaemon
>> Tuucp
>> Tcyrus
>>
>> and Nikola... the permissions on the sendmail binary are
>> r-xr-sr-x r root smmsp
>> so yes, it is setGid smmsp
>> anyways, setting g+w on /var/spool/clientmqueue and making cyrus a
>> member of smmsp does the trick, but I know it isn't the right way.
>
> The SECURITY file of the Sendmail distribution explains this at some
> length, but I'll just give you the gist.
>
> Older versions of Sendmail had the binary set to "rwsr-xr-x", with
> SetUID=root. This allowed any user on the system to use sendmail to
> send mail to another local user (sendmail had to be root in order to
> invoke /bin/mail as root, which delivered to /var/spool/mail/*). Newer
> versions actually have 2 daemons using the same binary. Three system
> accounts are in play here: "root", "smmta" and "smmsp". The MTA daemon
> runs as "root" and drops to "smmta" when it handles a connection.
> The MTA queue runner scans /var/spool/clientmqueue and, if it sees a
> mail in it, delivers it as "root". The Sendmail binary is SetGID to
> "smmsp", and any user running it will run it with that group ID,
> allowing any user on the system to submit messages to
> /var/spool/clientmqueue, in case the MSP cannot contact the MTA
> directly (over the socket).
>
> So, to summarize, "cyrus" shouldn't be a member of the "smmsp" group,
> but rwxrwx--- on /var/spool/clientmqueue is a must.
>
> Nix.
> ----
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
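An added check for the layout Nikola describes (setgid-smmsp sendmail binary, rwxrwx--- clientmqueue owned by the smmsp group), written for this page and not part of the thread or of Sendmail: it reports every deviation instead of leaving you to diagnose an exit 71 by hand. The function names, the temporary stand-in files and the use of the current process group as the "smmsp" gid in the demo are assumptions of this example; the paths and the group name come from the thread.

```python
import os
import stat
import tempfile

# Layout described in the thread: the sendmail binary is setgid to the MSP
# group (r-xr-sr-x root smmsp) and the client queue is rwxrwx--- with group
# smmsp, so every local user submits through the inherited group ID and no
# account such as "cyrus" needs to be added to the smmsp group.
BINARY_MODE = 0o2555   # r-xr-sr-x
QUEUE_MODE = 0o770     # rwxrwx---


def audit_msp_layout(sendmail_path, clientmqueue_path, msp_gid):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    sm = os.stat(sendmail_path)
    if not sm.st_mode & stat.S_ISGID:
        findings.append("sendmail: setgid bit is not set")
    if sm.st_gid != msp_gid:
        findings.append("sendmail: group is gid %d, expected %d" % (sm.st_gid, msp_gid))
    if not sm.st_mode & stat.S_IXOTH:
        findings.append("sendmail: not executable by other users")
    if not os.path.isdir(clientmqueue_path):
        return findings + ["clientmqueue: not a directory"]
    q = os.stat(clientmqueue_path)
    perms = stat.S_IMODE(q.st_mode)
    if perms != QUEUE_MODE:
        findings.append("clientmqueue: mode is %04o, expected %04o" % (perms, QUEUE_MODE))
    if q.st_gid != msp_gid:
        findings.append("clientmqueue: group is gid %d, expected %d" % (q.st_gid, msp_gid))
    return findings


def build_demo_layout(binary_mode=BINARY_MODE, queue_mode=QUEUE_MODE):
    """Build a throwaway stand-in for sendmail plus clientmqueue (a constructed
    sample, not a real install). Returns (binary, queue, gid to expect)."""
    root = tempfile.mkdtemp(prefix="msp-demo-")
    binary = os.path.join(root, "sendmail")
    queue = os.path.join(root, "clientmqueue")
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\nexit 71\n")   # placeholder, not the real binary
    os.chmod(binary, binary_mode)
    os.mkdir(queue)
    os.chmod(queue, queue_mode)
    return binary, queue, os.stat(binary).st_gid


if __name__ == "__main__":
    print("correct layout:", audit_msp_layout(*build_demo_layout()))
    print("queue not group-writable:", audit_msp_layout(*build_demo_layout(queue_mode=0o750)))
```

On a live host call `audit_msp_layout("/usr/sbin/sendmail", "/var/spool/clientmqueue", grp.getgrnam("smmsp").gr_gid)`; the demo layout exists only so the script runs without a sendmail install.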